[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [qemu-mainline bisection] complete test-amd64-i386-xl-qemuu-debianhvm-amd64



branch xen-unstable
xenbranch xen-unstable
job test-amd64-i386-xl-qemuu-debianhvm-amd64
testid debian-hvm-install

Tree: linux git://xenbits.xen.org/linux-pvops.git
Tree: linuxfirmware git://xenbits.xen.org/osstest/linux-firmware.git
Tree: qemu git://xenbits.xen.org/qemu-xen-traditional.git
Tree: qemuu git://git.qemu.org/qemu.git
Tree: xen git://xenbits.xen.org/xen.git

*** Found and reproduced problem changeset ***

  Bug is in tree:  qemuu git://git.qemu.org/qemu.git
  Bug introduced:  b04fc428356a540fdb9065fa8c3c71ee476c2031
  Bug not present: f2155a089600e80cf7bcdc814520ef3304882cc4
  Last fail repro: http://logs.test-lab.xenproject.org/osstest/logs/65229/


  commit b04fc428356a540fdb9065fa8c3c71ee476c2031
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 17:50:12 2015 +0000

      Update version for v2.5.0-rc2 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 72f75c76d84e2eefc6806dafca116860ffe847f0
  Merge: a5df350 d08e42a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 16:50:59 2015 +0000

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      vhost, pc: fixes for 2.5

      Minor vhost fixes.  HW version tweak for PC.
      Documentation and test updates.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 26 Nov 2015 16:40:25 GMT using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        vhost-user-test: fix migration overlap test
        Fix memory leak on error
        Revert "vhost: send SET_VRING_ENABLE at start/stop"
        tests/vhost-user-bridge: read command line arguments
        tests/vhost-user-bridge: propose GUEST_ANNOUNCE feature
        vhost-user: clarify start and enable
        vhost-user: set link down when the char device is closed
        pc: Don't set hw_version on pc-*-2.5
        osdep: Change default value of qemu_hw_version() to "2.5+"

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d08e42a1125d384cb53423f5810b0c7ea52dc6c9
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Nov 26 15:14:02 2015 +0200

      vhost-user-test: fix migration overlap test

      During migration, source does GET_BASE, destination does SET_BASE.
      Use that as opposed to fds being configured to detect
      vhost user running on both source and destination.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a5df35070a4c7fa8e2d9c6bd7175ee8e3e0f7641
  Merge: 317e4db df64983
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 16:27:26 2015 +0000

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-11-26' into staging

      QMP and QObject patches

      # gpg: Signature made Thu 26 Nov 2015 09:07:18 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-11-26:
        qjson: Limit number of tokens in addition to total size
        qjson: surprise, allocating 6 QObjects per token is expensive
        qjson: store tokens in a GQueue
        qjson: Convert to parser to recursive descent
        qjson: replace QString in JSONLexer with GString
        qjson: Inline token_is_escape() and simplify
        qjson: Inline token_is_keyword() and simplify
        qjson: Give each of the six structural chars its own token type
        qjson: Spell out some silent assumptions
        check-qjson: Add test for JSON nesting depth limit
        qjson: Don't crash when input exceeds nesting limit
        qjson: Apply nesting limit more sanely
        monitor: Plug memory leak on QMP error

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 317e4db6e90421abeeebc78f1a3e8472a76b2e74
  Merge: fe4cf57 5120901
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 15:56:53 2015 +0000

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      Small patches, without the one that introduces -fwrapv.

      # gpg: Signature made Thu 26 Nov 2015 15:48:53 GMT using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream:
        target-i386: kvm: Print warning when clearing mcg_cap bits
        target-i386: kvm: Use env->mcg_cap when setting up MCE
        target-i386: kvm: Abort if MCE bank count is not supported by host
        virtio-scsi: don't crash without a valid device
        target-sparc: fix 32-bit truncation in fpackfix
        exec: remove warning about mempath and hugetlbfs
        Revert "exec: silence hugetlbfs warning under qtest"
        call bdrv_drain_all() even if the vm is stopped
        MAINTAINERS: Update TCG CPU cores section

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5120901a378501403d5454b69cf43e666fc29d5b
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 25 18:19:16 2015 +0100

      target-i386: kvm: Print warning when clearing mcg_cap bits

      Instead of silently clearing mcg_cap bits when the host doesn't
      support them, print a warning when doing that.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      [Avoid \n at end of error_report. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448471956-66873-10-git-send-email-pbonzini@xxxxxxxxxx>

  commit 2590f15b13cc57487518996b32bb7626b0d80909
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 25 18:19:15 2015 +0100

      target-i386: kvm: Use env->mcg_cap when setting up MCE

      When setting up MCE, instead of using the MCE_*_DEF macros
      directly, just filter the existing env->mcg_cap value.

      As env->mcg_cap is already initialized as
      MCE_CAP_DEF|MCE_BANKS_DEF at target-i386/cpu.c:mce_init(), this
      doesn't change any behavior. But it will allow us to change
      mce_init() in the future, to implement different defaults
      depending on CPU model, machine-type or command-line parameters.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448471956-66873-9-git-send-email-pbonzini@xxxxxxxxxx>

  commit 49b69cbfcd6e32e2178d6ff7e5d60689c3f79c6e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 25 18:19:14 2015 +0100

      target-i386: kvm: Abort if MCE bank count is not supported by host

      Instead of silently changing the number of banks in mcg_cap based
      on kvm_get_mce_cap_supported(), abort initialization if the host
      doesn't support MCE_BANKS_DEF banks.

      Note that MCE_BANKS_DEF was always 10 since it was introduced in
      QEMU, and Linux always returned 32 at KVM_CAP_MCE since
      KVM_CAP_MCE was introduced, so no behavior is being changed and
      the error can't be triggered by any Linux version. The point of
      the new check is to ensure we won't silently change the bank
      count if we change MCE_BANKS_DEF or make the bank count
      configurable in the future.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      [Avoid Yoda condition and \n at end of error_report. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448471956-66873-8-git-send-email-pbonzini@xxxxxxxxxx>

  commit 3e32e8a96e6995cde3d8a13d68e31226ee83f290
  Author: Eugene (jno) Dvurechenski <jno@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Nov 26 15:45:35 2015 +0100

      virtio-scsi: don't crash without a valid device

      Make sure that we actually have a device when checking the aio
      context. Otherwise guests could trigger QEMU crashes.

      Signed-off-by: "Eugene (jno) Dvurechenski" <jno@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1448549135-6582-2-git-send-email-jno@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 12a3567c4099be194b44987ac5d7d65b99bcfab7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Nov 2 15:05:34 2015 +0100

      target-sparc: fix 32-bit truncation in fpackfix

      This is reported by Coverity.  The algorithm description at
      ftp://ftp.icm.edu.pl/packages/ggi/doc/hw/sparc/Sparc.pdf suggests
      that the 32-bit parts of rs2, after the left shift, is treated
      as a 64-bit integer.  Bits 32 and above are used to do the
      saturating truncation.

      Message-Id: <1446473134-4330-1-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bfc2a1a1f41c2861b20e8318c0541d0823427802
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 25 10:52:29 2015 +0000

      exec: remove warning about mempath and hugetlbfs

      The gethugepagesize() method in exec.c printed a warning if
      the file path for "-mem-path" or "-object memory-backend-file"
      was not on a hugetlbfs filesystem. This warning is bogus, because
      QEMU functions perfectly well with the path on a regular tmpfs
      filesystem. Use of hugetlbfs vs tmpfs is a choice for the management
      application or end user to make as best fits their needs. As such it
      is inappropriate for QEMU to have an opinion on whether the user's
      choice is right or wrong in this case.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1448448749-1332-3-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2c189a4e12a37b1c7cae2a2643c378c5af8f67fc
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 25 10:52:28 2015 +0000

      Revert "exec: silence hugetlbfs warning under qtest"

      This reverts commit 1c7ba94a184df1eddd589d5400d879568d3e5d08.

      That commit changed QEMU initialization order from

       - object-initial, chardev, qtest, object-late

      to

       - chardev, qtest, object-initial, object-late

      This breaks chardev setups which need to rely on objects
      having been created. For example, when chardevs use TLS
      encryption in the future, they need to have tls credential
      objects created first.

      This revert, restores the ordering introduced in

        commit f08f9271bfe3f19a5eb3d7a2f48532065304d5c8
        Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
        Date:   Wed May 13 17:14:04 2015 +0100

          vl: Create (most) objects before creating chardev backends

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1448448749-1332-2-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b2780d325306dc80ec07db9c0c61e9b2ac10e559
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri Nov 20 17:34:38 2015 +0800

      call bdrv_drain_all() even if the vm is stopped

      There are still I/O operations when the vm is stopped. For example,
      stop the vm, and do block migration. In this case, we don't drain all
      I/O operation, and may meet the following problem:

      qemu-system-x86_64: migration/block.c:731: block_save_complete: Assertion 
`block_mig_state.submitted == 0' failed.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-Id: <564EE92E.4070701@xxxxxxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 903a41d3415960240cb3b9f1d66f3707b27010d6
  Author: Stefano Dong (��水) <opensource.dxs@xxxxxxxxxx>
  Date:   Thu Nov 26 12:00:12 2015 +0000

      Fix memory leak on error

      hw/ppc/spapr.c: Fix memory leak on error, it was introduced in bc09e0611
      hw/acpi/memory_hotplug.c: Fix memory leak on error, it was introduced in 
34f2af3d

      Signed-off-by: Stefano Dong (��水) <opensource.dxs@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fe4cf57da7a85fa65488448acdc22a65096e832a
  Merge: b8b0ee0 7fe4a41
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 10:58:10 2015 +0000

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20151126-1' 
into staging

      vnc: fix segfault

      # gpg: Signature made Thu 26 Nov 2015 07:37:43 GMT using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vnc-20151126-1:
        vnc: fix segfault

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b8b0ee0ea3d2789d8ee7372b9a173e7952e18087
  Merge: 7ef7ddf 44c6e00
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 10:24:18 2015 +0000

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-11-25-v2-tag' into staging

      qemu-ga patch queue for 2.5

      * include additional w32 MSI install components needed for
        guest-exec
      * fix 'make install' when compiling with --disable-tools
      * fix potential data corruption/loss when accessing files
        bi-directionally via guest-file-{read,write}
      * explicitly document how integer args for guest-file-seek map to
        SEEK_SET/SEEK_CUR/etc to avoid platform-specific differences

      v2:
      * fixed missing SoB

      # gpg: Signature made Wed 25 Nov 2015 23:58:45 GMT using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-11-25-v2-tag:
        qga: added another non-interactive gspawn() helper file.
        qga: Better mapping of SEEK_* in guest-file-seek
        tests: add file-write-read test
        qga: flush explicitly when needed
        qga: gspawn() console helper to Windows guest agent msi build
        makefile: fix qemu-ga make install for --disable-tools

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 449e3578107799817a81249b189f6f82aa9e787d
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Nov 25 13:39:57 2015 +0200

      Revert "vhost: send SET_VRING_ENABLE at start/stop"

      This reverts commit 3a12f32229a046f4d4ab0a3a52fb01d2d5a1ab76.

      In case of live migration several queues can be enabled and not only the
      first one. So informing backend that only the first queue is enabled is
      wrong.

      Reported-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      Cc: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>

  commit 7ef7ddf37674f7147ef23c311cbc3c37e908c8b0
  Merge: c7933a8 9c73517
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 09:44:25 2015 +0000

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Wed 25 Nov 2015 20:25:21 GMT using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        ide-test: fix timeouts
        atapi: Fix code indentation
        atapi: Account for failed and invalid operations in cd_read_sector()
        ide-test: cdrom_pio_impl fixup

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit df649835fe48f635a93316fdefe96ced7189316e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:33 2015 +0100

      qjson: Limit number of tokens in addition to total size

      Commit 29c75dd "json-streamer: limit the maximum recursion depth and
      maximum token count" attempts to guard against excessive heap usage by
      limiting total token size (it says "token count", but that's a lie).

      Total token size is a rather imprecise predictor of heap usage: many
      small tokens use more space than few large tokens with the same input
      size, because there's a constant per-token overhead: 37 bytes on my
      system.

      Tighten this up: limit the token count to 2Mi.  Chosen to roughly
      match the 64MiB total token size limit.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1448486613-17634-13-git-send-email-armbru@xxxxxxxxxx>

  commit 9bada8971173345ceb37ed1a47b00a01a4dd48cf
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:32 2015 +0100

      qjson: surprise, allocating 6 QObjects per token is expensive

      Replace the contents of the tokens GQueue with a simple struct.  This cuts
      the amount of memory allocated by tests/check-qjson from ~500MB to ~20MB,
      and the execution time from 600ms to 80ms on my laptop.  Still a lot (some
      could be saved by using an intrusive list, such as QSIMPLEQ, instead of
      the GQueue), but the savings are already massive and the right thing to
      do would probably be to get rid of json-streamer completely.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448300659-23559-5-git-send-email-pbonzini@xxxxxxxxxx>
      [Straightforwardly rebased on my patches]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 95385fe9ace7db156b924da6b6f5c9082b68ba68
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:31 2015 +0100

      qjson: store tokens in a GQueue

      Even though we still have the "streamer" concept, the tokens can now
      be deleted as they are read.  While doing so convert from QList to
      GQueue, since the next step will make tokens not a QObject and we
      will have to do the conversion anyway.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448300659-23559-4-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d538b25543f4db026bb435066e2403a542522c40
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:30 2015 +0100

      qjson: Convert to parser to recursive descent

      We backtrack in parse_value(), even though JSON is LL(1) and thus can
      be parsed by straightforward recursive descent.  Do exactly that.

      Based on an almost-correct patch from Paolo Bonzini.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-10-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d2ca7c0b0d876cf0e219ae7a92252626b0913a28
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:29 2015 +0100

      qjson: replace QString in JSONLexer with GString

      JSONLexer only needs a simple resizable buffer.  json-streamer.c
      can allocate memory for each token instead of relying on reference
      counting of QStrings.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448300659-23559-2-git-send-email-pbonzini@xxxxxxxxxx>
      [Straightforwardly rebased on my patches, checkpatch made happy]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 6b9606f68ec589def27bd2a9cea97ec63cffd581
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:28 2015 +0100

      qjson: Inline token_is_escape() and simplify

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-8-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 50e2a467f5315fa36c547fb6330659ba45f6bb83
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:27 2015 +0100

      qjson: Inline token_is_keyword() and simplify

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-7-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c54616608af442edf4cfb7397a1909c2653efba0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:26 2015 +0100

      qjson: Give each of the six structural chars its own token type

      Simplifies things, because we always check for a specific one.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-6-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit b8d3b1da3cdbb02e180618d6be346c564723015d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:25 2015 +0100

      qjson: Spell out some silent assumptions

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-5-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f0ae0304c7a41a42b7d4a6cde450da938d3c2cc7
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:24 2015 +0100

      check-qjson: Add test for JSON nesting depth limit

      This would have prevented the regression mentioned in the previous
      commit.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1448486613-17634-4-git-send-email-armbru@xxxxxxxxxx>

  commit 0753113a26bb8c77f951b1ea91fd4f36d099c37a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:23 2015 +0100

      qjson: Don't crash when input exceeds nesting limit

      We limit nesting depth and input size to defend against input
      triggering excessive heap or stack memory use (commit 29c75dd
      json-streamer: limit the maximum recursion depth and maximum token
      count).  However, when the nesting limit is exceeded,
      parser_context_peek_token()'s assertion fails.

      Broken in commit 65c0f1e "json-parser: don't replicate tokens at each
      level of recursion".

      To reproduce stuff 1025 open braces or brackets into QMP.

      Fix by taking the error exit instead of the normal one.

      Reported-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1448486613-17634-3-git-send-email-armbru@xxxxxxxxxx>

  commit 4f2d31fbc0bfdf41feea7d1be49f4f7ffa005534
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:22 2015 +0100

      qjson: Apply nesting limit more sanely

      The nesting limit from commit 29c75dd "json-streamer: limit the
      maximum recursion depth and maximum token count" applies separately to
      braces and brackets.  This makes no sense.  Apply it to their sum,
      because that's actually a measure of recursion depth.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1448486613-17634-2-git-send-email-armbru@xxxxxxxxxx>

  commit 3a81a10179b702e031d8f84438193d83a64b4122
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 29 12:15:09 2015 +0100

      monitor: Plug memory leak on QMP error

      Leak introduced in commit 8a4f501..710aec9, v2.4.0.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1446117309-15322-1-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 7fe4a41c262e2529dc79f77f6fe63c5309fa2fd9
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Nov 25 08:04:05 2015 +0100

      vnc: fix segfault

      Commit "c7628bf vnc: only alloc server surface with clients connected"
      missed one rarely used codepath (cirrus with guest drivers using 2d
      accel) where we have to check for the server surface being present,
      to avoid qemu crashing with a NULL pointer dereference.  Add the check.

      Reported-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
      Tested-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 44c6e00c3fd85b9c496bd3e74108ace126813a59
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Wed Nov 25 22:02:26 2015 +0300

      qga: added another non-interactive gspawn() helper file.

      With previous commit we added gspawn-win64-helper-console.exe,
      required for gspawn() mingw implementation.
      Unfortunatly when running as a service without interactive
      desktop, gspawn() also requires another helper app.

      Added gspawn-win64-helper.exe and gspawn-win32-helper.exe
      for corresponding architectures.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * remove trailing whitespace
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 0a982b1bf3953dc8640c4d6e619fb1132ebbebc3
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Nov 25 10:37:15 2015 -0700

      qga: Better mapping of SEEK_* in guest-file-seek

      Exposing OS-specific SEEK_ constants in our qapi was a mistake
      (if the host has SEEK_CUR as 1, but the guest has it as 2, then
      the semantics are unclear what should happen); if we had a time
      machine, we would instead expose only a symbolic enum.  It's too
      late to change the fact that we have an integer in qapi, but we
      can at least document what mapping we want to enforce for all
      qga clients (and luckily, it happens to be the mapping that both
      Linux and Windows use); then fix the code to match that mapping.
      It also helps us filter out unsupported SEEK_DATA and SEEK_HOLE.

      In the future, we may wish to move our QGA_SEEK_* constants into
      qga/qapi-schema.json, along with updating the schema to take an
      alternate type (either the integer, or the string value of the
      enum name) - but that's too much risk during hard freeze.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4eaab85cb1c1ba9c575d29921df81d63c7aa35df
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Nov 25 13:59:12 2015 +0100

      tests: add file-write-read test

      This test exhibits a POSIX behaviour regarding switching between write
      and read. It's undefined result if the application doesn't ensure a
      flush between the two operations (with glibc, the flush can be implicit
      when the buffer size is relatively small). The previous commit fixes
      this test.

      Related to:
      https://bugzilla.redhat.com/show_bug.cgi?id=1210246

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 895b00f62a7e86724dc7352d67c7808d37366130
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Nov 25 13:59:11 2015 +0100

      qga: flush explicitly when needed

      According to the specification:
      http://pubs.opengroup.org/onlinepubs/9699919799/functions/fopen.html

      "the application shall ensure that output is not directly followed by
      input without an intervening call to fflush() or to a file positioning
      function (fseek(), fsetpos(), or rewind()), and input is not directly
      followed by output without an intervening call to a file positioning
      function, unless the input operation encounters end-of-file."

      Without this change, an fwrite() followed by an fread() may lose the
      previously written content, as shown in the following test.

      Fixes:
      https://bugzilla.redhat.com/show_bug.cgi?id=1210246

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      * don't confuse {write,read}() with f{write,read}() in
        commit msg (Laszlo)
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 9c73517ca56d6611371376bd298b4b20f3ad6140
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Nov 24 14:36:11 2015 -0500

      ide-test: fix timeouts

      Use explicit timeouts instead of trying to approximate it by counting
      the cumulative duration of nsleep calls.

      In practice, the timeout if inb() dwarfed the nsleep delays, and as a
      result the real timeout value became a lot larger than 5 seconds.

      So: change the semantics from "Not sooner than 5 seconds" to "no more
      than 5 seconds" to ensure we don't hang the tester for very long.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1448393771-15483-2-git-send-email-jsnow@xxxxxxxxxx

  commit f2b608ab80a336b0136d35d9b49419a917656d44
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Thu Nov 19 15:20:37 2015 +0300

      qga: gspawn() console helper to Windows guest agent msi build

      This helper, gspawn-win64-helper-console.exe for 64-bit and
      gspawn-win32-helper-console.exe for 32-bit environment,
      is needed for gspawn() mingw implementation, used by guest-exec command.

      Without these files guest-exec command on Windows will not
      work with "file not found" diagnostic message.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 68aa262ad09c81b8b1284340cc0d26b65c605df5
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Nov 23 15:48:58 2015 -0600

      makefile: fix qemu-ga make install for --disable-tools

      ab59e3e introduced a fix for `make install` on w32 that involved
      filtering out qemu-ga from $TOOLS install recipe so that we could
      append $(EXESUF) to it before attempting to install the binary
      via install-prog function.

      install-prog takes a list of binaries to install to a particular
      directory. If the list is empty it breaks. We guard against this
      by ensuring $TOOLS is not empty prior to calling.

      However, ab59e3e introduces extra filtering after this check which
      can still result on us attempting to call install-prog with an
      empty list of binaries. In particular, this occurs if we
      build with the --disable-tools configure option, which results
      in qemu-ga being the only member of $TOOLS.

      Fix this by doing a simple s/qemu-ga/qemu-ga$(EXESUF)/ pass through
      $TOOLS instead of filtering out qemu-ga to handle it seperately.

      Reported-by: Steve Ellcey <sellcey@xxxxxxxxxx>
      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit c7933a80bc6f3bb79c341f8fc17b4cf76622e2f3
  Merge: 1a4dab8 f77dcdb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 25 16:20:58 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151125' into staging

      migration/next for 20151125

      # gpg: Signature made Wed 25 Nov 2015 14:28:47 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151125:
        block-migration: limit the memory usage
        Assume madvise for (no)hugepage works

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1a4dab849d5d06191ab5e5850f6b8bfcad8ceb47
  Merge: e85dda8 8c34d89
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 25 14:47:06 2015 +0000

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Wed 25 Nov 2015 13:33:14 GMT using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        qemu-iotests: Add -nographic when starting QEMU in 119 and 120
        block/qapi: Plug memory leak on query-block error path
        raw-posix.c: Make GetBSDPath() handle caching options
        nand: fix flash erase when oob is in memory
        test-aio: Fix event notifier cleanup
        tests/Makefile: Add more dependencies for test-timed-average

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f77dcdbc76dbf9bade9739e85e1013639e535835
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri Nov 20 17:37:13 2015 +0800

      block-migration: limit the memory usage

      If we set migration speed in a very large value, block-migration will try 
to read
      all data to the memory. Because
          (block_mig_state.submitted + block_mig_state.read_done) * BLOCK_SIZE
      will be overflow, and it will be always less than rate limit.

      There is no need to read too many data into memory when the rate limit is 
very large.
      So limit the memory usage can fix the overflow problem.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1d7414396f926651c4d7a673eb3a10aca5246d76
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 19 15:27:48 2015 +0000

      Assume madvise for (no)hugepage works

      madvise() returns EINVAL in the case of many failures, but also
      returns it in cases where the host kernel doesn't have THP enabled.
      Postcopy only really cares that THP is off before it detects faults,
      and turns it back on afterwards; so we're going to have
      to assume that if the madvise fails then the host just doesn't do
      THP and we can carry on with the postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Tested-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8c34d891b1594840d8394a3c9b92236c13254fd8
  Merge: 903c341 4d7f853
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Nov 25 14:33:01 2015 +0100

      Merge remote-tracking branch 
'mreitz/tags/pull-block-for-kevin-2015-11-25' into queue-block

      One block patch for qemu 2.5-rc2.

      # gpg: Signature made Wed Nov 25 14:30:45 2015 CET using RSA key ID 
E838ACAD
      # gpg: Good signature from "Max Reitz <mreitz@xxxxxxxxxx>"

      * mreitz/tags/pull-block-for-kevin-2015-11-25:
        qemu-iotests: Add -nographic when starting QEMU in 119 and 120

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4d7f853ff0054989a4f20f1f22d1ec489c669c3b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 23 10:32:10 2015 +0800

      qemu-iotests: Add -nographic when starting QEMU in 119 and 120

      Otherwise, a window flashes on my desktop (built with SDL). Add this as
      other cases have it.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1448245930-15031-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 903c341d5742b160e52752eb6fdc1ba9b87dc52e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Nov 20 13:53:35 2015 +0100

      block/qapi: Plug memory leak on query-block error path

      Spotted by Coverity.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 98caa5bc0083ed4fe4833addd3078b56ce2f6cfa
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Fri Nov 20 19:17:48 2015 -0500

      raw-posix.c: Make GetBSDPath() handle caching options

      Add support for caching options that can be specified from the command
      line.

      The CD-ROM raw char device bypasses the host page cache and therefore
      has alignment requirements.  Alignment probing is necessary so only use
      the raw char device if BDRV_O_NOCACHE is set.

      This patch fixes -cdrom /dev/cdrom on Mac OS X hosts, where bdrv_read()
      used to fail due to misaligned requests during image format probing.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8e37ca6d0be8aae2887c167da783fd2d9536c962
  Author: Ricard Wanderlof <ricard.wanderlof@xxxxxxxx>
  Date:   Fri Nov 13 14:17:28 2015 +0100

      nand: fix flash erase when oob is in memory

      For the "main area on file, oob in memory" case, fix the shifts so that
      we erase the correct number of pages.

      Signed-off-by: Ricard Wanderlöf <ricardw@xxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7595ed743914b9de1d146213dedc1e007283f723
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Nov 23 13:30:23 2015 +0100

      test-aio: Fix event notifier cleanup

      One test case closed an event notifier (event_notifier_cleanup())
      without first disabling it (set_event_notifier(..., NULL)). This
      resulted in a leftover handle 0 that was added to each subsequent
      WaitForMultipleObjects() call, causing the function to fail (invalid
      handle).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5e41fbffa115608fe6f7159d345d6caa0019e687
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Nov 23 13:28:12 2015 +0100

      tests/Makefile: Add more dependencies for test-timed-average

      'make check' failed to compile the test case for mingw because of
      undefined references. Pull in a few more dependencies so that it builds.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e85dda8070b20dd8765d52daf64de70a9ccf395f
  Merge: 1aae36d 22037db
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 25 12:09:34 2015 +0000

      Merge remote-tracking branch 'remotes/sstabellini/tags/xen-20151125' into 
staging

      Xen 2015/11/25

      # gpg: Signature made Wed 25 Nov 2015 11:19:26 GMT using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-20151125:
        xen_disk: Remove ioreq.postsync
        xen: fix usage of xc_domain_create in domain builder

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2b1641d0a2fc10bdbffb1c0aa9836186af008766
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Nov 13 18:49:54 2015 +0100

      MAINTAINERS: Update TCG CPU cores section

      These are the people that I think have been touching it lately
      or reviewing patches.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7cf32491eac9dc32fd8ca7933f3edc9d42f884ee
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Tue Nov 24 12:56:00 2015 +0200

      tests/vhost-user-bridge: read command line arguments

      Now some vhost-user-bridge parameters can be passed from the
      command line:

      Usage: prog [-u ud_socket_path] [-l lhost:lport] [-r rhost:rport]
              -u path to unix doman socket. default: /tmp/vubr.sock
              -l local host and port. default: 127.0.0.1:4444
              -r remote host and port. default: 127.0.0.1:5555

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 85ea9da5b8d8c0b2ab77b493d5ce62599279bf33
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Tue Nov 24 12:55:56 2015 +0200

      tests/vhost-user-bridge: propose GUEST_ANNOUNCE feature

      The backend has to know whether VIRTIO_NET_F_GUEST_ANNOUNCE was
      negotiated, so, as a hack we propose the feature by
      vhost-user-bridge during the feature negotiation.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c61f09ed855b5009f816242ce281fd01586d4646
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Nov 23 12:48:52 2015 +0200

      vhost-user: clarify start and enable

      It seems that we currently have some duplication between
      started and enabled states.

      The actual reason is that enable is not documented correctly:
      what it does is connecting ring to the backend.

      This is important for MQ, because a Linux guest expects TX
      packets to be completed even if it disables some queues
      temporarily.

      Cc: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Cc: Victor Kaplansky <victork@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d39c87d70763f2755d1d7a719817b06f0281fb01
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Wed Nov 11 14:53:29 2015 +0800

      vhost-user: set link down when the char device is closed

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>

  commit 463b52f285164ec3dc0649763e06e40cea9e8a1f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Nov 12 15:29:55 2015 -0200

      pc: Don't set hw_version on pc-*-2.5

      Now that qemu_hw_version() returns a fixed "2.5+" string instead
      of QEMU_VERSION, we don't need to set hw_version on pc-*-2.5
      explicitly.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fac862ffa605f6fa41f52033b27346d26a96bea5
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Nov 12 15:29:54 2015 -0200

      osdep: Change default value of qemu_hw_version() to "2.5+"

      There are two issues with qemu_hw_version() today:

      1) If a machine has hw_version set, the value returned by it is
         not very useful, because it is not the actual QEMU version.
      2) If a machine does't set hw_version, the return value of
         qemu_hw_version() is broken, because it will change when
         upgrading QEMU.

      For those reasons, using qemu_hw_version() is strongly
      discouraged, and should be used only in code that used
      QEMU_VERSION in the past and needs to keep compatibility.

      To fix (2), instead of making every machine broken by default
      unless they set hw_version, make qemu_hw_version() simply return
      "2.5+" if qemu_set_hw_version() is not called.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1aae36df4b8ed884c6ef6995e70c67fad79b49df
  Merge: 4b6eda6 1d64924
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 25 11:38:03 2015 +0000

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-ivshmem-2015-11-25' into staging

      ivshmem patches for 2.5

      # gpg: Signature made Wed 25 Nov 2015 09:25:38 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-ivshmem-2015-11-25:
        ivshmem: Rename property memdev to x-memdev for 2.5
        ivshmem: Mark questionable socket type test FIXME
        tests/ivshmem-test: Supply missing initializer in get_device()
        qemu-doc: Fix ivshmem usage example with shm=...
        qemu-doc: Fix ivshmem example markup

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 22037db38ccfe497bd13a94edead6657781b9b37
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Nov 25 11:54:14 2015 +0200

      xen_disk: Remove ioreq.postsync

      This code has been dead for three years (since commit 7e7b7cba1).

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 1d649244b3695cb148dd2ae66999db0f6f9566b3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:29 2015 +0100

      ivshmem: Rename property memdev to x-memdev for 2.5

      The device's guest interface and its QEMU user interface are
      flawed^Whotly debated.  We'll resolve that in the next development
      cycle, probably by deprecating the device in favour of a cleaned up,
      but not quite compatible revision.

      To avoid adding more baggage to the soon-to-be-deprecated interface,
      mark property "memdev" as experimental, by renaming it to "x-memdev".
      It's the only recent user interface change.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448384789-14830-6-git-send-email-armbru@xxxxxxxxxx>
      [Update of qemu-doc.texi squashed in]
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 2825717c02f5b1367e8e315b222888db00618170
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:28 2015 +0100

      ivshmem: Mark questionable socket type test FIXME

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 1613094766602bdb8cae337ceecd8ab68f956197
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:27 2015 +0100

      tests/ivshmem-test: Supply missing initializer in get_device()

      If the device isn't found, the assertion uses dev without
      initialization.  Fix that.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448384789-14830-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit a9282c25a5e2e860dfba5eca6d08fb2e42ee4f1a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:26 2015 +0100

      qemu-doc: Fix ivshmem usage example with shm=...

      The example suggests you can omit "shm".  This isn't true; you must
      specify exactly one of "shm", "chardev", "memdev".  Fix it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448384789-14830-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 50d34c4e357c41231b1106fc3f46cfd479a31e41
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:25 2015 +0100

      qemu-doc: Fix ivshmem example markup

      Use @var{foo} like we do everywhere else, not <foo>.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448384789-14830-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 73a27d9ac35e3da3a2cf0ebd0bcc2be6de19dd0a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 24 14:18:00 2015 +0200

      atapi: Fix code indentation

      This was accidentally changed by commit 5f81724d

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
93fb43522e3b8dddb6c709d568919347d9a5ba3f.1448367341.git.berto@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 36be0929f53260cb9b1e2720c7c22f6b5fb5910f
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 24 14:17:59 2015 +0200

      atapi: Account for failed and invalid operations in cd_read_sector()

      Commit 5f81724d made PIO read requests async but didn't add the
      relevant block_acct_failed() and block_acct_invalid() calls.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
9b87e09d61019c128139b6c999ed0c07f0674170.1448367341.git.berto@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit a421f3c38509ee4ce47230ec68c5c3a184efb538
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 20 17:53:55 2015 -0500

      ide-test: cdrom_pio_impl fixup

      Final tidying: move the interrupt wait into the loop,
      document that the status read clears the IRQ, and move
      the final interrupt check outside of the loop.

      This should be functionally equivalent to how it works
      currently, but a little less ambiguous and slightly more
      explicit about the state transitions.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1448060035-31973-3-git-send-email-jsnow@xxxxxxxxxx

  commit 4b6eda626fdb8bf90472c6868d502a2ac09abeeb
  Merge: d9636b6 f93c3a8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 17:05:06 2015 +0000

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20151124' into 
staging

      MIPS patches 2015-11-24

      Changes:
      * Fixes for enabling/disabling 64-bit addressing

      # gpg: Signature made Tue 24 Nov 2015 14:54:35 GMT using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"

      * remotes/lalrae/tags/mips-20151124:
        target-mips: flush QEMU TLB when disabling 64-bit addressing
        target-mips: Fix exceptions while UX=0

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d9636b6c2b533ab43fad8c9f47633debeef94561
  Merge: 229c037 e14f0eb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 14:22:37 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151124' into staging

      target-arm queue:
       * fix minimum RAM check warning on xlnx-ep108
       * remove unused define from aarch64-linux-user.mak config
       * don't mask out bits [47:40] in ARMv8 LPAE descriptors
       * correct unallocated instruction checks for ldst_excl

      # gpg: Signature made Tue 24 Nov 2015 14:17:10 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151124:
        target-arm/translate-a64.c: Correct unallocated checks for ldst_excl
        target-arm: Don't mask out bits [47:40] in LPAE descriptors for v8
        default-configs/aarch64-linux-user.mak: Remove unused define
        xlnx-ep108: Fix minimum RAM check

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e14f0eb12f920fd96b9f79d15cedd437648e8667
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 14:12:15 2015 +0000

      target-arm/translate-a64.c: Correct unallocated checks for ldst_excl

      The checks for the unallocated encodings in the ldst_excl group
      (exclusives and load-acquire/store-release) were not correct. This
      error meant that in turn we ended up with code attempting to handle
      the non-existent case of "non-exclusive load-acquire/store-release
      pair". Delete that broken and now unreachable code.

      Reported-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>

  commit 6109769a8b42bd0c3d5b1601c9b35fe7ea6a603e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 14:12:15 2015 +0000

      target-arm: Don't mask out bits [47:40] in LPAE descriptors for v8

      In an LPAE format descriptor in ARMv8 the address field extends
      up to bit 47, not just bit 39. Correct the masking so we don't
      give incorrect results if the output address size is greater
      than 40 bits, as it can be for AArch64.

      (Note that we don't yet support the new-in-v8 Address Size fault which
      should be generated if any translation table entry or TTBR contains
      an address with non-zero bits above the most significant bit of the
      maximum output address size.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1448029971-9875-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit f72c0a79f76f1b7ed1a1e0ff8be31f5df06b3269
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 14:12:15 2015 +0000

      default-configs/aarch64-linux-user.mak: Remove unused define

      The uses of the CONFIG_GDBSTUB_XML define were removed in commit
      b77abd95a9484c, but the define in aarch64-linux-user.mak somehow
      escaped the cull (the patchset probably crossed in the mail with
      the patches adding aarch64 support). Remove the stray define.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Message-id: 1447690178-4560-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 5b4a047fbe8ceb68ad1a78d51f0fadbe2bb12af7
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Nov 24 14:12:15 2015 +0000

      xlnx-ep108: Fix minimum RAM check

      The minimum RAM check logic for the Xiilnx EP108 was off by one,
      which caused a false positive. Correct the logic to only print
      warnings when the RAM is below 0x8000000.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Message-id: 
fba8112ca7b01efd72553332b8045ecf107b7662.1448021100.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f93c3a8d0c0c1038dbe1e957eb8ab92671137975
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Nov 19 19:15:35 2015 +0000

      target-mips: flush QEMU TLB when disabling 64-bit addressing

      CP0.Status.KX/SX/UX bits are responsible for enabling access to 64-bit
      Kernel/Supervisor/User Segments. If bit is cleared an access to
      corresponding segment should generate Address Error Exception.

      However, the guest may still be able to access some pages belonging to
      the disabled 64-bit segment because we forget to flush QEMU TLB.

      This patch fixes it.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 7871abb94c2f4adc39f2487f6edf5e69ba872a65
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Tue Nov 17 17:13:54 2015 +0000

      target-mips: Fix exceptions while UX=0

      Commit 01f728857941 ("target-mips: Status.UX/SX/KX enable 32-bit address
      wrapping") added a new hflag MIPS_HFLAG_AWRAP, which indicates that
      64-bit addressing is disallowed in the current mode, so hflag users
      don't need to worry about the complexities of working that out, for
      example checking both MIPS_HFLAG_KSU and MIPS_HFLAG_UX.

      However when exceptions are taken outside of exception level,
      mips_cpu_do_interrupt() manipulates the env->hflags directly rather than
      using compute_hflags() to update them, and this code wasn't updated
      accordingly. As a result, when UX is cleared, MIPS_HFLAG_AWRAP is set,
      but it doesn't get cleared on entry back into kernel mode due to an
      exception. Kernel mode then cannot access the 64-bit segments resulting
      in a nested exception loop. The same applies to errors and debug
      exceptions.

      Fix by updating mips_cpu_do_interrupt() to clear the MIPS_HFLAG_WRAP
      flag when necessary, according to compute_hflags().

      Fixes: 01f728857941 ("target-mips: Status.UX/SX/KX enable 32-bit...")
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 229c0372cf3ca201c41d2bb121627e6752e776ad
  Merge: 5522a84 466138d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 10:27:19 2015 +0000

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Tue 24 Nov 2015 08:04:07 GMT using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        virtio-blk: Move resetting of req->mr_next to virtio_blk_handle_rw_error
        parallels: dirty BAT properly for continuous allocations

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 466138dc689b6b14f31d5d20316affb4b4efd177
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 23 08:41:20 2015 +0800

      virtio-blk: Move resetting of req->mr_next to virtio_blk_handle_rw_error

      "werror=report" would free the req in virtio_blk_handle_rw_error, we
      mustn't write to it in that case.

      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1448239280-15025-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c9f6856ded10602147ca1d1806e7afb545430fd9
  Author: Vladimir Sementsov-Ogievskiy <vsementsov@xxxxxxxxxxxxx>
  Date:   Tue Nov 17 20:02:58 2015 +0300

      parallels: dirty BAT properly for continuous allocations

      This patch marks part of the BAT dirty properly. There is a possibility 
that
      multy-block allocation could have one block allocated on one BAT page and
      next block on the next page. The code without the patch could not save
      updated position to the file.

      Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1447779778-26062-1-git-send-email-den@xxxxxxxxxx
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5522a841cab5f15ac0f8d207b320c21755a7a1a5
  Merge: 68c6128 a3567ba
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 23 16:07:49 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA fix for -rc2

      # gpg: Signature made Mon 23 Nov 2015 12:45:34 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/numa-pull-request:
        hostmem: Ignore ENOSYS while setting MPOL_DEFAULT

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 68c61282fe8a02aa3bddfa7a9c2b7ad7e6177f69
  Merge: 541abd1 644da9b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 23 13:54:41 2015 +0000

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20151123' into 
staging

      Last minute fix.

      # gpg: Signature made Mon 23 Nov 2015 12:17:26 GMT using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20151123:
        tcg: Fix highwater check

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3567ba1e6171ef7cfad55ae549c0cd8bffb1195
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Tue Oct 27 15:51:31 2015 +0300

      hostmem: Ignore ENOSYS while setting MPOL_DEFAULT

      Currently hostmem backend fails if CONFIG_NUMA is enabled in QEMU
      (the default) but NUMA is not supported by the kernel. This makes
      it impossible to use ivshmem in such configurations.

      This patch fixes the problem by ignoring ENOSYS error if policy is set to
      MPOL_DEFAULT. This way the code behaves in the same way as if CONFIG_NUMA
      was not defined. qemu will still fail if the user specifies some other
      policy, so that the user knows it.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 644da9b39e477caa80bab69d2847dfcb468f0d33
  Author: John Clarke <johnc@xxxxxxxxxxx>
  Date:   Thu Nov 19 10:30:50 2015 +0100

      tcg: Fix highwater check

      A simple typo in the variable to use when comparing vs the highwater mark.
      Reports are that qemu can in fact segfault occasionally due to this 
mistake.

      Signed-off-by: John Clarke <johnc@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 541abd10a01da56c5f16582cd32d67114ec22a5c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 20 17:43:46 2015 +0000

      Update version for v2.5.0-rc1 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f348daf3d5d2e349519764cd0c3ec3aaca113732
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Nov 20 15:29:02 2015 +0100

      tests: fix cdrom_pio_impl in ide-test

      The check for the cleared BSY flag has to be performed
      before each data transfer and not just before the
      first one.

      Commit 5f81724d revealed this glitch as the BSY flag
      was not set in ATAPI PIO transfers before.

      While at it fix the descriptions and add a comment before
      the nested for loop that transfers the data.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1448029742-19771-1-git-send-email-pl@xxxxxxx
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 28c3e6ee72a34d3c2c44ef508b599fa460b273bb
  Merge: 348c327 9f4aa7c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 19 17:54:46 2015 +0000

      Merge remote-tracking branch 
'remotes/afaerber/tags/qom-devices-for-peter' into staging

      QOM infrastructure fixes and device conversions

      * Fix for properties on objects > 4 GiB
      * Performance improvements for QOM property handling
      * Assertion cleanups
      * MAINTAINERS additions

      # gpg: Signature made Thu 19 Nov 2015 14:32:16 GMT using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-devices-for-peter:
        MAINTAINERS: Add check-qom-{interface,proplist} to QOM
        qom: Clean up assertions to display values on failure
        qom: Replace object property list with GHashTable
        qom: Add a test case for complex property finalization
        net: Convert net filter code to use object property iterators
        ppc: Convert spapr code to use object property iterators
        vl: Convert machine help code to use object property iterators
        qmp: Convert QMP code to use object property iterators
        qom: Introduce ObjectPropertyIterator struct for iteration
        qdev: Change Property::offset field to ptrdiff_t type

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 348c32709fdbeb475dd072af49523cfdd75873f1
  Merge: c601a24 1c7ba94
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 19 16:26:08 2015 +0000

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      vhost, pc: fixes for 2.5

      Fixes all over the place.

      This also re-enables a test we disabled in 2.5 cycle
      now that there's a way not to get a warning from it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 19 Nov 2015 13:27:43 GMT using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        exec: silence hugetlbfs warning under qtest
        tests: re-enable vhost-user-test
        acpi: fix buffer overrun on migration
        vhost-user: fix log size
        vhost-user: ignore qemu-only features
        specs/vhost-user: fix spec to match reality
        tests/vhost-user-bridge: implement logging of dirty pages
        i440fx: print an error message if user tries to enable iommu
        q35: Check propery to determine if iommu is set
        vhost-user: start/stop all rings
        vhost-user: print original request on error
        vhost-user-test: support VHOST_USER_SET_VRING_ENABLE
        vhost-user: update spec description
        vhost: don't send RESET_OWNER at stop
        vhost: let SET_VRING_ENABLE message depends on protocol feature

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c601a244a49f4e0be2539cbc5ffd288727cd4e89
  Merge: 80fda8f ce8a1b5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 19 15:56:50 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151119' into staging

      target-arm queue:
       * add missing condexec updates when emulating architectural breakpoints
         and coprocessor access checks in Thumb translation (could in theory
         cause problems when these happened inside a Thumb IT block and an
         exception was taken)
       * arm_gic: correctly restore nested IRQ priority

      # gpg: Signature made Thu 19 Nov 2015 13:29:37 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151119:
        target-arm: Update condexec before arch BP check in AA32 translation
        target-arm: Update condexec before CP access check in AA32 translation
        hw/arm_gic: Correctly restore nested irq priority

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 80fda8f609457736ab43f0cb8027abb0e28a67f8
  Merge: 8f28030 79b3c12
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 19 15:05:06 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151119' into staging

      migration/next for 20151119

      # gpg: Signature made Thu 19 Nov 2015 11:17:07 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151119:
        migration: normalize locking in migration/savevm.c
        migration: implement bdrv_all_find_vmstate_bs helper
        migration: reorder processing in hmp_savevm
        snapshot: create bdrv_all_create_snapshot helper
        migration: drop find_vmstate_bs check in hmp_delvm
        snapshot: create bdrv_all_find_snapshot helper
        migration: factor our snapshottability check in load_vmstate
        snapshot: create bdrv_all_goto_snapshot helper
        snapshot: create bdrv_all_delete_snapshot helper
        snapshot: return error code from bdrv_snapshot_delete_by_id_or_name
        snapshot: create helper to test that block drivers supports snapshots
        Unneeded NULL check
        migration: Dead assignment of current_time
        Set last_sent_block

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9f4aa7cef2214137db192b252f1d4fc1799d05c7
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Wed Nov 18 19:03:29 2015 +0100

      MAINTAINERS: Add check-qom-{interface,proplist} to QOM

      Add the QOM unit tests to the QOM maintenance area so that maintainers
      get CC'ed on changes and to document QOM test coverage.

      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 8438a13543a281e3e61542cc0763bf1b05169016
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Mon Nov 16 17:49:20 2015 +0100

      qom: Clean up assertions to display values on failure

      Instead of using g_assert() for integer comparisons, use
      g_assert_cmpint() so that we can see the respective values.

      While at it, fix one stray indentation.

      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b604a854e843505007c59d68112c654556102a20
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Tue Oct 13 13:37:45 2015 +0100

      qom: Replace object property list with GHashTable

      ARM GICv3 systems with large number of CPUs create lots of IRQ pins. Since
      every pin is represented as a property, number of these properties becomes
      very large. Every property add first makes sure there's no duplicates.
      Traversing the list becomes very slow, therefore QEMU initialization takes
      significant time (several seconds for e. g. 16 CPUs).

      This patch replaces list with GHashTable, making lookup very fast. The 
only
      drawback is that object_child_foreach() and 
object_child_foreach_recursive()
      cannot add or remove properties during traversal, since GHashTableIter 
does
      not have modify-safe version. However, the code seems not to modify 
objects
      via these functions.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      [AF: Fixed object_property_del_{all,child}() issues;
           g_hash_table_contains() -> g_hash_table_lookup(), suggested by 
Daniel]
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 1c7ba94a184df1eddd589d5400d879568d3e5d08
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Nov 18 10:02:58 2015 +0100

      exec: silence hugetlbfs warning under qtest

      vhost-user-test prints a warning. A test should not need to run on
      hugetlbfs, let's silence the warning under qtest. The
      condition can't check on qtest_enabled() since vhost-user-test actually
      doesn't use qtest accel. However, qtest_driver() can be used, if
      qtest_init() is called early enough. For that reason, move chardev and
      qtest initialization early.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 421f4448cec3e42f8477499c5c584699e2cf656b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Oct 26 15:32:00 2015 +0100

      tests: re-enable vhost-user-test

      Commit 7fe34ca9c2e actually disabled vhost-user-test altogether,
      since CONFIG_VHOST_NET is a per-target config variable.

      tests/vhost-user-test is already x86/x64 softmmu specific test, in order
      to enable it correctly, kvm & vhost-net are also conditions. To check
      that, set CONFIG_VHOST_NET_TEST_$target when kvm is also enabled.

      Since "check-qtest-x86_64-y = $(check-qtest-i386-y)", avoid duplication
      when both x86 & x64 are enabled.

      Other targets than x86 aren't enabled yet, and is intentionally left as
      a future improvement, since I can't easily test those.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d9a3b33d2c9f996537b7f1d0246dee2d0120cefb
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Nov 19 15:14:07 2015 +0200

      acpi: fix buffer overrun on migration

      ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
      ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
      ICH9_PMIO_GPE0_LEN bytes are migrated.

      As a quick work-around, allocate twice the memory.
      We'll probably want to tweak code to avoid
      migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
      but that is a bit trickier to do without breaking
      migration compatibility.

      Tested-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      Reported-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ce8a1b5449cd8c4c2831abb581d3208c3a3745a0
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Nov 17 16:38:47 2015 +0300

      target-arm: Update condexec before arch BP check in AA32 translation

      Architectural breakpoint check could raise an exceptions, thus condexec
      bits should be updated before calling gen_helper_check_breakpoints().

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1447767527-21268-3-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 43bfa4a100687af8d293fef0a197839b51400fca
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Nov 17 16:38:46 2015 +0300

      target-arm: Update condexec before CP access check in AA32 translation

      Coprocessor access instructions are allowed inside IT block.
      gen_helper_access_check_cp_reg() can raise an exceptions thus condexec
      bits should be updated before.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1447767527-21268-2-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a859595791e6ac5c14afe0b8a53634bf1cc21f0f
  Author: François Baldassari <francois@xxxxxxxxxx>
  Date:   Thu Nov 19 12:09:52 2015 +0000

      hw/arm_gic: Correctly restore nested irq priority


      Upon activating an interrupt, set the corresponding priority bit in the
      APR/NSAPR registers without touching the currently set bits. In the event
      of nested interrupts, the GIC will then have the information it needs to
      restore the priority of the pre-empted interrupt once the higher priority
      interrupt finishes execution.

      Signed-off-by: François Baldassari <francois@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 79b3c12ac5714e036a16d1a163a3517d74504f87
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:11 2015 +0300

      migration: normalize locking in migration/savevm.c

      basically all bdrv_* operations must be called under aio_context_acquire
      except ones with bdrv_all prefix.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7cb14481498e7acd969a76b53be0535cd90f7d53
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:10 2015 +0300

      migration: implement bdrv_all_find_vmstate_bs helper

      The patch also ensures proper locking for the operation.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 0b46160521ab72744da94988583a45d4d45e2986
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:09 2015 +0300

      migration: reorder processing in hmp_savevm

      State deletion can be performed on running VM which reduces VM downtime
      This approach looks a bit more natural.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a9085f9b5583ba7a02b412ba08f929555112c244
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:08 2015 +0300

      snapshot: create bdrv_all_create_snapshot helper

      to create snapshot for all loaded block drivers.

      The patch also ensures proper locking.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c6258b04f19bc690b576b089f621cb5333c533d7
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:07 2015 +0300

      migration: drop find_vmstate_bs check in hmp_delvm

      There is no much sense to do the check and write warning.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 723ccda1a0eecece8e70dbcdd35a603f6c41a475
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:06 2015 +0300

      snapshot: create bdrv_all_find_snapshot helper

      to check that snapshot is available for all loaded block drivers.
      The check bs != bs1 in hmp_info_snapshots is an optimization. The check
      for availability of this snapshot will return always true as the list
      of snapshots was collected from that image.

      The patch also ensures proper locking.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 849f96e2f71b52444516a0880fd9d12691b63d20
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:05 2015 +0300

      migration: factor our snapshottability check in load_vmstate

      We should check that all inserted and not read-only images support
      snapshotting. This could be made using already invented helper
      bdrv_all_can_snapshot().

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4c1cdbaad07d067f3d156687d79014ab44387e2c
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:04 2015 +0300

      snapshot: create bdrv_all_goto_snapshot helper

      to switch to snapshot on all loaded block drivers.

      The patch also ensures proper locking.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 9b00ea376d42e543feb12d7ce5435366d01aab1b
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:03 2015 +0300

      snapshot: create bdrv_all_delete_snapshot helper

      to delete snapshots from all loaded block drivers.

      The patch also ensures proper locking.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 25af925fffc29f2e4c05aee10c61c823c4cdf398
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:02 2015 +0300

      snapshot: return error code from bdrv_snapshot_delete_by_id_or_name

      this will make code better in the next patch

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e9ff957ac26e0e11869a3568cfa7423ae33c51e7
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:01 2015 +0300

      snapshot: create helper to test that block drivers supports snapshots

      The patch enforces proper locking for this operation.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 5df5416e639cd75bd85d243af41387c2418fa580
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 18 11:48:41 2015 +0000

      Unneeded NULL check

      The check is unneccesary, we read the value at the start of the
      thread, use it, and never change it.  The value is checked to be
      non-NULL before thread creation.

      Spotted by coverity, CID 1339211

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 95a7788b2faa81ff95675f1e46a3272a612b35de
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 18 11:48:40 2015 +0000

      migration: Dead assignment of current_time

      I set current_time before the postcopy test but never use it;
      (I think this was from the original version where it was time based).
      Spotted by coverity, CID 1339208

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 84e7b80a05c0c44b90533c6cd2f1db5c932ccf77
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 18 11:48:39 2015 +0000

      Set last_sent_block

      In a82d593b61054b3dea43 I accidentally removed the setting of
      last_sent_block,  put it back.

      Symptoms:
        Multithreaded compression only uses one thread.
        Migration is a bit less efficient since it won't use 'cont' flags.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Fixes: a82d593b61054b3dea43
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8c4d156c187c84b574d287bd4b9ddf9a6975de7c
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Nov 16 15:37:34 2015 +0000

      qom: Add a test case for complex property finalization

      Devices have some quite complex object child/link relationships
      which place some requirements on the object_property_del_all()
      function to consider that properties can be modified while
      being iterated over.

      This extends the QOM property test case to replicate the
      device like structure and expose any potential bugs in the
      object_property_del_all() function.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 456fb0bfe0b27c54d316be7fe3b362247f732656
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:44 2015 +0100

      net: Convert net filter code to use object property iterators

      Stop directly accessing the Object::properties field data
      structure and instead use the formal object property iterator
      APIs. This insulates the code from future data structure
      changes in the Object struct.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 9a842f7d3ce421b39c7edbfe2c47efeac5db6c28
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:43 2015 +0100

      ppc: Convert spapr code to use object property iterators

      Stop directly accessing the Object::properties field data
      structure and instead use the formal object property iterator
      APIs. This insulates the code from future data structure
      changes in the Object struct.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 2465bc564d39d9b62fa21b3e84313be3b32dbc16
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:42 2015 +0100

      vl: Convert machine help code to use object property iterators

      Stop directly accessing the Object::properties field data
      structure and instead use the formal object property iterator
      APIs. This insulates the code from future data structure
      changes in the Object struct.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 1b30c094dcb69273b7661897c067906f81e5b967
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:41 2015 +0100

      qmp: Convert QMP code to use object property iterators

      Stop directly accessing the Object::properties field data
      structure and instead use the formal object property iterator
      APIs. This insulates the code from future data structure
      changes in the Object struct.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit a00c94824126901168bca5b89147f9e334a49e87
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:40 2015 +0100

      qom: Introduce ObjectPropertyIterator struct for iteration

      Some users of QOM need to be able to iterate over properties
      defined against an object instance. Currently they are just
      directly using the QTAIL macros against the object properties
      data structure.

      This is bad because it exposes them to changes in the data
      structure used to store properties, as well as changes in
      functionality such as ability to register properties against
      the class.

      This provides an ObjectPropertyIterator struct which will
      insulate the callers from the particular data structure
      used to store properties. It can be used thus

        ObjectProperty *prop;
        ObjectPropertyIterator *iter;

        iter = object_property_iter_init(obj);
        while ((prop = object_property_iter_next(iter))) {
            ... do something with prop ...
        }
        object_property_iter_free(iter);

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      [AF: Fixed examples, style cleanups]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 3b6ca4022d150ad273d4cd9556c2f4873389f965
  Author: Ildar Isaev <ild@xxxxxxxx>
  Date:   Wed Mar 4 17:09:46 2015 +0300

      qdev: Change Property::offset field to ptrdiff_t type

      Property::offset field is calculated as a diff between two pointers:

        arrayprop->prop.offset = eltptr - (void *)dev;

      If offset is declared as int, this subtraction can cause type overflow,
      thus leading to failure of the subsequent assertion:

        assert(qdev_get_prop_ptr(dev, &arrayprop->prop) == eltptr);

      So ptrdiff_t should be used instead.

      Signed-off-by: Ildar Isaev <ild@xxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 8f280309030331a912fd8924c129d8bd59e1bdc7
  Merge: 7199c89 ca4fa82
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 18 17:07:24 2015 +0000

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Wed 18 Nov 2015 15:28:32 GMT using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        block: Call external_snapshot_clean after blockdev-snapshot
        blockdev: Add missing bdrv_unref() in drive-backup
        iotests: fix race in 030
        nand: fix address overflow

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 48854f57ce3e6aa4bd13368559e5c292e1c44e49
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Nov 18 16:13:54 2015 +0200

      vhost-user: fix log size

      commit 2b8819c6eee517c1582983773f8555bb3f9ed645
      ("vhost-user: modify SET_LOG_BASE to pass mmap size and offset")
      passes log size in units of 4 byte chunks instead of the
      expected size in bytes.

      Fix this up.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 72018d1e1917a56d05e24aedc9f582b7c8385e19
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Nov 17 16:55:17 2015 +0200

      vhost-user: ignore qemu-only features

      Some features (such as ctrl vq) are supported
      by qemu without need to communicate with the
      backend.

      Drop them from the feature mask so we set them
      unconditionally.

      Reported-by: Victor Kaplansky <vkaplans@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7199c89d8c6bbd0eda2cadb0d3fc7149934202bf
  Merge: ab9b872 08cb175
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 18 16:27:15 2015 +0000

      Merge remote-tracking branch 
'remotes/berrange/tags/qcrypto-fixes-20151118-1' into staging

      Pull qcrypto fixes 2015/11/18 v1

      # gpg: Signature made Wed 18 Nov 2015 15:44:07 GMT using RSA key ID 
15104FDF
      # gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>"
      # gpg:                 aka "Daniel P. Berrange <berrange@xxxxxxxxxx>"

      * remotes/berrange/tags/qcrypto-fixes-20151118-1:
        crypto: avoid passing NULL to access() syscall
        crypto: fix leaks in TLS x509 helper functions
        crypto: fix mistaken setting of Error in success code path
        crypto: fix leak of gnutls_dh_params_t data on credential unload

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 08cb175a24d642a40e41db2fef2892b0a1ab504e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 18 15:42:26 2015 +0000

      crypto: avoid passing NULL to access() syscall

      The qcrypto_tls_creds_x509_sanity_check() checks whether
      certs exist by calling access(). It is valid for this
      method to be invoked with certfile==NULL though, since
      for client credentials the cert is optional. This caused
      it to call access(NULL), which happens to be harmless on
      current Linux, but should none the less be avoided.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit ca4fa82fe66076284f702adcfe7c319ebbf909ec
  Merge: 0702d3d 4ad6f3d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Nov 18 16:27:44 2015 +0100

      Merge remote-tracking branch 
'mreitz/tags/pull-block-for-kevin-2015-11-18' into queue-block

      One block patch for qemu 2.5-rc1.

      # gpg: Signature made Wed Nov 18 16:26:59 2015 CET using RSA key ID 
E838ACAD
      # gpg: Good signature from "Max Reitz <mreitz@xxxxxxxxxx>"

      * mreitz/tags/pull-block-for-kevin-2015-11-18:
        block: Call external_snapshot_clean after blockdev-snapshot

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4ad6f3db7db154d5274274bd0079d6318367ab16
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Nov 13 15:00:24 2015 +0200

      block: Call external_snapshot_clean after blockdev-snapshot

      Otherwise the AioContext will never be released.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1447419624-21918-1-git-send-email-berto@xxxxxxxxxx
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 0702d3d88c2059814212b83f01e14ff3bb7b0c66
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Nov 9 23:39:10 2015 +0100

      blockdev: Add missing bdrv_unref() in drive-backup

      All error paths after a successful bdrv_open() of target_bs should
      contain a bdrv_unref(target_bs). This one did not yet, so add it.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7b35030eedc26eff82210caa2b0fff2f9d0df453
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 18 14:44:31 2015 +0000

      crypto: fix leaks in TLS x509 helper functions

      The test_tls_get_ipaddr() method forgot to free the returned data
      from getaddrinfo().

      The test_tls_write_cert_chain() method forgot to free the allocated
      buffer holding the certificate data after writing it out to a file.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 6ef8cd7a4142049707b70b8278aaa9d8ee2bc5f5
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 18 14:42:40 2015 +0000

      crypto: fix mistaken setting of Error in success code path

      The qcrypto_tls_session_check_certificate() method was setting
      an Error even when the ACL check suceeded. This didn't affect
      the callers detection of errors because they relied on the
      function return status, but this did cause a memory leak since
      the caller would not free an Error they did not expect to be
      set.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 61b9251a3aaa65e65c4aab3a6800e884bb3b82f9
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 18 14:41:35 2015 +0000

      crypto: fix leak of gnutls_dh_params_t data on credential unload

      The QCryptoTLSCredsX509 object was not free'ing the allocated
      gnutls_dh_params_t data when unloading the credentials

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 01809194a06d8e6c51c3e69600f14355225f4855
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Nov 11 15:27:36 2015 -0500

      iotests: fix race in 030

      the stop_test case tests that we can resume a block-stream
      command after it has stopped/paused due to error. We cannot
      always reliably query it before it finishes after resume, though,
      so make this a conditional.

      The important thing is that we are still testing that it has stopped,
      and that it finishes successfully after we send a resume command.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a184e74f24f83935c8fc7cd76c06ad0717f89fdb
  Author: Rabin Vincent <rabin.vincent@xxxxxxxx>
  Date:   Tue Nov 10 14:25:47 2015 +0100

      nand: fix address overflow

      The shifts of the address mask and value shift beyond 32 bits when there
      are 5 address cycles.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Rabin Vincent <rabin.vincent@xxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ab9b872ab3147faf3c04e91d525815b9139dd996
  Merge: 6b79f25 ab59e3e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 18 12:47:29 2015 +0000

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-11-13-v2-tag' into staging

      qemu-ga patch queue for 2.5

      * fixes for guest-exec gspawn() usage:
        - inherit default lookup path by default instead of
          explicitly defining it as being empty.
        - don't inherit default PATH when PATH/ENV are explicit

      v2:

      * added fix for w32 'make install' target
      * added version check for new g_spawn() flag

      # gpg: Signature made Tue 17 Nov 2015 22:33:03 GMT using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-11-13-v2-tag:
        makefile: fix w32 install target for qemu-ga
        qga: allow to lookup in PATH from the passed envp for guest-exec
        qga: fix for default env processing for guest-exec

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6b79f253a37708f21e8d1cd2831b8d8c03f58989
  Merge: 55db5ee d66a8fa
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 18 12:16:14 2015 +0000

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Tue 17 Nov 2015 20:06:58 GMT using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        ide: enable buffered requests for PIO read requests
        ide: enable buffered requests for ATAPI devices
        ide: orphan all buffered requests on DMA cancel
        ide: add support for IDEBufferedRequest
        block: add blk_abort_aio_request
        ide/atapi: make PIO read requests async

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ab59e3ecb2c12fafa89f7bedca7d329a078f3870
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Sun Nov 15 09:46:06 2015 -0600

      makefile: fix w32 install target for qemu-ga

      fafcaf1 added a 'qemu-ga' install target on w32, which can be used
      in place of the existing qemu-ga.exe target to also handle dealing
      with other components such as DLLs for VSS/fsfreeze and generating
      an MSI package if appropriate configure options are present.

      As part of that, qemu-ga$(EXESUF) was removed from $TOOLS in favor
      of this new qemu-ga target.

      The install rule however relies on a direct mapping of the $TOOLS
      entry to the actual resulting binary. In the case of w32, qemu-ga
      is not identical to qemu-ga$(EXESUF), and the install recipe fails
      to find the 'qemu-ga' binary.

      Fix this by essentially remapping 'qemu-ga' back to 'qemu-ga.exe'
      in the install recipe.

      This raises the question of whether or not qemu-ga should continue
      to live in TOOLS as opposed to its own special target, but as a
      late fix for a regression in 2.5 this commit should be safer, since
      we rely on qemu-ga's presence in $TOOLS in several places throughout
      Makefile.

      Reported-by: Stefan Weil <sw@xxxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 0be40839519215988e207b86bc1638de53567588
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Thu Nov 12 16:36:21 2015 +0300

      qga: allow to lookup in PATH from the passed envp for guest-exec

      This was original behaviour before GLIB gspawn() rework and we rely on
      this behaviour.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * add version check (2.33.2) for G_SPAWN_SEARCH_PATH_FROM_ENVP
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 02a4d82e8c19267ad06b08389b5e914ba668450e
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Thu Nov 12 16:36:20 2015 +0300

      qga: fix for default env processing for guest-exec

      envp == NULL must be passed inside gspawn() if it was not passed with
      the command line. Original code inherits environment from the QGA,
      which is wrong.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 55db5eeeb7aa3328515817dc4e45728580e517a0
  Merge: c27e901 33b5e8c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 17 22:00:45 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 fixes, 2015-11-17

      Two X86 fixes, hopefully in time for -rc1.

      # gpg: Signature made Tue 17 Nov 2015 19:06:53 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Disable rdtscp on Opteron_G* CPU models
        target-i386: Fix mulx for identical target regs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d66a8fa83b00b3b3d631a0e28cdce8c9b5698822
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:39 2015 -0500

      ide: enable buffered requests for PIO read requests

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-7-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 02506b20b6609ed4ecb09de9900ba9f1dd20b205
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:33 2015 -0500

      ide: enable buffered requests for ATAPI devices

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-6-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 7cda62087c0baf064486f3d803184c2c3b35c04a
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:29 2015 -0500

      ide: orphan all buffered requests on DMA cancel

      If the guests canceles a DMA request we can prematurely
      invoke all callbacks of buffered requests and flag all them
      as orphaned. Ideally this avoids the need for draining all
      requests. For CDROM devices this works in 100% of all cases.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-5-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 1d8c11d631545ee43aff16b0763aff7181b61f20
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:25 2015 -0500

      ide: add support for IDEBufferedRequest

      this patch adds a new aio readv compatible function which copies
      all data through a bounce buffer. These buffered requests can be
      flagged as orphaned which means that their original callback has
      already been invoked and the request has just not been completed
      by the backend storage. The bounce buffer guarantees that guest
      memory corruption is avoided when such a orphaned request is
      completed by the backend at a later stage.

      This trick only works for read requests as a write request completed
      at a later stage might corrupt data as there is no way to control
      if and what data has already been written to the storage.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-4-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit ca78ecfa72f311cd647b12a41d93e1ce54f18e66
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:21 2015 -0500

      block: add blk_abort_aio_request

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-3-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 5f81724d80a1492c73d329242663962139db739b
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 14:59:52 2015 -0500

      ide/atapi: make PIO read requests async

      PIO read requests on the ATAPI interface used to be sync blk requests.
      This has two significant drawbacks. First the main loop hangs util an
      I/O request is completed and secondly if the I/O request does not
      complete (e.g. due to an unresponsive storage) Qemu hangs completely.

      Note: Due to possible race conditions requests during an ongoing
      elementary transfer are still sync.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447345846-15624-2-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 33b5e8c03ae7a62d320d3c5c1104fe297d5c300d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Nov 13 17:07:13 2015 -0200

      target-i386: Disable rdtscp on Opteron_G* CPU models

      KVM can't virtualize rdtscp on AMD CPUs yet, so there's no point
      in enabling it by default on AMD CPU models, as all we are
      getting are confused users because of the "host doesn't support
      requested feature" warnings.

      Disable rdtscp on Opteron_G* models, but keep compatibility on
      pc-*-2.4 and older (just in case there are people are doing funny
      stuff using AMD CPU models on Intel hosts).

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 9ecac5dad16722ce2a8c3e88d8eeba5794990031
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Nov 17 12:41:47 2015 +0100

      target-i386: Fix mulx for identical target regs

      The Intel specification clearly indicates that the low part
      of the result is written first and the high part of the result
      is written second; thus if ModRM:reg and VEX.vvvv are identical,
      the final result should be the high part of the result.

      At present, TCG may either produce incorrect results or crash
      with --enable-checking.

      Reported-by: Toni Nedialkov <farmdve@xxxxxxxxx>
      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 7ebcfe569211f6ff5402b558b85e2ce1e1066cf6
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Nov 17 13:55:48 2015 +0200

      specs/vhost-user: fix spec to match reality

      We wanted to start/stop rings on VRING_ENABLE, but that is not what QEMU
      does. Rather than tweaking code some more, with risk to stability, let's
      just document it as it is.

      We'll be  able to fix this in the future with a new protocol feature bit.

      Reported-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5c93c47338dbaa8a21a8ccc9d95dc5ade3f7fa19
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Tue Nov 17 12:04:06 2015 +0200

      tests/vhost-user-bridge: implement logging of dirty pages

      During migration devices continue writing to the guest's memory.
      The writes has to be reported to QEMU. This change implements
      minimal support in vhost-user-bridge required for successful
      migration of a guest with virtio-net device.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8d211f622b11ac2877c344f29de284d5a842d9d7
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Fri Nov 13 01:55:48 2015 -0500

      i440fx: print an error message if user tries to enable iommu

      There's no indication of any sort that i440fx doesn't support
      "iommu=on"

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>

  commit 1f8431f42d833e8914f2d16ce4a49b7b72b90db0
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Fri Nov 13 01:55:47 2015 -0500

      q35: Check propery to determine if iommu is set

      The helper function machine_iommu() isn't necesary. We can
      directly check for the property.

      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>

  commit c27e9014d56fa4880e7d741275d887c3a5949997
  Merge: 9be060f 382e173
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 17 12:34:07 2015 +0000

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20151116-1' 
into staging

      vnc: buffer code improvements, bugfixes.

      # gpg: Signature made Mon 16 Nov 2015 17:20:02 GMT using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vnc-20151116-1:
        vnc: fix mismerge
        buffer: allow a buffer to shrink gracefully
        buffer: factor out buffer_adj_size
        buffer: factor out buffer_req_size
        vnc: recycle empty vs->output buffer
        vnc: fix local state init
        vnc: only alloc server surface with clients connected
        vnc: use vnc_{width,height} in vnc_set_area_dirty
        vnc: factor out vnc_update_server_surface
        vnc: add vnc_width+vnc_height helpers
        vnc: zap dead code
        vnc-jobs: move buffer reset, use new buffer move
        vnc: kill jobs queue buffer
        vnc: attach names to buffers
        buffer: add tracing
        buffer: add buffer_shrink
        buffer: add buffer_move
        buffer: add buffer_move_empty
        buffer: add buffer_init
        buffer: make the Buffer capacity increase in powers of two

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9be060f5278dc0d732ebfcf2bf0a293f88b833eb
  Merge: 361cb26 10f5a72
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 17 11:33:38 2015 +0000

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Tue 17 Nov 2015 11:13:05 GMT using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        virtio-blk: Fix double completion for werror=stop
        block: make 'stats-interval' an array of ints instead of a string
        aio-epoll: Fix use-after-free of node
        disas/arm: avoid clang shifting negative signed warning
        tpm: avoid clang shifting negative signed warning
        tests: Ignore recent test binaries
        docs: update bitmaps.md

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 10f5a72f70862d299ddbdf226d6dc71fa4ae34dd
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue Nov 17 18:20:11 2015 +0800

      virtio-blk: Fix double completion for werror=stop

      When a request R is absorbed by request M, it is appended to the
      "mr_next" queue led by M, and is completed together with the completion
      of M, in virtio_blk_rw_complete.

      During DMA restart in virtio_blk_dma_restart_bh, requests in s->rq are
      parsed and submitted again, possibly with a stale req->mr_next. It could
      be a problem if the request merging in virtio_blk_handle_request hasn't
      refreshed every mr_next pointer, in which case, virtio_blk_rw_complete
      could walk through unexpected requests following the stale pointers.

      Fix this by unsetting the pointer in virtio_blk_rw_complete. It is safe
      because this req is either completed and freed right away, or it will be
      restarted and parsed from scratch out of the vq later.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 40119effc5c36dbd0ca19ca85a5897d5b3d37d6d
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 16 11:28:38 2015 +0200

      block: make 'stats-interval' an array of ints instead of a string

      This is the natural JSON representation and prevents us from having to
      decode the list manually.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
0e3da8fa206f4ab534ae3ce6086e75fe84f1557e.1447665472.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0ed39f3df2d3cf7f0fc3468b057f952a3b251ad9
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 16 14:32:14 2015 +0800

      aio-epoll: Fix use-after-free of node

      aio_epoll_update needs the fields in node, so delay the free.

      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447655534-13974-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 02460c3b4287776062715b95c59cd8829015615d
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Nov 10 15:57:35 2015 +0000

      disas/arm: avoid clang shifting negative signed warning

      clang 3.7.0 on x86_64 warns about the following:

        disas/arm.c:1782:17: warning: shifting a negative signed value is 
undefined [-Wshift-negative-value]
          imm |= (-1 << 7);
                  ~~ ^

      Note that this patch preserves the tab indent in this source file
      because the surrounding code still uses tabs.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 886ce6f8b6ede74eb04314ef62d15bcdf5df7ef1
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Nov 10 15:57:34 2015 +0000

      tpm: avoid clang shifting negative signed warning

      clang 3.7.0 on x86_64 warns about the following:

        hw/tpm/tpm_tis.c:1000:36: warning: shifting a negative signed value is 
undefined [-Wshift-negative-value]
                  tis->loc[c].iface_id = TPM_TIS_IFACE_ID_SUPPORTED_FLAGS1_3;
                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        hw/tpm/tpm_tis.c:144:10: note: expanded from macro 
'TPM_TIS_IFACE_ID_SUPPORTED_FLAGS1_3'
           (~0 << 4)/* all of it is don't care */)
            ~~ ^

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a12e52a151ab48fbfe462110a36d2399713271e6
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 12 20:47:03 2015 -0700

      tests: Ignore recent test binaries

      Commits 6c6f312d and bd797fc1 added new tests (test-blockjob-txn
      and test-timed-average, respectively), but did not mark them for
      exclusion in .gitignore.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447386423-13160-1-git-send-email-eblake@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c4c2daa1ae9ed03c6dd78477a9b132edbce9e08c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Nov 10 18:00:17 2015 -0500

      docs: update bitmaps.md

      Include new error handling scenarios for 2.5.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1447196417-26081-1-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 361cb26827ffd5f24af05b0e473ecd82d6a33bde
  Merge: c257779 513e7cd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 17 10:20:25 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-11-17' 
into staging

      QAPI patches

      # gpg: Signature made Tue 17 Nov 2015 08:28:24 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-11-17:
        input: Document why x-input-send-event is still experimental
        qapi: Document introspection stability considerations

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 513e7cdbaeec56c77e4cf26f151d7ee79f3a6be9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 12 11:50:43 2015 -0700

      input: Document why x-input-send-event is still experimental

      The x-input-send-event command was introduced in 2.2 with mention
      that it is experimental, but now that several releases have elapsed
      without any changes, it would be nice to document why that was done
      and should still remain experimental in 2.5.

      Meanwhile, our documentation states that we prefer 'lower-case',
      rather than 'CamelCase', for qapi enum values.  The InputButton and
      InputAxis enums violate this convention.  However, because they are
      currently used primarily for generating code that is used internally;
      and their only exposure through QMP is via the experimental
      'x-input-send-event' command, we are free to change their spelling.
      Of course, it would be nicer to delay such a change until the same
      time we promote the command to non-experimental.  Adding
      documentation will help us remember to do that rename.

      We have plans to tighten the qapi generator to flag instances of
      inconsistent use of naming conventions; if that lands first, it
      will just need to whitelist these exceptions until the time we
      settle on the final interface.

      Fix a typo in the docs for InputAxis while at it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1447354243-31825-1-git-send-email-eblake@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 39a65e2c243978a480e03cab865462d98873fc3c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Nov 11 10:50:02 2015 -0700

      qapi: Document introspection stability considerations

      We are not ready (and might never be ready) to declare
      introspection stable between releases. Clients written to
      control multiple versions of qemu, and desiring to know
      whether a particular member is supported for a given
      command, must be prepared to locate that member in spite
      of qapi changes that may affect the member's location or
      type within the overall object, even though such changes
      did not break QMP wire back-compatibility.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1447264202-19554-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit dc3db6adde329548771ab2addc2ef8376b2b8b32
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Nov 16 18:40:18 2015 +0200

      vhost-user: start/stop all rings

      We are currently only sending VRING_ENABLE message for the first ring,
      that's wrong: we must start/stop them all.

      Reported-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5421f318ecc82294ad089fd54924df787b67c971
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Nov 16 13:55:53 2015 +0200

      vhost-user: print original request on error

      When we get an unexpected response, print out
      the original request.
      Helps debug protocol errors tremendously.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 87656d50181e1be475303c1b88be6df0963c5bfd
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Nov 16 13:33:36 2015 +0200

      vhost-user-test: support VHOST_USER_SET_VRING_ENABLE

      vhost-user-test is broken now: it assumes
      QEMU sends RESET_OWNER, and we stopped doing that.
      Wait for ENABLE_RING with 0 instead.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c257779e2a586043a1480bb7e96fb6bcd0129634
  Merge: bc7c6c1 ba060c5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 16 12:09:47 2015 +0000

      Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20151116' 
into staging

      seccomp branch queue

      # gpg: Signature made Mon 16 Nov 2015 08:50:28 GMT using RSA key ID 
12F8BD2F
      # gpg: Good signature from "Eduardo Otubo (Software Engineer @ 
ProfitBricks) <eduardo.otubo@xxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 1C96 46B6 E1D1 C38A F2EC  3FDE FD0C FF5B 12F8 
BD2F

      * remotes/otubo/tags/pull-seccomp-20151116:
        seccomp: loosen library version dependency
        configure: arm/aarch64: allow enable-seccomp
        seccomp: add cacheflush to whitelist

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a586e65bbd017ab55fe4149dd1bcba5c3a72bcd1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Sun Nov 15 21:25:11 2015 +0200

      vhost-user: update spec description

      Clarify logging setup to make sure all clients comply in a way that is
      future-proof.  Document how rings are started/stopped.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Victor Kaplansky <victork@xxxxxxxxxx>

  commit bc7c6c1fec2e9aa1ff6f2e018ed641db1429315c
  Merge: 8337c6c 917158d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 16 10:14:33 2015 +0000

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri 13 Nov 2015 20:16:21 GMT using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        qtest/ahci: use raw format when qemu-img is absent
        libqos: add qemu-img presence check
        qtest/ahci: always specify image format
        ahci/qtest: don't use tcp sockets for migration tests
        atapi: Prioritize unknown cmd error over BCL error
        atapi: add byte_count_limit helper

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 12b8cbac3c8243b3dd485aaebb82547aefa06adb
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Fri Nov 13 15:24:10 2015 +0800

      vhost: don't send RESET_OWNER at stop

      First of all, RESET_OWNER message is sent incorrectly, as it's sent
      before GET_VRING_BASE. And the reset message would let the later call
      get nothing correct.

      And, sending SET_VRING_ENABLE at stop, which has already been done,
      makes more sense than RESET_OWNER.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 923e2d98ede7404882656aeb4364c3964a95db3d
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Fri Nov 13 15:24:09 2015 +0800

      vhost: let SET_VRING_ENABLE message depends on protocol feature

      But not depend on PROTOCOL_F_MQ feature bit. So that we could use
      SET_VRING_ENABLE to sign the backend on stop, even if MQ is disabled.

      That's reasonable, since we will have one queue pair at least.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ba060c53d585d186ff0ac6b181f4b2a867acc210
  Author: dann frazier <dann.frazier@xxxxxxxxxxxxx>
  Date:   Fri Oct 23 15:34:22 2015 -0600

      seccomp: loosen library version dependency

      Drop the libseccomp required version back to 2.1.0, restoring the ability
      to build w/ --enable-seccomp on Ubuntu 14.04.

      Commit 4cc47f8b3cc4f32586ba2f7fce1dc267da774a69 tightened the dependency
      on libseccomp from version 2.1.0 to 2.1.1. This broke building on Ubuntu
      14.04, the current Ubuntu LTS release. The commit message didn't mention
      any specific functional need for 2.1.1, just that it was the most recent
      stable version at the time. I reviewed the changes between 2.1.0 and 
2.1.1,
      but it looks like that update just contained minor fixes and cleanups - no
      obvious (to me) new interfaces or critical bug fixes.

      Signed-off-by: dann frazier <dann.frazier@xxxxxxxxxxxxx>
      Acked-by: Eduardo Otubo <eduardo.otubo@xxxxxxxxxxxxxxxx>

  commit 693e59105d2ce4d6f4c96a2373fec06a24d0e6be
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Wed Sep 30 11:59:18 2015 -0400

      configure: arm/aarch64: allow enable-seccomp

      This is a revert of ae6e8ef11e6cb, but with a bit of refactoring,
      and also specifically adding arm/aarch64, rather than all
      architectures. Currently, libseccomp code appears to also support
      mips, ppc, and s390. We could therefore allow qemu to enable
      seccomp for those platforms as well, with additional configure
      patches, given they're tested and proven to work.

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Acked-by: Eduardo Otubo <eduardo.otubo@xxxxxxxxxxxxxxxx>

  commit 47d2067af3424c1a9b1b215dfc6b0c55ac4b3ee7
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Mon Nov 2 23:53:26 2015 +0100

      seccomp: add cacheflush to whitelist

      cacheflush is an arm-specific syscall that qemu built for arm
      uses. Add it to the whitelist, but only if we're linking with
      a recent enough libseccomp.

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>

  commit 917158dc3b22924922dc1f3b9d4049a4fc83d926
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:43 2015 -0500

      qtest/ahci: use raw format when qemu-img is absent

      If we don't have the qemu-img tool, use the raw format
      for tests and skip the high-sector LBA48 tests.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447439479-16775-4-git-send-email-jsnow@xxxxxxxxxx

  commit cb11e7b2f3878575f23d49454c02d8dce35c8d35
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      libqos: add qemu-img presence check

      To allow tests to optionally exercise additional tests
      that require the qemu-img tool that may not be present
      in all builds.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447439479-16775-3-git-send-email-jsnow@xxxxxxxxxx

  commit b236b61056ff0a6b69aa2a92cf5bb10a81450753
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      qtest/ahci: always specify image format

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447439479-16775-2-git-send-email-jsnow@xxxxxxxxxx

  commit 6d9e7295c5ff6fdd2d7989639b836c6fdc01ac61
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      ahci/qtest: don't use tcp sockets for migration tests

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447108074-20609-1-git-send-email-jsnow@xxxxxxxxxx

  commit f36aa12d2f2d5b5a877e38641183259e119e1568
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      atapi: Prioritize unknown cmd error over BCL error

      If we don't know about the command at all, we need to prioritize
      that failure above the zero byte-count-limit failure.

      This fixes a failure in the sparc64 NetBSD 7.0 installer bootup.

      Reported-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Message-id: 1447095959-10046-3-git-send-email-jsnow@xxxxxxxxxx

  commit af0e00db0e389dfa33d597f917a21454643bd314
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      atapi: add byte_count_limit helper

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Message-id: 1447095959-10046-2-git-send-email-jsnow@xxxxxxxxxx

  commit cdadde39a80779b52f72aedf80839cabac975e57
  Author: Roger Pau Monne <roger.pau@xxxxxxxxxx>
  Date:   Fri Nov 13 17:38:06 2015 +0000

      xen: fix usage of xc_domain_create in domain builder

      Due to the addition of HVMlite and the requirement to always provide a
      valid xc_domain_configuration_t, xc_domain_create now always takes an arch
      domain config, which can be NULL in order to mimic previous behaviour.

      Add a small stub called xen_domain_create that encapsulates the correct
      call to xc_domain_create depending on the libxc version detected.

      Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 8337c6cbc37c6b2184f41bab3eaff47d5e68012a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 13 17:10:36 2015 +0000

      Update version for v2.5.0-rc0 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 74fcbd22d20a2fbc1a47a7b00cce5bf98fd7be5f
  Author: Guenter Roeck <linux@xxxxxxxxxxxx>
  Date:   Thu Nov 12 09:54:55 2015 -0800

      hw/misc: Add support for ADC controller in Xilinx Zynq 7000

      Add support for the Xilinx XADC core used in Zynq 7000.

      References:
      - Zynq-7000 All Programmable SoC Technical Reference Manual
      - 7 Series FPGAs and Zynq-7000 All Programmable SoC XADC
        Dual 12-Bit 1 MSPS Analog-to-Digital Converter

      Tested with Linux using QEMU machine xilinx-zynq-a9 with devicetree
      files zynq-zc702.dtb and zynq-zc706.dtb, and kernel configuration
      multi_v7_defconfig.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
      [ PC changes:
        * Changed macro names to match TRM where possible
        * Made programmers model macro scheme consistent
        * Dropped XADC_ZYNQ_ prefix on local macros
        * Fix ALM field width
        * Update threshold-comparison interrupts in _update_ints()
        * factored out DFIFO pushes into helper. Renamed to "push/pop"
        * Changed xadc_reg to 10 bits and added OOB check.
        * Reduced scope of MCTL reset to just stop channel coms.
        * Added dummy read data to write commands
        * Changed _ to - seperators in string names and filenames
        * Dropped ------------ in header comment
        * Catchall'ed _update_ints() in _write handler.
        * Minor whitespace changes.
        * Use ZYNQ_XADC_FIFO_DEPTH instead of ARRAY_SIZE()
      ]
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Tested-by: Guenter Roeck <linux@xxxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f3bcfc5663646f74e62fe9d3d8774b8f0adda7bf
  Merge: b2df6a7 389775d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 18:08:19 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151112' into staging

      migration/next for 20151112

      # gpg: Signature made Thu 12 Nov 2015 16:56:44 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151112:
        migration_init: Fix lock initialisation/make it explicit
        migrate-start-postcopy: Improve text
        Postcopy: Fix TP!=HP zero case
        Finish non-postcopiable iterative devices before package
        migration: Make 32bit linux compile with RDMA
        migration: print ram_addr_t as RAM_ADDR_FMT not %zx

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b2df6a79df6343d0ed4ea05d83b3ff1d849e8d25
  Merge: cfcc7c1 aece5ed
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 17:22:06 2015 +0000

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches (rebased Stefan's pull request)

      # gpg: Signature made Thu 12 Nov 2015 15:34:16 GMT using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (43 commits)
        block: Update copyright of the accounting code
        scsi-disk: Account for failed operations
        macio: Account for failed operations
        ide: Account for failed and invalid operations
        atapi: Account for failed and invalid operations
        xen_disk: Account for failed and invalid operations
        virtio-blk: Account for failed and invalid operations
        nvme: Account for failed and invalid operations
        iotests: Add test for the block device statistics
        block: Use QEMU_CLOCK_VIRTUAL for the accounting code in qtest mode
        qemu-io: Account for failed, invalid and flush operations
        block: New option to define the intervals for collecting I/O statistics
        block: Add average I/O queue depth to BlockDeviceTimedStats
        block: Compute minimum, maximum and average I/O latencies
        block: Allow configuring whether to account failed and invalid ops
        block: Add statistics for failed and invalid I/O operations
        block: Add idle_time_ns to BlockDeviceStats
        util: Infrastructure for computing recent averages
        block: define 'clock_type' for the accounting code
        ide: Account for write operations correctly
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 389775d1f67b2c8f44f9473b1e5363735972e389
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 12 15:38:27 2015 +0000

      migration_init: Fix lock initialisation/make it explicit

      Peter reported a lock error on MacOS after my a82d593b
      patch.

      migrate_get_current does one-time initialisation of
      a bunch of variables.
      migrate_init does reinitialisation even on a 2nd
      migrate after a cancel.

      The problem here was that I'd initialised the mutex
      in migrate_get_current, and the memset in migrate_init
      corrupted it.

      Remove the memset and replace it by explicit initialisation
      of fields that need initialising; this also turns out to be simpler
      than the old code that had to preserve some fields.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Fixes: a82d593b
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a54d340b9d0902fa73ff9e5541974b9b51fb1d45
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 12 11:34:44 2015 +0000

      migrate-start-postcopy: Improve text

      Improve the text in both the qapi-schema and hmp help to point out
      you need to set the postcopy-ram capability prior to issuing
      migrate-start-postcopy.

      Also fix the text of the migrate_start_postcopy error that
      deals with capabilities.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Acked-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit cfcc7c144879ebe61ac2472216314fc1331b4450
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 12 11:29:49 2015 -0500

      configure: check for $cxx before use

      I broke this when adding checks for clang++.

      Reported-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447345789-840-1-git-send-email-jsnow@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3b6ff6d0a7a964c5c7cd5f9a0d5e42752b6347a
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 11 14:02:28 2015 +0000

      Postcopy: Fix TP!=HP zero case

      Where the target page size is different from the host page
      we special case it, but I messed up on the zero case check.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1c0d249ddf3c75c3992847d0af67f79a1cfd23d2
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 11 14:02:27 2015 +0000

      Finish non-postcopiable iterative devices before package

      Where we have iterable, but non-postcopiable devices (e.g. htab
      or block migration), complete them before forming the 'package'
      but with the CPUs stopped.  This stops them filling up the package.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 80e60c6e1c417aa50a4fed1cb1a2f73885be3bef
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Nov 10 17:43:04 2015 +0100

      migration: Make 32bit linux compile with RDMA

      Rest of the file already use that trick. 64bit offsets make no sense in
      32bit archs, but that is ram_addr_t for you.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 9458ad6b445ff1e886f74ed75cf5050721f93b3e
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Nov 10 17:42:05 2015 +0100

      migration: print ram_addr_t as RAM_ADDR_FMT not %zx

      Not all the wold is 64bits (yet).

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit ed6c64489ef11d9ac5fb4b4c89d455a4f1ae8083
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Thu Nov 12 15:10:43 2015 +0000

      target-arm: Update PC before calling gen_helper_check_breakpoints()

      PC should be updated in the CPU state before calling check_breakpoints()
      helper. Otherwise, the helper would not see the correct PC in the CPU
      state if it is not at the start of a TB.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1447176222-16401-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8f0da01d189077647adf79618acc3832f77b7918
  Merge: 17e50a7 4652f16
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 15:15:30 2015 +0000

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, vhost: fixes for 2.5

      This fixes a performance regression with virtio 1,
      and makes device stop/start more robust for vhost-user.
      virtio devices on pcie bus now have pcie and pm
      capability, as required by the PCI Express spec.
      migration now works better with virtio 9p.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 12 Nov 2015 14:40:42 GMT using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        virtio-9p: add savem handlers
        hw/virtio: Add PCIe capability to virtio devices
        vhost: send SET_VRING_ENABLE at start/stop
        vhost: rename RESET_DEVICE backto RESET_OWNER
        vhost-user: modify SET_LOG_BASE to pass mmap size and offset
        virtio-pci: unbreak queue_enable read
        virtio-pci: introduce pio notification capability for modern device
        virtio-pci: use zero length mmio eventfd for 1.0 notification cap when 
possible
        KVM: add support for any length io eventfd
        memory: don't try to adjust endianness for zero length eventfd
        virtio-pci: fix 1.0 virtqueue migration

      Conflicts:
        include/hw/compat.h
      [Fixed a trivial merge conflict in compat.h]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit aece5edc96f211eec6febdafc9bbbb99315a2efd
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:18 2015 +0200

      block: Update copyright of the accounting code

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
80a2278e3ec2dafd5daab20a7cb2d6a9b83371e4.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d7628080f3bd074f80666561beadfdd5e2f5b0df
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:17 2015 +0200

      scsi-disk: Account for failed operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
0ead7b0e59c22926e033ca12725e3a31985ec46b.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b88b3c8b836ca55d8a4f738deed3b63c0ca84060
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:16 2015 +0200

      macio: Account for failed operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
ee6f4fde6a7c1071ca96d4ddd53e4934ff812fcd.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ecca3b397d06a957b18913ff9afc63860001cfdf
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:15 2015 +0200

      ide: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
bf4d6c9c563877e699b0bf42e7eaf8b096c4a35e.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ece2d05ed4adb9a9aa3ca9da0496be769dfb3a25
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:14 2015 +0200

      atapi: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
59dee4e2921b0c79d41c49b67dfb93d32db9f7f9.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 57ee366ce9cf8d9f7a52b7b654b9db78fe887349
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:13 2015 +0200

      xen_disk: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
e0cbb96cb0e1f86c37c7ce332efdf02b57b9d365.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 01762e03222154fef6d98087ce391aed8a157be5
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:12 2015 +0200

      virtio-blk: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
4f623ce52c9d673d35a043fc2959526b41b685c6.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1753f3dc177a82f8b3c5ea8d2a32737db9411dd4
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:11 2015 +0200

      nvme: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
678dc67da229759d404b44f7cc2bf5ed8bf8ad14.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4214face09bed08279c68a67fa1a4b01be887346
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:10 2015 +0200

      iotests: Add test for the block device statistics

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
0fb8501bbf3666b3d5d3f67fa899729c88f21baf.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 918a17a464bac332b14a19d87106acc81e476f05
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:09 2015 +0200

      block: Use QEMU_CLOCK_VIRTUAL for the accounting code in qtest mode

      This patch switches to QEMU_CLOCK_VIRTUAL for the accounting code in
      qtest mode, and makes the latency of the operation constant. This way we
      can perform tests on the accounting code with reproducible results.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
35ed0501450fa572684e9b5e92c361ab6cce565b.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 556c2b60714e7dae3ed0eb3488910435263dc09f
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:08 2015 +0200

      qemu-io: Account for failed, invalid and flush operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
78a7662a8636e55991737ece50003a2dc5a5f3e0.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2be5506fc85d5fef1abdb2128d446cb0b14b12bc
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:07 2015 +0200

      block: New option to define the intervals for collecting I/O statistics

      The BlockAcctStats structure contains a list of BlockAcctTimedStats.
      Each one of these collects statistics about the minimum, maximum and
      average latencies of all I/O operations in a certain interval of time.

      This patch adds a new "stats-intervals" option that allows defining
      these intervals.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
41cbcd334a61c6157f0f495cdfd21eff6c156f2a.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 96e4dedaff9922f87e4ec351d51d3f093198382a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:06 2015 +0200

      block: Add average I/O queue depth to BlockDeviceTimedStats

      This patch adds two new fields to BlockDeviceTimedStats that track the
      average number of pending read and write requests for a block device.

      The values are calculated for the period of time defined for that
      interval.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
fd31fef53e2714f2f30d59ed58ca2f67ec9ab926.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 979e9b03fc8c85d3b78a14410c64cbb16d348095
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:05 2015 +0200

      block: Compute minimum, maximum and average I/O latencies

      This patch keeps track of the minimum, maximum and average latencies
      of I/O operations during a certain interval of time.

      The values are exposed in the BlockDeviceTimedStats structure.

      An option to define the intervals to collect these statistics will be
      added in a separate patch.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
c7382dc89622c64f918d09f32815827772628f8e.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 362e9299b34b3101aaa20f20363441c9f055fa5e
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:04 2015 +0200

      block: Allow configuring whether to account failed and invalid ops

      This patch adds two options, "stats-account-invalid" and
      "stats-account-failed", that can be used to decide whether invalid and
      failed I/O operations must be used when collecting statistics for
      latency and last access time.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
ebc7e5966511a342cad428a392c5f5ad56b15213.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7ee12dafe96a86dfa96af38cea1289305e429a55
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:03 2015 +0200

      block: Add statistics for failed and invalid I/O operations

      This patch adds the block_acct_failed() and block_acct_invalid()
      functions to allow keeping track of failed and invalid I/O operations.

      The number of failed and invalid operations is exposed in
      BlockDeviceStats.

      We don't keep track of the time spent on invalid operations because
      they are cancelled immediately when they are started.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
a7256ccb883a86356b1c6c46b5a29ed5448546a5.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit cb38fffbc968e797ae32039b1e2c47b940b30cb4
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:02 2015 +0200

      block: Add idle_time_ns to BlockDeviceStats

      This patch adds the new field 'idle_time_ns' to the BlockDeviceStats
      structure, indicating the time that has passed since the previous I/O
      operation.

      It also adds the block_acct_idle_time_ns() call, to ensure that all
      references to the clock type used for accounting are in the same
      place. This will later allow us to use a different clock for iotests.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
7d8cfcf931453e1a2443e6626e8c1edc347c7c8a.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bd797fc15b4290e02c219b7cd6289a33cd6cd18b
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:01 2015 +0200

      util: Infrastructure for computing recent averages

      This module computes the average of a set of values within a time
      window, keeping also track of the minimum and maximum values.

      In order to produce more accurate results it works internally by
      creating two time windows of the same period, offsetted by half of
      that period. Values are accounted on both windows and the data is
      always returned from the oldest one.

      [Add missing util/replay.o to test-timed-average dependencies to fix the
      build.
      --Stefan]

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
201b09c21bbc9c329779d2b2365ee2b9c80dceeb.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5519593c07c71c55b196546a00c08106bd9a100b
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:00 2015 +0200

      block: define 'clock_type' for the accounting code

      Its value is still QEMU_CLOCK_REALTIME, but having it in a variable will
      allow us to change its value easily in the future when running in qtest
      mode.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
547485eb841cf9e3b2770c96539ae9ae5996e214.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c618f331d314c34ff2390d2dbd3f926e513c7059
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:32:59 2015 +0200

      ide: Account for write operations correctly

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
2e71323c0875c2b66a8ae22229545e0c013af8d4.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 693044ebd20ce8730aae679ff58d52aa8ec60b0a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:32:58 2015 +0200

      xen_disk: Account for flush operations

      Currently both BLKIF_OP_WRITE and BLKIF_OP_FLUSH_DISKCACHE are being
      accounted as write operations.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
7a2a14e3ac62027aa6267a6c02abc70717be9c0a.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 6c6f312dd752c74c124ecfc4c34e8aaf7254c3b8
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:20 2015 -0500

      tests: add BlockJobTxn unit test

      The BlockJobTxn unit test verifies that both single jobs and pairs of
      jobs behave as a transaction group.  Either all jobs complete
      successfully or the group is cancelled.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-15-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit fc6c796ff2b049303473702d1ade9196d1843f5d
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:19 2015 -0500

      iotests: 124 - transactional failure test

      Use a transaction to request an incremental backup across two drives.
      Coerce one of the jobs to fail, and then re-run the transaction.

      Verify that no bitmap data was lost due to the partial transaction
      failure.

      To support the 'err-cancel' QMP argument name it's necessary for
      transaction_action() to convert underscores in Python argument names
      to hyphens for QMP argument names.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446765200-3054-14-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 94d16a640a1058653327392e08c6d39eeba1e499
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:18 2015 -0500

      block: add transactional properties

      Add both transactional properties to the QMP transactional interface,
      and add the BlockJobTxn that we create as a result of the err-cancel
      property to the BlkActionState structure.

      [split up from a patch originally by Stefan and Fam. --js]
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-13-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 78f51fde88d1925b5ae51ba789339baa9ff72ad1
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:17 2015 -0500

      block: Add BlockJobTxn support to backup_run

      Allow a BlockJobTxn to be passed into backup_run, which
      will allow the job to join a transactional group if present.

      Propagate this new parameter outward into new QMP helper
      functions in blockdev.c to allow transaction commands to
      pass forward their BlockJobTxn object in a forthcoming patch.

      [split up from a patch originally by Stefan and Fam. --js]
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-12-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c347b2c62a53b73cf6cc31225feb125d2f20f186
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:16 2015 -0500

      block/backup: Rely on commit/abort for cleanup

      Switch over to the new .commit/.abort handlers for
      cleaning up incremental bitmaps.

      [split up from a patch originally by Stefan and Fam. --js]
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-11-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c55a832fdddec2c350b585ade0476501f616608d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:15 2015 -0500

      block: Add block job transactions

      Sometimes block jobs must execute as a transaction group.  Finishing
      jobs wait until all other jobs are ready to complete successfully.
      Failure or cancellation of one job cancels the other jobs in the group.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-10-git-send-email-jsnow@xxxxxxxxxx
      [Rewrite the implementation which is now contained in block_job_completed.
      --Fam]
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 94db6d2d30962cc0422a69c88c3b3e9981b33e50
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:14 2015 -0500

      blockjob: Simplify block_job_finish_sync

      With job->completed and job->ret to replace BlockFinishData.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-9-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a689dbf2df74a55d43e3fc4d6aec30ed67ca998f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:13 2015 -0500

      blockjob: Add "completed" and "ret" in BlockJob

      They are set when block_job_completed is called.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-8-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 57901ecb8e02f03464d5f37bb6edf82e5076812d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:12 2015 -0500

      blockjob: Add .commit and .abort block job actions

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-7-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 18930ba3d17866fff6df52ae6d2e54ce5c5ca04b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:11 2015 -0500

      blockjob: Introduce reference count and fix reference to job->bs

      Add reference count to block job, meanwhile move the ownership of the
      reference to job->bs from the caller (which is released in two
      completion callbacks) to the block job itself. It is necessary for
      block_job_complete_sync to work, because block job shouldn't live longer
      than its bs, as asserted in bdrv_delete.

      Now block_job_complete_sync can be simplified.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-6-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b976ea3cf591ac994cc17dcf0fc550c9aa9c0f5d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:10 2015 -0500

      backup: Extract dirty bitmap handling as a separate function

      This will be reused by the coming new transactional completion code.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-5-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 50f43f0ff9a640b901b2657492d642e14a57bd4d
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:09 2015 -0500

      block: rename BlkTransactionState and BdrvActionOps

      These structures are misnomers, somewhat.

      (1) BlockTransactionState is not state for a transaction,
          but is rather state for a single transaction action.
          Rename it "BlkActionState" to be more accurate.

      (2) The BdrvActionOps describes operations for the BlkActionState,
          above. This name might imply a 'BdrvAction' or a 'BdrvActionState',
          which there isn't.
          Rename this to 'BlkActionOps' to match 'BlkActionState'.

      Lastly, update the surrounding in-line documentation and comments
      to reflect the current nature of how Transactions operate.

      This patch changes only comments and names, and should not affect
      behavior in any way.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-4-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 749ad5e887e85fd51d83bf4d08ed72858f937fd9
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:08 2015 -0500

      iotests: add transactional incremental backup test

      Test simple usage cases for using transactions to create
      and synchronize incremental backups.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446765200-3054-3-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit df9a681dc9ad41c9cdeb9ecc5d060ba9abd27e01
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:54 2015 +0800

      qed: Implement .bdrv_drain

      The "need_check_timer" is used to clear the "NEED_CHECK" flag in the
      image header after a grace period once metadata update has finished. In
      compliance to the bdrv_drain semantics we should make sure it remains
      deleted once .bdrv_drain is called.

      We cannot reuse qed_need_check_timer_cb because here it doesn't satisfy
      the assertion.  Do the "plug" and "flush" calls manually.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-10-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 67da1dc5ce696c7b309b1db100da7d94292847b7
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:53 2015 +0800

      block: Introduce BlockDriver.bdrv_drain callback

      Drivers can have internal request sources that generate IO, like the
      need_check_timer in QED. Since we want quiesced periods that contain
      nested event loops in block layer, we need to have a way to disable such
      event sources.

      Block drivers must implement the "bdrv_drain" callback if it has any
      internal sources that can generate I/O activity, like a timer or a
      worker thread (even in a library) that can schedule QEMUBH in an
      asynchronous callback.

      Update the comments of bdrv_drain and bdrv_drained_begin accordingly.

      Like bdrv_requests_pending(), we should consider all the children of bs.
      Before, the while loop just works, as bdrv_requests_pending() already
      tracks its children; now we mustn't miss the callback, so recurse down
      explicitly.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1447064214-29930-9-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 83c98d7b924eab36a0a2c7813731dbef439a91d3
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:52 2015 +0800

      block: Drop BlockDriver.bdrv_ioctl

      Now the callback is not used any more, drop the field along with all
      implementations in block drivers, which are iscsi and raw.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-8-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5c5ae76acb024f05b8f021e9f1e10a0299328bdd
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:51 2015 +0800

      block: Emulate bdrv_ioctl with bdrv_aio_ioctl and track both

      Currently all drivers that support .bdrv_aio_ioctl also implement
      .bdrv_ioctl redundantly.  To track ioctl requests in block layer it is
      easier if we unify the two paths, because we'll need to run it in a
      coroutine, as required by tracked_request_begin. While we're at it, use
      .bdrv_aio_ioctl plus aio_poll() to emulate bdrv_ioctl().

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447064214-29930-7-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8b45f6878d291646cadc4786ae807e6a42c188b4
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:50 2015 +0800

      block: Add ioctl parameter fields to BlockRequest

      The two fields that will be used by ioctl handling code later are added
      as union, because it's used exclusively by ioctl code which dosn't need
      the four fields in the other struct of the union.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-6-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4bb17ab51a78c6daaaa9d6c86d1c890d24c091c4
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:49 2015 +0800

      iscsi: Emulate commands in iscsi_aio_ioctl as iscsi_ioctl

      iscsi_ioctl emulates SG_GET_VERSION_NUM and SG_GET_SCSI_ID. Now that
      bdrv_ioctl() will be emulated with .bdrv_aio_ioctl, replicate the logic
      into iscsi_aio_ioctl to make them consistent.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-5-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b1066c875597649be1d1d6db4712bc504b4c4c81
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:48 2015 +0800

      block: Track discard requests

      Both bdrv_discard and bdrv_aio_discard will call into bdrv_co_discard,
      so add tracked_request_begin/end calls around the loop.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit cdb5e3155eb323380c59f19fe88e28fedd85d3d8
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:47 2015 +0800

      block: Track flush requests

      Both bdrv_flush and bdrv_aio_flush eventually call bdrv_co_flush, add
      tracked_request_begin and tracked_request_end pair in that function so
      that all flush requests are now tracked.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ebde595ce63369921dbbe1bd16fec0b230050d67
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:46 2015 +0800

      block: Add more types for tracked request

      We'll track more request types besides read and write, change the
      boolean field to an enum.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4652f1640e029e1f2433fa77ba6af285c7cd923a
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 22 19:38:42 2015 +0200

      virtio-9p: add savem handlers

      We don't support migration of mounted 9p shares. This is handled by a
      migration blocker.

      One would expect, however, to be able to migrate if the share is 
unmounted.
      Unfortunately virtio-9p-device does not register savevm handlers at all !
      Migration succeeds and leaves the guest with a dangling device...

      This patch simply registers migration handlers for virtio-9p-device. 
Whether
      migration is possible or not still depends on the migration blocker.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1811e64c35fe1d9bce77952937a16c001dc08465
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Nov 10 13:41:29 2015 +0200

      hw/virtio: Add PCIe capability to virtio devices

      The virtio devices are converted to PCI-Express
      if they are plugged into a PCI-Express bus and
      the 'modern' protocol is enabled.

      Devices plugged directly into the Root Complex as
      Integrated Endpoints remain PCI.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 17e50a72a3aade0eddfebc012a5d7bdd40a03573
  Merge: df1ac44 39bec4f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 14:15:32 2015 +0000

      Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' 
into staging

      # gpg: Signature made Thu 12 Nov 2015 08:01:55 GMT using RSA key ID 
398D6211
      # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) 
<jasowang@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 
6211

      * remotes/jasowang/tags/net-pull-request:
        net: netmap: use error_setg() helpers in place of error_report()
        net: netmap: Fix compilation issue
        e1000: Introducing backward compatibility command line parameter
        e1000: Implementing various counters
        e1000: Fixing the packet address filtering procedure
        e1000: Fixing the received/transmitted octets' counters
        e1000: Fixing the received/transmitted packets' counters
        e1000: Trivial implementation of various MAC registers
        e1000: Introduced an array to control the access to the MAC registers
        e1000: Add support for migrating the entire MAC registers' array
        e1000: Cosmetic and alignment fixes
        slirp: Fix type casts and format strings in debug code

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3a12f32229a046f4d4ab0a3a52fb01d2d5a1ab76
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 21:24:41 2015 +0800

      vhost: send SET_VRING_ENABLE at start/stop

      Send SET_VRING_ENABLE at start/stop, to give the backend
      an explicit sign of our state.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 60915dc4691768c4dc62458bb3e16c843fab091d
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 21:24:37 2015 +0800

      vhost: rename RESET_DEVICE backto RESET_OWNER

      This patch basically reverts commit d1f8b30e.

      It turned out that it breaks stuff, so revert it:
          http://lists.nongnu.org/archive/html/qemu-devel/2015-10/msg00949.html

      CC: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2b8819c6eee517c1582983773f8555bb3f9ed645
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Wed Nov 11 16:26:02 2015 +0200

      vhost-user: modify SET_LOG_BASE to pass mmap size and offset

      Unlike the kernel, vhost-user application accesses log table by
      mmaping it to its user space. This change adds two new fields to
      VhostUserMsg payload: mmap_size, and mmap_offset and make QEMU to
      pass the to vhost-user application in VHOST_USER_SET_LOG_BASE
      request.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 393f04d3ab40d03aa2fde0017ff7f02fc34cbd4e
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:49 2015 +0800

      virtio-pci: unbreak queue_enable read

      Guest always get zero when reading queue_enable. This violates
      spec. Fixing this by setting the queue_enable to true during any guest
      writing and setting it to zero during reset.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9824d2a39d9893ef9bbe71f94efb57da265b73f6
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:48 2015 +0800

      virtio-pci: introduce pio notification capability for modern device

      We used to use mmio for notification. This could be slow on some arch
      (e.g on x86 without EPT). So this patch introduces pio bar and a pio
      notification cap for modern device. This ability is enabled through
      property "modern-pio-notify" for virtio pci devices and was disabled
      by default. Management can enable when it thinks it was needed.

      Benchmarks shows almost no obvious difference compared to legacy
      device on machines without ept. Thanks Wenli Quan <wquan@xxxxxxxxxx>
      for the benchmarking.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit bc85ccfdf5cc045588f665c84b5707d7364c8a6c
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:47 2015 +0800

      virtio-pci: use zero length mmio eventfd for 1.0 notification cap when 
possible

      We use data match eventfd for 1.0 notification currently. This could
      be slow since software decoding is needed for mmio exit. To speed this
      up, we can switch to use zero length mmio eventfd for 1.0 notification
      since we can examine the queue index directly from the writing
      address. KVM kernel module can utilize this by registering it to fast
      mmio bus which could be as fast as pio on ept capable machine when
      fast mmio is supported by host kernel.

      Lots of improvements were seen on a ept capable machine:

      Guest RX:(TCP)
      size/session/+throughput%/+cpu%/-+per cpu%/
      64/1/+1.6807%/[-16.2421%]/[+21.3984%]/
      64/2/+0.6091%/[-11.0187%]/[+13.0678%]/
      64/4/+0.0553%/[-5.9768%]/[+6.4155%]/
      64/8/+0.1206%/[-4.0057%]/[+4.2984%]/
      256/1/-0.0031%/[-10.1166%]/[+11.2517%]/
      256/2/-0.5058%/[-6.1656%]/+6.0317%]/
      ...

      Guest TX:(TCP)
      size/session/+throughput%/+cpu%/-+per cpu%/
      64/1/[+18.9183%]/-0.2823%/[+19.2550%]/
      64/2/[+13.5714%]/[+2.2675%]/[+11.0533%]/
      64/4/[+13.1070%]/[+2.1817%]/[+10.6920%]/
      64/8/[+13.0426%]/[+2.0887%]/[+10.7299%]/
      256/1/[+36.2761%]/+6.3434%/[+28.1471%]/
      ...
      1024/1/[+44.8873%]/+2.0811%/[+41.9335%]/
      ...
      1024/4/+0.0228%/[-2.2044%]/[+2.2774%]/
      ...
      16384/2/+0.0127%/[-5.0346%]/[+5.3148%]/
      ...
      65535/1/[+0.0062%]/[-4.1183%]/[+4.3017%]/
      65535/2/+0.0004%/[-4.2311%]/[+4.4185%]/
      65535/4/+0.0107%/[-4.6106%]/[+4.8446%]/
      65535/8/-0.0090%/[-5.5178%]/[+5.8306%]/

      Latency:(TCP_RR)
      size/session/+transaction rate%/+cpu%/-+per cpu%/
      64/1/[+6.5248%]/[-9.2882%]/[+17.4322%]/
      64/25/[+11.0854%]/[+0.8000%]/[+10.2038%]/
      64/50/[+12.1076%]/[+2.4627%]/[+9.4131%]/
      256/1/[+5.3677%]/[+10.5669%]/-4.7024%/
      256/25/[+5.6402%]/-0.8962%/[+6.5955%]/
      256/50/[+5.9685%]/[+1.7766%]/[+4.1188%]/
      4096/1/+0.2508%/[-10.4941%]/[+12.0047%]/
      4096/25/[+1.8533%]/-0.0273%/+1.8812%/
      4096/50/[+1.2156%]/-1.4134%/+2.6667%/

      Notes: data with '[]' is the one whose significance is greater than 95%.

      Thanks Wenli Quan <wquan@xxxxxxxxxx> for the benchmarking.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 351082238d5d45d6836ec94eabe3fe7d72b36f46
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:46 2015 +0800

      KVM: add support for any length io eventfd

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b8aecea23aaccf39da54c77ef248f5fa50dcfbc1
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:45 2015 +0800

      memory: don't try to adjust endianness for zero length eventfd

      There's no need to adjust endianness for zero length eventfd since the
      data wrote was actually ignored by kernel. So skip the adjust in this
      case to fix a possible crash when trying to use wildcard mmio eventfd
      in ppc.

      Cc: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a6df8adf3edbb3062f087e425564df35077e8410
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:44 2015 +0800

      virtio-pci: fix 1.0 virtqueue migration

      We don't migrate the followings fields for virtio-pci:

      uint32_t dfselect;
      uint32_t gfselect;
      uint32_t guest_features[2];
      struct {
          uint16_t num;
          bool enabled;
          uint32_t desc[2];
          uint32_t avail[2];
          uint32_t used[2];
      } vqs[VIRTIO_QUEUE_MAX];

      This will confuse driver if migrating during initialization. Solves
      this issue by:

      - introduce transport specific callbacks to load and store extra
        virtqueue states.
      - add a new subsection for virtio to migrate transport specific modern
        device state.
      - implement pci specific callbacks.
      - add a new property for virtio-pci for whether or not to migrate
        extra state.
      - compat the migration for 2.4 and elder machine types

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit df1ac44e9f0c1b1d775c65b6e86fbcac0be77930
  Merge: fd717e7 0a9516c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 13:41:44 2015 +0000

      Merge remote-tracking branch 'remotes/dgibson/tags/ppc-next-20151112' 
into staging

      ppc patch queue -2015-11-12

      Highlights:
         - A number of fixes for MacOS 9 compatibility based on the old MOL
           (Mac-On-Linux) code and a GSoC project.
         - Cleaner and more general way of handling register access from the
           monitor

      # gpg: Signature made Thu 12 Nov 2015 04:33:26 GMT using RSA key ID 
20D9B392
      # gpg: Good signature from "David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@xxxxxxxxxx>"
      # gpg:                 aka "David Gibson (ozlabs.org) 
<dgibson@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 
B392

      * remotes/dgibson/tags/ppc-next-20151112:
        monitor/target-ppc: Define target_get_monitor_def
        cuda.c: add delay to setting of SR_INT bit
        cuda.c: fix T2 timer and enable its interrupt
        cuda.c: rename get_counter() state variable from s to ti for consistency
        cuda.c: refactor get_tb() so that the time can be passed in
        cuda.c: add defines for CUDA registers
        cuda.c: fix CUDA SR interrupt clearing
        cuda.c: implement dummy IIC access commands
        cuda.c: implement simple CUDA_GET_6805_ADDR command
        cuda.c: fix CUDA_PACKET response packet format
        cuda.c: fix CUDA ADB error packet format
        PPC: mac99: Always add USB controller
        PPC: Fix lswx bounds checks
        PPC: Allow Rc bit to be set on mtspr

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fd717e789010012c5f0537269df19ef19d469baf
  Merge: 2048a2a 52074d0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 13:11:06 2015 +0000

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-11-11-tag' into staging

      qemu-ga patch queue

      * fix for unintended overwriting of data on w32 using
        guest-file-open with append mode

      # gpg: Signature made Wed 11 Nov 2015 22:14:52 GMT using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-11-11-tag:
        qga: fix append file open modes for win32

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2048a2a49188af7a9df065f7553021f89d8e9ec5
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Nov 12 12:10:18 2015 +0100

      tests: classify some ivshmem tests as slow

      Some tests may take long to run, move them under g_test_slow()
      condition.

      The 5s timeout for the "server" test will have to be adjusted to the worst
      known time (for the records, it takes ~0.2s on my host). The "pair"
      test takes ~1.7, a quickest version could be implemented.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Message-id: 1447326618-11686-1-git-send-email-marcandre.lureau@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c459343b8552e65398a05581f7ff31a068b5b551
  Merge: 7497b8d 455b0fd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 10:09:14 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-11-11' 
into staging

      error: More error_setg() usage

      # gpg: Signature made Wed 11 Nov 2015 17:57:15 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-11-11:
        error: More error_setg() usage

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 39bec4f38b028a2cff8c38f3455aef44d7b3b6c4
  Author: Vincenzo Maffione <v.maffione@xxxxxxxxx>
  Date:   Tue Nov 10 10:47:22 2015 +0100

      net: netmap: use error_setg() helpers in place of error_report()

      This update was required to align error reporting of netmap backend
      initialization to the modifications introduced by commit a30ecde.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Vincenzo Maffione <v.maffione@xxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 54c59b4de584b3467166febb4ff84627a2f29a0e
  Author: Vincenzo Maffione <v.maffione@xxxxxxxxx>
  Date:   Tue Nov 10 10:47:21 2015 +0100

      net: netmap: Fix compilation issue

      Reorganization of struct NetClientOptions (commit e4ba22b) caused a
      compilation failure of the netmap backend. This patch fixes the issue
      by properly accessing the union field.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Vincenzo Maffione <v.maffione@xxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit ba63ec8594a5dd412182aced07b4bf042403766a
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:47 2015 +0200

      e1000: Introducing backward compatibility command line parameter

      This follows the previous patches, where support for migrating the
      entire MAC registers' array, and some new MAC registers were introduced.

      This patch introduces the e1000-specific boolean parameter
      "extra_mac_registers", which is on by default. Setting it to off will
      enable migration to older versions of QEMU, but will disable the read
      and write access to the new registers, that were introduced since adding
      the ability to migrate the entire MAC array.

      Example for usage to enable backward compatibility and to disable the
      new MAC registers:

          qemu-system-x86_64 -device e1000,extra_mac_registers=off,... ...

      As mentioned above, the default value is "on".

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 3b27430177498a1728b6765c70b455900f93d73a
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:46 2015 +0200

      e1000: Implementing various counters

      This implements the following Statistic registers (various counters)
      according to Intel's specs:

      TSCTC  GOTCL  GOTCH  GORCL  GORCH  MPRC   BPRC   RUC    ROC
      BPTC   MPTC   PTC... PRC...

      PLEASE NOTE: these registers will not be active, nor will migrate, until
      a compatibility flag will be set (in the next patch in this series).

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 4aeea330f022f45d0dabff6090ecbb98755c2116
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:45 2015 +0200

      e1000: Fixing the packet address filtering procedure

      Previously, if promiscuous unicast was enabled, a packet was received
      straight away, even if it was a multicast or a broadcast packet. This
      patch fixes that behavior, while making the filtering procedure a bit
      more human-readable.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 45e93764711484440e56f580f233009bb3da18bc
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:44 2015 +0200

      e1000: Fixing the received/transmitted octets' counters

      Previously, these 64-bit registers did not stick at their maximal
      values when (and if) they reached them, as they should do, according to
      the specs.

      This patch introduces a function that takes care of such registers,
      avoiding code duplication, making the relevant parts more compatible
      with the QEMU coding style, while ensuring that in the unlikely case
      of reaching the maximal value, the counter will stick there, as it
      supposed to.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 1f67f92c4fdf59a98c2fdf67d3e78deba489a370
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:43 2015 +0200

      e1000: Fixing the received/transmitted packets' counters

      According to Intel's specs, these counters (as the other Statistic
      registers) stick at 0xffffffff when this maximal value is reached.
      Previously, they would reset after the max. value.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 72ea771c9711cba63686d5d3284bc6645d13f7d2
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:42 2015 +0200

      e1000: Trivial implementation of various MAC registers

      These registers appear in Intel's specs, but were not implemented.
      These registers are now implemented trivially, i.e. they are initiated
      with zero values, and if they are RW, they can be written or read by the
      driver, or read only if they are R (essentially retaining their zero
      values). For these registers no other procedures are performed.

      For the trivially implemented Diagnostic registers, a debug warning is
      produced on read/write attempts.

      PLEASE NOTE: these registers will not be active, nor will migrate, until
      a compatibility flag will be set (in a later patch in this series).

      The registers implemented here are:

      Transmit:
      RW: AIT

      Management:
      RW: WUC     WUS     IPAV    IP6AT*  IP4AT*  FFLT*   WUPM*   FFMT*   FFVT*

      Diagnostic:
      RW: RDFH    RDFT    RDFHS   RDFTS   RDFPC   PBM*    TDFH    TDFT    TDFHS
          TDFTS   TDFPC

      Statistic:
      RW: FCRUC
      R:  RNBC    TSCTFC  MGTPRC  MGTPDC  MGTPTC  RFC     RJC     SCC     ECOL
          LATECOL MCC     COLC    DC      TNCRS   SEC     CEXTERR RLEC    XONRXC
          XONTXC  XOFFRXC XOFFTXC

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit bc0f0674f037a01f2ce0870ad6270a356a7a8347
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:41 2015 +0200

      e1000: Introduced an array to control the access to the MAC registers

      The array of uint8_t's which is introduced here, contains access metadata
      about the MAC registers: if a register is accessible, but partly 
implemented,
      or if a register requires a certain compatibility flag in order to be
      accessed. Currently, 6 hypothetical flags are supported (3 exist for e1000
      so far) but in the future, if more than 6 flags will be needed, the 
datatype
      of this array can simply be swapped for a larger one.

      This patch is intended to solve the following current problems:

      1) In a scenario of migration between different versions of QEMU, which
      differ by the MAC registers implemented in them, some registers need not 
to
      be active if a compatibility flag is set, in order to preserve the 
machine's
      state perfectly for the older version. Checking this for each register
      individually, would create a lot of clutter in the code.

      2) Some registers are (or may be) only partly implemented (e.g.
      placeholders that allow reading and writing, but lack other functions).
      In such cases it is better to print a debug warning on read/write 
attempts.
      As above, dealing with this functionality on a per-register level, would
      require longer and more messy code.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 9e11773417d98fd2ec961568ec2875063b95569b
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:40 2015 +0200

      e1000: Add support for migrating the entire MAC registers' array

      This patch makes the migration of the entire array of MAC registers
      possible during live migration. The entire array is just 128 KB long, so
      practically no penalty should be felt when transmitting it, additionally
      to the previously transmitted individual registers. The advantage here is
      eliminating the need to introduce new vmstate subsections in the future,
      when additional MAC registers will be implemented.

      Backward compatibility is preserved by introducing a e1000-specific
      boolean parameter (in a later patch), which will be on by default.
      Setting it to off would enable migration to older versions of QEMU.

      Additionally, this parameter will be used to control the access to the
      extra MAC registers in the future.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 20f3e86362758b5085aa17baa7bc109c858acf67
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:39 2015 +0200

      e1000: Cosmetic and alignment fixes

      This fixes some alignment and cosmetic issues. The changes are made
      in order that the following patches in this series will look like
      integral parts of the code surrounding them, while conforming to the
      coding style. Although some changes in unrelated areas are also made.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit ecc804cac31cec6cb90feaa459503afda8b38d09
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Aug 29 09:12:35 2015 +0200

      slirp: Fix type casts and format strings in debug code

      Casting pointers to long won't work on 64 bit Windows.
      It is not needed with the right format strings.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 0a9516c2d6711cb6760a726952bdbbe931fd045c
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu Nov 12 14:44:23 2015 +1100

      monitor/target-ppc: Define target_get_monitor_def

      At the moment get_monitor_def() returns only registers from statically
      defined monitor_defs array. However there is a lot of BOOK3S SPRs
      which are not in the list and cannot be printed from the monitor.

      This adds a new target platform hook - target_get_monitor_def().
      The hook is called if a register was not found in the static
      array returned by the target_monitor_defs() hook.

      The hook is only defined for POWERPC, it returns registered
      SPRs and fails on unregistered ones providing the user with information
      on what is actually supported on the running CPU. The register value is
      saved as uint64_t as it is the biggest supported register size;
      target_ulong cannot be used because of the stub - it is in a "common"
      code and cannot include "cpu.h", etc; this is also why the hook prototype
      is redefined in the stub instead of being included from some header.

      This replaces static descriptors for GPRs, FPRs, SRs with a helper which
      looks for a value in a corresponding array in the CPUPPCState.
      The immediate effect is that all 32 SRs can be printed now (instead of 
16);
      later this can be reused for VSX or TM registers.

      This replaces callbacks for MSR and XER with static descriptors in
      monitor_defs as they are stored in CPUPPCState.

      While we are here, this adds "cr" as a synonym of "ccr".

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit cffc331a3156870d54883bc79e4278472ffd8f1d
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:51 2015 +0000

      cuda.c: add delay to setting of SR_INT bit

      MacOS 9 is racy when it comes to accessing the shift register. Fix this by
      introducing a small delay between data accesses and raising the SR_INT
      interrupt bit.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a53cfdcca2834ec7e61fd955c4f24ac233c4ec16
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:50 2015 +0000

      cuda.c: fix T2 timer and enable its interrupt

      Fix the counter loading logic and enable the T2 interrupt when the timer
      expires. Otherwise MacOS 9 hangs on boot.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 0174adb611a22bcfeeb123851cf4874e6d922d06
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:49 2015 +0000

      cuda.c: rename get_counter() state variable from s to ti for consistency

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit eda14abbb804f8ed2cb903c99ad1852848fa2e42
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:48 2015 +0000

      cuda.c: refactor get_tb() so that the time can be passed in

      This is in preparation for sharing the code between timers.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit b5ac04103bc3b24042418df1a561096187165fd7
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:47 2015 +0000

      cuda.c: add defines for CUDA registers

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit d271ae36dc1e292ae140f5bbf23e0fc1392dd325
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:46 2015 +0000

      cuda.c: fix CUDA SR interrupt clearing

      Make sure that we also clear the data and clock interrupts at the same 
time.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ce8d3b647b5acc2bec19602d9fac87d3da11ae77
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:45 2015 +0000

      cuda.c: implement dummy IIC access commands

      These are used by MacOS 9 on boot. Here we return an error except for 
4-byte
      commands which write to the IIC bus in a similar manner to MOL.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit f1f46f74a9de7298977a3ed668e71843fa904c38
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:44 2015 +0000

      cuda.c: implement simple CUDA_GET_6805_ADDR command

      This simply returns an empty response with no error status as implemented 
by
      MOL to allow MacOS 9 boot to proceed further.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 4202e63c0432c72ba518dd882e99a794620d1665
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:43 2015 +0000

      cuda.c: fix CUDA_PACKET response packet format

      According to comments in MOL, the response to a CUDA_PACKET should be one 
of
      the following:

      Reply: (CUDA_PACKET, status, cmd)
      Error: (ERROR_PACKET, status, CUDA_PACKET, cmd)

      Update cuda_receive_packet() accordingly to reflect this in order to make
      MacOS 9 happy.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 6729aa40135bc96d69b5bf5e65a7d463ef7793e7
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:42 2015 +0000

      cuda.c: fix CUDA ADB error packet format

      According to MOL, ADB error packets should be of the form (type, status, 
cmd)
      rather than just (type, status). This fixes ADB device detection under 
MacOS 9.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 72f1f97d4927f798167855fda7881b0e22756b20
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Nov 11 22:49:41 2015 +0000

      PPC: mac99: Always add USB controller

      The mac99 machines always have a USB controller. Usually not having one 
around
      doesn't hurt quite as much, but Mac OS 9 really really wants one or it 
crashes
      on bootup.

      So always add OHCI to make it happy.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 488661ee9dd300110a6612d52fe68e2bb3539a5f
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Nov 11 22:49:40 2015 +0000

      PPC: Fix lswx bounds checks

      The lswx instruction checks whether the desired string actually fits
      into all defined registers. Unfortunately it does the calculation wrong,
      resulting in illegal instruction traps for loads that really should fit.

      Fix it up, making Mac OS happier.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 4248b336d3c1b74e343842c5b478b165d75f5ce8
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Nov 11 22:49:39 2015 +0000

      PPC: Allow Rc bit to be set on mtspr

      According to the ISA setting the Rc bit on mtspr is undefined behavior.
      Real 750 hardware simply ignores the bit and doesn't touch cr0 though.

      Unfortunately, Mac OS 9 relies on this fact and executes a few mtspr
      instructions (to set XER for example) with Rc set.

      So let's handle the bit the same way hardware does and ignore it.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 7497b8dddcaee5b5f1851434607d0de044012ebe
  Merge: 31e49ac c833d1e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 11 23:20:07 2015 +0000

      Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into 
staging

      # gpg: Signature made Wed 11 Nov 2015 17:59:33 GMT using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"

      * remotes/cody/tags/block-pull-request:
        gluster: allocate GlusterAIOCBs on the stack

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 31e49ac192f782d594bbd04070fe79e800b7813f
  Merge: 2869653 3c4c694
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 11 18:23:08 2015 +0000

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20151111' into 
staging

      Hopefully last big batch of s390x patches, including:
      - bugfixes for LE host and for pci translation
      - MAINTAINERS update
      - hugetlbfs enablement (kernel patches pending)
      - boot from El Torito iso images on virtio-blk
        (boot from scsi pending)
      - cleanup in the ipl device code

      There's also a helper function for resetting busless devices in the
      qdev core in there.

      # gpg: Signature made Wed 11 Nov 2015 17:49:58 GMT using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20151111:
        s390: deprecate the non-ccw machine in 2.5
        s390x/ipl: switch error reporting to error_setg
        s390x/ipl: clean up qom definitions and turn into TYPE_DEVICE
        qdev: provide qdev_reset_all_fn()
        pc-bios/s390-ccw: rebuild image
        pc-bios/s390-ccw: El Torito 16-bit boot image size field workaround
        pc-bios/s390-ccw: El Torito s390x boot entry check
        pc-bios/s390-ccw: ISO-9660 El Torito boot implementation
        pc-bios/s390-ccw: Always adjust virtio sector count
        s390x/kvm: don't enable CMMA when hugetlbfs will be used
        s390x: switch to memory_region_allocate_system_memory
        MAINTAINERS: update virtio-ccw/s390 git tree
        MAINTAINERS: update s390 file patterns
        s390x/pci : fix up s390 pci iommu translation function
        s390x/css: sense data endianness

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 455b0fde8c38a0794743e2e7c1a40018b7bee9f6
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Nov 10 23:51:20 2015 -0700

      error: More error_setg() usage

      A few uses of error_set(ERROR_CLASS_GENERIC_ERROR) were missed in
      c6bd8c706, or have snuck in since.  Nuke them.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1447224690-9743-19-git-send-email-eblake@xxxxxxxxxx>
      Acked-by: Andreas Färber <afaerber@xxxxxxx>
      [Indentation tidied up, commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2869653f23c63c400d3791513b507e9feddbc751
  Merge: 3c07587 4d07c72
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 11 16:43:19 2015 +0000

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Wed 11 Nov 2015 16:03:19 GMT using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (41 commits)
        iotests: Check for quorum support in test 139
        qcow2: Fix qcow2_get_cluster_offset() for zero clusters
        iotests: Add tests for the x-blockdev-del command
        block: Add 'x-blockdev-del' QMP command
        block: Add blk_get_refcnt()
        mirror: block all operations on the target image during the job
        qemu-iotests: fix -valgrind option for check
        qemu-iotests: fix cleanup of background processes
        qemu-io: Correct error messages
        qemu-io: Check for trailing chars
        qemu-io: fix cvtnum lval types
        block: test 'blockdev-snapshot' using a file BDS as the overlay
        block: Remove inner quotation marks in iotest 085
        block: Disallow snapshots if the overlay doesn't support backing files
        throttle: Use bs->throttle_state instead of bs->io_limits_enabled
        throttle: Check for pending requests in throttle_group_unregister_bs()
        qemu-img: add check for zero-length job len
        qcow2: avoid misaligned 64bit bswap
        qemu-iotests: Test the reopening of overlay_bs in 'block-commit'
        commit: reopen overlay_bs before base
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3c4c694c7ce2d21c0cf17a27cc60c91b6725ce48
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Fri Nov 6 13:07:25 2015 +0100

      s390: deprecate the non-ccw machine in 2.5

      The non-ccw machine for s390 (s390-virtio) is not very well maintained
      and caused several issues in the past:
      - aliases like virtio-blk did not work for s390
      - virtio refactoring failed due to long standing bugs (e.g.see
      commit cb927b8a "s390-virtio: Accommodate guests using virtqueues too 
early")
      - some features like memory hotplug will cause trouble due to virtio 
storage
        being above guest memory
      - the boot loader bios no longer seems to work. the source code of that
        loader is also no longer maintained

      2.4 changed the default to the ccw machine, let's deprecate the old
      machine for 2.5.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Acked-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1446811645-25565-1-git-send-email-borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 8f04e88e2cd792e348eb54983ce1a485d5db4f27
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 8 12:33:28 2015 +0200

      s390x/ipl: switch error reporting to error_setg

      Now that we can report errors in the realize function, let's replace
      the fprintf's and hw_error's with error_setg.

      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 04fccf106e22c4b861398cf2146f5a5b5f18d01e
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 8 12:32:13 2015 +0200

      s390x/ipl: clean up qom definitions and turn into TYPE_DEVICE

      Let's move the qom definitions of the ipl device into ipl.h, replace
      "s390-ipl" by a proper type define, turn it into a TYPE_DEVICE
      and remove the unneeded class definition.

      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ff8de0757fc13407c81f002e936031ddc13057e4
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 08:32:07 2015 +0200

      qdev: provide qdev_reset_all_fn()

      For TYPE_DEVICE, the dc->reset() function is not called on system resets
      yet. Until that is changed, we have to manually register a reset handler.
      Let's provide qdev_reset_all_fn(), that can directly be used - just like
      the reset handler that is already available for qbus.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 81a93ee64d78a1933998ff1b95f06b6d67db46fd
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Nov 5 13:47:38 2015 +0100

      pc-bios/s390-ccw: rebuild image

      Contains:
        pc-bios/s390-ccw: Always adjust virtio sector count
        pc-bios/s390-ccw: ISO-9660 El Torito boot implementation
        pc-bios/s390-ccw: El Torito s390x boot entry check
        pc-bios/s390-ccw: El Torito 16-bit boot image size field workaround

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 869648e87eeb998cc0ede230f3b7aabfdf0eb2dd
  Author: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 17:50:20 2015 +0200

      pc-bios/s390-ccw: El Torito 16-bit boot image size field workaround

      Because of El Torito spec flaw boot image size needs to be verified.

      Boot catalog entry size field has 16-bit width, and specifies size
      in 512-byte units.

      Thus, boot image size cannot exceed 32M.

      We actually search for the file to get the file size.

      This is done by scanning the ISO directory tree for the ISO block number
      and reading the file size from the directory entry.

      Signed-off-by: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ba21f0cca8165c5b284274edd12dc955cf4fb248
  Author: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 17:50:20 2015 +0200

      pc-bios/s390-ccw: El Torito s390x boot entry check

      Boot entry is considered compatible if boot image is Linux kernel
      with matching S390 Linux magic string.

      Empty boot images with sector_count == 0 are considered broken.

      Signed-off-by: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 866cac91e06219f473a2900eefef0d1cf242b136
  Author: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 17:50:20 2015 +0200

      pc-bios/s390-ccw: ISO-9660 El Torito boot implementation

      This patch enables boot from media formatted according to
      ISO-9660 and El Torito bootable CD specification.

      We try to boot from device as ISO-9660 media when SCSI IPL failed.

      The first boot catalog entry with bootable flag is used.

      ISO-9660 media with default 2048-bytes sector size only is supported.

      Signed-off-by: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 38150be860434de9d9c76cef71ff5c6b6112ee8f
  Author: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 17:50:20 2015 +0200

      pc-bios/s390-ccw: Always adjust virtio sector count

      Let's always adjust the sector number to be read using the current
      virtio block size value.

      This prepares for the implementation of IPL from ISO-9660 media.

      Signed-off-by: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 4c292a009700755a1e6b234063ef3f2db235aaae
  Author: Dominik Dingel <dingel@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Aug 11 11:12:12 2015 +0200

      s390x/kvm: don't enable CMMA when hugetlbfs will be used

      On hugetlbfs CMMA will not be useful as every ESSA instruction will trap.
      So don't offer CMMA to guests with a hugepages backing.

      Signed-off-by: Dominik Dingel <dingel@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ae23a33591056d6349753766047ebc511158da9c
  Author: Dominik Dingel <dingel@xxxxxxxxxxxxxxxxxx>
  Date:   Tue May 12 13:21:30 2015 +0200

      s390x: switch to memory_region_allocate_system_memory

      By replacing memory_region_init_ram with 
memory_region_allocate_system_memory
      we gain goodies like mem-path backends. This will allow us to use 
hugetlbfs
      once the kernel supports it.

      Signed-off-by: Dominik Dingel <dingel@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 3e9ed24b84c4acdd077904a74eaec6d95cfef928
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Nov 4 16:08:20 2015 +0100

      MAINTAINERS: update virtio-ccw/s390 git tree

      Let's reference the git branch I actually use, and add Christian's
      git tree.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit c5bfb202bb3bcdc1a368e85fef336e89d6254f8c
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Nov 4 15:59:55 2015 +0100

      MAINTAINERS: update s390 file patterns

      We were missing some files, and some files should get an additional
      entry to add the people actually looking after the code.

      Reported-by: Thomas Huth <thuth@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit dce1b089249f52c053cf74dc3da98aea16656961
  Author: Yi Min Zhao <zyimin@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Oct 28 11:30:23 2015 +0800

      s390x/pci : fix up s390 pci iommu translation function

      On s390x, each pci device has its own iommu, which is only properly
      setup in qemu once the mpcifc instruction used to register the
      translation table has been intercepted. Therefore, for a pci device that
      is not configured or has not been initialized, proper translation is
      neither required nor possible. Moreover, we may not have a host bridge
      device ready yet.

      This was exposed by a recent vfio change that triggers iommu translation
      during the initialization of the vfio pci device. Let's do an early exit
      in that case.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Yi Min Zhao <zyimin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit b498484ed49ab9d1fcada3468f95dda1a5f59366
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Nov 4 18:40:54 2015 +0100

      s390x/css: sense data endianness

      We keep the device's sense data in a byte array (following the
      architecture), but the ecws are an array of 32 bit values. If we
      just blindly copy the values, the sense data will change from
      de-facto BE data to de-facto cpu-endian data, which means we end
      up doing an incorrect conversion on LE hosts.

      Let's just explicitly convert to cpu-endianness while assembling
      the irb.

      Reported-by: Andy Lutomirski <luto@xxxxxxxxxx>
      Tested-by: Andy Lutomirski <luto@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 52074d0f662fc51293d4cde8077631f754784405
  Author: Kirk Allan <kallan@xxxxxxxx>
  Date:   Tue Nov 10 16:19:11 2015 -0700

      qga: fix append file open modes for win32

      For append file open modes, use FILE_APPEND_DATA for the desired access
      for writing at the end of the file.

      Version 2:
      For "a+", "ab+", and "a+b" modes use FILE_APPEND_DATA|GENERIC_READ.
      ORing in GENERIC_READ starts a read at the begining of the file.  All
      writes will append to the end fo the file.

      Added white space to maintain the alignment of the 
guest_file_open_modes[].

      Signed-off-by: Kirk Allan <kallan@xxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      * use FILE_GENERIC_APPEND macro, which provides same semantics as
        FILE_APPEND_DATA, but retains other flags from GENERIC_WRITE
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4d07c720f44beafd10907cecfd5b8a57622243c1
  Merge: a9ecfa0 92e6898
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Nov 11 17:02:02 2015 +0100

      Merge remote-tracking branch 
'mreitz/tags/pull-block-for-kevin-2015-11-11' into queue-block

      Block patches from 2015-10-26 until 2015-11-11.

      # gpg: Signature made Wed Nov 11 17:00:50 2015 CET using RSA key ID 
E838ACAD
      # gpg: Good signature from "Max Reitz <mreitz@xxxxxxxxxx>"

      * mreitz/tags/pull-block-for-kevin-2015-11-11:
        iotests: Check for quorum support in test 139
        qcow2: Fix qcow2_get_cluster_offset() for zero clusters
        iotests: Add tests for the x-blockdev-del command
        block: Add 'x-blockdev-del' QMP command
        block: Add blk_get_refcnt()
        mirror: block all operations on the target image during the job
        qemu-iotests: fix -valgrind option for check
        qemu-iotests: fix cleanup of background processes

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 92e68987745b0f89f04d29fe1d0c821010d58ea6
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 10 18:28:11 2015 +0200

      iotests: Check for quorum support in test 139

      The quorum driver is always built in, but it is disabled during
      run-time if there's no SHA256 support available (see commit e94867e).

      This patch skips the quorum test in iotest 139 in that case.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1447172891-20410-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit a99dfb45f26bface6830ee5465e57bcdbc53c6c8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Nov 4 18:16:24 2015 +0100

      qcow2: Fix qcow2_get_cluster_offset() for zero clusters

      When searching for contiguous zero clusters, we only need to check the
      cluster type. Before this patch, an increasing offset (L2E_OFFSET_MASK)
      was expected, so that the function never returned more than a single
      zero cluster in practice. This patch fixes it to actually return as many
      contiguous zero clusters as it can.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1446657384-5907-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 342075fd0ec9dce87139d71a81e1dbbe5ab5d021
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 2 16:51:56 2015 +0200

      iotests: Add tests for the x-blockdev-del command

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
57c3b0d4d0c73ddadd19e5bded9492c359cc4568.1446475331.git.berto@xxxxxxxxxx
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 81b936ae70e635557af9ca80922ee69146cb5f4c
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 2 16:51:55 2015 +0200

      block: Add 'x-blockdev-del' QMP command

      This command is still experimental, hence the name.

      This is the companion to 'blockdev-add'. It allows deleting a
      BlockBackend with its associated BlockDriverState tree, or a
      BlockDriverState that is not attached to any backend.

      In either case, the command fails if the reference count is greater
      than 1 or the BlockDriverState has any parents.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
6cfc148c77aca1da942b094d811bfa3fcf7ac7bb.1446475331.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit f636ae85f3db8ffb987c79715869dba1b8217e8a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 2 16:51:54 2015 +0200

      block: Add blk_get_refcnt()

      This function returns the reference count of a given BlockBackend.
      For convenience, it returns 0 if the BlockBackend pointer is NULL.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
dfdd8a17dbe3288842840636d2cfe5bb895abcb0.1446475331.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 10f3cd15dd9913f8d959fbd061e6e00c45432093
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 2 16:51:53 2015 +0200

      mirror: block all operations on the target image during the job

      There's nothing preventing the target image from being used by other
      operations during the 'drive-mirror' job, so we should block them all
      until the job is done.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
82b88fd04cde918a08a6f9a4ab85626d7fd7b502.1446475331.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit e6c17669eb0868013d9a17050d8eb2d598f06067
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Oct 30 15:25:18 2015 -0400

      qemu-iotests: fix -valgrind option for check

      Commit 934659c switched the iotests to run qemu-io from a bash subshell,
      in order to catch segfaults.  This method is incompatible with the
      current valgrind_qemu_io() bash function.

      Move the valgrind usage into the exec subshell in _qemu_io_wrapper(),
      while making sure the original return value is passed back to the
      caller.

      Update test output for tests 039, 061, and 137 as it looks for the
      specific subshell command when the process is terminated.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 
0066fd85d26ca641a1c25135ff2479b7985701cf.1446232490.git.jcody@xxxxxxxxxx
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit f6c8c2e055f88e8ed74ac0c185fc9fbca1e1b775
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Oct 30 15:25:17 2015 -0400

      qemu-iotests: fix cleanup of background processes

      Commit 934659c switched the iotests to run qemu and qemu-nbd from a bash
      subshell, in order to catch segfaults.  Unfortunately, this means the
      process PID cannot be captured via '$!'. We stopped killing qemu and
      qemu-nbd processes, leaving a lot of orphaned, running qemu processes
      after executing iotests.

      Since the process is using exec in the subshell, the PID is the
      same as the subshell PID.

      Track these PIDs for cleanup using pidfiles in the $TEST_DIR. Only
      track the qemu PID, however, if requested - not all usage requires
      killing the process.

      Reported-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 
9e4f958b3895b7259b98d845bb46f000ba362869.1446232490.git.jcody@xxxxxxxxxx
      [mreitz@xxxxxxxxxx: Replaced '! -z "..."' by '-n "..."']
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit c833d1e8f5e95762336a823a35ade65a2d0fe587
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 13:04:38 2015 +0200

      gluster: allocate GlusterAIOCBs on the stack

      This is simpler now that the driver has been converted to coroutines.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a9ecfa004f2dd83df612daac4a87dfc3a0feba28
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:53:04 2015 -0500

      qemu-io: Correct error messages

      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ef5a788527b2038d742b057a415ab4d0e735e98f
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:53:03 2015 -0500

      qemu-io: Check for trailing chars

      Make sure there's not trailing garbage, e.g.
      "64k-whatever-i-want-here"

      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9b0beaf3de1396a23d5c287283e6f36c4b5d4385
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:53:02 2015 -0500

      qemu-io: fix cvtnum lval types

      cvtnum() returns int64_t: we should not be storing this
      result inside of an int.

      In a few cases, we need an extra sprinkling of error handling
      where we expect to pass this number on towards a function that
      expects something smaller than int64_t.

      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3fa123d05964b07f9d4d972f131cce847091926d
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 3 12:32:37 2015 +0200

      block: test 'blockdev-snapshot' using a file BDS as the overlay

      This test checks that it is not possible to create a snapshot if the
      requested overlay node is a BDS which does not support backing images.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f2d7f16f948b2ecfbb039c6bd62d6c7e2d61fac4
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 3 12:32:36 2015 +0200

      block: Remove inner quotation marks in iotest 085

      This patch removes the inner quotation marks in all cases like this:

         cmd=" ... "${variable}" ... "

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 08b24cfe3765f4b739700778814048e7d9a045fe
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 3 12:32:35 2015 +0200

      block: Disallow snapshots if the overlay doesn't support backing files

      This addresses scenarios like this one:

        { 'execute': 'blockdev-add', 'arguments':
          { 'options': { 'driver': 'qcow2',
                         'node-name': 'new0',
                         'file': { 'driver': 'file',
                                   'filename': 'new.qcow2',
                                   'node-name': 'file0' } } } }

        { 'execute': 'blockdev-snapshot', 'arguments':
          { 'node': 'virtio0',
            'overlay': 'file0' } }

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a0d64a61db602696f4f1895a890c65eda5b3b618
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Nov 4 15:15:36 2015 +0200

      throttle: Use bs->throttle_state instead of bs->io_limits_enabled

      There are two ways to check for I/O limits in a BlockDriverState:

      - bs->throttle_state: if this pointer is not NULL, it means that this
        BDS is member of a throttling group, its ThrottleTimers structure
        has been initialized and its I/O limits are ready to be applied.

      - bs->io_limits_enabled: if true it means that the throttle_state
        pointer is valid _and_ the limits are currently enabled.

      The latter is used in several places to check whether a BDS has I/O
      limits configured, but what it really checks is whether requests
      are being throttled or not. For example, io_limits_enabled can be
      temporarily set to false in cases like bdrv_read_unthrottled() without
      otherwise touching the throtting configuration of that BDS.

      This patch replaces bs->io_limits_enabled with bs->throttle_state in
      all cases where what we really want to check is the existence of I/O
      limits, not whether they are currently enabled or not.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5ac724184c286b367525035eabf4b8bb4a386c54
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Nov 4 15:15:35 2015 +0200

      throttle: Check for pending requests in throttle_group_unregister_bs()

      throttle_group_unregister_bs() removes a BlockDriverState from its
      throttling group and destroys the timers. This means that there must
      be no pending throttled requests at that point (because it would be
      impossible to complete them), so the caller has to drain them first.

      At the moment throttle_group_unregister_bs() is only called from
      bdrv_io_limits_disable(), which already takes care of draining the
      requests, so there's nothing to worry about, but this patch makes
      this invariant explicit in the documentation and adds the relevant
      assertions.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 62547b8a1c04daf30f50e3db362ade53e22bf222
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Nov 2 18:28:20 2015 -0500

      qemu-img: add check for zero-length job len

      The mirror job doesn't update its total length until
      it has already started running, so we should translate
      a zero-length job-len as meaning 0%.

      Otherwise, we may get divide-by-zero faults.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 95334230637cef9fbd199bb79a56271ec73d4732
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Nov 2 18:32:06 2015 -0500

      qcow2: avoid misaligned 64bit bswap

      If we create a buffer directly on the stack by using 12 bytes, there's
      no guarantee the 64bit value we want to swap will be aligned, which
      could cause errors with undefined behavior.

      Spotted with clang -fsanitize=undefined and observed in iotests 15, 26,
      44, 115 and 121.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bcdce5a73cb28f32b3ca3a51e8fa89879685e015
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 15:43:50 2015 +0200

      qemu-iotests: Test the reopening of overlay_bs in 'block-commit'

      The 'block-commit' command needs the overlay image of 'top' to
      be opened in read-write mode in order to update the backing file
      string. If 'top' is not the active layer or its backing file then its
      overlay needs to be reopened during the block job.

      This is a test case for that scenario.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3db2bd5508c86a1605258bc77c9672d93b5c350e
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 15:43:49 2015 +0200

      commit: reopen overlay_bs before base

      'block-commit' needs write access to two different nodes of the chain:

      - 'base', because that's where the data is written to.
      - the overlay of 'top', because it needs to update the backing file
        string to point to 'base' after the operation.

      Both images have to be opened in read-write mode, and commit_start()
      takes care of reopening them if necessary.

      With the current implementation, however, when overlay_bs is reopened
      in read-write mode it has the side effect of making 'base' read-only
      again, eventually making 'block-commit' fail.

      This needs to be fixed in bdrv_reopen(), but until we get to that it
      can be worked around simply by swapping the order of base and
      overlay_bs in the reopen queue.

      In order to reproduce this bug, overlay_bs needs to be initially in
      read-only mode. That is: the 'top' parameter of 'block-commit' cannot
      be the active layer nor its immediate backing chain.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 89e3a2d86d31212d09ca688193ccecb92c0c77b5
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:17 2015 +0200

      block: add tests for the 'blockdev-snapshot' command

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 43de7e2de07093e47c7f25386aff280875dc3c62
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:16 2015 +0200

      block: add a 'blockdev-snapshot' QMP command

      One of the limitations of the 'blockdev-snapshot-sync' command is that
      it does not allow passing BlockdevOptions to the newly created
      snapshots, so they are always opened using the default values.

      Extending the command to allow passing options is not a practical
      solution because there is overlap between those options and some of
      the existing parameters of the command.

      This patch introduces a new 'blockdev-snapshot' command with a simpler
      interface: it just takes two references to existing block devices that
      will be used as the source and target for the snapshot.

      Since the main difference between the two commands is that one of them
      creates and opens the target image, while the other uses an already
      opened one, the bulk of the implementation is shared.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3e8c2e57056614933fc5eb022e1d6d0f28071b44
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:15 2015 +0200

      block: support passing 'backing': '' to 'blockdev-add'

      Passing an empty string allows opening an image but not its backing
      file. This was already described in the API documentation, only the
      implementation was missing.

      This is useful for creating snapshots using images opened with
      blockdev-add, since they are not supposed to have a backing image
      before the operation.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a911e6ae7ce47d51b519d462c1d99d53b37b0f8c
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:14 2015 +0200

      block: rename BlockdevSnapshot to BlockdevSnapshotSync

      We will introduce the 'blockdev-snapshot' command that will require
      its own struct for the parameters, so we need to rename this one in
      order to avoid name clashes.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a39a24fbb05055d00026eb569ff3f7b868ca8785
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:13 2015 +0200

      block: check for existing device IDs in external_snapshot_prepare()

      The 'snapshot-node-name' parameter of blockdev-snapshot-sync allows
      setting the node name of the image that is going to be created.

      Before creating the image, external_snapshot_prepare() checks that the
      name is not already being used. The check is however incomplete since
      it only considers existing node names, but node names must not clash
      with device IDs either because they share the same namespace.

      If the user attempts to create a snapshot using the name of an
      existing device for the 'snapshot-node-name' parameter the operation
      will eventually fail, but only after the new image has been created.

      This patch replaces bdrv_find_node() with bdrv_lookup_bs() to extend
      the check to existing device IDs, and thus detect possible name
      clashes before the new image is created.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit adfe20303f2a897ce64b77fe579a0c7dc1e81771
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:19 2015 +0100

      iotests: Add test for change-related QMP commands

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit baead0abefa8e95b18e53281ac182c96b24ba0cb
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:18 2015 +0100

      hmp: Add read-only-mode option to change command

      Expose the new read-only-mode option of 'blockdev-change-medium' for the
      'change' HMP command.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 39ff43d9e1f42b1d829a955e546cddab87ac0626
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Nov 11 04:49:44 2015 +0100

      blockdev: read-only-mode for blockdev-change-medium

      Add an option to qmp_blockdev_change_medium() which allows changing the
      read-only status of the block device whose medium is changed.

      Some drives do not have a inherently fixed read-only status; for
      instance, floppy disks can be set read-only or writable independently of
      the drive. Some users may find it useful to be able to therefore change
      the read-only status of a block device when changing the medium.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1068674927a08cb9f535946abe2f91529b13160c
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:16 2015 +0100

      hmp: Use blockdev-change-medium for change command

      Use separate code paths for the two overloaded functions of the 'change'
      HMP command, and invoke the 'blockdev-change-medium' QMP command if used
      on a block device (by calling qmp_blockdev_change_medium()).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 24fb4133001e1f54a526f0927837f30c1507169a
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Fri Nov 6 16:27:06 2015 +0100

      qmp: Introduce blockdev-change-medium

      Introduce a new QMP command 'blockdev-change-medium' which is intended
      to replace the 'change' command for block devices. The existing function
      qmp_change_blockdev() is accordingly renamed to
      qmp_blockdev_change_medium().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f1f57066573e832438cd87600310589fa9cee202
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:14 2015 +0100

      block: Inquire tray state before tray-moved events

      blk_dev_change_media_cb() is called for all potential tray movements;
      however, it is possible to request closing the tray but nothing actually
      happening (on a floppy disk drive without a medium).

      Thus, the actual tray status should be inquired before sending a
      tray-moved event (and an event should be sent whenever the status
      changed).

      Checking @load is now superfluous; it was necessary because it was
      possible to change a medium without having explicitly opened the tray
      and closed it again (or it might have been possible, at least). This is
      no longer possible, though.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit de2c6c0536c5c5ebb6e0ce7dcfd8fa9476edab52
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:13 2015 +0100

      blockdev: Implement change with basic operations

      Implement 'change' on block devices by calling blockdev-open-tray,
      blockdev-remove-medium, blockdev-insert-medium (a variation of that
      which does not need a node-name) and blockdev-close-tray.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 38f54bd1ee0ed0f13b7326eb79403e320c3a28d3
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:12 2015 +0100

      blockdev: Implement eject with basic operations

      Implement 'eject' by calling blockdev-open-tray and
      blockdev-remove-medium.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d129988289a885e57aa8790097e2d814764571bd
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:11 2015 +0100

      blockdev: Add blockdev-insert-medium

      And a helper function for that, which directly takes a pointer to the
      BDS to be inserted instead of its node-name (which will be used for
      implementing 'change' using blockdev-insert-medium).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2814f67271bce537f29c6a7832f89fd4f1cdaa1a
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:10 2015 +0100

      blockdev: Add blockdev-remove-medium

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit abaaf59d245b6984644497b6745f88912c715c39
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:09 2015 +0100

      blockdev: Add blockdev-close-tray

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7d8a9f71b9ec9fa295265392218efaf0771d96e0
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:08 2015 +0100

      blockdev: Add blockdev-open-tray

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 38cb18f5b71428fb8a3e3759ac8fa21ac70cb1b5
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:07 2015 +0100

      block: Add functions for inheriting a BBRS

      In order to open a BDS which inherits a BB's root state,
      blk_get_open_flags_from_root_state() is used to inquire the flags to be
      passed to bdrv_open(), and blk_apply_root_state() is used to apply the
      remaining state after the BDS has been opened.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c69a4dd89989b483b06d765b13e41594c78d32b9
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:06 2015 +0100

      block: Make bdrv_states public

      When inserting a BDS tree into a BB, we will need to add the root BDS to
      this list. Since we will want to do that in the blockdev-insert-medium
      implementation in blockdev.c, we will need access to it there.

      This patch is not exactly elegant, but bdrv_states will be removed in
      the future anyway because we no longer need it since we have BBs.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1c95f7e1aff8417ff6e6cc23bc2d04fbcf79d37e
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:05 2015 +0100

      block: Add blk_remove_bs()

      This function removes the BlockDriverState associated with the given
      BlockBackend from that BB and sets the BDS pointer in the BB to NULL.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9f4ed6fbd264a7c097590d830dcfd93996a80acb
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 16:46:49 2015 +0200

      block: Don't call blk_bs() twice in bdrv_lookup_bs()

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3c07587d49458341510360557c849e93e9afaf59
  Merge: d93ae5b b41d320
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 11 09:34:18 2015 +0000

      Merge remote-tracking branch 'remotes/dgibson/tags/ppc-next-20151111' 
into staging

      ppc patch queue - 2015-11-11

      Highlights:
        - Updated SLOF version for "pseries machine
        - Bugfix / cleanup for KVM hash page table allocation

      # gpg: Signature made Wed 11 Nov 2015 02:30:51 GMT using RSA key ID 
20D9B392
      # gpg: Good signature from "David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@xxxxxxxxxx>"
      # gpg:                 aka "David Gibson (ozlabs.org) 
<dgibson@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 
B392

      * remotes/dgibson/tags/ppc-next-20151111:
        spapr: Handle failure of KVM_PPC_ALLOCATE_HTAB ioctl
        ppc: Let kvmppc_reset_htab() return 0 for !CONFIG_KVM
        pseries: Update SLOF firmware image to qemu-slof-20151103
        ppc: Add/Re-introduce MMU model definitions needed by PR KVM

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b41d320fef705289d2b73f4949731eb2e189161d
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Nov 10 10:54:54 2015 +0530

      spapr: Handle failure of KVM_PPC_ALLOCATE_HTAB ioctl

      KVM_PPC_ALLOCATE_HTAB ioctl can return -ENOMEM for KVM guests and QEMU
      never handled this correctly. But this didn't cause any problems till
      now as KVM_PPC_ALLOCATE_HTAB ioctl returned with smaller than requested
      HTAB when enough contiguous memory wasn't available in the host.
      After the proposed kernel change: 
https://patchwork.ozlabs.org/patch/530501/,
      KVM_PPC_ALLOCATE_HTAB ioctl will not fallback to lower sized HTAB
      allocation and will fail if requested HTAB size can't be met.

      Check for such failures in QEMU and abort appropriately. This will
      prevent guest kernel from hanging/freezing during early boot by doing
      graceful exit when host is unable to allocate requested HTAB.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a3166f8f6e9d3928d0b863c7f0dac1cf24b6c004
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Nov 10 10:54:53 2015 +0530

      ppc: Let kvmppc_reset_htab() return 0 for !CONFIG_KVM

      The !CONFIG_KVM implementation of kvmppc_reset_htab() returns -1
      by default. Change this to return 0 so that we fall back to user space
      HTAB allocation for emulated guests.

      This fixes the make check failures for ppc64 emulated target.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 121048195860f0320a7e1cd5a4b86356082eb9c7
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Tue Nov 3 13:20:34 2015 +1100

      pseries: Update SLOF firmware image to qemu-slof-20151103

      The changes are:
      1. supports recent binutils;
      2. 64bit BARs behind PCI bridges supported;
      3. Many fixes for USB keyboard support - keys, XHCI;
      4. virtio-vga support.

      This image was built with:
      gcc version 4.8.3 20140911 (Red Hat 4.8.3-7) (GCC)
      GNU ld version 2.23.2

      The full changelog is:
        > version: update to 20151103
        > documentation: Add a clause about signing off
        > qemu/js2x/client: Support binutils >= 2.25.1
        > Fix special keys on USB
        > Fix function keys on USB
        > pci-scan: program 64-bit mem bar range in pci-bridge bar
        > Allow to build SLOF on Little Endian host
        > usb-xhci: add keyboard support
        > usb-xhci: ready the link trb early
        > usb-xhci: scan usb high speed ports
        > usb-xhci: bulk improve event handling loop
        > usb-xhci: return on allocation failure
        > usb-xhci: add delay in shutdown path
        > usb-xhci: event trbs does not need link trb
        > usb-hid: refactor usb key reading
        > takeover: Fix header includes
        > board-js2x: Add missing file dma-function.fs
        > vga: Add support for virtio-vga
        > qemu-vga: Use MMIO BAR instead of legacy IO ports
        > slof: Change call_c() function to a proper assembler function

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ba3ecda05e933acf6fff618716b6f6d2ed6a5a07
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Nov 6 13:12:59 2015 +0530

      ppc: Add/Re-introduce MMU model definitions needed by PR KVM

      Commit aa4bb5875231 (ppc: Add mmu_model defines for arch 2.03 and 2.07)
      removed the mmu_model definition POWERPC_MMU_2_06a which is needed by
      PR KVM. Reintroduce it and also add POWERPC_MMU_2_07a.

      This fixes QEMU crash (qemu: fatal: Unknown MMU model) during booting
      of PR KVM guest.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Cc: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit d93ae5b69621b7ec6ecfa405ec656d5b5f5e4770
  Merge: a77067f bdd81ad
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 10 22:21:42 2015 +0000

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20151110.0' into staging

      VFIO updates 2015-11-10

       - Make Windows happy with vfio-pci devices exposed on conventional
         PCI buses on q35 by hiding PCIe capability (Alex Williamson)
       - Convert to g_new() where appropriate (Markus Armbruster)

      # gpg: Signature made Tue 10 Nov 2015 19:46:41 GMT using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20151110.0:
        vfio: Use g_new() & friends where that makes obvious sense
        vfio/pci: Hide device PCIe capability on non-express buses for PCIe VMs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bdd81addf4033ce26e6cd180b060f63095f3ded9
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 10 12:11:08 2015 -0700

      vfio: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0282abf078c3353a178ab77a115828ce333181dd
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Tue Nov 10 12:11:08 2015 -0700

      vfio/pci: Hide device PCIe capability on non-express buses for PCIe VMs

      When we have a PCIe VM, such as Q35, guests start to care more about
      valid configurations of devices relative to the VM view of the PCI
      topology.  Windows will error with a Code 10 for an assigned device if
      a PCIe capability is found for a device on a conventional bus.  We
      also have the possibility of IOMMUs, like VT-d, where the where the
      guest may be acutely aware of valid express capabilities on physical
      hardware.

      Some devices, like tg3 are adversely affected by this due to driver
      dependencies on the PCIe capability.  The only solution for such
      devices is to attach them to an express capable bus in the VM.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a77067f6ac9b17beefea506ce5f514072fe3fcf4
  Merge: a1a8858 15b3b8e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 10 17:49:39 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151110' into staging

      migration/next for 20151110

      # gpg: Signature made Tue 10 Nov 2015 14:23:26 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151110: (57 commits)
        migration: qemu_savevm_state_cleanup becomes mandatory operation
        Inhibit ballooning during postcopy
        Disable mlock around incoming postcopy
        End of migration for postcopy
        Postcopy: Mark nohugepage before discard
        postcopy: Wire up loadvm_postcopy_handle_ commands
        Start up a postcopy/listener thread ready for incoming page data
        Postcopy; Handle userfault requests
        Round up RAMBlock sizes to host page sizes
        Host page!=target page: Cleanup bitmaps
        Don't iterate on precopy-only devices during postcopy
        Don't sync dirty bitmaps in postcopy
        postcopy: Check order of received target pages
        Postcopy: Use helpers to map pages during migration
        postcopy_ram.c: place_page and helpers
        Page request: Consume pages off the post-copy queue
        Page request: Process incoming page request
        Page request: Add MIG_RP_MSG_REQ_PAGES reverse command
        Postcopy: End of iteration
        Postcopy: Postcopy startup in migration thread
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 15b3b8eaae8dbcc903bb164311ea0066c77536a7
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Mon Nov 9 10:24:04 2015 +0300

      migration: qemu_savevm_state_cleanup becomes mandatory operation

      since commit
          commit 94f5a43704129ca4995aa3385303c5ae225bde42
          Author: Liang Li <liang.z.li@xxxxxxxxx>
          Date:   Mon Nov 2 15:37:00 2015 +0800

          migration: defer migration_end & blk_mig_cleanup

      when actual .cleanup callbacks calling was removed from complete 
operations.

      The patch fixes regression introduced by the commit above results in
      100% reliable assert for virtio-scsi VM with iothreads enabled during
      'virsh create-snapshot' operation:
          assert(i != mr->ioeventfd_nb);
          memory_region_del_eventfd
          virtio_pci_set_host_notifier_internal
          virtio_pci_set_host_notifier
          virtio_scsi_dataplane_start
          virtio_scsi_handle_cmd
          virtio_queue_notify_vq
          virtio_queue_host_notifier_read
          aio_dispatch

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 371ff5a3f04cd7d05bab49ac6e80da319026d95b
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:23 2015 +0000

      Inhibit ballooning during postcopy

      Postcopy detects accesses to pages that haven't been transferred yet
      using userfaultfd, and it causes exceptions on pages that are 'not
      present'.
      Ballooning also causes pages to be marked as 'not present' when the
      guest inflates the balloon.
      Potentially a balloon could be inflated to discard pages that are
      currently inflight during postcopy and that may be arriving at about
      the same time.

      To avoid this confusion, disable ballooning during postcopy.

      When disabled we drop balloon requests from the guest.  Since ballooning
      is generally initiated by the host, the management system should avoid
      initiating any balloon instructions to the guest during migration,
      although it's not possible to know how long it would take a guest to
      process a request made prior to the start of migration.
      Guest initiated ballooning will not know if it's really freed a page
      of host memory or not.

      Queueing the requests until after migration would be nice, but is
      non-trivial, since the set of inflate/deflate requests have to
      be compared with the state of the page to know what the final
      outcome is allowed to be.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 58b7c17e226aa4d3b943ea22c1d1309126de146b
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:22 2015 +0000

      Disable mlock around incoming postcopy

      Userfault doesn't work with mlock; mlock is designed to nail down pages
      so they don't move, userfault is designed to tell you when they're not
      there.

      munlock the pages we userfault protect before postcopy.
      mlock everything again at the end if mlock is enabled.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e9bef235d91bff87517770c93d74eb98e5a33278
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:21 2015 +0000

      End of migration for postcopy

      Tweak the end of migration cleanup; we don't want to close stuff down
      at the end of the main stream, since the postcopy is still sending pages
      on the other thread.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f9527107570853b6a4a0903e4b0733747d02e74a
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:20 2015 +0000

      Postcopy: Mark nohugepage before discard

      Prior to servicing userfault requests we must ensure we've not got
      huge pages in the area that might include non-transferred memory,
      since a hugepage could incorrectly mark the whole huge page as present.

      We mark the area as non-huge page (nhp) just before we perform
      discards; the discard code now tells us to discard any areas
      that haven't been sent (as well as any that are redirtied);
      any already formed transparent-huge-pages get fragmented
      by this discard process if they cotnain any discards.

      Transparent huge pages that have been entirely transferred
      and don't contain any discards are not broken by this mechanism;
      they stay as huge pages.

      By starting postcopy after a full precopy pass, many of the pages
      then stay as huge pages; this is important for maintaining performance
      after the end of the migration.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 27c6825bd3749758fb9fcad44f3759f593be8506
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:19 2015 +0000

      postcopy: Wire up loadvm_postcopy_handle_ commands

      Wire up more of the handlers for the commands on the destination side,
      in particular loadvm_postcopy_handle_run now has enough to start the
      guest running.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c76201ab52b1dd53823cd81449d17b72224f1623
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:18 2015 +0000

      Start up a postcopy/listener thread ready for incoming page data

      The loading of a device state (during postcopy) may access guest
      memory that's still on the source machine and thus might need
      a page fill; split off a separate thread that handles the incoming
      page data so that the original incoming migration code can finish
      off the device data.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c4faeed2313e2bf9aa3694544bd211c15e28c164
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:17 2015 +0000

      Postcopy; Handle userfault requests

      userfaultfd is a Linux syscall that gives an fd that receives a stream
      of notifications of accesses to pages registered with it and allows
      the program to acknowledge those stalls and tell the accessing
      thread to carry on.

      We convert the requests from the kernel into messages back to the
      source asking for the pages.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4ed023ce2a39ab5812d33cf4d819def168965a7f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:16 2015 +0000

      Round up RAMBlock sizes to host page sizes

      RAMBlocks that are not a multiple of host pages in length
      cause problems for postcopy (I've seen an ACPI table on aarch64
      be 5k in length - i.e. 5x target-page), so round RAMBlock sizes
      up to a host-page.

      This potentially breaks migration compatibility due to changes
      in RAMBlock sizes; however:
         1) x86 and s390 I think always have host=target page size
         2) When I've tried on Power the block sizes already seem aligned.
         3) I don't think there's anything else that maintains per-version
            machine-types for compatibility.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 99e314ebca8c7b3450e4beaa95117c63d8f2f393
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:15 2015 +0000

      Host page!=target page: Cleanup bitmaps

      Prior to the start of postcopy, ensure that everything that will
      be transferred later is a whole host-page in size.

      This is accomplished by discarding partially transferred host pages
      and marking any that are partially dirty as fully dirty.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 35ecd943e7ea8a29b6cc6872ad8ba620e91b4407
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:14 2015 +0000

      Don't iterate on precopy-only devices during postcopy

      During the postcopy phase we must not call the iterate method on
      precopy-only devices, since they may have done some cleanup during
      the _complete call at the end of the precopy phase.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 663e6c1df8721960c0a3bb6cd5dd047b610c3bad
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:13 2015 +0000

      Don't sync dirty bitmaps in postcopy

      Once we're in postcopy the source processors are stopped and memory
      shouldn't change any more, so there's no need to look at the dirty
      map.

      There are two notes to this:
        1) If we do resync and a page had changed then the page would get
           sent again, which the destination wouldn't allow (since it might
           have also modified the page)
        2) Before disabling this I'd seen very rare cases where a page had been
           marked dirtied although the memory contents are apparently identical

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c53b7ddc61198c4af8290d6310592e48e3507c47
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:12 2015 +0000

      postcopy: Check order of received target pages

      Ensure that target pages received within a host page are in order.
      This shouldn't trigger, but in the cases where the sender goes
      wrong and sends stuff out of order it produces a corruption that's
      really nasty to debug.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a71808772acbea54df8ebf3680f01884f7383198
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:11 2015 +0000

      Postcopy: Use helpers to map pages during migration

      In postcopy, the destination guest is running at the same time
      as it's receiving pages; as we receive new pages we must put
      them into the guests address space atomically to avoid a running
      CPU accessing a partially written page.

      Use the helpers in postcopy-ram.c to map these pages.

      qemu_get_buffer_in_place is used to avoid a copy out of qemu_file
      in the case that postcopy is going to do a copy anyway.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 696ed9a9b3fee2d033d7b049ba2e6568860a25d1
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:10 2015 +0000

      postcopy_ram.c: place_page and helpers

      postcopy_place_page (etc) provide a way for postcopy to place a page
      into guests memory atomically (using the copy ioctl on the ufd).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a82d593b61054b3dea431ef829977000d772a252
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:09 2015 +0000

      Page request: Consume pages off the post-copy queue

      When transmitting RAM pages, consume pages that have been queued by
      MIG_RPCOMM_REQPAGE commands and send them ahead of normal page scanning.

      Note:
        a) After a queued page the linear walk carries on from after the
      unqueued page; there is a reasonable chance that the destination
      was about to ask for other closeby pages anyway.

        b) We have to be careful of any assumptions that the page walking
      code makes, in particular it does some short cuts on its first linear
      walk that break as soon as we do a queued page.

        c) We have to be careful to not break up host-page size chunks, since
      this makes it harder to place the pages on the destination.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 6c595cdee116dc46b0d4d7d632a426681ae66ad9
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:08 2015 +0000

      Page request: Process incoming page request

      On receiving MIG_RPCOMM_REQ_PAGES look up the address and
      queue the page.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1e2d90ebc54531c416a6765849308c8476d98f2d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:07 2015 +0000

      Page request: Add MIG_RP_MSG_REQ_PAGES reverse command

      Add MIG_RP_MSG_REQ_PAGES command on Return path for the postcopy
      destination to request a page from the source.

      Two versions exist:
         MIG_RP_MSG_REQ_PAGES_ID that includes a RAMBlock name and start/len
         MIG_RP_MSG_REQ_PAGES that just has start/len for use with the same
                              RAMBlock as a previous MIG_RP_MSG_REQ_PAGES_ID

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit b10ac0c42cef8829cd1461ce20f1869231b5f41f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:06 2015 +0000

      Postcopy: End of iteration

      The end of migration in postcopy is a bit different since some of
      the things normally done at the end of migration have already been
      done on the transition to postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1d34e4bf6a34f12b9ca387301b863b59f14d38ed
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:05 2015 +0000

      Postcopy: Postcopy startup in migration thread

      Rework the migration thread to setup and start postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f0a227ade4b0331c9e12fc01f8b74e2531fd496d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:04 2015 +0000

      postcopy: ram_enable_notify to switch on userfault

      Mark the area of RAM as 'userfault'
      Start up a fault-thread to handle any userfaults we might receive
      from it (to be filled in later)

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1caddf8a819d83027d897997c0af10c426f88633
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:03 2015 +0000

      postcopy: Incoming initialisation

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e0b266f01dd21748c12f35e18e6f300035f2f336
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:02 2015 +0000

      migration_completion: Take current state

      Soon we'll be in either ACTIVE or POSTCOPY_ACTIVE when we
      complete migration, and we need to know which we expect to be
      in to change state safely.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f3f491fcd6dd594ba695b7da5ecbdacb4e84b364
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:01 2015 +0000

      Postcopy: Maintain unsentmap

      Maintain an 'unsentmap' of pages that have yet to be sent.
      This is used in the following patches to discard some set of
      the pages already sent as we enter postcopy mode.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 763c906b0ee964e4b5c529a4ee171723339644cc
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:00 2015 +0000

      Add qemu_savevm_state_complete_postcopy

      Add qemu_savevm_state_complete_postcopy to complement
      qemu_savevm_state_complete_precopy together with a new
      save_live_complete_postcopy method on devices.

      The save_live_complete_precopy method is called on
      all devices during a precopy migration, and all non-postcopy
      devices during a postcopy migration at the transition.

      The save_live_complete_postcopy method is called at
      the end of postcopy for all postcopiable devices.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8421b205ddb70314c0de2aa3222aed755f310f87
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:59 2015 +0000

      Avoid sending vmdescription during postcopy

      VMDescription is normally sent at the end, after all
      of the devices; however that's not the end for postcopy,
      so just don't send it when in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 9ec055ae29df5132f61757519ab57b6b4209baa4
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:58 2015 +0000

      MIGRATION_STATUS_POSTCOPY_ACTIVE: Add new migration state

      'MIGRATION_STATUS_POSTCOPY_ACTIVE' is entered after migrate_start_postcopy

      'migration_in_postcopy' is provided for other sections to know if
      they're in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 36f48567b82e3160bc0df87b8b4f239d55ca73e9
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:57 2015 +0000

      migration_completion: Take current state

      Soon we'll be in either ACTIVE or POSTCOPY_ACTIVE when we
      complete migration, and we need to know which we expect to be
      in to change state safely.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4886a1bcb7d7a88da02eefb0f33327c613ac52a3
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:56 2015 +0000

      migrate_start_postcopy: Command to trigger transition to postcopy

      Once postcopy is enabled (with migrate_set_capability), the migration
      will still start on precopy mode.  To cause a transition into postcopy
      the:

        migrate_start_postcopy

      command must be issued.  Postcopy will start sometime after this
      (when it's next checked in the migration loop).

      Issuing the command before migration has started will error,
      and issuing after it has finished is ignored.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit eb59db53a4f23420f127ec7aad2a672f787df697
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:55 2015 +0000

      postcopy: OS support test

      Provide a check to see if the OS we're running on has all the bits
      needed for postcopy.

      Creates postcopy-ram.c which will get most of the other helpers we need.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c31b098f64c5bbbc26350b9b5cf98ae2d2888de7
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:54 2015 +0000

      Modify save_live_pending for postcopy

      Modify save_live_pending to return separate postcopiable and
      non-postcopiable counts.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 11cf1d984b86b294972cd25df6286e5b2e98735d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:53 2015 +0000

      MIG_CMD_PACKAGED: Send a packaged chunk of migration stream

      MIG_CMD_PACKAGED is a migration command that wraps a chunk of migration
      stream inside a package whose length can be determined purely by reading
      its header.  The destination guarantees that the whole MIG_CMD_PACKAGED
      is read off the stream prior to parsing the contents.

      This is used by postcopy to load device state (from the package)
      while leaving the main stream free to receive memory pages.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 093e3c429693f87fb917424c637ad8f599bd9e67
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:52 2015 +0000

      Add wrappers and handlers for sending/receiving the postcopy-ram 
migration messages.

      The state of the postcopy process is managed via a series of messages;
         * Add wrappers and handlers for sending/receiving these messages
         * Add state variable that track the current state of postcopy

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 53dd370ced9b61a8113fc1c19ac8d61ca572a29c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:51 2015 +0000

      Add migration-capability boolean for postcopy-ram.

      The 'postcopy ram' capability allows postcopy migration of RAM;
      note that the migration starts off in precopy mode until
      postcopy mode is triggered (see the migrate_start_postcopy
      patch later in the series).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7b89bf279f16c093ed46845b8e6e0fb61b7ef639
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:50 2015 +0000

      Rework loadvm path for subloops

      Postcopy needs to have two migration streams loading concurrently;
      one from memory (with the device state) and the other from the fd
      with the memory transactions.

      Split the core of qemu_loadvm_state out so we can use it for both.

      Allow the inner loadvm loop to quit and cause the parent loops to
      exit as well.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 70b2047774231ba2cb672eb936e12f603fa644aa
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:49 2015 +0000

      Return path: Source handling of return path

      Open a return path, and handle messages that are received upon it.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f6844b99ce08e836d509ec4be2fbfc5ab13ac18f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:48 2015 +0000

      migration_is_setup_or_active

      Add 'migration_is_setup_or_active' utility function to check state.
      (It gets postcopy added to it's list later on in the series)

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 6decec931149ae50d84e2b264bf93f3676d5b3f9
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:47 2015 +0000

      Return path: Send responses from destination to source

      Add migrate_send_rp_message to send a message from destination to source 
along the return path.
        (It uses a mutex to let it be called from multiple threads)
      Add migrate_send_rp_shut to send a 'shut' message to indicate
        the destination is finished with the RP.
      Add migrate_send_rp_ack to send a 'PONG' message in response to a PING
        Use it in the MSG_RP_PING handler

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2e37701efdba7bb89f7159eff055bb71dbb9f02f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:46 2015 +0000

      Return path: Control commands

      Add two src->dest commands:
         * OPEN_RETURN_PATH - To request that the destination open the return 
path
         * PING - Request an acknowledge from the destination

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c76ca1888f49b4155a9de5a915dc9f814800c817
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:45 2015 +0000

      Migration commands

      Create QEMU_VM_COMMAND section type for sending commands from
      source to destination.  These commands are not intended to convey
      guest state but to control the migration process.

      For use in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 3e4097b564386b1fd1b62f2cd20e056d4b3403da
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:44 2015 +0000

      Return path: socket_writev_buffer: Block even on non-blocking fd's

      The destination sets the fd to non-blocking on incoming migrations;
      this also affects the return path from the destination, and thus we
      need to make sure we can safely write to the return path.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a1a88589dc982f9f8b6c717c2ac98dd71dd4353d
  Merge: a8b4f95 577bf80
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 10 13:55:07 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151110' into staging

      target-arm queue:
       * fix bugs in gdb singlestep handling and breakpoints
       * minor code cleanup in arm_gic
       * clean up error messages in hw/arm/virt
       * fix highbank kernel booting by adding a board-setup blob

      # gpg: Signature made Tue 10 Nov 2015 13:43:52 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151110:
        target-arm: Clean up DISAS_UPDATE usage in AArch32 translation code
        hw/arm/virt: error_report cleanups
        arm: highbank: Implement PSCI and dummy monitor
        arm: highbank: Defeature CPU override
        arm: boot: Add secure_board_setup flag
        hw/intc/arm_gic: Remove the definition of NUM_CPU
        target-arm: Fix gdb singlestep handling in arm_debug_excp_handler()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit adc468e9b9ad866cd95b1e567291f9dcc1f49f1c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:43 2015 +0000

      Return path: Open a return path on QEMUFile for sockets

      Postcopy needs a method to send messages from the destination back to
      the source, this is the 'return path'.

      Wire it up for 'socket' QEMUFile's.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c1fcf220c95b17f1a05adb799824d2c352ff9281
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:42 2015 +0000

      Add Linux userfaultfd.h header

      Postcopy uses the userfaultfd.h feature in the Linux kernel; include
      the header.

      (In early versions of the patch series we had this, and then we dropped
      this by only including it if the kernel headers defined the syscall
      number; however 1842bdfd added the syscall definition to our
      headers, which means we can't tell if the kernel has it or not)

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a3e06c3d13b77a2534894dcebbc6ac08568dbe73
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:41 2015 +0000

      Rename save_live_complete to save_live_complete_precopy

      In postcopy we're going to need to perform the complete phase
      for postcopiable devices at a different point, start out by
      renaming all of the 'complete's to make the difference obvious.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit aefeb18bde45fa629e3055a7bb6637a7dcad8c36
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:40 2015 +0000

      migrate_init: Call from savevm

      Suspend to file is very much like a migrate, and it makes life
      easier if we have the Migration state available, so initialise it
      in the savevm.c code for suspending.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewd-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a776aa15a7e3e08964c6c537314b9590dde27b4d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:39 2015 +0000

      ram_load: Factor out host_from_stream_offset call and check

      The main RAM load loop has a call to host_from_stream_offset for
      each page type that actually loads data with the same test;
      factor it out before the switch.

      The host = NULL is to silence a bogus gcc warning of
      an unitialised in the RAM_SAVE_COMPRESS_PAGE case, it
      doesn't seem to realise that host is always initialised by the if at
      the top in the cases the switch takes.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4f2e425267327719ee71ba6f191f7d66507a6c02
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:38 2015 +0000

      ram_debug_dump_bitmap: Dump a migration bitmap as text

      Useful for debugging the migration bitmap and other bitmaps
      of the same format (including the sentmap in postcopy).

      The bitmap is printed to stderr.
      Lines that are all the expected value are excluded so the output
      can be quite compact for many bitmaps.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit ebf811500bc8dffa906ebd4c52b96f7620d7bf8e
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:37 2015 +0000

      Add QEMU_MADV_NOHUGEPAGE

      Add QEMU_MADV_NOHUGEPAGE as an OS-independent version of
      MADV_NOHUGEPAGE.

      We include sys/mman.h before making the test to ensure
      that we pick up the system defines.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a800cd5c38ba4ac20fe9ca68a6dee408f2d5b11f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:36 2015 +0000

      Add wrapper for setting blocking status on a QEMUFile

      Add a wrapper to change the blocking status on a QEMUFile
      rather than having to use qemu_set_block(qemu_get_fd(f));
      it seems best to avoid exposing the fd since not all QEMUFile's
      really have one.  With this wrapper we could move the implementation
      down to be different on different transports.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 9504fb510c87c3dd6fe2e9a25e84c1426672f226
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:35 2015 +0000

      Add qemu_get_buffer_in_place to avoid copies some of the time

      qemu_get_buffer always copies the data it reads to a users buffer,
      however in many cases the file buffer inside qemu_file could be given
      back to the caller, avoiding the copy.  This isn't always possible
      depending on the size and alignment of the data.

      Thus 'qemu_get_buffer_in_place' either copies the data to a supplied
      buffer or updates a pointer to the internal buffer if convenient.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 42e2aa56372291d35345fcec85d5da2004c8b57c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:34 2015 +0000

      Rename mis->file to from_src_file

      'file' becomes confusing when you have flows in each direction;
      rename to make it clear.
      This leaves just the main forward direction ms->file, which is used
      in a lot of places and is probably not worth renaming given the churn.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e3dd74934f2d2c8c67083995928ff68e8c1d0030
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:33 2015 +0000

      qemu_ram_block_by_name

      Add a function to find a RAMBlock by name; use it in two
      of the places that already open code that loop; we've
      got another use later in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 422148d3e56c3c9a07c0cf36c1e0a0b76f09c357
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:32 2015 +0000

      qemu_ram_block_from_host

      Postcopy sends RAMBlock names and offsets over the wire (since it can't
      rely on the order of ramaddr being the same), and it starts out with
      HVA fault addresses from the kernel.

      qemu_ram_block_from_host translates a HVA into a RAMBlock, an offset
      in the RAMBlock and the global ram_addr_t value.

      Rewrite qemu_ram_addr_from_host to use qemu_ram_block_from_host.

      Provide qemu_ram_get_idstr since its the actual name text sent on the
      wire.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 87f50caa30ae7449c5875ff3171cff4d8648569a
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:31 2015 +0000

      Move page_size_init earlier

      The HOST_PAGE_ALIGN macros don't work until the page size variables
      have been set up; later in postcopy I use those macros in the RAM
      code, and it can be triggered using -object.

      Fix this by initialising page_size_init() earlier - it's currently
      initialised inside the accelerators, move it up into vl.c.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 172dfd4faf2b64720db8a2dad7048056f2b81d75
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:30 2015 +0000

      Move configuration section writing

      The vmstate_configuration is currently written
      in 'qemu_savevm_state_begin', move it to
      'qemu_savevm_state_header' since it's got a hard
      requirement that it must be the 1st thing after
      the header.
      (In postcopy some 'command' sections get sent
      early before the saving of the main sections
      and hence before qemu_savevm_state_begin).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 038629a699240326928665ea97e6e11059bbc007
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:29 2015 +0000

      Provide runtime Target page information

      The migration code generally is built target-independent, however
      there are a few places where knowing the target page size would
      avoid artificially moving stuff into migration/ram.c.

      Provide 'qemu_target_page_bits()' that returns TARGET_PAGE_BITS
      to other bits of code so that they can stay target-independent.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2bfdd1c8a6ac22ee1f9209c247509ff0cadd2a52
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:28 2015 +0000

      Add postcopy documentation

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 577bf808958d06497928c639efaa473bf8c5e099
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      target-arm: Clean up DISAS_UPDATE usage in AArch32 translation code

      AArch32 translation code does not distinguish between DISAS_UPDATE and
      DISAS_JUMP. Thus, we cannot use any of them without first updating PC in
      CPU state. Furthermore, it is too complicated to update PC in CPU state
      before PC gets updated in disas context. So it is hardly possible to
      correctly end TB early if is is not likely to be executed before calling
      disas_*_insn(), e.g. just after calling breakpoint check helper.

      Modify DISAS_UPDATE and DISAS_JUMP usage in AArch32 translation and
      apply to them the same semantic as AArch64 translation does:
       - DISAS_UPDATE: update PC in CPU state when finishing translation
       - DISAS_JUMP:   preserve current PC value in CPU state when finishing
                       translation

      This patch fixes a bug in AArch32 breakpoint handling: when
      check_breakpoints helper does not generate an exception, ending the TB
      early with DISAS_UPDATE couldn't update PC in CPU state and execution
      hangs.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1447097859-586-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit faa811f6de44d58180f5d235787678dcdd4b2e9d
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      hw/arm/virt: error_report cleanups

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1446909925-12201-1-git-send-email-drjones@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 40340e5f221935723bffbca305f3090e8866c818
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      arm: highbank: Implement PSCI and dummy monitor

      Firstly, enable monitor mode and PSCI, both of which are features of
      this board.

      In addition to PSCI, this board also uses SMC for cache maintenance
      ops. This means we need a secure monitor to catch these and nop them.
      Use the ARM boot board-setup feature to implement this. The SMC trap
      implements the needed nop while all other traps will pen the CPU.

      As a KVM CPU cannot run in secure mode, do not do the board-setup if
      not running TCG. Report a warning explaining the limitation in this
      case.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
0fd0d12f0fa666c86616c89447861a70dbe27312.1447007690.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dca6eeed8c2a1c131d161139428dd18a35e58b03
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      arm: highbank: Defeature CPU override

      This board should not support CPU model override. This allows for
      easier patching of the board with being able to rely on the CPU
      type being correct.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
471a61e049c7ca6e82f5ef6668889a1d518c7e00.1447007690.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit baf6b6815ba9ae8255eefd1ddf15216d53da34b5
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      arm: boot: Add secure_board_setup flag

      Add a flag that when set, will cause the primary CPU to start in secure
      mode, even if the overall boot is non-secure. This is useful for when
      there is a board-setup blob that needs to run from secure mode, but
      device and secondary CPU init should still be done as-normal for a non-
      secure boot.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
d1170774d5446d715fced7739edfc61a5be931f9.1447007690.git.crosthwaite.peter@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b95690c9beaffd95edf91eb67829dc1e0a81e666
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      hw/intc/arm_gic: Remove the definition of NUM_CPU

      arm_gic.c retrieves CPU number using either NUM_CPU(s) or s->num_cpu.
      Such mixed-uses make source code inconsistent. This patch removes
      NUM_CPU(s), which was defined for MPCore tweak long ago, and instead
      favors s->num_cpu. The source is more consistent after this small tweak.

      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Message-id: 1446744293-32365-1-git-send-email-wei@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5c629f4ff4dc9ae79cc732f59a8df15ede796ff7
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:32 2015 +0000

      target-arm: Fix gdb singlestep handling in arm_debug_excp_handler()

      Do not raise a CPU exception if no CPU breakpoint has fired, since
      singlestep is also done by generating a debug internal exception. This
      fixes a bug with singlestepping in gdbstub.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1446726361-18328-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a8b4f9585a0bf5186fca793ce2c5d754cd8ec49a
  Merge: ce27861 f545504
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 10 09:39:24 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-11-10' 
into staging

      QAPI patches

      # gpg: Signature made Tue 10 Nov 2015 07:12:25 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-11-10:
        qapi-introspect: Document lack of sorting
        qapi: Provide nicer array names in introspection
        qapi: More tests of input arrays
        qapi: Test failure in middle of array parse
        qapi: More tests of alternate output
        qapi: Simplify error cleanup in test-qmp-*
        qapi: Simplify non-error testing in test-qmp-*
        qapi: Plug leaks in test-qmp-*
        qapi: Share test_init code in test-qmp-input*
        qobject: Protect against use-after-free in qobject_decref()
        qapi: Strengthen test of TestStructList
        qapi: Use generated TestStruct machinery in tests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f5455044201747fd72531f5e8c1b1e9c56573d9c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:36 2015 -0700

      qapi-introspect: Document lack of sorting

      qapi-code-gen.txt already claims that types, commands, and
      events share a common namespace; set this in stone by further
      documenting that our introspection output will never have
      collisions with the same name tied to more than one meta-type.

      Our largest QMP enum currently has 125 values, our largest
      object type has 27 members, and the mean for each is less than
      10.  These sizes are small enough that the per-element overhead
      of O(log n) binary searching probably outweighs the speed
      possible with direct O(n) linear searching (a better algorithm
      with more overhead will only beat a leaner naive algorithm only
      as you scale to larger input sizes).

      Arguably, the overall SchemaInfo array could be sorted by name;
      there, we currently have 531 entities, large enough for a binary
      search to be faster than linear.  However, remember that we have
      mutually-recursive types, which means there is no topological
      ordering that will allow clients to learn all information about
      that type in a single linear pass; thus clients will want to do
      random access over the data, and they will probably read the
      introspection output into a hashtable for O(1) lookup rather
      than O(log n) binary searching, at which point, pre-sorting our
      introspection output doesn't help the client.

      It doesn't help that sorting can be subjective if you introduce
      locales into the mix (I'm not experienced enough with Python
      to know for sure, but at least it looks like it defaults to
      sorting in the C locale even when run under a different locale).
      And while our current introspection output is deterministic
      (because we visit entities in a sorted order), we may want
      to change that order in the future (such as using OrderedDict
      to stick to .json declaration order).

      For these reasons, we simply document that clients should not
      rely on any particular order of items in introspection output.
      And since it is now a documented part of the contract, we have
      the freedom to later rearrange output if needed, without
      worrying about breaking well-written clients.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-13-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ce5fcb472d512455a8d13fae4c04ecf8eb00573b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:35 2015 -0700

      qapi: Provide nicer array names in introspection

      For the sake of humans reading introspection output, it is nice
      to have the name of implicit array types be recognizable as
      arrays of the underlying type.  However, while this patch allows
      humans to skip from a command with return type "[123]" straight
      to the definition of type "123" without having to first inspect
      type "[123]", document that this shortcut should not be taken by
      client apps.

      This makes the resulting introspection string slightly larger by
      default (just over 200 bytes), but it's in the noise (less than
      0.3% of the overall 70k size of 'query-qmp-capabilities').

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-12-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2533377c7b0c686d1510ed6499cedf938607e805
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:34 2015 -0700

      qapi: More tests of input arrays

      Our testsuite had no coverage of empty arrays, nor of what
      happens when the input does not match the expected type.
      Useful to have, especially if we start changing the visitor
      contracts.

      I did not think it worth duplicating these additions to
      test-qmp-input-strict; since all strict mode does is add
      the ability to reject JSON input that has more keys than
      what the visitor expects, yet the additions in this patch
      error out earlier than that point regardless of whether
      strict mode was requested.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-11-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit dd5ee2c2d3e3a17647ddd9bfa97935b8cb5dfa40
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:33 2015 -0700

      qapi: Test failure in middle of array parse

      Our generated list visitors have the same problem as has been
      mentioned elsewhere (see commit 2f52e20): they allocate data
      even on failure. An upcoming patch will correct things to
      provide saner guarantees, but first we need to expose the
      behavior in the testsuite to ensure we aren't introducing any
      memory usage bugs.

      There are more test cases throughout the test-qmp-input-* tests
      that already deal with partial allocation; a later commit will
      clean up all visit_type_FOO(), without marking all of the tests
      with FIXME at this time.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-10-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 12fafd7cedad51854c468ea0496a6542b3222b29
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:32 2015 -0700

      qapi: More tests of alternate output

      The testsuite was only covering that we could output the 'int'
      branch of an alternate (no additional allocation/cleanup required).
      Add a test of the 'str' branch, to make sure that things still
      work even when a branch involves allocation.

      Update to modern style of g_new0() over g_malloc0() while
      touching it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-9-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit a12a5a1a0132527afe87c079e4aae4aad372bd94
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:31 2015 -0700

      qapi: Simplify error cleanup in test-qmp-*

      We have several tests that perform multiple sub-actions that are
      expected to fail.  Asserting that an error occurred, then clearing
      it up to prepare for the next action, turned into enough
      boilerplate that it was sometimes forgotten (for example, a number
      of tests added to test-qmp-input-visitor.c in d88f5fd leaked err).
      Worse, if an error is not reset to NULL, we risk invalidating
      later use of that error (passing a non-NULL err into a function
      is generally a bad idea).  Encapsulate the boilerplate into a
      single helper function error_free_or_abort(), and consistently
      use it.

      The new function is added into error.c for use everywhere,
      although it is anticipated that testsuites will be the main
      client.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ce278618b088afd10b91a05311eaeb6401bb5004
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 9 15:14:09 2015 +0000

      configure: Don't disable optimization for non-fortify builds

      Commit b553a0428014636bc inadvertently disabled optimization
      for all non-fortify builds. Fix this bug so we only do an
      unoptimized build if we want debug.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1447082049-25099-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit d17008bc2914d62fd0af6a8f313604ae9f9a102c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 9 14:56:31 2015 +0000

      hw/timer/hpet.c: Avoid signed integer overflow which results in bugs on 
OSX

      Signed integer overflow in C is undefined behaviour, and the compiler
      is at liberty to assume it can never happen and optimize accordingly.
      In particular, the subtractions in hpet_time_after() and 
hpet_time_after64()
      were causing OSX clang to optimize the code such that it was prone to
      hangs and complaints about the main loop stalling (presumably because
      we were spending all our time trying to service very high frequency
      HPET timer callbacks). The clang sanitizer confirms the UB:

      hw/timer/hpet.c:119:26: runtime error: signed integer overflow: 
-2146967296 - 2147003978 cannot be represented in type 'int'

      Fix this by doing the subtraction as an unsigned operation and then
      converting to signed for the comparison.

      Reported-by: Aaron Elkins <threcius@xxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1447080991-24995-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 3f66f764ee25f10d3e1144ebc057a949421b7728
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:30 2015 -0700

      qapi: Simplify non-error testing in test-qmp-*

      By using &error_abort, we can avoid a local err variable in
      situations where we expect success.  It also has the nice
      effect that if the test breaks, the error message from
      error_abort tends to be nicer than that of g_assert().

      This patch has an additional bonus of fixing several call sites that
      were passing &err to two different functions without checking it in
      between.  In general that is unsafe practice; because if the first
      function sets an error, the second function could abort() if it tries to
      set a different error. We got away with it because we were asserting
      that err was NULL through the entire chain, but switching to
      &error_abort avoids the questionable practice up front.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-7-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b18f1141d0afa00de11a8e079f4f5305c9e36893
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:29 2015 -0700

      qapi: Plug leaks in test-qmp-*

      Make valgrind happy with the current state of the tests, so that
      it is easier to see if future patches introduce new memory problems
      without being drowned in noise.  Many of the leaks were due to
      calling a second init without tearing down the data from an earlier
      visit.  But since teardown is already idempotent, and we already
      register teardown as part of input_visitor_test_add(), it is nicer
      to just make init() safe to call multiple times than it is to have
      to make all tests call teardown.

      Another common leak was forgetting to clean up an error object,
      after testing that an error was raised.

      Another leak was in test_visitor_in_struct_nested(), failing to
      clean the base member of UserDefTwo.  Cleaning that up left
      check_and_free_str() as dead code (since using the qapi_free_*
      takes care of recursion, and we don't want double frees).

      A final leak was in test_visitor_out_any(), which was reassigning
      the qobj local variable to a subset of the overall structure
      needing freeing; it did not result in a use-after-free, but
      was not cleaning up all the qdict.

      test-qmp-event and test-qmp-commands were already clean.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-6-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 0920a17199d23b3def3a60fa1fbbdeadcdda452d
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:28 2015 -0700

      qapi: Share test_init code in test-qmp-input*

      Rather than duplicate the body of two functions just to
      decide between qobject_from_jsonv() and qobject_from_json(),
      exploit the fact that qobject_from_jsonv() intentionally
      takes 'va_list *' instead of the more common 'va_list', and
      that qobject_from_json() just calls qobject_from_jsonv(,NULL).
      For each file, our two existing init functions then become
      thin wrappers around a new internal function, and future
      updates to initialization don't have to be duplicated.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-5-git-send-email-eblake@xxxxxxxxxx>
      [Two old comment typos fixed]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cc9f60d4a2a4bf2578a9309a18f1c4602c9f5ce7
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:27 2015 -0700

      qobject: Protect against use-after-free in qobject_decref()

      Adding an assertion to qobject_decref() will ensure that a
      programming error causing use-after-free will result in
      immediate failure (provided no other thread has started
      using the memory) instead of silently attempting to wrap
      refcnt around and leaving the problem to potentially bite
      later at a harder point to diagnose.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-4-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit bd20588d19e9ff0e94b2d4ca3b5d6b3b3d6a1274
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:26 2015 -0700

      qapi: Strengthen test of TestStructList

      Make each list element different, to ensure that order is
      preserved, and use the generated free function instead of
      hand-rolling our own to ensure (under valgrind) that the
      list is properly cleaned.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-3-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 748053c97b11039f657525fd7d57a39806d8083e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:25 2015 -0700

      qapi: Use generated TestStruct machinery in tests

      Commit d88f5fd and friends first introduced the various test-qmp-*
      tests in 2011, with duplicated hand-rolled TestStruct machinery,
      to make sure the qapi visitor interface was tested.  Later, commit
      4f193e3 in 2013 added a .json file for further testing use by the
      files, but without consolidating any of the existing hand-rolled
      visitors.  And with four copies, subtle differences have crept in,
      between the tests themselves (mainly whitespace differences, but
      also a question of whether to use NULL or "TestStruct" when
      calling visit_start_struct()) and from what the generator produces
      (the hand-rolled versions did not cater to partially-allocated
      objects, because they did not have a deallocation usage).

      Of course, just because the visitor interface is tested does not
      mean it is a sane interface; and future patches will be changing
      some of the visitor contracts.  Rather than having to duplicate
      the cleanup work in each copy of the TestStruct visitor, and keep
      each hand-rolled copy in sync with what the generator supplies, we
      might as well just test what the generator should give us in the
      first place.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-2-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9d5c1dc117d1ad881bbc76f6990ee1f9e9f8ef7f
  Merge: b3a9e57 84aa014
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 9 11:20:51 2015 +0000

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Mon 09 Nov 2015 10:08:17 GMT using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        blockdev: acquire AioContext in hmp_commit()
        monitor: add missed aio_context_acquire into vm_completion call
        aio: Introduce aio-epoll.c
        aio: Introduce aio_context_setup
        aio: Introduce aio_external_disabled
        dataplane: support non-contigious s/g
        dataplane: simplify indirect descriptor read

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 84aa0140dd4f04f5d993f0db14c40da8d3de2706
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Nov 4 20:27:23 2015 +0300

      blockdev: acquire AioContext in hmp_commit()

      This one slipped through.  Although we acquire AioContext when
      committing all devices we don't for just a single device.

      AioContext must be acquired before calling bdrv_*() functions to
      synchronize access with other threads that may be using the AioContext.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6bf1faa84877514971a20bb180b0ae5270bee571
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Wed Nov 4 20:19:42 2015 +0300

      monitor: add missed aio_context_acquire into vm_completion call

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      CC: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fbe3fc5cb3cd9f9064e98c549684e821c353fe41
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 30 12:06:29 2015 +0800

      aio: Introduce aio-epoll.c

      To minimize code duplication, epoll is hooked into aio-posix's
      aio_poll() instead of rolling its own. This approach also has both
      compile-time and run-time switchability.

      1) When QEMU starts with a small number of fds in the event loop, ppoll
      is used.

      2) When QEMU starts with a big number of fds, or when more devices are
      hot plugged, epoll kicks in when the number of fds hits the threshold.

      3) Some fds may not support epoll, such as tty based stdio. In this
      case, it falls back to ppoll.

      A rough benchmark with scsi-disk on virtio-scsi dataplane (epoll gets
      enabled from 64 onward). Numbers are in MB/s.

      ===============================================
                   |     master     |     epoll
                   |                |
      scsi disks # | read    randrw | read    randrw
      -------------|----------------|----------------
      1            | 86      36     | 92      45
      8            | 87      43     | 86      41
      64           | 71      32     | 70      38
      128          | 48      24     | 58      31
      256          | 37      19     | 57      28
      ===============================================

      To comply with aio_{disable,enable}_external, we always use ppoll when
      aio_external_disabled() is true.

      [Removed #ifdef CONFIG_EPOLL around AioContext epollfd field declaration
      since the field is also referenced outside CONFIG_EPOLL code.
      --Stefan]

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446177989-6702-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 37fcee5d1154b7a03c13582e128bcc31ad43e954
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 30 12:06:28 2015 +0800

      aio: Introduce aio_context_setup

      This is the place to initialize platform specific bits of AioContext.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446177989-6702-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5ceb9e39284b69d2e1b01da3cb1894ad4b2b4606
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 30 12:06:27 2015 +0800

      aio: Introduce aio_external_disabled

      This allows AioContext users to check the enable/disable state of
      external clients.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446177989-6702-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 8347c53243b58ad5e4d623d2403853404e9043a1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 28 17:48:04 2015 +0200

      dataplane: support non-contigious s/g

      bring_map currently fails if one of the entries it's mapping is
      contigious in GPA but not HVA address space.  Introduce a mapped_len
      parameter so it can handle this, returning the actual mapped length.

      This will still fail if there's no space left in the sg, but luckily max
      queue size in use is currently 256, while max sg size is 1024, so we
      should be OK even is all entries happen to cross a single DIMM boundary.

      Won't work well with very small DIMM sizes, unfortunately:
      e.g. this will fail with 4K DIMMs where a single
      request might span a large number of DIMMs.

      Let's hope these are uncommon - at least we are not breaking things.

      Reported-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reported-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1446047243-3221-2-git-send-email-mst@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 572ec519ed6fe68f10ec65963527536c2322eab0
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 28 17:48:02 2015 +0200

      dataplane: simplify indirect descriptor read

      Use address_space_read to make sure we handle the case of an indirect
      descriptor crossing DIMM boundary correctly.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1446047243-3221-1-git-send-email-mst@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b3a9e57d92dff7dd5822f322e4eb49af9e1b70b8
  Merge: c4a7bf5 0c47242
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Nov 7 21:41:33 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      target-i386: tcg: Handle clflushopt/clwb/pcommit instructions

      A small update to TCG code so it can handle the new
      clflushopt/clwb/pcommit instructions.

      # gpg: Signature made Sat 07 Nov 2015 14:50:54 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Add clflushopt/clwb/pcommit to TCG_7_0_EBX_FEATURES
        target-i386: tcg: Check right CPUID bits for clflushopt/pcommit
        target-i386: tcg: Accept clwb instruction

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c4a7bf54e588ff2de9fba0898b686156251b2063
  Merge: 4b59f39 dca6257
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Nov 7 19:55:15 2015 +0000

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri 06 Nov 2015 20:01:44 GMT using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        arm: allwinner-a10: Add SATA
        ahci: Add allwinner AHCI
        ahci: split realize and init
        ahci: Add some MMIO debug printfs
        ide: remove hardcoded 2GiB transactional limit

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dca625768a7da9377cd5886cc03854229c1e18a1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Nov 6 14:09:01 2015 -0500

      arm: allwinner-a10: Add SATA

      Add the Allwinner A10 AHCI controller module to the SoC.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
69d6962f2d14a218bd07e9ac4ccd1947737cc30f.1445917756.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 377e2145392e5787d35e58d643bd3de4838006b4
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Nov 6 14:09:01 2015 -0500

      ahci: Add allwinner AHCI

      Add a Sysbus AHCI subclass for the Allwinner AHCI. It has a few extra
      vendor specific registers which are used for phy and power init.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
833b5b05ed5ade38bf69656679b0a7575e79492b.1445917756.git.crosthwaite.peter@xxxxxxxxx
      [resolved patch context on pull --js]
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 0487eea48ecc6e525d6e626d94da54e203089a95
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Nov 6 14:09:00 2015 -0500

      ahci: split realize and init

      Do the init level tasks asap and the realize later (mainly when
      num_ports is available). This allows sub-class realize routines
      to work with the device post-init.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1a7c7b2b32e5ccf49373a5065da5ece89730d3ac.1445917756.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 802742670df73773c0dbaa251c63e4561cc794a1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Nov 6 14:09:00 2015 -0500

      ahci: Add some MMIO debug printfs

      These are useful for bringup of AHCI.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
517ba413dce7deb4ab17c0cc1e8bbdaaace2a0db.1445917756.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 9fbf0fa81fca8f527669dd4fa72662d66e7d6329
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 6 14:09:00 2015 -0500

      ide: remove hardcoded 2GiB transactional limit

      Not that you can request a >2GiB transaction, but that's why checking
      for it makes no sense anymore.

      With the newer 'limit' parameter to prepare_buf, we no longer need a
      static limit. The maximum limit is still 2GiB, but the limit parameter
      is set to the current transaction size, which cannot surpass 32MiB
      (512 * 65536). If the PRDT surpasses the transactional size, then,
      we'll just carry out the normative underflow handling pathways instead
      of needing an extra, strange pathway that worries about hitting some
      logistical cap for the largest sglist we can support -- we'll never
      even attempt to build one that big anymore.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Acked-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1445902682-20051-1-git-send-email-jsnow@xxxxxxxxxx

  commit 0c47242b519a224279f13c685aa6e79347f97b85
  Author: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
  Date:   Thu Oct 29 15:31:39 2015 +0800

      target-i386: Add clflushopt/clwb/pcommit to TCG_7_0_EBX_FEATURES

      Now these instructions are handled by TCG and can be added to the
      TCG_7_0_EBX_FEATURES macro.

      Signed-off-by: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 891bc821a3ee462b09b1ec436f2891f00ab1f85b
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 4 19:24:46 2015 -0200

      target-i386: tcg: Check right CPUID bits for clflushopt/pcommit

      Detect the clflushopt and pcommit instructions and check their
      corresponding feature flags, instead of checking CPUID_SSE and
      CPUID_CLFLUSH.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 5e1fac2dba7780e0cb2c022d4b39586af70bea0d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 4 19:24:45 2015 -0200

      target-i386: tcg: Accept clwb instruction

      Accept the clwb instruction (66 0F AE /6) if its corresponding feature
      flag is enabled on CPUID[7].

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 4b59f39bc9a03afcc74b2fa28da7c3189fca507c
  Merge: 9319738 bd54a9f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 6 12:50:24 2015 +0000

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-11-06' into staging

      trivial patches for 2015-11-06

      # gpg: Signature made Fri 06 Nov 2015 12:42:43 GMT using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-11-06: (24 commits)
        tap-bsd: use user-specified tap device if it already exists
        qemu-sockets: do not test path with access() before unlinking
        taget-ppc: Fix read access to IBAT registers higher than IBAT3
        exec: avoid unnecessary cacheline bounce on ram_list.mru_block
        target-alpha: fix uninitialized variable
        ivshmem-server: fix possible OVERRUN
        pci-assign: do not test path with access() before opening
        qom/object: fix 2 comment typos
        configure: remove help string for 'vnc-tls' option
        usb: Use g_new() & friends where that makes obvious sense
        qxl: Use g_new() & friends where that makes obvious sense
        ui: Use g_new() & friends where that makes obvious sense
        bt: fix use of uninitialized variable seqlen
        hw/dma/pxa2xx: Remove superfluous memset
        linux-user/syscall: Replace g_malloc0 + memcpy with g_memdup
        tests/i44fx-test: No need for zeroing memory before memset
        hw/input/tsc210x: Remove superfluous memset
        xen: fix invalid assertion
        tests: ignore test-qga
        fix bad indentation in pcie_cap_slot_write_config()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bd54a9f9435c85de190a82019faef16c5ecf8e46
  Author: Ed Maste <emaste@xxxxxxxxxxx>
  Date:   Fri Oct 23 11:53:55 2015 -0400

      tap-bsd: use user-specified tap device if it already exists

      Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
      Signed-off-by: Ed Maste <emaste@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a2f31f180499593b5edb8ac5ab8ac1b92f0abcd4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Nov 4 14:48:47 2015 +0100

      qemu-sockets: do not test path with access() before unlinking

      Using access() is a time-of-check/time-of-use race condition.  It is
      okay to use them to provide better error messages, but that is pretty
      much it.

      This is not one such case; on the other hand, access() *will* skip
      unlink() for a non-existent path, so ignore ENOENT return values from
      the unlink() system call.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3ede8f699645f4ca7cdbc40d8139e5a0275b4805
  Author: Julio Guerra <julio@xxxxxxxxxx>
  Date:   Wed Oct 14 19:43:19 2015 +0200

      taget-ppc: Fix read access to IBAT registers higher than IBAT3

      Fix the index used to read the IBAT's vector which results in IBAT0..3 
instead
      of IBAT4..N.

      The bug appeared by saving/restoring contexts including IBATs values.

      Signed-off-by: Julio Guerra <julio@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 68851b98e5bf6d397498b74f1776801274ab8d48
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 22 13:51:30 2015 +0200

      exec: avoid unnecessary cacheline bounce on ram_list.mru_block

      Whenever the MRU cache hits for the list of RAM blocks, qemu_get_ram_block
      does an unnecessary write that causes a processor cache line to bounce
      from one core to another.  This causes a performance hit.

      Reported-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 74de807f794ac5201b2b3c38ddadeef84a676a97
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 19 16:08:38 2015 +0200

      target-alpha: fix uninitialized variable

      I am not sure why the compiler does not catch it.  There is no
      semantic change since gen_excp returns EXIT_NORETURN, but the
      old code is wrong.

      Reported by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 258133bda9a6f22ba436ef9b63b7c086cc80190b
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Mon Nov 2 09:13:48 2015 +0800

      ivshmem-server: fix possible OVERRUN

      >>>     CID 1337991:  Memory - illegal accesses  (OVERRUN)
      >>>     Decrementing "i". The value of "i" is now 65534.
      218         while (i--) {
      219             event_notifier_cleanup(&peer->vectors[i]);
      220         }

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6268520d7df9b3f183bb4397218c9287441bc04f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Nov 2 15:17:37 2015 +0100

      pci-assign: do not test path with access() before opening

      Using access() is a time-of-check/time-of-use race condition.  It is
      okay to use them to provide better error messages, but that is pretty
      much it.

      In this case we can get the same error from fopen(), so just use
      strerror and errno there---which actually improves the error
      message most of the time.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b30d80546421c6ea919096b596887f496c80af0a
  Author: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
  Date:   Tue Nov 3 10:36:42 2015 +0800

      qom/object: fix 2 comment typos

      Also change the misleading definition of macro OBJECT_CLASS_CHECK

      Signed-off-by: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9f503153c78a23bcd44409cea64442c4ecd82ea5
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Nov 3 11:34:31 2015 +0000

      configure: remove help string for 'vnc-tls' option

      The '--enable-vnc-tls' option to configure was removed in

        commit 3e305e4a4752f70c0b5c3cf5b43ec957881714f7
        Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
        Date:   Thu Aug 6 14:39:32 2015 +0100

          ui: convert VNC server to use QCryptoTLSSession

      This removes the corresponding help string.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 98f343395e937fa1db3a28dfb4f303f97cfddd6c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 29 16:55:22 2015 +0100

      usb: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9de68637dff05a18d0eafcff2737e551b70bc490
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 29 16:55:21 2015 +0100

      qxl: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit fedf0d35aafc4f1f1e5f6dbc80cb23ae1ae49f0b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 3 17:12:03 2015 +0100

      ui: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 374ec0669a1aa3affac7850a16c6cad18221c439
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 19 16:08:40 2015 +0200

      bt: fix use of uninitialized variable seqlen

      sdp_svc_match, sdp_attr_match and sdp_svc_attr_match read the last
      argument.  The only sensible way to change the code is to make that last
      argument "len" instead of "seqlen" which is the length of a subsequence
      in the previous "if" branch.

      To make the structure of the code clearer, use "else" instead of
      "else if".

      Reported by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1a13b27273cdc4f6fd18bc1e83950d47c6b5928b
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Oct 9 17:56:35 2015 +0200

      hw/dma/pxa2xx: Remove superfluous memset

      g_malloc0 already clears the memory, so no need for
      the additional memset here. And while we're at it,
      also convert the g_malloc0 to the preferred g_new0.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit e9d49d518d5d2b0411ee2625e46662a6065a909c
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Oct 9 17:56:38 2015 +0200

      linux-user/syscall: Replace g_malloc0 + memcpy with g_memdup

      No need to use g_malloc0 to zero the memory if we memcpy to
      the whole buffer afterwards anyway. Actually, there is even
      a function which combines both steps, g_memdup, so let's use
      this function here instead.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 112317867d573bb053d431f098060cf996d9b2e8
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Oct 9 17:56:37 2015 +0200

      tests/i44fx-test: No need for zeroing memory before memset

      Change a g_malloc0 into g_malloc since the following
      memset fills the whole buffer anyway.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a6c6d827605e416f0e127a325ee1efc9cf16afa5
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Oct 9 17:56:36 2015 +0200

      hw/input/tsc210x: Remove superfluous memset

      g_malloc0 already clears the memory, so no need for additional
      memsets here. And while we're at it, let's also remove the
      superfluous typecasts for the return values of g_malloc0
      and use the type-safe g_new0 instead.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2c21ec3d1818cb0395b5a9b73128e6920d44def7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 19 16:08:39 2015 +0200

      xen: fix invalid assertion

      Asserting "true" is not that useful.

      Reported by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3cd01b6ed8a1ae472f09cbcc47b7cba4d732f94c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Oct 20 13:41:33 2015 -0600

      tests: ignore test-qga

      Commit 62c39b30 added a new test, but did not mark it for
      exclusion in .gitignore.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6ba9fe86957c3c8febf74c2495d901ac4061a673
  Author: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
  Date:   Sun Oct 25 16:23:28 2015 +0800

      fix bad indentation in pcie_cap_slot_write_config()

      bad indentation conflicts with CODING_STYLE doc

      Signed-off-by: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 53d47be25a0c8bde5aa5b53625bc810f91c6271f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:31 2015 -0600

      maint: Ignore ivshmem binaries

      Commit a75eb03b added ivshmem-client and ivshmem-server binaries,
      but did not mark them for exclusion in .gitignore.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b21de19992cefdfef68217e50a8365ee5e535e10
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Oct 15 10:54:15 2015 +0200

      hw/display/tcx: Remove superfluous OBJECT() typecasts

      The tcx_initfn() function is already supplied with an
      Object *obj pointer, so there is no need to cast the
      state pointer back to an Object pointer all over the
      place. And while we're at it, also remove the superfluous
      "return;" statement in this function.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Acked-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5accecb3a6b49d8ca79684179610583e9c7c1bf5
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Oct 13 09:38:50 2015 +0200

      gdbstub: Fix buffer overflows in gdb_handle_packet()

      Some places in gdb_handle_packet() can get an arbitrary length (most
      times directly from the client) and either didn't check it at all or
      checked against the wrong value, potentially causing buffer overflows.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3c15d3a45045de82c744c49ff471d4c7ba405187
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Oct 12 12:54:57 2015 +0200

      hw/acpi/aml-build: remove useless glib version check

      2.22 is the minimum version required

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9319738080faeb09876ce2017fcaea4937c475ee
  Merge: 3aa88b3 ee31299
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 6 11:31:40 2015 +0000

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream-replay' 
into staging

      So here it is, let's see what happens.

      # gpg: Signature made Fri 06 Nov 2015 09:30:34 GMT using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream-replay:
        replay: recording of the user input
        replay: command line options
        replay: replay blockers for devices
        replay: initialization and deinitialization
        replay: ptimer
        bottom halves: introduce bh call function
        replay: checkpoints
        icount: improve counting for record/replay
        replay: shutdown event
        replay: recording and replaying clock ticks
        replay: asynchronous events infrastructure
        replay: interrupts and exceptions
        cpu: replay instructions sequence
        cpu-exec: allow temporary disabling icount
        replay: introduce icount event
        replay: introduce mutex to protect the replay log
        replay: internal functions for replay log
        replay: global variables and function stubs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3aa88b31290c7cbbbae344efdece659194b95c70
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Nov 2 14:06:23 2015 +0000

      configure: add missing --disable-modules option

      According to ./configure all options should have both --enable-foo and
      --disable-foo:

        # Always add --enable-foo and --disable-foo command line args.
        # Distributions want to ensure that several features are compiled in, 
and it
        # is impossible without a --enable-foo that exits if a feature is not 
found.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446473183-24250-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 574418132355bae50e829eb7890c8ea5dcb53fd8
  Merge: 496c1b1 f7fda28
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 6 10:10:15 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-11-05

      # gpg: Signature made Thu 05 Nov 2015 19:35:31 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Enable clflushopt/clwb/pcommit instructions
        target-i386: Remove POPCNT from qemu64 and qemu32 CPU models
        target-i386: Remove ABM from qemu64 CPU model
        target-i386: Remove SSE4a from qemu64 CPU model
        target-i386: Set "check=off" by default on pc-*-2.4 and older

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ee312992a323530ea2cda8680f3a34746c72db8f
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:24 2015 +0300

      replay: recording of the user input

      This records user input (keyboard and mouse events) in record mode and 
replays
      these input events in replay mode.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162524.8676.11696.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 4c27b859722089e0270fd4f41b4b3c63b6647439
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:18 2015 +0300

      replay: command line options

      This patch introduces command line options for enabling recording or 
replaying
      virtual machine behavior. These options are added to icount command line
      parameter. They include 'rr' which switches between record and replay
      and 'rrfile' for specifying the filename for replay log.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162518.8676.70792.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 0194749ac4131e1bed8e166c5d5cf541678ef204
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:13 2015 +0300

      replay: replay blockers for devices

      Some devices are not supported by record/replay subsystem.
      This patch introduces replay blocker which denies starting record/replay
      if such devices are included into the configuration.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162512.8676.11367.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 7615936ebf4e60c4565268a30df2356c841526f8
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:07 2015 +0300

      replay: initialization and deinitialization

      This patch introduces the functions for enabling the record/replay and for
      freeing the resources when simulator closes.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162507.8676.90232.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 8a354bd935a800dd2d98ac8f30707e2912c80ae6
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:56 2015 +0300

      replay: ptimer

      This patch adds deterministic replay for hardware periodic countdown 
timers.
      ptimer uses bottom halves layer to execute such an asynchronous callback.
      We put this callback into the replay queue instead of bottom halves one.
      When checkpoint is met by main loop thread, the replay queue is processed
      and callback is executed. Binding callback moment to one of the 
checkpoints
      makes it deterministic.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162456.8676.83366.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit df281b80b9ecba65d85795aa738c29e5b94d5ef1
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:50 2015 +0300

      bottom halves: introduce bh call function

      This patch introduces aio_bh_call function. It is used to execute
      bottom halves as callbacks without adding them to the queue.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162450.8676.56980.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 8bd7f71d794b93ce027b856f5b79a98f4f82e44c
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:44 2015 +0300

      replay: checkpoints

      This patch introduces checkpoints that synchronize cpu thread and 
iothread.
      When checkpoint is met in the code all asynchronous events from the queue
      are executed.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162444.8676.52916.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit efab87cf79077a9624f675fc5fc8f034eaedfe4d
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:39 2015 +0300

      icount: improve counting for record/replay

      icount_warp_rt function is called by qemu_clock_warp and as
      callback of icount_warp timer. This patch adds call to qemu_clock_warp
      into main_loop_wait function, because icount warp may be missed
      in record/replay mode, when CPU is sleeping.
      This patch also disables of calling this function by timer, because
      it is not needed after making modifications of main_loop_wait.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162439.8676.38290.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit b60c48a7019614902f2debe4d4181ec8cfa60e0d
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:33 2015 +0300

      replay: shutdown event

      This patch records and replays simulator shutdown event.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162433.8676.32262.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 8eda206e09089914006bfbdd71467d5246c06e4a
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:28 2015 +0300

      replay: recording and replaying clock ticks

      Clock ticks are considered as the sources of non-deterministic data for
      virtual machine. This patch implements saving the clock values when they
      are acquired (virtual, host clock).
      When replaying the execution corresponding values are read from log and
      transfered to the module, which wants to read the values.
      Such a design required the clock polling to be synchronized. Sometimes
      it is not true - e.g. when timeouts for timer lists are checked. In this 
case
      we use a cached value of the clock, passing it to the client code.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162427.8676.36558.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit c0c071d05279ec1429352200affc5c70bb4e5980
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:22 2015 +0300

      replay: asynchronous events infrastructure

      This patch adds module for saving and replaying asynchronous events.
      These events include network packets, keyboard and mouse input,
      USB packets, thread pool and bottom halves callbacks.
      All events are stored in the queue to be processed at synchronization 
points
      such as beginning of TB execution, or checkpoint in the iothread.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162422.8676.88696.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 6f0609697f3670bf755a91477487507a8ffee471
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:16 2015 +0300

      replay: interrupts and exceptions

      This patch includes modifications of common cpu files. All interrupts and
      exceptions occured during recording are written into the replay log.
      These events allow correct replaying the execution by kicking cpu thread
      when one of these events is found in the log.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162416.8676.57647.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f7fda280948a5e74aeb076ef346b991ecb173c56
  Author: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
  Date:   Thu Oct 29 15:31:39 2015 +0800

      target-i386: Enable clflushopt/clwb/pcommit instructions

      These instructions are used by NVDIMM drivers and the specification is
      located at:
      
https://software.intel.com/sites/default/files/managed/0d/53/319433-022.pdf

      There instructions are available on Skylake Server.

      Signed-off-by: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 6aa91e4a0237ddcebb85e3a95e166f3b3cfa42ae
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Nov 3 17:24:18 2015 -0200

      target-i386: Remove POPCNT from qemu64 and qemu32 CPU models

      POPCNT is not available on Penryn and older and on Opteron_G2 and older,
      and we want to make the default CPU runnable in most hosts, so it won't
      be enabled by default in KVM mode.

      We should eventually have all features supported by TCG enabled by
      default in TCG mode, but as we don't have a good mechanism today to
      ensure we have different defaults in KVM and TCG mode, disable POPCNT in
      the qemu64 and qemu32 CPU models entirely.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 711956722c6764336f8b78a2106e57c55f02f36d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Nov 3 17:24:18 2015 -0200

      target-i386: Remove ABM from qemu64 CPU model

      ABM is not available on Sandy Bridge and older, and we want to make the
      default CPU runnable in most hosts, so it won't be enabled by default in
      KVM mode.

      We should eventually have all features supported by TCG enabled by
      default in TCG mode, but as we don't have a good mechanism today to
      ensure we have different defaults in KVM and TCG mode, disable ABM in
      the qemu64 CPU model entirely.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 0909ad24b2769368716c85f79fbb995dbb7041a9
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Nov 3 17:17:33 2015 -0200

      target-i386: Remove SSE4a from qemu64 CPU model

      SSE4a is not available in any Intel CPU, and we want to make the default
      CPU runnable in most hosts, so it doesn't make sense to enable it by
      default in KVM mode.

      We should eventually have all features supported by TCG enabled by
      default in TCG mode, but as we don't have a good mechanism today to
      ensure we have different defaults in KVM and TCG mode, disable SSE4a in
      the qemu64 CPU model entirely.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 3e68482224129c3ddc061af7c9d438b882ecfdd1
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Nov 3 17:18:50 2015 -0200

      target-i386: Set "check=off" by default on pc-*-2.4 and older

      The default CPU model (qemu64) have some issues today: it enables some
      features (ABM and SSE4a) that are not present in many host CPUs. That
      means many hosts (but not all of them) had those features silently
      disabled in the default configuration in QEMU 2.4 and older.

      With the new "check=on" default, this causes warnings to be printed in
      the default configuration, because of the lack of SSE4A on all Intel
      hosts, and the lack of ABM on Sandy Bridge and older hosts:

        $ qemu-system-x86_64 -machine pc,accel=kvm
        warning: host doesn't support requested feature: 
CPUID.80000001H:ECX.abm [bit 5]
        warning: host doesn't support requested feature: 
CPUID.80000001H:ECX.sse4a [bit 6]

      Those issues will be fixed in pc-*-2.5 and newer. But as we can't change
      the guest ABI in pc-*-2.4, disable "check" mode by default in pc-*-2.4
      and older so we don't print spurious warnings.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 382e1737d3467b76e8ade34b96afaae91509002e
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Nov 5 10:12:18 2015 +0100

      vnc: fix mismerge

      Commit "4d77b1f vnc: fix bug: vnc server can't start when 'to' is
      specified" was rebased incorrectly, fix it.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Yang Hongyang <hongyang.yang@xxxxxxxxxxxx>
      Message-id: 1446714738-22400-1-git-send-email-kraxel@xxxxxxxxxx

  commit 496c1b19facc7b850fa0c09899fcc07a0702fbfd
  Merge: 8835b9d e01dd3d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 5 14:31:24 2015 +0000

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * Guest ABI fixes for PC machines (hw_version)
      * Fixes for recent Perl
      * John Snow's configure fixes
      * file-backed RAM improvements (Igor, Pavel)
      * -Werror=clobbered fixes (Stefan)
      * Kill -d ioport
      * Fix qemu-system-s390x
      * Performance improvement for kvmclock migration

      # gpg: Signature made Thu 05 Nov 2015 13:42:27 GMT using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream:
        iscsi: Translate scsi sense into error code
        Revert "Introduce cpu_clean_all_dirty"
        kvmclock: add a new function to update env->tsc.
        configure: disable FORTIFY_SOURCE under clang
        backends/hostmem-file: Allow to specify full pathname for backing file
        configure: disallow ccache during compile tests
        cpu-exec: Fix compiler warning (-Werror=clobbered)
        memory: call begin, log_start and commit when registering a new listener
        megasas: Use qemu_hw_version() instead of QEMU_VERSION
        osdep: Rename qemu_{get, set}_version() to qemu_{, set_}hw_version()
        pc: Set hw_version on all machine classes
        qemu-log: remove -d ioport
        ioport: do not use CPU_LOG_IOPORT
        target-i386: fix pcmpxstrx equal-ordered (strstr) mode
        scripts/text2pod.pl: Escape left brace
        file_ram_alloc: propagate error to caller instead of terminating QEMU

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e01dd3da5cf9aa90ae844d3b86c2c2762066edac
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 13:00:09 2015 +0800

      iscsi: Translate scsi sense into error code

      Previously we return -EIO blindly when anything goes wrong. Add a helper
      function to parse sense fields and try to make the return code more
      meaningful.

      This also fixes the default werror configuration (enospc) when we're
      using qcow2 on an iscsi lun. The old -EIO not being treated as out of
      space error failed to trigger vm stop.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1446699609-11376-1-git-send-email-famz@xxxxxxxxxx>
      [libiscsi 1.9 compatibility - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8b42704441865611a5ee241ac9fc5cabc47a079b
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:05 2015 +0300

      cpu: replay instructions sequence

      This patch adds calls to replay functions into the icount setup block.
      In record mode number of executed instructions is written to the log.
      In replay mode number of istructions to execute is taken from the replay 
log.
      When replayed instructions counter is expired qemu_notify_event()
      function is called to wake up the iothread.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162405.8676.31890.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 56c0269a9ec105d3848d9f900b5e38e6b35e2478
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:59 2015 +0300

      cpu-exec: allow temporary disabling icount

      This patch is required for deterministic replay to generate an exception
      by trying executing an instruction without changing icount.
      It adds new flag to TB for disabling icount while translating it.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162359.8676.77011.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 26bc60ac82f88d14e65be5387eb4a136edf94f1b
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:54 2015 +0300

      replay: introduce icount event

      This patch adds icount event to the replay subsystem. This event 
corresponds
      to execution of several instructions and used to synchronize input events
      in the replay phase.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162354.8676.31351.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c16861ef1b7b27803b4c068ef778ba0f80fba1c2
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:48 2015 +0300

      replay: introduce mutex to protect the replay log

      This mutex will protect read/write operations for replay log.
      Using mutex is necessary because most of the events consist of
      several fields stored in the log. The mutex will help to avoid races.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162348.8676.8628.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c92079f45fec0bc6a2757aa3783dd9b0604089ba
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:43 2015 +0300

      replay: internal functions for replay log

      This patch adds functions to perform read and write operations
      with replay log.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162342.8676.29445.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d73abd6dcc105fb5cacc34716046fca63132a264
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:37 2015 +0300

      replay: global variables and function stubs

      This patch adds global variables, defines, function declarations,
      and function stubs for deterministic VM replay used by external modules.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162337.8676.41538.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8835b9df3bddf332c883c861d6a1defc12c4ebe9
  Merge: 6c5f30c fb68777
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 5 10:52:35 2015 +0000

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-11-04-tag' into staging

      qemu-ga patch queue

      * fix file handle cleanup on w32
      * use non-blocking mode for file handles on w32 to avoid
        hangs on guest-file-read/guest-file-write to pipes

      # gpg: Signature made Wed 04 Nov 2015 19:36:16 GMT using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-11-04-tag:
        qga: set file descriptor in qmp_guest_file_open non-blocking on Win32
        qga: fixed CloseHandle in qmp_guest_file_open
        qga: drop hand-made guest_file_toggle_flags helper

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6388acc853b7862761d3c2864be99033e8b62dcc
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Thu Nov 5 11:51:04 2015 +0800

      Revert "Introduce cpu_clean_all_dirty"

      This reverts commit de9d61e83d43be9069e6646fa9d57a3f47779d28.

      Now 'cpu_clean_all_dirty' is useless, we can revert the related code.

      Conflicts:
        include/sysemu/kvm.h

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Message-Id: <1446695464-27116-3-git-send-email-liang.z.li@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0fd7e098db30e302d27920487f0afec33be8982a
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Thu Nov 5 11:51:03 2015 +0800

      kvmclock: add a new function to update env->tsc.

      The commit 317b0a6d8 fixed an issue which caused by the outdated
      env->tsc value, but the fix lead to 'cpu_synchronize_all_states()'
      called twice during live migration. The 'cpu_synchronize_all_states()'
      takes about 130us for a VM which has 4 vcpus, it's a bit expensive.

      Synchronize the whole CPU context just for updating env->tsc is too
      wasting, this patch use a new function to update the env->tsc.
      Comparing to 'cpu_synchronize_all_states()', it only takes about 20us.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Message-Id: <1446695464-27116-2-git-send-email-liang.z.li@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b553a0428014636bce4951098e97c60dc18a83ed
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Nov 3 15:43:42 2015 -0500

      configure: disable FORTIFY_SOURCE under clang

      Some versions of clang may have difficulty compiling glibc headers when
      -D_FORTIFY_SOURCE is used. For example, Clang++ 3.5.0-9.fc22 cannot
      compile glibc's stdio headers when -D_FORTIFY_SOURCE=2 is used. This
      manifests currently as build failures with clang and any arm target.

      According to LLVM dev Richard Smith, clang does not target or support
      FORTIFY_SOURCE + glibc, and it should not be relied on.
      "It's still an unsupported combination, and while it might compile, some
      of the checks are unlikely to work because they require a frontend
      inliner to be useful"

      See: http://lists.llvm.org/pipermail/cfe-dev/2015-November/045846.html

      Conclusion: disable fortify-source if we appear to be using clang instead
      of testing for compile success or failure, which may be incidental or not
      indicative of proper support of the feature.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-Id: <1446583422-10153-1-git-send-email-jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6c5f30cad290c745f910481d0e890b3f4fad1f00
  Merge: 2b5a79f 96e5c9b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 5 10:10:57 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151104' into staging

      migration/next for 20151104

      # gpg: Signature made Wed 04 Nov 2015 12:45:19 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151104:
        migration: fix analyze-migration.py script
        migration: code clean up
        migration: rename cancel to cleanup in SaveVMHandles
        migration: rename qemu_savevm_state_cancel
        migration: defer migration_end & blk_mig_cleanup

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f14c3d85b003d8614144ae67a26157667c1e1245
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:10:14 2015 +0100

      buffer: allow a buffer to shrink gracefully

      the idea behind this patch is to allow the buffer to shrink, but
      make this a seldom operation. The buffers average size is measured
      exponentionally smoothed with am alpha of 1/128.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-20-git-send-email-kraxel@xxxxxxxxxx

  commit 4ec5ba151ff3f2ac8dc44dabd058eca5846654a6
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:10:13 2015 +0100

      buffer: factor out buffer_adj_size

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-19-git-send-email-kraxel@xxxxxxxxxx

  commit fd95243372f7657c2d24aed269e3be01bed1b87c
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:10:12 2015 +0100

      buffer: factor out buffer_req_size

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-18-git-send-email-kraxel@xxxxxxxxxx

  commit c3d6899c5e67dfd7ff195eccc10541f3b7e141a7
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:10:11 2015 +0100

      vnc: recycle empty vs->output buffer

      If the vs->output buffer is empty it will be dropped
      by the next qio_buffer_move_empty in vnc_jobs_consume_buffer
      anyway. So reuse the allocated buffer from this buffer
      in the worker thread where we otherwise would start with
      an empty (unallocated buffer).

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-17-git-send-email-kraxel@xxxxxxxxxx

      [ added a comment describing the non-obvious optimization ]

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2e0c90af0a33451498d333d72c06e5429c7cd168
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:10 2015 +0100

      vnc: fix local state init

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-16-git-send-email-kraxel@xxxxxxxxxx

  commit c7628bff4138ce906a3620d12e0820c1cf6c140d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:09 2015 +0100

      vnc: only alloc server surface with clients connected

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-15-git-send-email-kraxel@xxxxxxxxxx

  commit f7b3d68c95bc4f8915a3d084360aa07c7f4e4717
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:08 2015 +0100

      vnc: use vnc_{width,height} in vnc_set_area_dirty

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-14-git-send-email-kraxel@xxxxxxxxxx

  commit 453f842bc4cab49f10c267cff9ad3cf657265d49
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:07 2015 +0100

      vnc: factor out vnc_update_server_surface

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-13-git-send-email-kraxel@xxxxxxxxxx

  commit d05959c2e111858bb83c40ae5d8b8c10964b7bb0
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:06 2015 +0100

      vnc: add vnc_width+vnc_height helpers

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-12-git-send-email-kraxel@xxxxxxxxxx

  commit e081aae5ae01f5ff695ba9fee4e622053d8e4bfe
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:05 2015 +0100

      vnc: zap dead code

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-11-git-send-email-kraxel@xxxxxxxxxx

  commit d90340115a3569caa72063775ff927f4dc353551
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:04 2015 +0100

      vnc-jobs: move buffer reset, use new buffer move

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-10-git-send-email-kraxel@xxxxxxxxxx

  commit 8305f917c1bc86b1ead0fa9197b5443a4bd611f3
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:03 2015 +0100

      vnc: kill jobs queue buffer

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-9-git-send-email-kraxel@xxxxxxxxxx

  commit 543b95801f98ab2cb7413c39779fd5b7f363ce3d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:02 2015 +0100

      vnc: attach names to buffers

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-8-git-send-email-kraxel@xxxxxxxxxx

  commit d2b90718d25ed6dc8a2bb7f06504e6500dcc7bae
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:01 2015 +0100

      buffer: add tracing

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-7-git-send-email-kraxel@xxxxxxxxxx

  commit 1ff36b5d4d00a4e3633eb960bf2be562f5e47dbf
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:00 2015 +0100

      buffer: add buffer_shrink

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-6-git-send-email-kraxel@xxxxxxxxxx

  commit 830a9583206a051c240b74c3f688a015dc5d2967
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:09:59 2015 +0100

      buffer: add buffer_move

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-5-git-send-email-kraxel@xxxxxxxxxx

  commit 4d1eb5fdb141c9100eb82e1dc7d4547fb1decd8b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:09:58 2015 +0100

      buffer: add buffer_move_empty

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-4-git-send-email-kraxel@xxxxxxxxxx

  commit 810082d15c244b8b29470d3bb1c6b11fc9a40c25
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:09:57 2015 +0100

      buffer: add buffer_init

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-3-git-send-email-kraxel@xxxxxxxxxx

  commit 5c10dbb7b577370e86ff459973b06d530c3777cf
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:09:56 2015 +0100

      buffer: make the Buffer capacity increase in powers of two

      This makes sure the number of reallocs is in O(log N).

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Message-id: 1446203414-4013-2-git-send-email-kraxel@xxxxxxxxxx

      [ rebased to util/buffer.c ]

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2b5a79f1d961f07332cf77f38cdf9dc2fc7e2b64
  Merge: 79cf9fa 5dfdae8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 4 18:20:31 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-11-03' 
into staging

      vl.c: Error message rework

      # gpg: Signature made Tue 03 Nov 2015 08:40:50 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-11-03:
        vl.c: Use "%s support is disabled" error messages consistently
        vl.c: Improve warnings on use of deprecated options
        vl.c: Touch up error messages
        vl.c: Remove unnecessary uppercase in error messages
        vl.c: Use "warning:" prefix consistently on warnings
        vl.c: Remove periods and exclamation points from error messages
        vl.c: Replace fprintf(stderr) with error_report()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8d31d6b65a7448582c7bd320fd1b8cfc6cca2720
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Wed Oct 28 12:54:07 2015 +0300

      backends/hostmem-file: Allow to specify full pathname for backing file

      This allows to explicitly specify file name to use with the backend. This
      is important when using it together with ivshmem in order to make it 
backed
      by hugetlbfs. By default filename is autogenerated using mkstemp(), and 
the
      file is unlink()ed after creation, effectively making it anonymous. This 
is
      not very useful with ivshmem because it ends up in a memory which cannot 
be
      accessed by something else.

      Distinction between directory and file name is done by stat() check. If an
      existing directory is given, the code keeps old behavior. Otherwise it
      creates or opens a file with the given pathname.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Tested-by: Igor Skalkin <i.skalkin@xxxxxxxxxxx>
      Message-Id: <004301d11166$9672fe30$c358fa90$@samsung.com>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5e4dfd3d4e87e0464d599ecef06aa8fe78420a9b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Oct 28 13:56:40 2015 -0400

      configure: disallow ccache during compile tests

      If the user is using ccache during the configuration step,
      it may interfere with some of the configuration tests,
      particularly the "Is ccache interfering with macro analysis" step,
      which is a bit of a poetic problem.

      1) Disallow ccache from reading from the cache during configure,
         but don't disable it entirely to allow us to see if it causes other
         problems.

      2) Force off CCACHE_CPP2 during the ccache test to get a deterministic
         answer over whether or not we need to enable that feature later.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-Id: <1446055000-29150-1-git-send-email-jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0448f5f8b816923b198ab6c32286fd1f3b2f3e45
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Sep 26 13:23:26 2015 +0200

      cpu-exec: Fix compiler warning (-Werror=clobbered)

      Reloading of local variables after sigsetjmp is only needed for some
      buggy compilers.

      The code which should reload these variables causes compiler warnings
      with gcc 4.7 when compiler optimizations are enabled:

      cpu-exec.c:204:15: error:
       variable â??cpuâ?? might be clobbered by â??longjmpâ?? or â??vforkâ?? 
[-Werror=clobbered]
      cpu-exec.c:207:15: error:
       variable â??ccâ?? might be clobbered by â??longjmpâ?? or â??vforkâ?? 
[-Werror=clobbered]
      cpu-exec.c:202:28: error:
       argument â??envâ?? might be clobbered by â??longjmpâ?? or â??vforkâ?? 
[-Werror=clobbered]

      Now this code is only used for compilers which need it
      (and gcc 4.5.x, x > 0 which does not need it but won't give warnings).

      There were bug reports for clang and gcc 4.5.0, while gcc 4.5.1
      was reported to work fine without the reload code. For clang it
      is not clear which versions are affected, so simply keep the status quo
      for all clang compilations. This can be improved later.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Message-Id: <1443266606-21400-1-git-send-email-sw@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 680a4783dc13f1059c03d11da58193d76c19ead6
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Nov 2 09:23:52 2015 +0100

      memory: call begin, log_start and commit when registering a new listener

      This ensures that cpu_reload_memory_map() is called as soon as
      tcg_cpu_address_space_init() is called, and before cpu->memory_dispatch
      is used.  qemu-system-s390x never changes the address spaces after
      tcg_cpu_address_space_init() is called, and thus tcg_commit() is never
      called.  This causes a SIGSEGV.

      Because memory_map_init() will now call mem_commit(), we have to
      initialize io_mem_* before address_space_memory and friends.

      Reported-by: Philipp Kern <pkern@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Fixes: 0a1c71cec63e95f9b8d0dc96d049d2daa00c5210
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 69fbd0ea25d1f45ab2c8b0d3f431e83063f977f2
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 17:36:09 2015 -0200

      megasas: Use qemu_hw_version() instead of QEMU_VERSION

      Guest visible data shouldn't change with a simple QEMU upgrade, so use
      qemu_hw_version() to ensure it won't change (as long as the machine
      class being used has hw_version set).

      Cc: Hannes Reinecke <hare@xxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Reviewed-by: Hannes Reinecke <hare@xxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446233769-7892-4-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 35c2c8dc8c0899882a8e0d349d93bd657772f1e7
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 17:36:08 2015 -0200

      osdep: Rename qemu_{get, set}_version() to qemu_{, set_}hw_version()

      This makes the purpose of the function clearer: it is not about the
      version of QEMU that's running, but the version string exposed in the
      emulated hardware.

      Cc: Andrzej Zaborowski <balrogg@xxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446233769-7892-3-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit de796d93f59d363409dfd9e186ccd64a21f92204
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 17:36:07 2015 -0200

      pc: Set hw_version on all machine classes

      In 2012, QEMU had a bug where it exposed QEMU version information to the
      guest, meaning a QEMU upgrade would expose different hardware to the
      guest OS even if the same machine-type is being used.

      The bug was fixed by commit 93bfef4c6e4b23caea9d51e1099d06433d8835a4, on
      all machines up to pc-1.0. But we kept introducing the same bug on all
      newer machines since then. That means we are breaking guest ABI every
      time QEMU was upgraded.

      Fix this by setting the hw_version on all PC machines, making sure the
      hardware won't change when upgrading QEMU.

      Note that QEMU_VERSION was "1.0" in QEMU 1.0, but starting on QEMU
      1.1.0, it started following the "x.y.0" pattern. We have to follow it,
      to make sure we use the right QEMU_VERSION string from each QEMU
      release.

      The 2.5 machine classes could have hw_version unset, because the default
      value for qemu_get_version() is QEMU_VERSION. But I decided to set it
      explicitly to QEMU_VERSION so we don't forget to update it to "2.5.0"
      after we release 2.5.0 and create a 2.6 machine class.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446233769-7892-2-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ddcc8e9d51c415a7b7b2983c3552408d9a50be6e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Oct 16 15:09:01 2015 +0200

      qemu-log: remove -d ioport

      It was disabled at compile-time, and is now replaced by tracepoints.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6f94b7d97f7e0e486a70fb06b703442e2c04a29a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Oct 16 15:08:34 2015 +0200

      ioport: do not use CPU_LOG_IOPORT

      These messages are disabled by default; a perfect usecase for tracepoints,
      which in fact already exist.  Add the missing information to them and
      stop using qemu_log_mask.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 54c54f8b56047d3c2420e1ae06a6a8890c220ac4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 11:50:27 2015 +0200

      target-i386: fix pcmpxstrx equal-ordered (strstr) mode

      In this mode, referring an invalid element of the source forces the
      result to false (table 4-7, last column) but referring an invalid
      element of the destination forces the result to true, so the outer
      loop should still be run even if some elements of the destination
      will be invalid.  They will be avoided in the inner loop, which
      correctly bounds "i" to validd, but they will still contribute to a
      positive outcome of the search.

      This fixes tst_strstr in glibc 2.17.

      Reported-by: Florian Weimer <fweimer@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fb68777312887000cd0367d72621fdd67cc4a0a0
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Wed Oct 28 18:13:57 2015 +0300

      qga: set file descriptor in qmp_guest_file_open non-blocking on Win32

      Set fd non-blocking to avoid common use cases (like reading from a
      named pipe) from hanging the agent. This was missed in the original
      code.

      The patch introduces qemu_set_handle_nonoblocking, the local analog
      of qemu_set_nonblock for HANDLES.
      The usage of handles in qemu_set_non/block is impossible, because for
      win32 there is a difference between file discriptors and file handles,
      and all file ops are made via Win32 api.

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      CC: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit c87d0964ef7534d50a4c729a6ae20045b3a0cd34
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Wed Oct 28 18:13:56 2015 +0300

      qga: fixed CloseHandle in qmp_guest_file_open

      CloseHandle use HANDLE as an argument, but not *HANDLE

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 125053965b05b31427ff5c75dc3b87acaa8d0505
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Wed Oct 28 18:13:55 2015 +0300

      qga: drop hand-made guest_file_toggle_flags helper

      We'd better use generic qemu_set_nonblock directly.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 96e5c9bc77acef8b7b56cbe23a8a2611feff9e34
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Sat Sep 5 20:51:48 2015 +0100

      migration: fix analyze-migration.py script

      Commit 61964 "Add configuration section" broke the analyze-migration.py 
script
      which terminates due to the unrecognised section. Fix the script by 
parsing
      the contents of the configuration section directly into a new
      ConfigurationSection object (although nothing is done with it yet).

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit 6ad2a215e7170350430adfda02eb8ef47c1acd8e
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Nov 2 15:37:03 2015 +0800

      migration: code clean up

      Just clean up code, no behavior change.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit d1a8548c10bf6d24160ec2aafa4881a3f50a8373
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Nov 2 15:37:02 2015 +0800

      migration: rename cancel to cleanup in SaveVMHandles

      'cleanup' seems more appropriate than 'cancel'.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit ea7415fac677c5c1599214ee226ab4a3a438fdd6
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Nov 2 15:37:01 2015 +0800

      migration: rename qemu_savevm_state_cancel

      The function qemu_savevm_state_cancel is called after the migration
      in migration_thread, it seems strange to 'cancel' it after completion,
      rename it to qemu_savevm_state_cleanup looks better.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit 94f5a43704129ca4995aa3385303c5ae225bde42
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Nov 2 15:37:00 2015 +0800

      migration: defer migration_end & blk_mig_cleanup

      Because of the patch 3ea3b7fa9af067982f34b of kvm, which introduces a
      lazy collapsing of small sptes into large sptes mechanism, now
      migration_end() is a time consuming operation because it calls
      memroy_global_dirty_log_stop(), which will trigger the dropping of small
      sptes operation and takes about dozens of milliseconds, so call
      migration_end() before all the vmsate data has already been transferred
      to the destination will prolong VM downtime. This operation should be
      deferred after all the data has been transferred to the destination.

      blk_mig_cleanup() can be deferred too.

      For a VM with 8G RAM, this patch can reduce the VM downtime about 30 ms.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit 79cf9fad341e6e7bd6b55395b71d5c5727d7f5b0
  Merge: 19bb546 5d9c175
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 14:54:40 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151103' into staging

      target-arm queue:
       * code cleanup to use symbolic constants for register bank numbers
       * fix direct booting of modern Linux kernels on xilinx_zynq by setting
         SCLR values to what the kernel expects firmware to have done
       * implement SYSRESETREQ for ARMv7M CPU (stellaris boards)
       * update MAINTAINERS to mention new qemu-arm mailing list
       * clean up display of PSTATE in AArch64 debug logs
       * report Secure/Nonsecure status in CPU debug logs
       * fix a missing _CCA attribute in ACPI tables
       * add support for GICv3 to ACPI tables

      # gpg: Signature made Tue 03 Nov 2015 13:58:46 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151103:
        ARM: ACPI: Fix MPIDR value in ACPI table
        hw/arm/virt-acpi-build: Add GICC ACPI subtable for GICv3
        hw/arm/virt-acpi-build: _CCA attribute is compulsory
        target-arm: Report S/NS status in the CPU debug logs
        target-arm: Bring AArch64 debug CPU display of PSTATE into line with 
AArch32
        MAINTAINERS: Add new qemu-arm mailing list to ARM related entries
        arm: stellaris: exit on external reset request
        armv7-m: Implement SYSRESETREQ
        armv7-m: Return DeviceState* from armv7m_init()
        arm: xilinx_zynq: Add linux pre-boot
        arm: boot: Add board specific setup code API
        arm: boot: Adjust indentation of FIXUP comments
        target-arm: Add and use symbolic names for register banks

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 19bb5467135df4b234af2c93bf6c50284158d6ca
  Merge: 130d0bc a9be4e7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 14:09:59 2015 +0000

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20151103-1' 
into staging

      usb: two bugfixes for ehci & usb-host.

      # gpg: Signature made Tue 03 Nov 2015 10:57:28 GMT using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-usb-20151103-1:
        usb-host: fix usb3ep0quirk test
        ehci: clear suspend bit on detach

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5d9c1756140d680e66e5b45005a1fb7078b74ee1
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      ARM: ACPI: Fix MPIDR value in ACPI table

      Use mp_affinity of ARMCPU as the CPU MPIDR instead of the CPU index.

      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1446285001-7316-1-git-send-email-zhaoshenglong@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f2fbfacec024d1e78c10fc8498f3126557c21ed8
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      hw/arm/virt-acpi-build: Add GICC ACPI subtable for GICv3

      When booting VM with GICv3, the kernel needs GICC ACPI subtable to
      initialize the CPUs, e.g. MPIDR information. This adds GICC ACPI
      subtable for GICv3, but set GICC base address only when gic_version == 2
      since it donesn't need GICC base address for GICv3.

      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1446131773-5018-1-git-send-email-shannon.zhao@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bc64b96c984abfe84f43562ca7480bb4f2af0613
  Author: Graeme Gregory <graeme.gregory@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      hw/arm/virt-acpi-build: _CCA attribute is compulsory

      According to ACPI specification 6.2.17 _CCA (Cache Coherency Attribute)
      this attribute is compulsory on ARM systems. Add this attribute to
      the PCI host bridges as required.

      Without this the kernel will produce the error
      [Firmware Bug]: PCI device 0000:00:00.0 fail to setup DMA.

      Signed-off-by: Graeme Gregory <graeme.gregory@xxxxxxxxxx>
      Message-id: 1446460786-13663-1-git-send-email-graeme.gregory@xxxxxxxxxx
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06e5cf7acd1f94ab7c1cd6945974a1f039672940
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      target-arm: Report S/NS status in the CPU debug logs

      If this CPU supports EL3, enhance the printing of the current
      CPU mode in debug logging to distinguish S from NS modes as
      appropriate.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1445883178-576-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 08b8e0f527930208a548b424d2ab3103bf3c8c02
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      target-arm: Bring AArch64 debug CPU display of PSTATE into line with 
AArch32

      The AArch64 debug CPU display of PSTATE as "PSTATE=200003c5 (flags --C-)"
      on the end of the same line as the last of the general purpose registers
      is unnecessarily different from the AArch32 display of PSR as
      "PSR=200001d3 --C- A svc32" on its own line. Update the AArch64
      code to put PSTATE in its own line and in the same format, including
      printing the exception level (mode).

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1445883178-576-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit b4f2bd1ce89f3a324fd047c65573897b39d5aaf8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      MAINTAINERS: Add new qemu-arm mailing list to ARM related entries

      We now have a qemu-arm mailing list for ARM patches and discussion,
      so add an L: entry for it to the various ARM related entries in
      MAINTAINERS.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 1446129661-5239-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit d69ffb5b48701d8f33cdfa2570a4ea1d5eb9de4d
  Author: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      arm: stellaris: exit on external reset request

      Add GPIO in for the stellaris board which calls
      qemu_system_reset_request() on reset request.

      Signed-off-by: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e192becdc7b05276a41ebef9fe11e6c30ddb91e3
  Author: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      armv7-m: Implement SYSRESETREQ

      Implement the SYSRESETREQ bit of the AIRCR register
      for armv7-m (ie. cortex-m3) to trigger a GPIO out.

      Signed-off-by: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 20c59c38927902a8e2c67da7d9a24b5222a31cb7
  Author: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      armv7-m: Return DeviceState* from armv7m_init()

      Change armv7m_init to return the DeviceState* for the NVIC.
      This allows access to all GPIO blocks, not just the IRQ inputs.
      Move qdev_get_gpio_in() calls out of armv7m_init() into
      board code for stellaris and stm32f205 boards.

      Signed-off-by: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c3a9a689c6ff07ba2e00bafc68626fad84587794
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      arm: xilinx_zynq: Add linux pre-boot

      Add a Linux-specific pre-boot routine that matches the device-
      specific bootloaders behaviour. This is needed for modern Linux that
      expects the ARM PLL in SLCR to be a more even value (not 26).

      Cc: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
9a9025ea65572586b50dca4e5819032e3c436d64.1446182614.git.crosthwaite.peter@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 10b8ec73e610e017ac2fbaf486fce21eec7061b2
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      arm: boot: Add board specific setup code API

      Add an API for boards to inject their own preboot software (or
      firmware) sequence.

      The software then returns to the bootloader via the link register. This
      allows boards to do their own little bits of firmware setup without
      needed to replace the bootloader completely (which is the requirement
      for existing firmware support).

      The blob is loaded by a callback if and only if doing a linux boot
      (similar to the existing write_secondary support).

      Rewrite the comment for the primary boot blob.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
070295644c6ac84696d743913296e8cfefb48c15.1446182614.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 84e59397797ff2040439058b689adbfef608b879
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      arm: boot: Adjust indentation of FIXUP comments

      These comments start immediately after the current longest name in the
      list. Tab them out to the next tab stop to give a little breathing room
      and prepare for FIXUP_BOARD_SETUP which will require more indent.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
b9b9bb8f1c307c1ef8a3f26ff1f34fabb34b332e.1446182614.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 99a99c1fc8e9bfec1656ac5916c53977a93d3581
  Author: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      target-arm: Add and use symbolic names for register banks

      Add BANK_<cpumode> #defines to index banked registers.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a9be4e7c48c4892c836bda1be4d550bb1a6732bd
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 23 14:27:10 2015 +0200

      usb-host: fix usb3ep0quirk test

      usb->speed is the usb speed the device is actually running on in the
      qemu emulation (i.e. from the guests point of view).  So when plugging
      usb3 devices into ehci hostadapter this is HIGH not SUPER.

      To figure whenever the host talks to the device with superspeed we
      have to check speedmask instead and see whenever the superspeed bit
      is set there.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Message-id: 1445603230-11840-1-git-send-email-kraxel@xxxxxxxxxx

  commit cbf82fa01e6fd4ecb234b235b10ffce548154a95
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Oct 21 09:44:22 2015 +0200

      ehci: clear suspend bit on detach

      When a device is detached, clear the suspend bit (PORTSC_SUSPEND)
      in the port status register.

      The specs are not *that* clear what is supposed to happen in case
      a suspended device is unplugged.  But the enable bit (PORTSC_PED)
      is cleared, and the specs mention setting suspend with enable being
      unset is undefined behavior.  So clearing them both looks reasonable,
      and it actually fixes the reported bug.

      https://bugzilla.redhat.com/show_bug.cgi?id=1268879

      Cc: Hans de Goede <hdegoede@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Hans de Goede <hdegoede@xxxxxxxxxx>
      Message-id: 1445413462-18004-1-git-send-email-kraxel@xxxxxxxxxx

  commit 130d0bc6594d0cc6591d00312841891b3c187b07
  Merge: 3d861a0 4d77b1f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 10:20:04 2015 +0000

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20151103-1' 
into staging

      ui: fixes for vnc, opengl and curses.

      # gpg: Signature made Tue 03 Nov 2015 09:53:24 GMT using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-ui-20151103-1:
        vnc: fix bug: vnc server can't start when 'to' is specified
        vnc: allow fall back to RAW encoding
        ui/opengl: Reduce build required libraries for opengl
        ui/curses: Fix pageup/pagedown on -curses
        ui/curses: Support line graphics chars on -curses mode
        ui/curses: Fix monitor color with -curses when 256 colors

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4d77b1f23877b579b94421d0cab2bebc79f4e171
  Author: Yang Hongyang <hongyang.yang@xxxxxxxxxxxx>
  Date:   Tue Oct 27 14:10:52 2015 +0800

      vnc: fix bug: vnc server can't start when 'to' is specified

      commit e0d03b8ceb52 converted VNC startup to use SocketAddress,
      the interface socket_listen don't have a port_offset param, so
      we need to add the port offset (5900) to both 'port' and 'to' opts.
      currently only 'port' is added by offset.
      This patch add the port offset to 'to' opts.

      Signed-off-by: Yang Hongyang <hongyang.yang@xxxxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1445926252-14830-1-git-send-email-hongyang.yang@xxxxxxxxxxxx
      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Cc: Eric Blake <eblake@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit de3f7de7f4e257ce44cdabb90f5f17ee99624557
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Aug 27 14:46:25 2015 +0200

      vnc: allow fall back to RAW encoding

      I have observed that depending on the contents and the encoding it happens
      that sending data as RAW sometimes would take less space than the encoded 
data.
      This is especially the case for small updates or areas with high color 
images.
      If sending RAW encoded data is beneficial allow a fall back to RAW 
encoding
      for the framebuffer update.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit fb719563676f8958141a5c984e876a9a1b18f48b
  Author: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Oct 27 02:45:48 2015 +0900

      ui/opengl: Reduce build required libraries for opengl

      We now use epoxy to load opengl libraries. This means we don't need to
      link opengl libraries directly if interfaces handled by epoxy. With
      this, we just need epoxy headers and epoxy's *.so to build.

      Tested with epoxy-1.3.1.

      - sdl2/gtk/console egl stuff doesn't require other than epoxy
      - milkymist-tmu2 glx stuff doesn't require other than epoxy

      (lm32 test is limited, because can't find mmone-bios.bin, so just test
      to load libGL with "./lm32-softmmu/qemu-system-lm32 -M 
milkymist,accel=qtest")

      Signed-off-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>

      [ lm32 tested by kraxel ]

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e72df72a558cc189bb8681df8059b3a8cff281fc
  Author: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 19 21:24:07 2015 +0900

      ui/curses: Fix pageup/pagedown on -curses

      Current KEY_NPAGE/KEY_PPAGE handling is broken on -curses. Those uses
      "GREY", but "KEY_MASK" masked out "GREY".

      To fix, we have to use correct mask value - SCANCODE_KEYMASK.

      Then, this adds support of "shift + pageup/pagedown". With this,
      -curses mode can use scroll-up/down as usual like other display modes.

      Signed-off-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e2368dc9684ae5cec2f0558be4803901a0b58b7b
  Author: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 19 21:23:46 2015 +0900

      ui/curses: Support line graphics chars on -curses mode

      This converts vga code to curses code in console_write_bh().

      With this changes, we can see line graphics (for example, dialog uses)
      correctly.

      Signed-off-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 615220ddaf23db4c5686053257c568b46967e4b5
  Author: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 19 21:23:10 2015 +0900

      ui/curses: Fix monitor color with -curses when 256 colors

      If TERM=xterm-256color, COLOR_PAIRS==256 and monitor passes chtype
      like 0x74xx. Then, the code uses uninitialized color pair. As result,
      monitor uses black for both of fg and bg color, i.e. terminal is
      filled by black.

      To fix, this initialize above than 64 with default color 
(fg=white,bg=black).

      FIXME: on 256 color, curses may be possible better vga color emulation.

      Signed-off-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5dfdae814307f7580d56ab4505288224751e0801
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:08:02 2015 -0200

      vl.c: Use "%s support is disabled" error messages consistently

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-12-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 515cb8ef27874822c64bc81ccde9bd7227383137
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:08:00 2015 -0200

      vl.c: Improve warnings on use of deprecated options

      Simplify warnings about deprecated options by rewriting them as
      "warning: ignoring deprecated option".

      Reword -no-kvm-pit-reinjection deprecation warning.

      Suggested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-10-git-send-email-ehabkost@xxxxxxxxxx>
      [Squashed in
      Message-Id: <1446217682-24421-11-git-send-email-ehabkost@xxxxxxxxxx>
      and updated commit message]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 4cd70f34afa817cfc891f6c64fd7e277ba561784
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:56 2015 -0200

      vl.c: Touch up error messages

      Several small improvements:

      * Use "cannot" instead of "can not"
      * Use 'quotes' instead of `quotes'
      * Change "fail to parse" error message to "failed to parse"

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Suggested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-6-git-send-email-ehabkost@xxxxxxxxxx>
      [Squashed in
      Message-Id: <1446217682-24421-7-git-send-email-ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-9-git-send-email-ehabkost@xxxxxxxxxx>
      and updated commit message]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3e5153732e96d870b3272e662234d664c15e3815
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:58 2015 -0200

      vl.c: Remove unnecessary uppercase in error messages

      Suggested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-8-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit eb177ec1843476f278a63d936b0f73f456a86024
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:55 2015 -0200

      vl.c: Use "warning:" prefix consistently on warnings

      Suggested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-5-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 8afb900030b93122a40ef4a636d02ba888bdce12
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:54 2015 -0200

      vl.c: Remove periods and exclamation points from error messages

      Except for removing periods and exclamation points, no other changes
      were made to the error messages (yet).

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-4-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f61eddcb2bb5cbbdd1d911b7e937db9affc29028
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:52 2015 -0200

      vl.c: Replace fprintf(stderr) with error_report()

      Straightforward replacement, except for qemu_kill_report(), which
      printed a common part of its error message first, then the applicable
      special part.  Print each complete message with a single
      error_report() instead.

      Multi-line messages were replaced by error_report() followed by
      error_printf().

      The following changes were made to the error messages:

      * The "invalid date format" message was reworded to better fit
        the new error_report()+error_printf() pattern.
      * On the remaining messages, only the trailing newlines, "qemu:" and
        "error:" message prefixes were removed.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-2-git-send-email-ehabkost@xxxxxxxxxx>
      [Squashed in
      Message-Id: <1446217682-24421-3-git-send-email-ehabkost@xxxxxxxxxx>
      and updated commit message]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit aa5ccadcca3e6018ebd9d2e8b0a0604f7cb0cd59
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue Oct 20 15:38:46 2015 +0800

      scripts/text2pod.pl: Escape left brace

      Latest perl now deprecates "{" literal in regex and print warnings like
      "unescaped left brace in regex is deprecated".  Add escapes to keep it
      happy.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>

      Message-Id: <1445326726-16031-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit cc57501dee37376d0a2fbc5921e0f3a9ed4b117d
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Mon Oct 19 19:11:11 2015 +0200

      file_ram_alloc: propagate error to caller instead of terminating QEMU

      QEMU shouldn't exits from file_ram_alloc() if -mem-prealloc option is 
specified
      and "object_add memory-backend-file,..." fails allocation during memory 
hotplug.

      Propagate error to a caller and let it decide what to do with allocation 
failure.
      That leaves QEMU alive if it can't create backend during hotplug time and
      kills QEMU at startup time if backends or initial memory were 
misconfigured/
      too large.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-Id: <1445274671-17704-1-git-send-email-imammedo@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3d861a01093f8eedfac9889746ccafcfd32039b7
  Merge: 24f4a0f 32bc687
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 2 11:11:39 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-11-02' 
into staging

      QAPI patches

      # gpg: Signature made Mon 02 Nov 2015 09:07:23 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-11-02: (25 commits)
        qapi: Simplify gen_struct_field()
        qapi: Reserve 'u' member name
        qapi: Finish converting to new qapi union layout
        tpm: Convert to new qapi union layout
        memory: Convert to new qapi union layout
        input: Convert to new qapi union layout
        char: Convert to new qapi union layout
        net: Convert to new qapi union layout
        sockets: Convert to new qapi union layout
        block: Convert to new qapi union layout
        tests: Convert to new qapi union layout
        qapi-visit: Convert to new qapi union layout
        qapi: Start converting to new qapi union layout
        qapi-visit: Remove redundant functions for flat union base
        qapi: Unbox base members
        qapi: Prefer typesafe upcasts to qapi base classes
        qapi-types: Refactor base fields output
        qapi-visit: Split off visit_type_FOO_fields forward decl
        vnc: Hoist allocation of VncBasicInfo to callers
        qapi: Reserve 'q_*' and 'has_*' member names
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 32bc6879beea0b0cac6196cb15a71d206401e96d
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:35:03 2015 -0600

      qapi: Simplify gen_struct_field()

      Rather than having all callers pass a name, type, and optional
      flag, have them instead pass a QAPISchemaObjectTypeMember which
      already has all that information.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-25-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 5e59baf90a72cd25d38a3134edc029f4f022da74
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:35:02 2015 -0600

      qapi: Reserve 'u' member name

      Now that we have separated union tag values from colliding with
      non-variant C names, by naming the union 'u', we should reserve
      this name for our use.  Note that we want to forbid 'u' even in
      a struct with no variants, because it is possible for a future
      qemu release to extend QMP in a backwards-compatible manner while
      converting from a struct to a flat union.  Fortunately, no
      existing clients were using this member name.  If we ever find
      the need for QMP to have a member 'u', we could at that time
      relax things, perhaps by having c_name() munge the QMP member to
      'q_u'.

      Note that we cannot forbid 'u' everywhere (by adding the
      rejection code to check_name()), because the existing QKeyCode
      enum already uses it; therefore we only reserve it as a struct
      type member name.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-24-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e4ba22b31943ab02373359555bd7bcd66442632f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:35:01 2015 -0600

      qapi: Finish converting to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      This patch is the back end for a series that converts to a
      saner qapi union layout.  Now that all clients have been
      converted to use 'type' and 'obj->u.value', we can drop the
      temporary parallel support for 'kind' and 'obj->value'.

      Given a simple union qapi type:

      { 'union':'Foo', 'data': { 'a':'int', 'b':'bool' } }

      this is the overall effect, when compared to the state before
      this series of patches:

      | struct Foo {
      |-    FooKind kind;
      |-    union { /* union tag is @kind */
      |+    FooKind type;
      |+    union { /* union tag is @type */
      |         void *data;
      |         int64_t a;
      |         bool b;
      |-    };
      |+    } u;
      | };

      The testsuite still contains some examples of artificial restrictions
      (see flat-union-clash-type.json, for example) that are no longer
      technically necessary, now that there is no longer a collision between
      enum tag values and non-variant member names; but fixing this will be
      done in later patches, in part because some further changes are required
      to keep QAPISchema*.check() from asserting.  Also, a later patch will
      add a reservation for the member name 'u' to avoid a collision between a
      user's non-variant names and our internal choice of C union name.

      Note, however, that we do not rename the generated enum, which
      is still 'FooKind'.  A further patch could generate implicit
      enums as 'FooType', but while the generator already reserved
      the '*Kind' namespace (commit 4dc2e69), there are already QMP
      constructs with '*Type' naming, which means changing our
      reservation namespace would have lots of churn to C code to
      deal with a forced name change.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-23-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ce21131a0b9e556bb73bf65eacdc07ccb21f78a9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:35:00 2015 -0600

      tpm: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for TPM-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-22-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1fd5d4fea4ba686705fd377c7cffc0f0c9f83f93
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:59 2015 -0600

      memory: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for memory-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-21-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 568c73a4783cd981e9aa6de4f15dcda7829643ad
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:58 2015 -0600

      input: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for input-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-20-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 130257dc443574a9da91dc293665be2cfc40245a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:57 2015 -0600

      char: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for character-related
      code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-19-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 8d0bcba8370a4e8606dee602393a14d0c48e8bfc
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:56 2015 -0600

      net: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for net-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-18-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2d32addae70987521578d8bb27c6b3f52cdcbdcb
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:55 2015 -0600

      sockets: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for socket-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-17-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6a8f9661dc3c088ed0d2f5b41d940190407cbdc5
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:54 2015 -0600

      block: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for block-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-16-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit c363acef772647f66becdbf46dd54e70e67f3cc9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:53 2015 -0600

      tests: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for testsuite code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-15-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 150d0564a4c626642897c748f7906260a13c14e1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:52 2015 -0600

      qapi-visit: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for qapi-visit.py.

      Generated code changes look like:

      |@@ -4912,16 +4912,16 @@ void visit_type_MemoryDeviceInfo(Visitor
      |     if (!*obj) {
      |         goto out_obj;
      |     }
      |-    visit_type_MemoryDeviceInfoKind(v, &(*obj)->kind, "type", &err);
      |+    visit_type_MemoryDeviceInfoKind(v, &(*obj)->type, "type", &err);
      |     if (err) {
      |         goto out_obj;
      |     }
      |-    if (!visit_start_union(v, !!(*obj)->data, &err) || err) {
      |+    if (!visit_start_union(v, !!(*obj)->u.data, &err) || err) {
      |         goto out_obj;
      |     }
      |-    switch ((*obj)->kind) {
      |+    switch ((*obj)->type) {
      |     case MEMORY_DEVICE_INFO_KIND_DIMM:
      |-        visit_type_PCDIMMDeviceInfo(v, &(*obj)->dimm, "data", &err);
      |+        visit_type_PCDIMMDeviceInfo(v, &(*obj)->u.dimm, "data", &err);
      |         break;
      |     default:
      |         abort();
      |@@ -4930,7 +4930,7 @@ out_obj:
      |     error_propagate(errp, err);
      |     err = NULL;
      |     if (*obj) {
      |-        visit_end_union(v, !!(*obj)->data, &err);
      |+        visit_end_union(v, !!(*obj)->u.data, &err);
      |     }
      |     error_propagate(errp, err);
      |     err = NULL;

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-14-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f51d8fab44b231aa299d8de24cfdf9ba41ef4a21
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:51 2015 -0600

      qapi: Start converting to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      This patch is the front end for a series that converts to a
      saner qapi union layout.  By the end of the series, we will no
      longer have the type/kind mismatch, and all tag values will be
      under a named union, which requires clients to access
      'obj->u.value' instead of 'obj->value'.  But since the
      conversion touches a number of files, it is easiest if we
      temporarily support BOTH layouts simultaneously.

      Given a simple union qapi type:

      { 'union':'Foo', 'data': { 'a':'int', 'b':'bool' } }

      make the following changes in generated qapi-types.h:

      | struct Foo {
      |-    FooKind kind;
      |-    union { /* union tag is @kind */
      |+    union {
      |+        FooKind kind;
      |+        FooKind type;
      |+    };
      |+    union { /* union tag is @type */
      |         void *data;
      |         int64_t a;
      |         bool b;
      |+        union { /* union tag is @type */
      |+            void *data;
      |+            int64_t a;
      |+            bool b;
      |+        } u;
      |     };
      | };

      Flat unions do not need the anonymous union for the tag member,
      as we already fixed that to use the member name instead of 'kind'
      back in commit 0f61af3e.

      One additional change is needed in qapi.py: check_union() now
      needs to check for collisions with 'type' in addition to those
      with 'kind'.

      Later, when the conversions are complete, we will remove the
      duplication hacks, and also drop the check_union() restrictions.

      Note, however, that we do not rename the generated enum, which
      is still 'FooKind'.  A further patch could generate implicit
      enums as 'FooType', but while the generator already reserved
      the '*Kind' namespace (commit 4dc2e69), there are already QMP
      constructs with '*Type' naming, which means changing our
      reservation namespace would have lots of churn to C code to
      deal with a forced name change.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-13-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 5c5e51a05b567fd48fb155d94ca6f7679dd0d478
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:50 2015 -0600

      qapi-visit: Remove redundant functions for flat union base

      The code for visiting the base class of a child struct created
      visit_type_Base_fields() which covers all fields of Base; while
      the code for visiting the base class of a flat union created
      visit_type_Union_fields() covering all fields of the base
      except the discriminator.  But since the base class includes
      the discriminator of a flat union, we can just visit the entire
      base, without needing a separate visit of the discriminator.
      Not only is consistently visiting all fields easier to
      understand, it lets us share code.

      The generated code in qapi-visit.c loses several now-unused
      visit_type_UNION_fields(), along with changes like:

      |@@ -1654,11 +1557,7 @@ void visit_type_BlockdevOptions(Visitor
      |     if (!*obj) {
      |         goto out_obj;
      |     }
      |-    visit_type_BlockdevOptions_fields(v, obj, &err);
      |-    if (err) {
      |-        goto out_obj;
      |-    }
      |-    visit_type_BlockdevDriver(v, &(*obj)->driver, "driver", &err);
      |+    visit_type_BlockdevOptionsBase_fields(v, (BlockdevOptionsBase 
**)obj, &err);
      |     if (err) {
      |         goto out_obj;
      |     }

      and forward declarations where needed.  Note that the cast of obj
      to BASE ** is necessary to call visit_type_BASE_fields() (and we
      can't use our upcast wrappers, because those work on pointers while
      we have a pointer-to-pointer).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-12-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ddf21908961073199f3d186204da4810f2ea150b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:49 2015 -0600

      qapi: Unbox base members

      Rather than storing a base class as a pointer to a box, just
      store the fields of that base class in the same order, so that
      a child struct can be directly cast to its parent.  This gives
      less malloc overhead, less pointer dereferencing, and even less
      generated code.  Compare to the earlier commit 1e6c1616a "qapi:
      Generate a nicer struct for flat unions" (although that patch
      had fewer places to change, as less of qemu was directly using
      qapi structs for flat unions).  It also allows us to turn on
      automatic type-safe wrappers for upcasting to the base class
      of a struct.

      Changes to the generated code look like this in qapi-types.h:

      | struct SpiceChannel {
      |-    SpiceBasicInfo *base;
      |+    /* Members inherited from SpiceBasicInfo: */
      |+    char *host;
      |+    char *port;
      |+    NetworkAddressFamily family;
      |+    /* Own members: */
      |     int64_t connection_id;

      as well as additional upcast functions like qapi_SpiceChannel_base().
      Meanwhile, changes to qapi-visit.c look like:

      | static void visit_type_SpiceChannel_fields(Visitor *v, SpiceChannel 
**obj, Error **errp)
      | {
      |     Error *err = NULL;
      |
      |-    visit_type_implicit_SpiceBasicInfo(v, &(*obj)->base, &err);
      |+    visit_type_SpiceBasicInfo_fields(v, (SpiceBasicInfo **)obj, &err);
      |     if (err) {

      (the cast is necessary, since our upcast wrappers only deal with a
      single pointer, not pointer-to-pointer); plus the wholesale
      elimination of some now-unused visit_type_implicit_FOO() functions.

      Without boxing, the corner case of one empty struct having
      another empty struct as its base type now requires inserting a
      dummy member (previously, the 'Base *base' member sufficed).

      And now that we no longer consume a 'base' member in the generated
      C struct, we can delete the former negative struct-base-clash-base
      test.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-11-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 30594fe1cd4355626e73b80645428105d0df3cf6
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:48 2015 -0600

      qapi: Prefer typesafe upcasts to qapi base classes

      A previous patch (commit 1e6c1616) made it possible to
      directly cast from a qapi flat union type to its base type.
      However, it requires the use of a C cast, which turns off
      compiler type-safety checks.  Fortunately, no such casts
      exist, just yet.

      Regardless, add inline type-safe wrappers named
      qapi_FOO_base() for any union type FOO that has a base,
      which can be used for a safer upcast, and enhance the
      testsuite to cover the new functionality.

      A future patch will extend the upcast support to structs,
      where such conversions do exist already.

      Note that C makes const-correct upcasts annoying because
      it lacks overloads; these functions cast away const so that
      they can accept user pointers whether const or not, and the
      result in turn can be assigned to normal or const pointers.
      Alternatively, this could have been done with macros, but
      type-safe macros are hairy, and not worthwhile here.

      This patch just adds upcasts.  None of our code needed to
      downcast from a base qapi class to a child.  Also, in the
      case of grandchildren (such as BlockdevOptionsQcow2), the
      caller will need to call two functions to get to the inner
      base (although it wouldn't be too hard to generate a
      qapi_FOO_base_base() if desired).  If a user changes qapi
      to alter the base class hierarchy, such as going from
      'A -> C' to 'A -> B -> C', it will change the type of
      'qapi_C_base()', and the compiler will point out the places
      that are affected by the new base.

      One alternative was proposed, but was deemed too ugly to use
      in practice: the generators could output redundant
      information using anonymous types:
      | struct Child {
      |     union {
      |         struct {
      |             Type1 parent_member1;
      |             Type2 parent_member2;
      |         };
      |         Parent base;
      |     };
      | };
      With that ugly proposal, for a given qapi type, obj->member
      and obj->base.member would refer to the same storage; allowing
      convenience in working with members without needing 'base.'
      allowing typesafe upcast without needing a C cast by accessing
      '&obj->base', and allowing downcasts from the parent back to
      the child possible through container_of(obj, Child, base).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-10-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f87ab7f9bd956250c48b5c6e9b607b537fd21543
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:47 2015 -0600

      qapi-types: Refactor base fields output

      Move code from gen_union() into gen_struct_fields() in order for
      a later patch to share code when enumerating inherited fields
      for struct types.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-9-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d02cf37766ba3cf918d7085aa7848c9dc05fd11a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:46 2015 -0600

      qapi-visit: Split off visit_type_FOO_fields forward decl

      We generate a static visit_type_FOO_fields() for every type
      FOO.  However, sometimes we need a forward declaration. Split
      the code to generate the forward declaration out of
      gen_visit_implicit_struct() into a new gen_visit_fields_decl(),
      and also prepare for a forward declaration to be emitted
      during gen_visit_struct(), so that a future patch can switch
      from using visit_type_FOO_implicit() to the simpler
      visit_type_FOO_fields() as part of unboxing the base class
      of a struct.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-8-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 98481bfcd661daa3c160cc87a297b0e60a307788
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:45 2015 -0600

      vnc: Hoist allocation of VncBasicInfo to callers

      A future qapi patch will rework generated structs with a base
      class to be unboxed.  In preparation for that, change the code
      that allocates then populates an info struct to instead merely
      populate the fields of an info field passed in as a parameter
      (renaming vnc_basic_info_get* to vnc_init_basic_info*). Add
      rudimentary Error handling at the lowest levels for cases
      where the old code returned NULL; but rather than plumb Error
      all the way through the stack, the callers drop the error and
      return NULL as before.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-7-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9fb081e0b98409556d023c7193eeb68947cd1211
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:44 2015 -0600

      qapi: Reserve 'q_*' and 'has_*' member names

      c_name() produces names starting with 'q_' when protecting a
      dictionary member name that would fail to directly compile, but
      in doing so can cause clashes with any member name already
      beginning with 'q-' or 'q_'.  Likewise, we create a C name 'has_'
      for any optional member that can clash with any member name
      beginning with 'has-' or 'has_'.

      Technically, rather than blindly reserving the namespace,
      we could try to complain about user names only when an actual
      collision occurs, or even teach c_name() how to munge names
      to avoid collisions.  But it is not trivial, especially when
      collisions can occur across multiple types (such as via
      inheritance or flat unions).  Besides, no existing .json
      files are trying to use these names.  So it's easier to just
      outright forbid the potential for collision.  We can always
      relax things in the future if a real need arises for QMP to
      express member names that have been forbidden here.

      'has_' only has to be reserved for struct/union member names,
      while 'q_' is reserved everywhere (matching the fact that
      only members can be optional, while we use c_name() for munging
      both members and entities).  Note that we could relax 'q_'
      restrictions on entities independently from member names; for
      example, c_name('qmp_' + 'unix') would result in a different
      function name than our current 'qmp_' + c_name('unix').

      Update and add tests to cover the new error messages.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-6-git-send-email-eblake@xxxxxxxxxx>
      [Consistently pass protect=False to c_name(); commit message tweaked
      slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 255960dd374d4497d6ea537305f1b0d8a3433789
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:43 2015 -0600

      qapi: Reserve '*List' type names for list types

      Type names ending in 'List' can clash with qapi list types in
      generated C.  We don't currently use such names. It is easier to
      outlaw them now than to worry about how to resolve such a clash
      in the future. For precedence, see commit 4dc2e69, which did the
      same for names ending in 'Kind' versus implicit enum types for
      qapi unions.

      Update the testsuite to match.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-5-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f9e6102b48f21e464a847a858a456c521e7a83e5
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:42 2015 -0600

      qapi: More robust conditions for when labels are needed

      We were using regular expressions to see if ret included
      any earlier text that emitted a 'goto out;' line, to decide
      whether we needed to output an 'out:' label.  But this is
      fragile, if the ret text can possibly combine more than one
      generated function body, where the first function used a
      goto but the second does not.  Change the code to just check
      for the known conditions which cause an error check to be
      needed.  Besides, it's slightly more efficient to use plain
      checks than regular expression searching.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-4-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 8712fa5333ad348da20034b717dd814219d1ec11
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:41 2015 -0600

      qapi: More idiomatic string operations

      Rather than slicing the end of a string, we can use python's
      endswith().  And rather than creating a set of characters,
      we can search for a character within a string.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-3-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1976708321f21ed51d0a374db6b28a6cd1bd5d66
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:40 2015 -0600

      tests/qapi-schema: Test for reserved names, empty struct

      Add some testsuite coverage to ensure future patches are on
      the right track:

      Our current C representation of qapi arrays is done by appending
      'List' to the element name; but we are not preventing the
      creation of an object type with the same name.  Add
      reserved-type-list.json to test this.  Then rename
      enum-union-clash.json to reserved-type-kind.json to cover the
      reservation that we DO detect, and shorten it to match the fact
      that the name is reserved even if there is no clash.

      We are failing to detect a collision between a dictionary member
      and the implicit 'has_*' flag for another optional member. The
      easiest fix would be for a future patch to reserve the entire
      "has[-_]" namespace for member names (the collision is also
      possible for branch names within flat unions, but only as long as
      branch names can collide with (non-variant) members; however,
      since future patches are about to remove that, it is not worth
      testing here). Add reserved-member-has.json to test this.

      A similar collision exists between a dictionary member where
      c_name() munges what might otherwise be a reserved name to start
      with 'q_', and another member explicitly starts with "q[-_]".
      Again, the easiest solution for a future patch will be reserving
      the entire namespace, but here for commands as well as members.
      Add reserved-member-q.json and reserved-command-q.json to test
      this; separate tests since arguably our munging of command 'unix'
      to 'qmp_q_unix()' could be done without a q_, which is different
      than the munging of a member 'unix' to 'foo.q_unix'.

      Finally, our testsuite does not have any compilation coverage
      of struct inheritance with empty qapi structs.  Update
      qapi-schema-test.json to test this.

      Note that there is currently no technical reason to forbid type
      name patterns from member names, or member name patterns from
      types, since the two are not in the same namespace in C and
      won't collide; but it's not worth adding positive tests of these
      corner cases at this time, especially while there is other churn
      pending in patches that rearrange which collisions actually
      happen.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-2-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2ea1793bd90f04c34fbb75a1b84d71cb5b1f9c08
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Oct 22 11:25:43 2015 +0100

      qapi-schema: mark InetSocketAddress as mandatory again

      Revert the qapi-schema.json change done in:

        commit 0983f5e6af76d5df8c6346cbdfff9d8305fb6da0
        Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
        Date:   Tue Sep 1 14:46:50 2015 +0100

          sockets: allow port to be NULL when listening on IP address

      Switching "port" from mandatory to optional causes the QAPI
      code generator to add a 'has_port' field to the InetSocketAddress
      struct. No code that created InetSocketAddress objects was updated
      to set 'has_port = true', which caused the non-NULL port strings
      to be silently dropped when copying InetSocketAddress objects.

      Reported-by: Knut Omang <knuto@xxxxxxxxxx>
      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1445509543-30679-1-git-send-email-berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 24f4a0f5c969e9077e341402881c1d929d37150b
  Merge: 3a958f5 2a080ce
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 30 21:59:48 2015 +0000

      Merge remote-tracking branch 'remotes/rth/tags/pull-tile-20151030' into 
staging

      Prefetch in y2 pipe

      # gpg: Signature made Fri 30 Oct 2015 20:40:02 GMT using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tile-20151030:
        target-tilegx: Implement prefetch instructions in pipe y2

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3a958f559ecd0511583d27b10011fa7f3cf79b63
  Merge: e79ea9e 37a639a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 30 19:47:47 2015 +0000

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Thu 29 Oct 2015 18:09:16 GMT using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        block: Consider all child nodes in bdrv_requests_pending()
        target-arm: xlnx-zynqmp: Add sdhci support.
        sdhci: Split sdhci.h for public and internal device usage
        sd.h: Move sd.h to include/hw/sd/
        virtio: sync the dataplane vring state to the virtqueue before 
virtio_save
        gdb command: qemu handlers
        virtio-blk: switch off scsi-passthrough by default
        ppc/spapr: add 2.4 compat props
        s390x: include HW_COMPAT_* props
        qemu-gdb: add $qemu_coroutine_sp and $qemu_coroutine_pc
        qemu-gdb: extract parts of "qemu coroutine" implementation
        qemu-gdb: allow using glibc_pointer_guard() on core dumps

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e79ea9e4240971b43494184d68a7f5a67d07e74b
  Merge: fdf9276 60270f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 30 16:30:25 2015 +0000

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20151030' into 
staging

      MIPS patches 2015-10-30

      Changes:
      * R6 CPU can be woken up by non-enabled interrupts
      * PC fix in KVM
      * Coprocessor 0 XContext calculation fix
      * various MIPS R6 updates

      # gpg: Signature made Fri 30 Oct 2015 14:51:56 GMT using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"

      * remotes/lalrae/tags/mips-20151030:
        target-mips: fix updating XContext on mmu exception
        target-mips: add SIGRIE instruction
        target-mips: Set Config5.XNP for R6 cores
        target-mips: add PC, XNP reg numbers to RDHWR
        hw/mips_malta: Fix KVM PC initialisation
        target-mips: Add enum for BREAK32
        target-mips: update writing to CP0.Status.KX/SX/UX in MIPS Release R6
        target-mips: implement the CPU wake-up on non-enabled interrupts in R6
        target-mips: move the test for enabled interrupts to a separate function

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 60270f85cc93d2d34e45b7679c374b1d771f0eeb
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Oct 29 17:17:52 2015 +0000

      target-mips: fix updating XContext on mmu exception

      Correct updating XContext.Region field on mmu exceptions.
      If Config3.CTXTC = 0 then the R field of XContext has to be updated
      with the value of bits 63..62 of the virtual address upon a TLB
      exception.
      Also fixed the below line which overs 80 characters.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: James Hogan <james.hogan@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit bb238210bb096534b68dab15a87c6ff0bef43672
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Oct 29 15:18:38 2015 +0000

      target-mips: add SIGRIE instruction

      Add SIGRIE (Signal Reserved Instruction Exception) for both MIPS and
      microMIPS.
      The instruction allows to use the 16-bit code field for software use.
      This instruction is introduced by and required as of Release 6.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 35ac9e342e008e3d47ef18d33a6977fdb99de9cd
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Oct 5 14:45:45 2015 +0100

      target-mips: Set Config5.XNP for R6 cores

      Set Config5.XNP for R6 cores to indicate the extended LL/SC family
      of instructions NOT present.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit b00c72180c36510bf9b124e190bd520e3b7e1358
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Oct 29 15:18:39 2015 +0000

      target-mips: add PC, XNP reg numbers to RDHWR

      Add Performance Counter (4) and XNP (5) register numbers to RDHWR.
      Add check_hwrena() to simplify access control checkings.
      Add RDHWR support to microMIPS R6.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ca2f6bbbce32b7e1ba4fdaf54165ab0dee47a3a5
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Mon Oct 12 17:54:39 2015 +0100

      hw/mips_malta: Fix KVM PC initialisation

      Commit 71c199c81d29 ("mips_malta: provide ememsize env variable to
      kernels") changed the meaning of loaderparams.ram_size to be the whole
      of RAM rather than just the low part below where the boot code is placed
      for KVM, but it didn't update the PC initialisation for KVM to use
      ram_low_size. Fix that now.

      Fixes: 71c199c81d29 ("mips_malta: provide ememsize env variable to 
kernels")
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Cc: Paul Burton <paul.burton@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit fdf927621a99711bf1a81712bce054794f2d44c3
  Merge: 7bc8e0c 7f1e7b2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 30 09:41:14 2015 +0000

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-10-30' into staging

      QMP and QObject patches

      # gpg: Signature made Fri 30 Oct 2015 08:06:26 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-10-30:
        docs: Document QMP event rate limiting
        monitor: Throttle event VSERPORT_CHANGE separately by "id"
        monitor: Turn monitor_qapi_event_state[] into a hash table
        glib: add compatibility interface for g_hash_table_add()
        monitor: Split MonitorQAPIEventConf off MonitorQAPIEventState
        monitor: Switch from timer_new() to timer_new_ns()
        monitor: Simplify event throttling
        monitor: Reduce casting of QAPI event QDict
        qstring: Make conversion from QObject * accept null
        qlist: Make conversion from QObject * accept null
        qfloat qint: Make conversion from QObject * accept null
        qdict: Make conversion from QObject * accept null
        qbool: Make conversion from QObject * accept null
        qobject: Drop QObject_HEAD

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7f1e7b23d57408c86d350b3544673fdcd6be55c0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:36 2015 +0200

      docs: Document QMP event rate limiting

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444921716-9511-8-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 7de0be6573afc9dcfb6aa0ded167ad6a8730f727
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:35 2015 +0200

      monitor: Throttle event VSERPORT_CHANGE separately by "id"

      VSERPORT_CHANGE is emitted when the guest opens or closes a
      virtio-serial port.  The event's member "id" identifies the port.

      When several events arrive quickly, throttling drops all but the last
      of them.  Because of that, a QMP client must assume that *any* port
      may have changed state when it receives a VSERPORT_CHANGE event and
      throttling may have happened.

      Make the event more useful by throttling it for each port separately.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444921716-9511-7-git-send-email-armbru@xxxxxxxxxx>

  commit a24712af54259dd744a49447658521325f10a721
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:34 2015 +0200

      monitor: Turn monitor_qapi_event_state[] into a hash table

      In preparation of finer grained throttling.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444921716-9511-6-git-send-email-armbru@xxxxxxxxxx>

  commit 8681dffa91a0d5767b7c1eb3d5c2acbf7f7dd7ba
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Oct 27 15:44:00 2015 +0100

      glib: add compatibility interface for g_hash_table_add()

      The next commit will use it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 37a639a7fbc5c6b065c80e7e2de78d22af735496
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Oct 28 11:46:51 2015 +0100

      block: Consider all child nodes in bdrv_requests_pending()

      The function manually recursed into bs->file and bs->backing to check
      whether there were any requests pending, but it ignored other children.

      There's no need to special case file and backing here, so just replace
      these two explicit recursions by a loop recursing for all child nodes.

      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 1446029211-27148-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 33108e9f3388b07b7daa4e46d476ff89ce7dbec5
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Thu Oct 8 18:51:03 2015 +0530

      target-arm: xlnx-zynqmp: Add sdhci support.

      Add two SYSBUS_SDHCI devices for xlnx-zynqmp

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 637d23beb607765033067c5cb08e0d66afaf8f4c
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Thu Oct 8 18:51:02 2015 +0530

      sdhci: Split sdhci.h for public and internal device usage

      Split sdhci.h into pubilc version (i.e include/hw/sd/sdhci.h) and
      internal version (i.e hw/sd/sdhci-interna.h) based on register
      declarations and object declaration.

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e3382ef0ea2724f5f09271a608e8f68ede5d844d
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Thu Oct 8 18:51:01 2015 +0530

      sd.h: Move sd.h to include/hw/sd/

      Create a sd directory under include/hw/ and move sd.h to
      include/hw/sd/

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 10a06fd65f667a972848ebbbcac11bdba931b544
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Mon Oct 26 14:42:57 2015 +0300

      virtio: sync the dataplane vring state to the virtqueue before virtio_save

      When creating snapshot with the dataplane enabled, the snapshot file gets
      not the actual state of virtqueue, because the current state is stored in
      VirtIOBlockDataPlane. Therefore, before saving snapshot need to sync
      the dataplane vring state to the virtqueue. The dataplane will resume its
      work at the next notify virtqueue.

      When snapshot loads with loadvm we get a message:
      VQ 0 size 0x80 Guest index 0x15f5 inconsistent with Host index 0x0:
          delta 0x15f5
      error while loading state for instance 0x0 of device
          '0000:00:08.0/virtio-blk'
      Error -1 while loading VM state

      to reproduce the error I used the following hmp commands:
      savevm snap1
      loadvm snap1

      qemu parameters:
      --enable-kvm -smp 4 -m 1024 -drive 
file=/var/lib/libvirt/images/centos6.4.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,aio=native
 -device 
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x8,drive=drive-virtio-disk0,id=virtio-disk0
 -set device.virtio-disk0.x-data-plane=on

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1445859777-2982-1-git-send-email-den@xxxxxxxxxx
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      CC: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c900ef86c5e30e1adec0f79350edc3f30ebee285
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue Oct 27 13:09:45 2015 +0000

      gdb command: qemu handlers

      A new gdb commands are added:

        qemu handlers

           That dumps an AioContext list (by default qemu_aio_context)
           possibly including a backtrace for cases it knows about
           (with the verbose option).  Intended to help find why something
           is hanging waiting for IO.

        Use 'qemu handlers --verbose iohandler_ctx'  to find out why
      your incoming migration is stuck.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-id: 1445951385-11924-1-git-send-email-dgilbert@xxxxxxxxxx

      V2:
        Merge into one command with optional handlers arg, and only do
          backtrace in verbose mode

       (gdb) qemu handlers
       ----
       {pfd = {fd = 6, events = 25, revents = 0}, io_read = 0x55869656ffd0
       <event_notifier_dummy_cb>, io_write = 0x0, deleted = 0, opaque =
       0x558698c4ce08, node = {le_next = 0x0, le_prev = 0x558698c4cdc0}}

       (gdb) qemu handlers iohandler_ctx
       ----
       {pfd = {fd = 9, events = 25, revents = 0}, io_read = 0x558696581380
       <fd_coroutine_enter>, io_write = 0x0, deleted = 0, opaque =
       0x558698dc99d0, node = {le_next = 0x558698c4cca0, le_prev =
       0x558698c4c1d0}}
       ----
       {pfd = {fd = 4, events = 25, revents = 0}, io_read = 0x55869657b330
       <sigfd_handler>, io_write = 0x0, deleted = 0, opaque = 0x4, node =
       {le_next = 0x558698c4c260, le_prev = 0x558699f72508}}
       ----
       {pfd = {fd = 5, events = 25, revents = 0}, io_read = 0x55869656ffd0
       <event_notifier_dummy_cb>, io_write = 0x0, deleted = 0, opaque =
       0x558698c4c218, node = {le_next = 0x0, le_prev = 0x558698c4ccc8}}
       ----
       (gdb) qemu handlers --verbose iohandler_ctx
       ----
       {pfd = {fd = 9, events = 25, revents = 0}, io_read = 0x558696581380
       <fd_coroutine_enter>, io_write = 0x0, deleted = 0, opaque =
       0x558698dc99d0, node = {le_next = 0x558698c4cca0, le_prev =
       0x558698c4c1d0}}
       #0  0x0000558696581820 in qemu_coroutine_switch
       (from_=from_@entry=0x558698cb3cf0, to_=to_@entry=0x7f421c37eac8,
       action=action@entry=COROUTINE_YIELD) at
       /home/dgilbert/git/qemu/coroutine-ucontext.c:177
       #1  0x0000558696580c00 in qemu_coroutine_yield () at
       /home/dgilbert/git/qemu/qemu-coroutine.c:145
       #2  0x00005586965814f5 in yield_until_fd_readable (fd=9) at
       /home/dgilbert/git/qemu/qemu-coroutine-io.c:90
       #3  0x0000558696523937 in socket_get_buffer (opaque=0x55869a3dc620,
       buf=0x558698c505a0 "", pos=<optimized out>, size=32768) at
       /home/dgilbert/git/qemu/migration/qemu-file-unix.c:101
       #4  0x0000558696521fac in qemu_fill_buffer (f=0x558698c50570) at
       /home/dgilbert/git/qemu/migration/qemu-file.c:227
       #5  0x0000558696522989 in qemu_peek_byte (f=0x558698c50570, offset=0)
           at /home/dgilbert/git/qemu/migration/qemu-file.c:507
       #6  0x0000558696522bf4 in qemu_get_be32 (f=0x558698c50570) at
       /home/dgilbert/git/qemu/migration/qemu-file.c:520
       #7  0x0000558696522bf4 in qemu_get_be32 (f=f@entry=0x558698c50570)
           at /home/dgilbert/git/qemu/migration/qemu-file.c:604
       #8  0x0000558696347e5c in qemu_loadvm_state (f=f@entry=0x558698c50570)
           at /home/dgilbert/git/qemu/migration/savevm.c:1821
       #9  0x000055869651de8c in process_incoming_migration_co
       (opaque=0x558698c50570)
           at /home/dgilbert/git/qemu/migration/migration.c:336
       #10 0x000055869658188a in coroutine_trampoline (i0=<optimized out>,
       i1=<optimized out>)
           at /home/dgilbert/git/qemu/coroutine-ucontext.c:80
       #11 0x00007f420f05df10 in __start_context () at /lib64/libc.so.6
       #12 0x00007ffc40815f50 in  ()
       #13 0x0000000000000000 in  ()

        ----
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ed65fd1a2750d24290354cc7ea49caec7c13e30b
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Oct 16 12:25:54 2015 +0200

      virtio-blk: switch off scsi-passthrough by default

      Devices that are compliant with virtio-1 do not support scsi
      passthrough any more (and it has not been a recommended setup
      anyway for quite some time). To avoid having to switch it off
      explicitly in newer qemus that turn on virtio-1 by default, let's
      switch the default to scsi=false for 2.5.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Message-id: 1444991154-79217-4-git-send-email-cornelia.huck@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 80fd50f96b8dc46e185f61d9b6438a6414507076
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Oct 16 12:25:53 2015 +0200

      ppc/spapr: add 2.4 compat props

      HW_COMPAT_2_4 will become non-empty: prepare for it.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Message-id: 1444991154-79217-3-git-send-email-cornelia.huck@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 54d8ec84fa444ed7c05e03f96895ba69a2b2e5bc
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Oct 16 12:25:52 2015 +0200

      s390x: include HW_COMPAT_* props

      We want to inherit generic hw compat as well.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-id: 1444991154-79217-2-git-send-email-cornelia.huck@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a201b0ff28d9fa0f965450c1ba7191eca69f9fd5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 10:02:54 2015 +0200

      qemu-gdb: add $qemu_coroutine_sp and $qemu_coroutine_pc

      These can be useful to manually get a stack trace of a coroutine inside
      a core dump.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1444636974-19950-4-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 80ab31b257ba3aaa98ce6f1e36592aa20c5366c1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 10:02:53 2015 +0200

      qemu-gdb: extract parts of "qemu coroutine" implementation

      Provide useful Python functions to reach and decipher a jmpbuf.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1444636974-19950-3-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1138f24645e9e1e2d55d280caab4e2539dfcdb49
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 10:02:52 2015 +0200

      qemu-gdb: allow using glibc_pointer_guard() on core dumps

      get_fs_base() cannot be run on a core dump, because it uses the arch_prctl
      system call.  The fs base is the value that is returned by pthread_self(),
      and it would be nice to just glean it from the "info threads" output:

      * 1    Thread 0x7f16a3fff700 (LWP 33642) pthread_cond_wait@@GLIBC_2.3.2 ()
                    ^^^^^^^^^^^^^^

      but unfortunately the gdb API does not provide that.  Instead, we can
      look for the "arg" argument of the start_thread function if glibc debug
      information are available.  If not, fall back to the old mechanism.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1444636974-19950-2-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dbd8af9824d0ddc4400f859c2af77543461cba0d
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Fri Oct 2 17:50:50 2015 +0100

      target-mips: Add enum for BREAK32

      Add enum for BREAK32

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 2dcf7908d9e0274c08911400beb7ed14276bb170
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Mon Sep 14 13:51:31 2015 +0100

      target-mips: update writing to CP0.Status.KX/SX/UX in MIPS Release R6

      Implement the relationship between CP0.Status.KX, SX and UX. It should not
      be possible to set UX bit if SX is 0, the same applies for setting SX if
      KX is 0.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 7540a43a1d9de71fa7a53ccd2bb24a04e2aace41
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Mon Sep 14 13:58:24 2015 +0100

      target-mips: implement the CPU wake-up on non-enabled interrupts in R6

      In Release 6, the behaviour of WAIT has been modified to make it a
      requirement that a processor that has disabled operation as a result of
      executing a WAIT will resume operation on arrival of an interrupt even if
      interrupts are not enabled.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 71ca034a0dee69f77c8ac6ea7d21e5b6a0b0d836
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Mon Sep 14 13:58:23 2015 +0100

      target-mips: move the test for enabled interrupts to a separate function

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit b9b03ab0d47e8cfc0015255c531db41d0b1a1f91
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:33 2015 +0200

      monitor: Split MonitorQAPIEventConf off MonitorQAPIEventState

      In preparation of turning monitor_qapi_event_state[] into a hash table
      for finer grained throttling.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444921716-9511-5-git-send-email-armbru@xxxxxxxxxx>

  commit 1824c41a62c1bbb79d32f97037ca579212b8c134
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:32 2015 +0200

      monitor: Switch from timer_new() to timer_new_ns()

      We don't actually care for the scale, so we can just as well use the
      simpler interface.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444921716-9511-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 93f8f982fedfc9ee9cf5fc8983c3b25efe828967
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:31 2015 +0200

      monitor: Simplify event throttling

      The event throttling state machine is hard to understand.  I'm not
      sure it's entirely correct.  Rewrite it in a more straightforward
      manner:

      State 1: No event sent recently (less than evconf->rate ns ago)

          Invariant: evstate->timer is not pending, evstate->qdict is null

          On event: send event, arm timer, goto state 2

      State 2: Event sent recently, no additional event being delayed

          Invariant: evstate->timer is pending, evstate->qdict is null

          On event: store it in evstate->qdict, goto state 3

          On timer: goto state 1

      State 3: Event sent recently, additional event being delayed

          Invariant: evstate->timer is pending, evstate->qdict is non-null

          On event: store it in evstate->qdict, goto state 3

          On timer: send evstate->qdict, clear evstate->qdict,
                    arm timer, goto state 2

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444921716-9511-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 688b4b7de755f4dd01ec516975ae01590cf9f438
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:30 2015 +0200

      monitor: Reduce casting of QAPI event QDict

      Make the variables holding the event QDict instead of QObject.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444921716-9511-2-git-send-email-armbru@xxxxxxxxxx>

  commit 7f0278435df1fa845b3bd9556942f89296d4246b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:37 2015 +0200

      qstring: Make conversion from QObject * accept null

      qobject_to_qstring() crashes on null, which is a trap for the unwary.
      Return null instead, and simplify a few callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-7-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 2d6421a90047a83f6722832405fe09571040ea5b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:36 2015 +0200

      qlist: Make conversion from QObject * accept null

      qobject_to_qlist() crashes on null, which is a trap for the unwary.
      Return null instead.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-6-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit fcf73f66a67f5e58c18216f8c8651e38cf4d90af
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:35 2015 +0200

      qfloat qint: Make conversion from QObject * accept null

      qobject_to_qfloat() and qobject_to_qint() crash on null, which is a
      trap for the unwary.  Return null instead, and simplify a few callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-5-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 89cad9f3ec6b30d7550fb5704475fc9c3393a066
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:34 2015 +0200

      qdict: Make conversion from QObject * accept null

      qobject_to_qdict() crashes on null, which is a trap for the unwary.
      Return null instead, and simplify a few callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 14b6160099f0caf5dc9d62e637b007bc5d719a96
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:33 2015 +0200

      qbool: Make conversion from QObject * accept null

      qobject_to_qbool() crashes on null, which is a trap for the unwary.
      Return null instead, and simplify a few callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit c7c462123cfc3b62d325fd75be9c595b055797db
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:32 2015 +0200

      qobject: Drop QObject_HEAD

      QObject_HEAD is a macro expanding into the common part of structs that
      are sub-types of QObject.  It's always been just QObject base, and
      unlikely to change.  Drop the macro, because the code is clearer with
      out it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 7bc8e0c967a4ef77657174d28af775691e18b4ce
  Merge: 331c5e2 3f1e147
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 29 09:49:52 2015 +0000

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, pc, memory: fixes+features for 2.5

      New features:
          This enables hotplug for multifunction devices.
          Patches are very small, so I think it's OK to merge
          at this stage.

          There's also some new infrastructure for vhost-user testing
          not enabled yet so it's harmless to merge.

      I've reverted the "gap between DIMMs" workaround, as it seems too risky, 
and
      applied my own patch in virtio, but not in dataplane code.  This means 
that
      dataplane is broken for some complex DIMM configurations for now.  
Waiting for
      Stefan to review the dataplane fix.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 29 Oct 2015 09:36:16 GMT using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        enable multi-function hot-add
        remove function during multi-function hot-add
        tests/vhost-user-bridge: add vhost-user bridge application
        Revert "memhp: extend address auto assignment to support gaps"
        Revert "pc: memhp: force gaps between DIMM's GPA"
        virtio: drop virtqueue_map_sg
        virtio-scsi: convert to virtqueue_map
        virtio-serial: convert to virtio_map
        virtio-blk: convert to virtqueue_map
        virtio: switch to virtio_map
        virtio: introduce virtio_map
        mmap-alloc: fix error handling
        pc: memhp: do not emit inserting event for coldplugged DIMMs
        vhost-user-test: fix up rhel6 build
        vhost-user: cleanup msg size math
        vhost-user: cleanup struct size math

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3f1e1478db2d67098d98f2c3acf5a4946b7fb643
  Author: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Oct 28 14:20:31 2015 +0800

      enable multi-function hot-add

      Enable PCIe device multi-function hot-add, just ensure function 0 is added
      last, then driver will get the notification to scan the slot.

      Signed-off-by: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0d1c7d88ad909c5b2bd86211a9fe8abf5c74993b
  Author: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Oct 28 14:20:30 2015 +0800

      remove function during multi-function hot-add

      In case user want to cancel the hot-add operation, should roll back,
      device_del the added function that still don`t work.

      Signed-off-by: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3595e2eb0a233a881789fcc71f5b1072e5aaf669
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Wed Oct 28 14:53:07 2015 +0200

      tests/vhost-user-bridge: add vhost-user bridge application

      The test existing in QEMU for vhost-user feature is good for
      testing the management protocol, but does not allow actual
      traffic. This patch proposes Vhost-User Bridge application, which
      can serve the QEMU community as a comprehensive test by running
      real internet traffic by means of vhost-user interface.

      Essentially the Vhost-User Bridge is a very basic vhost-user
      backend for QEMU. It runs as a standalone user-level process.
      For packet processing Vhost-User Bridge uses an additional QEMU
      instance with a backend configured by "-net socket" as a shared
      VLAN.  This way another QEMU virtual machine can effectively
      serve as a shared bus by means of UDP communication.

      For a more simple setup, the another QEMU instance running the
      SLiRP backend can be the same QEMU instance running vhost-user
      client.

      This Vhost-User Bridge implementation is very preliminary.  It is
      missing many features. I has been studying vhost-user protocol
      internals, so I've written vhost-user-bridge bit by bit as I
      progressed through the protocol.  Most probably its internal
      architecture will change significantly.

      To run Vhost-User Bridge application:

      1. Build vhost-user-bridge with a regular procedure. This will
      create a vhost-user-bridge executable under tests directory:

          $ configure; make tests/vhost-user-bridge

      2. Ensure the machine has hugepages enabled in kernel with
      command line like:

          default_hugepagesz=2M hugepagesz=2M hugepages=2048

      3. Run Vhost-User Bridge with:

          $ tests/vhost-user-bridge

      The above will run vhost-user server listening for connections
      on UNIX domain socket /tmp/vubr.sock, and will try to connect
      by UDP to VLAN bridge to localhost:5555, while listening on
      localhost:4444

      Run qemu with a virtio-net backed by vhost-user:

          $ qemu \
              -enable-kvm -m 512 -smp 2 \
              -object 
memory-backend-file,id=mem,size=512M,mem-path=/dev/hugepages,share=on \
              -numa node,memdev=mem -mem-prealloc \
              -chardev socket,id=char0,path=/tmp/vubr.sock \
              -netdev type=vhost-user,id=mynet1,chardev=char0,vhostforce \
              -device virtio-net-pci,netdev=mynet1 \
              -net none \
              -net socket,vlan=0,udp=localhost:4444,localaddr=localhost:5555 \
              -net user,vlan=0 \
              disk.img

      vhost-user-bridge was tested very lightly: it's able to bringup a
      linux on client VM with the virtio-net driver, and execute transmits
      and receives to the internet. I tested with "wget redhat.com",
      "dig redhat.com".

      PS. I've consulted DPDK's code for vhost-user during Vhost-User
      Bridge implementation.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d6a9b0b89d27e0a688f37c1732d4dec40613669e
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 28 18:55:06 2015 +0200

      Revert "memhp: extend address auto assignment to support gaps"

      This reverts commit df0acded19ec4b826aa095cfc19d341bd66fafd3.

      There's no point to it now that the only user has been reverted.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 340065e5a11a515382c8b1112424c97e86ad2a3f
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 28 18:54:05 2015 +0200

      Revert "pc: memhp: force gaps between DIMM's GPA"

      This reverts commit aa8580cddf011e8cedcf87f7a0fdea7549fc4704.

      As described in
      http://article.gmane.org/gmane.comp.emulators.qemu/371432
      that commit causes linux guests to crash on memory hot-unplug.

      The original problem it's trying to solve has now
      been addressed within virtio.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3945ecf1ec4f6e6aa28d0c396a7f5d983c6810d8
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:22:59 2015 +0200

      virtio: drop virtqueue_map_sg

      Deprecated in favor of virtqueue_map.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 4ada5331895551570846e12e7eb00e06616f9152
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:22:13 2015 +0200

      virtio-scsi: convert to virtqueue_map

      Note: virtqueue_map already validates input
      so virtio-scsi does not have to.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit bff712dc223f685c684f9caf960e6460e84a96f0
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:19:43 2015 +0200

      virtio-serial: convert to virtio_map

      This also fixes a minor bug:
      -                virtqueue_map_sg(port->elem.out_sg, port->elem.out_addr,
      -                                 port->elem.out_num, 1);
      is wrong: out_sg is not written so should not be marked dirty.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 3d8db153b4b4e12b6d11590ccd318fff0eafd688
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:18:24 2015 +0200

      virtio-blk: convert to virtqueue_map

      Drop deprecated use of virtqueue_map_sg.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 13972ac5e263a7319609253edac5754129489132
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:09:16 2015 +0200

      virtio: switch to virtio_map

      Drop use of the deprecated virtio_map_sg in virtio core.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 8059feee004111534c4c0652e2f0715e9b4e0754
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:01:44 2015 +0200

      virtio: introduce virtio_map

      virtio_map_sg currently fails if one of the entries it's mapping is
      contigious in GPA but not HVA address space.  Introduce virtio_map which
      handles this by splitting sg entries.

      This new API generally turns out to be a good idea since it's harder to
      misuse: at least in one case the existing one was used incorrectly.

      This will still fail if there's no space left in the sg, but luckily max
      queue size in use is currently 256, while max sg size is 1024, so we
      should be OK even is all entries happen to cross a single DIMM boundary.

      Won't work well with very small DIMM sizes, unfortunately:
      e.g. this will fail with 4K DIMMs where a single
      request might span a large number of DIMMs.

      Let's hope these are uncommon - at least we are not breaking things.

      Note: virtio-scsi calls virtio_map_sg on data loaded from network, and
      validates input, asserting on failure.  Copy the validating code here -
      it will be dropped from virtio-scsi in a follow-up patch.

      Reported-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 9d4ec9370a36f8a564e1ba05519328c0bd60da13
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Sun Oct 25 17:07:45 2015 +0200

      mmap-alloc: fix error handling

      Existing callers are checking for MAP_FAILED,
      so we should return that on error.

      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4828b10bda6a74a22a7695303e0648157d0e3ea4
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Fri Oct 23 14:55:26 2015 +0200

      pc: memhp: do not emit inserting event for coldplugged DIMMs

      currently acpi_memory_plug_cb() sets is_inserting for
      cold- and hot-plugged DIMMs as result ASL MHPD.MSCN()
      method issues device check even for every coldplugged
      DIMM. There isn't much harm in it but if we try to
      unplug such DIMM, OSPM will issue device check
      intstead of device eject event. So OSPM won't eject
      memory module as expected and it will try to eject it
      only when another memory device is hot-(un)plugged.

      As a fix do not set 'is_inserting' event and do not
      issue SCI for cold-plugged DIMMs as they are
      enumerated and activated by OSPM during guest's boot.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 12ebf6908333a86775ef18f12ea283601fd1d2df
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 22 22:28:37 2015 +0300

      vhost-user-test: fix up rhel6 build

      Build on RHEL6 fails:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42875

      Apparently unnamed unions couldn't use C99  named field initializers.
      Let's just name the payload union field.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7fc0246c0792767b732c0989e8eba24bea185feb
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 22 22:33:39 2015 +0300

      vhost-user: cleanup msg size math

      We are sending msg fields, use sizeof on these
      and not on local variables which happen to
      have a matching type.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 86abad0fedc44554adde5e189cf7edfa5b1c948e
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 22 22:31:28 2015 +0300

      vhost-user: cleanup struct size math

      We are using local msg structures everywhere, use them
      for sizeof as well.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 331c5e2091009f170554fed4ef884aeea871e4bb
  Merge: 496fedd 522a0d4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 28 20:10:22 2015 +0000

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20151028' into 
staging

      Breakpoint fixes

      # gpg: Signature made Wed 28 Oct 2015 17:58:52 GMT using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20151028:
        target-*: Advance pc after recognizing a breakpoint

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 522a0d4e3c0d397ffb45ec400d8cbd426dad9d17
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Oct 13 22:07:49 2015 +0000

      target-*: Advance pc after recognizing a breakpoint

      Some targets already had this within their logic, but make sure
      it's present for all targets.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 496fedddce9a575111df4f912fb9e361037531ed
  Merge: 739680d 15e4134
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 28 15:08:36 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      target-i386: finally enable "check" mode by default

      # gpg: Signature made Wed 28 Oct 2015 14:13:10 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Enable "check" mode by default
        target-i386: Don't left shift negative constant

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 739680da59de8531a280e9360aae756b6134a3ec
  Merge: c012e1b 637016c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 28 14:02:27 2015 +0000

      Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' 
into staging

      Update OpenBIOS images

      # gpg: Signature made Wed 28 Oct 2015 00:02:46 GMT using RSA key ID 
AE0F321F
      # gpg: Good signature from "Mark Cave-Ayland 
<mark.cave-ayland@xxxxxxxxxxxx>"

      * remotes/mcayland/tags/qemu-openbios-signed:
        Update OpenBIOS images

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 637016c2603d15d01957eb57f64387262e3ba830
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Oct 28 00:01:28 2015 +0000

      Update OpenBIOS images

      Update OpenBIOS images to SVN r1353 built from submodule.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>

  commit 15e41345906d29a319cc9cdf566347bf79134d24
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Aug 26 13:25:44 2015 -0300

      target-i386: Enable "check" mode by default

      Current default behavior of QEMU is to silently disable features that
      are not supported by the host when a CPU model is requested in the
      command-line. This means that in addition to risking breaking guest ABI
      by default, we are silent about it.

      I would like to enable "enforce" by default, but this can easily break
      existing production systems because of the way libvirt makes assumptions
      about CPU models today (this will change in the future, once QEMU
      provide a proper interface for checking if a CPU model is runnable).

      But there's no reason we should be silent about it. So, change
      target-i386 to enable "check" mode by default so at least we have some
      warning printed to stderr (and hopefully logged somewhere) when QEMU
      disables a feature that is not supported by the host system.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 712b4243c761cb6ab6a4367a160fd2a42e2d4b76
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Sep 29 17:34:23 2015 -0300

      target-i386: Don't left shift negative constant

      Left shift of negative values is undefined behavior. Detected by clang:
        qemu/target-i386/translate.c:2423:26: runtime error:
          left shift of negative value -8

      This changes the code to reverse the sign after the left shift.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit c012e1b7ad066f462ba1c3322fcb43cd8295eaff
  Merge: 7e038b9 9b53926
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 27 16:17:55 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151027-1' into staging

      target-arm queue:
       * more EL2 preparation: handling for stage 2 translations
       * standardize debug macros in i.MX devices
       * improve error message in a corner case for virt board
       * disable live migration of KVM GIC if the kernel can't handle it
       * add SPSR_(ABT|UND|IRQ|FIQ) registers
       * handle non-executable page-straddling Thumb instructions
       * fix a "no 64-bit EL2" assumption in arm_excp_unmasked()

      # gpg: Signature made Tue 27 Oct 2015 16:03:31 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151027-1: (27 commits)
        target-arm: Add support for S1 + S2 MMU translations
        target-arm: Route S2 MMU faults to EL2
        target-arm: Add S2 translation to 32bit S1 PTWs
        target-arm: Add S2 translation to 64bit S1 PTWs
        target-arm: Add ARMMMUFaultInfo
        target-arm: Avoid inline for get_phys_addr
        target-arm: Add support for S2 page-table protection bits
        target-arm: Add computation of starting level for S2 PTW
        target-arm: lpae: Rename granule_sz to stride
        target-arm: lpae: Replace tsz with computed inputsize
        target-arm: Add support for AArch32 S2 negative t0sz
        target-arm: lpae: Move declaration of t0sz and t1sz
        target-arm: lpae: Make t0sz and t1sz signed integers
        target-arm: Add HPFAR_EL2
        i.MX: Standardize i.MX GPT debug
        i.MX: Standardize i.MX EPIT debug
        i.MX: Standardize i.MX FEC debug
        i.MX: Standardize i.MX CCM debug
        i.MX: Standardize i.MX AVIC debug
        i.MX: Standardize i.MX I2C debug
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9b539263faa5c1b7fce2551092b5c7b6eea92081
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:07 2015 +0100

      target-arm: Add support for S1 + S2 MMU translations

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-15-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d759a457a144844bff259aafda093b24e92c116d
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:06 2015 +0100

      target-arm: Route S2 MMU faults to EL2

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-14-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a614e69854a2e601716ee44dfe15c09b8b88f620
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:05 2015 +0100

      target-arm: Add S2 translation to 32bit S1 PTWs

      Add support for applying S2 translation to 32bit S1
      page-table walks.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-13-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 37785977627295162bff58b1f8777d94e20f4c5b
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:04 2015 +0100

      target-arm: Add S2 translation to 64bit S1 PTWs

      Add support for applying S2 translation to 64bit S1
      page-table walks.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-12-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e14b5a23d8c83304559f31397f95d22ada60a19a
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:03 2015 +0100

      target-arm: Add ARMMMUFaultInfo

      Introduce ARMMMUFaultInfo to propagate MMU Fault information
      across the MMU translation code path. This is in preparation for
      adding Stage-2 translation.

      No functional changes.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-11-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit af51f566ec7106d5e834476e78681a7b354f3c7c
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:02 2015 +0100

      target-arm: Avoid inline for get_phys_addr

      Avoid inline for get_phys_addr() to prepare for future recursive use.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-10-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6ab1a5ee1c9d328cacf78805439ed4d3d132decd
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:01 2015 +0100

      target-arm: Add support for S2 page-table protection bits

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-9-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1853d5a9dcac910322c6cc5b2fddec45fd052d25
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:00 2015 +0100

      target-arm: Add computation of starting level for S2 PTW

      The starting level for S2 pagetable walks is computed
      differently from the S1 starting level. Implement the S2
      variant.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-8-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 973a5434825c076995218868b5b3047e5de400c6
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:59 2015 +0100

      target-arm: lpae: Rename granule_sz to stride

      Rename granule_sz to stride to better match the reference manuals.

      No functional change.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-7-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4ca6a051758edf625a17dfc4ce4ab72edabac170
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:58 2015 +0100

      target-arm: lpae: Replace tsz with computed inputsize

      Remove the tsz variable and introduce inputsize.
      This simplifies the code a little and makes it easier to
      compare with the reference manuals.

      No functional change.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-6-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4ee38098010240e0b390061fdd0151ff62d80279
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:57 2015 +0100

      target-arm: Add support for AArch32 S2 negative t0sz

      Add support for AArch32 S2 negative t0sz. In preparation for
      using 40bit IPAs on AArch32.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-5-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1f4c8c18a5b6f4fad13e13b7e3828124c6c8f34d
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:56 2015 +0100

      target-arm: lpae: Move declaration of t0sz and t1sz

      Move declaration of t0sz and t1sz to the top of the function
      avoiding a mix of code and variable declarations.

      No functional change.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5c31a10d16c595d6a59e3e7fc1808c3b1d03e02f
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:55 2015 +0100

      target-arm: lpae: Make t0sz and t1sz signed integers

      Make t0sz and t1sz signed integers to match tsz and to make
      it easier to implement support for AArch32 negative t0sz.
      t1sz is changed for consistensy.

      No functional change.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 59e055307392fdf99b86c8cbcd33a7e261dcbdb1
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:54 2015 +0100

      target-arm: Add HPFAR_EL2

      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 054535262fce994b942039b0a7c4c484c8026c5e
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:26 2015 +0100

      i.MX: Standardize i.MX GPT debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      We also replace IPRINTF with qemu_log_mask(). The qemu_log_mask() output
      is following the same format as the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
b7ce7e98a051479453744aded122789531d80a44.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4929f6563c704dbd057524b38ee519b3a7c8dfe1
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:24 2015 +0100

      i.MX: Standardize i.MX EPIT debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      We also replace IPRINTF with qemu_log_mask(). The qemu_log_mask() output
      is following the same format as the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
5bbad71517ca728d8865f7b9f998baa0df022794.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b72d8d257c187532194f2fca504afb568cd2a3bf
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:21 2015 +0100

      i.MX: Standardize i.MX FEC debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      The qemu_log_mask() output is following the same format as the
      above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
57e565982db94fb433c32dfa17608888464d21de.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4a6aa0af8593ee135ef37867ae00109650b95638
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:19 2015 +0100

      i.MX: Standardize i.MX CCM debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      The qemu_log_mask() output is following the same format as the
      above debug.

      Adding some missing qemu_log_mask call for bad registers.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
293e08f31cbb4df84d58f693243e61e770c73b3a.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f50ed7853ad658407382dfe1da29f3c88d604592
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:17 2015 +0100

      i.MX: Standardize i.MX AVIC debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      We also replace IPRINTF with qemu_log_mask(). The qemu_log_mask() output
      is following the same format as the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
29885ffea2577eaf2288c1d17fd87ee951748b49.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3afcbb01bc1227bc3a3bade1804c449daf74b262
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:14 2015 +0100

      i.MX: Standardize i.MX I2C debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      The qemu_log_mask() output is following the same format as
      the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
328acfe6fc09a5afdbfbfd5220e0869fd5082660.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 564111257468bb772ad0b374dbbb0c969a554cfd
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:11 2015 +0100

      i.MX: Standardize i.MX GPIO debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      The qemu_log_mask() outputis following the same format as
      the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
4f2007adcf0f579864bb4dd8a825824e0e9098b8.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8ccce77c04a23a1451b6e149930e66b6eef75926
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:06 2015 +0100

      i.MX: Standardize i.MX serial debug.

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      We also replace IPRINTF with qemu_log_mask(). The qemu_log_mask() output
      is following the same format as the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
47b8759b251d356c633faf7ea34f897f340aea4e.1445781957.git.jcd@xxxxxxxxxxxxxxx
      [PMM: Drop attempt to print the ram_addr of a memory region in
       one DPRINTF, which (a) was using the wrong format string so
       didn't build on 32-bit and (b) was incorrectly looking at a
       private field of a MemoryRegion struct]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b280b726a329a97db03323d8d03ed554f7872b8
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      hw/arm/virt: don't use a15memmap directly

      We should always go through VirtBoardInfo when we need the memmap.
      To avoid using a15memmap directly, in this case, we need to defer
      the max-cpus check from class init time to instance init time. In
      class init we now use MAX_CPUMASK_BITS for max_cpus initialization,
      which is the maximum QEMU supports, and also, incidentally, the
      maximum KVM/gicv3 currently supports. Also, a nice side-effect of
      delaying the max-cpus check is that we now get more appropriate
      error messages for gicv2 machines that try to configure more than
      123 cpus. Before this patch it would complain that the requested
      number of cpus was greater than 123, but for gicv2 configs, it
      should complain that the number is greater than 8.

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Message-id: 1445189728-860-3-git-send-email-drjones@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 24182fbc19cbc7c387bb350a72e6b55f63ea1747
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      arm_gic_kvm: Disable live migration if not supported

      Currently, if the kernel does not have live migration API, the migration
      will still be attempted, but vGIC save/restore functions will just not do
      anything. This will result in a broken machine state.

      This patch fixes the problem by adding migration blocker if kernel API is
      not supported.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b876452507d0b719cff0b478efafb34ac41db683
  Author: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      target-arm: Add support for SPSR_(ABT|UND|IRQ|FIQ)

      Signed-off-by: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 541ebcd401ee47f3c1a3ce503ef5466b75e9d20a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      target-arm/translate.c: Handle non-executable page-straddling Thumb insns

      When the memory we're trying to translate code from is not executable we 
have
      to turn this into a guest fault. In order to report the correct PC for 
this
      fault, and to make sure it is not reported until after any other possible
      faults for instructions earlier in execution, we must terminate TBs at
      the end of a page, in case the next instruction is in a non-executable 
page.
      This is simple for T16, A32 and A64 instructions, which are always aligned
      to their size. However T32 instructions may be 32-bits but only 
16-aligned,
      so they can straddle a page boundary.

      Correct the condition that checks whether the next instruction will touch
      the following page, to ensure that if we're 2 bytes before the boundary
      and this insn is T32 then we end the TB.

      Reported-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Reviewed-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7cd6de3bb1ca55dfa8f53fb9894803eb33f497b3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      target-arm: Fix "no 64-bit EL2" assumption in arm_excp_unmasked()

      The code in arm_excp_unmasked() suppresses the ability of PSTATE.AIF
      to mask exceptions from a lower EL targeting EL2 or EL3 if the
      CPU is 64-bit. This is correct for a target of EL3, but not correct
      for targeting EL2. Further, we go to some effort to calculate
      scr and hcr values which are not used at all for the 64-bit CPU
      case.

      Rearrange the code to correctly implement the 64-bit CPU logic
      and keep the hcr/scr calculations in the 32-bit CPU codepath.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1444327729-4120-1-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 7e038b94e74e1c2d1b3598e2e4b0b5c8b79a7278
  Merge: 9666248 a3e8a3f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 27 10:10:46 2015 +0000

      Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' 
into staging

      # gpg: Signature made Tue 27 Oct 2015 05:47:28 GMT using RSA key ID 
398D6211
      # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) 
<jasowang@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 
6211

      * remotes/jasowang/tags/net-pull-request:
        net: free the string returned by object_get_canonical_path_component
        net: make iov_to_buf take right size argument in nc_sendv_compat()
        net: Remove duplicate data from query-rx-filter on multiqueue net 
devices
        vmxnet3: Do not fill stats if device is inactive
        options: Add documentation for filter-dump
        net/dump: Provide the dumping facility as a net-filter
        net/dump: Separate the NetClientState from the DumpState
        net/dump: Rework net-dump init functions
        net/dump: Add support for receive_iov function
        net: cadence_gem: Set initial MAC address

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3e8a3f382363d5fd452cfc15f90a688d70023d9
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Tue Oct 20 09:51:26 2015 +0800

      net: free the string returned by object_get_canonical_path_component

      The value returned from object_get_canonical_path_component
      must be freed.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Cc: Jason Wang <jasowang@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit edc981443d5bd23e01639c2fbba4fbc2dc30204f
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Tue Oct 20 09:51:25 2015 +0800

      net: make iov_to_buf take right size argument in nc_sendv_compat()

      We want "buf, sizeof(buf)" here.  sizeof(buffer) is the size of a
      pointer, which is wrong.
      Thanks to Paolo for pointing it out.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Cc: Jason Wang <jasowang@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 5320c2caf43cc76748a1ffa0fdcaa9eb501d3fcd
  Author: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
  Date:   Mon Oct 19 09:04:38 2015 -0400

      net: Remove duplicate data from query-rx-filter on multiqueue net devices

      When responding to a query-rx-filter command on a multiqueue
      netdev, qemu reports the data for each queue.  The data, however,
      is not per-queue, but per device and the same data is reported
      multiple times.  This causes confusion and may also cause extra
      unnecessary processing when looking at the data.

      Commit 638fb14169 (net: Make qmp_query_rx_filter() with name argument
      more obvious) partially addresses this issue, by limiting the output
      when the name is specified.  However, when the name is not specified,
      the issue still persists.

      Signed-off-by: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit eedeeeffd419ab149e0b0ad5fc4b7cf5e1db6274
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 15 13:54:30 2015 +0300

      vmxnet3: Do not fill stats if device is inactive

      Guest OS may issue VMXNET3_CMD_GET_STATS even before device was
      activated (for example in linux, after insmod but prior net-dev open).

      Accessing shared descriptors prior device activation is illegal as the
      VMXNET3State structures have not been fully initialized.

      As a result, guest memory gets corrupted and may lead to guest OS
      crashes.

      Fix, by not filling the stats descriptors if device is inactive.

      Reported-by: Leonid Shatz <leonid.shatz@xxxxxxxxxxxxxxxxxx>
      Acked-by: Dmitry Fleytman <dmitry@xxxxxxxxxx>
      Signed-off-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit d3e0c032f52f4fb855f9bd2892ebd175a9d975a1
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:40:02 2015 +0200

      options: Add documentation for filter-dump

      Add a short description for the filter-dump command line options.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 9d3e12e881bc97bc32ac75d146b5347136f29ca1
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:40:01 2015 +0200

      net/dump: Provide the dumping facility as a net-filter

      Use the net-filter infrastructure to provide the dumping
      functions for netdev devices, too.

      Reviewed-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 75310e3486ab205d870560b75bbcaba72acb26d7
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:40:00 2015 +0200

      net/dump: Separate the NetClientState from the DumpState

      With the upcoming dumping-via-netfilter patch, the DumpState
      should not be related to NetClientState anymore, so move the
      related information to a new struct called DumpNetClient.

      Reviewed-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 7bc3074c27bb1eae7c8ccacd920ba55454381786
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:39:59 2015 +0200

      net/dump: Rework net-dump init functions

      Move the creation of the dump client from net_dump_init() into
      net_init_dump(), so we can later use the former function for
      dump via netfilter, too. Also rename net_dump_init() to
      net_dump_state_init() to make it easier distinguishable from
      net_init_dump().

      Reviewed-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 43192fcc1ac0a61cf9e20a9034eae8d1e91f35c8
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:39:58 2015 +0200

      net/dump: Add support for receive_iov function

      Adding a proper receive_iov function to the net dump module.
      This will make it easier to support the dump filter feature for
      the -netdev option in later patches.

      Reviewed-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit afb4c51fad8cf86104803fc17457b96e86172b98
  Author: Sebastian Huber <sebastian.huber@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 10:25:01 2015 +0200

      net: cadence_gem: Set initial MAC address

      Set initial MAC address to the one specified by the command line.

      Signed-off-by: Sebastian Huber <sebastian.huber@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 9666248a85fd889bfb6118f769e9c73039b998ed
  Merge: 251d7e6 b1ecd51
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 26 13:13:38 2015 +0000

      Merge remote-tracking branch 'remotes/sstabellini/tags/xen-2015-10-26' 
into staging

      Xen 2015-10-26

      # gpg: Signature made Mon 26 Oct 2015 11:32:50 GMT using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-2015-10-26:
        xen-platform: Replace assert() with appropriate error reporting
        xen_platform: switch to realize
        Qemu/Xen: Fix early freeing MSIX MMIO memory region

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b1ecd51bdbb0fc0a7026662b03e7e7df9d129ca0
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Oct 21 13:46:50 2015 -0200

      xen-platform: Replace assert() with appropriate error reporting

      Commit dbb7405d8caad0814ceddd568cb49f163a847561 made it possible to
      trigger an assert using "-device xen-platform". Replace it with
      appropriate error reporting.

      Before:

        $ qemu-system-x86_64 -device xen-platform
        qemu-system-x86_64: hw/i386/xen/xen_platform.c:391: 
xen_platform_initfn: Assertion `xen_enabled()' failed.
        Aborted (core dumped)
        $

      After:

        $ qemu-system-x86_64 -device xen-platform
        qemu-system-x86_64: -device xen-platform: xen-platform device requires 
the Xen accelerator
        $

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 4098d49db549e20a2d87ca3cced28ace6e5864bf
  Author: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
  Date:   Wed Oct 21 13:46:49 2015 -0200

      xen_platform: switch to realize

      Use realize to initialize the xen_platform device

      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 251d7e60148599be685c6f9f3921aee38dccef5c
  Merge: af25e72 7d4f4bd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 26 11:32:20 2015 +0000

      Merge remote-tracking branch 'remotes/elmarco/tags/ivshmem-pull-request' 
into staging

      ivshmem series

      # gpg: Signature made Mon 26 Oct 2015 09:27:46 GMT using RSA key ID 
75969CE5
      # gpg: Good signature from "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxxx>"
      # gpg:                 aka "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 
9CE5

      * remotes/elmarco/tags/ivshmem-pull-request: (51 commits)
        doc: document ivshmem & hugepages
        ivshmem: use little-endian int64_t for the protocol
        ivshmem: use kvm irqfd for msi notifications
        ivshmem: rename MSI eventfd_table
        ivshmem: remove EventfdEntry.vector
        ivshmem: add hostmem backend
        ivshmem: use qemu_strtosz()
        ivshmem: do not keep shm_fd open
        tests: add ivshmem qtest
        qtest: add qtest_add_abrt_handler()
        msix: implement pba write (but read-only)
        contrib: remove unnecessary strdup()
        ivshmem: add check on protocol version in QEMU
        docs: update ivshmem device spec
        ivshmem-server: fix hugetlbfs support
        ivshmem-server: use a uint16 for client ID
        ivshmem-client: check the number of vectors
        contrib: add ivshmem client and server
        util: const event_notifier_get_fd() argument
        ivshmem: reset mask on device reset
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4e494de66800747446e73b5ec0189ad7f4690908
  Author: Lan Tianyu <tianyu.lan@xxxxxxxxx>
  Date:   Sun Oct 11 23:19:24 2015 +0800

      Qemu/Xen: Fix early freeing MSIX MMIO memory region

      msix->mmio is added to XenPCIPassthroughState's object as property.
      object_finalize_child_property is called for XenPCIPassthroughState's
      object, which calls object_property_del_all, which is going to try to
      delete msix->mmio. object_finalize_child_property() will access
      msix->mmio's obj. But the whole msix struct has already been freed
      by xen_pt_msix_delete. This will cause segment fault when msix->mmio
      has been overwritten.

      This patch is to fix the issue.

      Signed-off-by: Lan Tianyu <tianyu.lan@xxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 7d4f4bdaf785dfe9fc41b06f85cc9aaf1b1474ee
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Oct 7 16:31:47 2015 +0200

      doc: document ivshmem & hugepages

      Document and give some examples of hugepages support with ivshmem device
      and server.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f7a199b2b4486242271f769bb4bc2638c0413274
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Sep 24 12:55:01 2015 +0200

      ivshmem: use little-endian int64_t for the protocol

      The current ivshmem protocol uses 'long' for integers. But the
      sizeof(long) depends on the host and the endianess is not defined, which
      may cause portability troubles.

      Instead, switch to using little-endian int64_t. This breaks the
      protocol, except on x64 little-endian host where this change
      should be compatible.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 660c97eef6f8f416c5dc24d3798e29f9f9f698fb
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jul 9 15:50:13 2015 +0200

      ivshmem: use kvm irqfd for msi notifications

      Use irqfd for improving context switch when notifying the guest.
      If the host doesn't support kvm irqfd, regular msi notifications are
      still supported.

      Note: the ivshmem implementation doesn't allow switching between MSI and
      IO interrupts, this patch doesn't either.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0f57350e5c2ee0c6fe979f4d4b6d4e1de0c26e46
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jul 27 12:59:19 2015 +0200

      ivshmem: rename MSI eventfd_table

      The array is used to have vector specific data, so use a more
      descriptive name.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d160f3f7911bb1f99235ae211269c8f4422f2079
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jul 24 18:52:19 2015 +0200

      ivshmem: remove EventfdEntry.vector

      No need to store an extra int for the vector number when it can be
      computed easily by looking at the position in the array.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d9453c93fea0c9c67f9c63bfa79a87631317d746
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 30 00:10:16 2015 +0200

      ivshmem: add hostmem backend

      Instead of handling allocation, teach ivshmem to use a memory backend.
      This allows to use hugetlbfs backed memory now.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 2c04752cc8e37b15be4643570b49abb3128a8a46
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 30 00:06:03 2015 +0200

      ivshmem: use qemu_strtosz()

      Use the common qemu utility function to parse the memory size.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit f689d2811a36894618087e1e2cc3ade78e758e94
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 30 00:04:19 2015 +0200

      ivshmem: do not keep shm_fd open

      Remove shm_fd from device state, closing it as early as possible to avoid 
leaks.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit ddef6a0d68f641ca89466c697d191d07b7e6718c
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Apr 2 16:57:48 2014 +0200

      tests: add ivshmem qtest

      Adds 4 ivshmemtests:
      - single qemu instance and basic IO
      - pair of instances, check memory sharing
      - pair of instances with server, and MSIX
      - hot plug/unplug

      A temporary shm is created as well as a directory to place server
      socket, both should be clear on exit and abort.

      Cc: Cam Macdonell <cam@xxxxxxxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 063c23d909a8d6c9f251347514e34835e0510294
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 18:45:14 2015 +0200

      qtest: add qtest_add_abrt_handler()

      Allow a test to add abort handlers, use GHook for all handlers.

      There is currently no way to remove a handler, but it could be
      later added if needed.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 43b11a91dd861a946b231b89b7542856ade23d1b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 26 14:25:29 2015 +0200

      msix: implement pba write (but read-only)

      qpci_msix_pending() writes on pba region, causing qemu to SEGV:

        Program received signal SIGSEGV, Segmentation fault.
        [Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
        0x0000000000000000 in ?? ()
        (gdb) bt
        #0  0x0000000000000000 in  ()
        #1  0x00005555556556c5 in memory_region_oldmmio_write_accessor 
(mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, 
mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
        #2  0x00005555556558e1 in access_with_adjusted_size (addr=0, 
value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, 
access=0x55555565563e <memory_region_oldmmio_write_accessor>, 
mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
        #3  0x00005555556581eb in memory_region_dispatch_write 
(mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at 
/home/elmarco/src/qemu/memory.c:1176
        #4  0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 
<address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", 
len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
        #5  0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, 
buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
        #6  0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, 
buf=0x7fffffffc1b0, len=4) at 
/home/elmarco/src/qemu/include/exec/cpu-common.h:80
        #7  0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, 
words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
        #8  0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, 
inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
        #9  0x000055555564dc07 in qtest_read (opaque=0x55555642b890, 
buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at 
/home/elmarco/src/qemu/qtest.c:581
        #10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, 
buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
        #11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, 
cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
        #12 0x00007ffff64c9a8a in g_main_context_dispatch 
(context=0x55555641c400) at gmain.c:3122

      (without this patch, this can be reproduced with the ivshmem qtest)

      Implement an empty mmio write to avoid the crash.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 45b00c44ceffeac8143fb8857a12677234114f2b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Jun 24 13:33:32 2015 +0200

      contrib: remove unnecessary strdup()

      getopt() optarg points to argv memory, no need to dup those values,
      fixes small leaks detected by clang-analyzer.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@xxxxxxxxxxxxx>

  commit 5105b1d8c2d1ad4a25b8806e86c0f012936b2eed
  Author: David Marchand <david.marchand@xxxxxxxxx>
  Date:   Tue Jun 16 17:43:34 2015 +0200

      ivshmem: add check on protocol version in QEMU

      Send a protocol version as the first message from server, clients must
      close communication if they don't support this protocol version.  Older
      QEMUs should be fine with this change in the protocol since they
      overrides their own vm_id on reception of an id associated to no
      eventfd.

      Signed-off-by: David Marchand <david.marchand@xxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      [use fifo_update_and_get()]
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 8c4ef202b901d25b88efc55398d4a76dfb2594de
  Author: David Marchand <david.marchand@xxxxxxxxx>
  Date:   Mon Sep 8 11:17:49 2014 +0200

      docs: update ivshmem device spec

      Add some notes on the parts needed to use ivshmem devices: more 
specifically,
      explain the purpose of an ivshmem server and the basic concept to use the
      ivshmem devices in guests.
      Move some parts of the documentation and re-organise it.

      Signed-off-by: David Marchand <david.marchand@xxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 1e21feb6280222a230fda1d87318ab58adde188f
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jun 29 19:53:15 2015 +0200

      ivshmem-server: fix hugetlbfs support

      As pointed out on the ML by Andrew Jones, glibc no longer permits
      creating POSIX shm on hugetlbfs directly. When given a hugetlbfs path,
      create a shareable file there.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@xxxxxxxxxxxxx>

  commit 022cffe31360750b405d368e343f3ca5febc0d0a
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 17:09:59 2015 +0200

      ivshmem-server: use a uint16 for client ID

      In practice, the number of VM is limited to MAXUINT16 in ivshmem, so use
      the same limit on the server (removes a theorical infinite loop)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 95204aa951ceb28eb6d4ce43bce09a58cbad83d8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 16:41:58 2015 +0200

      ivshmem-client: check the number of vectors

      Check the number of vectors received from the server, to avoid
      out of bound array access.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit a75eb03b9fca3af291ec2c433ddda06121ae927d
  Author: David Marchand <david.marchand@xxxxxxxxx>
  Date:   Mon Sep 8 11:17:48 2014 +0200

      contrib: add ivshmem client and server

      When using ivshmem devices, notifications between guests can be sent as
      interrupts using a ivshmem-server (typical use described in 
documentation).
      The client is provided as a debug tool.

      Signed-off-by: Olivier Matz <olivier.matz@xxxxxxxxx>
      Signed-off-by: David Marchand <david.marchand@xxxxxxxxx>
      [fix a valgrind warning, option and server_close() segvs, extra server
      headers includes, getopt() return type, out-of-tree build, use qemu
      event_notifier instead of eventfd, fix x86/osx warnings - Marc-André]
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 12f0b68c82356e4dd24f2f0d370b21eb17f1f42e
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Oct 13 12:12:16 2015 +0200

      util: const event_notifier_get_fd() argument

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 972ad21553fd46738eea91f0085c7bc32cf68d86
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 14:13:08 2015 +0200

      ivshmem: reset mask on device reset

      The interrupt mask is a state value, it should be reset, like the
      interrupt status.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 1ee57de444ac7dd0cdb091fec318ba056ed173fd
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 14:07:11 2015 +0200

      ivshmem: error on too many eventfd received

      The number of eventfd that can be handled per peer is limited by the
      number of vectors. Return an error when receiving too many of them.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit f456179fae249a420dce38a02ad7e2efc6be37cf
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 13:38:46 2015 +0200

      ivshmem: replace 'guest' for 'peer' appropriately

      The terms 'guest' and 'peer' are used sometime interchangeably which may
      be confusing. Instead, use 'peer' for the remote instances of ivshmem
      clients, and 'guest' for the local VM.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit f64a078d45a4c1d1da074d1c306a5a4994dcda89
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 12:57:16 2015 +0200

      ivshmem: fix pci_ivshmem_exit()

      Free all objects owned by the device, making sure the device is free,
      fixing hot-unplug.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d383537d01c1f23d783955963e234d11fce8ec02
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 13:01:40 2015 +0200

      ivshmem: add device description

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 945001a1af36eafd093b6b1582f5282932cd3d87
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 12:55:41 2015 +0200

      ivshmem: check shm isn't already initialized

      The server should not change the shm, and this isn't handled by qemu and
      we should should verify this in qemu.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 86d471bfa4262fa983c0214ace7336843e2181a2
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 12:53:42 2015 +0200

      ivshmem: shmfd can be 0

      0 is a valid fd value, so change conditions and set -1 value early

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 1f8552df2c7935a4cf883bda22acbe2adbf7d579
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 14:05:46 2015 +0200

      ivshmem: migrate with VMStateDescription

      load_state_old() is used to keep compatibility with version 0.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit e309366337d636689730f6484e388e46db7b5654
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 16:10:33 2015 +0200

      ivshmem: use common is_power_of_2()

      The common version correctly checks for 0 value case.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 6f8a16d55daac5657ccbcf953140685048e15ace
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 12:21:46 2015 +0200

      ivshmem: use common return

      Both if branches return, move this out to common end.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 9a2f0e64aeb4c7891244785e88b2b0cfa1d61742
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 12:19:55 2015 +0200

      ivshmem: simplify a bit the code

      Use some more explicit variables to simplify the code.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit ffa99afd6e4d354cdfae44cc43a2ca7ef056eb35
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 13:34:09 2015 +0200

      ivshmem: print error on invalid peer id

      The server shouldn't send invalid peer id, so print an error if it's the
      case.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 36617792b45b5d46d574af4f6ebb3f35c77d1e69
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 14:39:49 2015 +0200

      ivshmem: improve error handling

      The test whether the chardev is an AF_UNIX socket rejects
      "-chardev socket,id=chr0,path=/tmp/foo,server,nowait -device
      ivshmem,chardev=chr0", but fails to explain why.

      Use an explicit error on why a chardev may be rejected.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit f59bb37898d6ff44cdf68bfbadaf3bd260ae465e
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 15:04:13 2015 +0200

      ivshmem: improve debug messages

      Some misc improvements to ivshmem debug.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 95c8425cc3a316c998a7e306799ec6d29811bc32
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 12:17:26 2015 +0200

      ivshmem: remove max_peer field

      max_peer isn't really useful, it tracks the maximum received VM id, but
      that quickly matches nb_peers, the size of the peers array. Since VM
      come and go, there might be sparse peers so it doesn't help much in
      general to have this value around.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 95e7c8a0f690f9a0c8b70fd1a4de60bd944371b8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 25 13:49:09 2015 +0200

      ivshmem: initialize max_peer to -1

      There is no peer when device is initialized, do not let doorbell for
      inexisting peer 0.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d8a5da075a919f7b42f2182cc55f5d3e7e60b264
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 15:00:52 2015 +0200

      ivshmem: remove useless ivshmem_update_irq() val argument

      val isn't used in ivshmem_update_irq() function.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 81e507f0bc584f417cb671e88da3f049cb4defb1
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Sep 15 17:23:07 2015 +0200

      ivshmem: allocate eventfds in resize_peers()

      It simplifies a bit the code to allocate the array when setting the
      number of peers instead of lazily when receiving the first vector.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 1300b2733a297f9a59deb4eebbd437a5833f3f41
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Sep 15 17:21:37 2015 +0200

      ivshmem: simplify around increase_dynamic_storage()

      Set the number of peers and array allocation in a single place. Rename
      to better reflect the function content.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 61ea2d8648d32b8e84da62f142dc08fa9ee5b7b9
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Sep 15 16:55:10 2015 +0200

      ivshmem: limit maximum number of peers to G_MAXUINT16

      Limit the maximum number of peers to MAXUINT16. This is more realistic
      and better matches the limit of the doorbell register.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 03977ad552874f6598a8f0ef3089e6846ba01a2b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jun 22 12:55:16 2015 +0200

      ivshmem: remove last exit(1)

      Failing to create a chardev shouldn't be fatal.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d58d7e848ec6d5bcd19634212d58dec5f1efbdb8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 14:59:28 2015 +0200

      ivshmem: more qdev conversion

      Use the latest qemu device modeling API, in particular, convert to
      realize to fix the error handling; right now a botched device_add
      ivhsmem command kills the VM.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 49b2951f8416b356001d7b32625da0c555f0d1ce
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 16:17:48 2015 +0200

      ivshmem: remove useless doorbell field

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 9113e3f394e0a8569713b7aa9ece3e37cb9b61e8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 16:24:33 2015 +0200

      ivshmem: remove superflous ivshmem_attr field

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit dee2151e7260a65c27495e9cbfc1931d9c9083d9
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jun 22 12:38:34 2015 +0200

      ivshmem: remove unnecessary dup()

      qemu_chr_fe_get_msgfd() transfers ownership, there is no need to dup the
      fd.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 0f14fd71c170278b35b46d8ae214473680905606
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 17:56:37 2015 +0200

      ivshmem: factor out the incoming fifo handling

      Make a new function fifo_update_and_get() that can be reused by other
      functions (in next commits).

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 951dada665041e8199e8c572d2981773fa2f0d8c
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 17:53:46 2015 +0200

      ivshmem: fix number of bytes to push to fifo

      If the fifo has 0 bytes, and the read is of size 1, the call to
      fifo8_push_all() will copy off boundary data.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit b8ab854b27e9b88d9b85b4c572049b29cb96de43
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 13:00:32 2015 +0200

      ivhsmem: read do not accept more than sizeof(long)

      ivshmem_read() only reads sizeof(long) from the input buffer.  Accepting
      more could lead to fifo8 abort() on 32bit systems if fifo is not empty.

      A following patch will change the protocol to 64-bit little-endian
      instead.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit c246a62f26e5afa8285b21e641b33456f1e69c99
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 14:05:13 2015 +0200

      msix: add VMSTATE_MSIX_TEST

      ivshmem is going to use MSIX state conditionally.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 1ad78ea51aad7978638299a27004049935c2d913
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jun 22 18:20:18 2015 +0200

      char: add qemu_chr_free()

      If a chardev is allowed to be created outside of QMP, then it must be
      also possible to free it. This is useful for ivshmem that creates
      chardev anonymously and must be able to free them.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit bbfc2efefe9779f85dfe2713aec1568b1ba871ad
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Sun Oct 11 00:18:32 2015 +0200

      tests: Add ivshmem qtest

      Note that it launches two instances, as sharing memory is the purpose of
      ivshmem.

      Cc: Cam Macdonell <cam@xxxxxxxxxxxxxx>
      Cc: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>
      [ Remove Nahanni codename, add test to pci set - Marc-André ]
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit dd054be35fa355a6ebeab58618d7ff662247a9f6
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Oct 12 15:25:55 2015 +0200

      config: enable ivshmem on POSIX

      ivshmem doesn't actually require kvm, so enable it when POSIX is
      enabled. (it is required however when ioeventfd is enabled)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit af25e7277d3e95a3ea31023f31d8097ab5e2ac84
  Merge: bc79082 c07bc2c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 18:14:42 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Fri 23 Oct 2015 17:59:56 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (37 commits)
        tests: Add test case for aio_disable_external
        block: Add "drained begin/end" for internal snapshot
        block: Add "drained begin/end" for transactional blockdev-backup
        block: Add "drained begin/end" for transactional backup
        block: Add "drained begin/end" for transactional external snapshot
        block: Introduce "drained begin/end" API
        aio: introduce aio_{disable,enable}_external
        dataplane: Mark host notifiers' client type as "external"
        nbd: Mark fd handlers client type as "external"
        aio: Add "is_external" flag for event handlers
        throttle: Remove throttle_group_lock/unlock()
        blockdev: Allow more options for BB-less BDS tree
        blockdev: Pull out blockdev option extraction
        blockdev: Do not create BDS for empty drive
        block: Prepare for NULL BDS
        block: Add blk_insert_bs()
        block: Prepare remaining BB functions for NULL BDS
        block: Fail requests to empty BlockBackend
        block: Make some BB functions fall back to BBRS
        block: Add BlockBackendRootState
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c07bc2c1658fffeee08eb46402b2f66d55b07586
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:14 2015 +0800

      tests: Add test case for aio_disable_external

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 507306cc8ee7981894a96c380f42d80e2674cb04
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:13 2015 +0800

      block: Add "drained begin/end" for internal snapshot

      This ensures the atomicity of the transaction by avoiding processing of
      external requests such as those from ioeventfd.

      state->bs is assigned right after bdrv_drained_begin. Because it was
      used as the flag for deletion or not in abort, now we need a separate
      flag - InternalSnapshotState.created.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ff52bf36a3a6c63b7528fbe64e9ed9976b221e68
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:12 2015 +0800

      block: Add "drained begin/end" for transactional blockdev-backup

      Similar to the previous patch, make sure that external events are not
      dispatched during transaction operations.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1fdd4b7be3655d39c3594bc215eb1df5ce225c7d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:11 2015 +0800

      block: Add "drained begin/end" for transactional backup

      This ensures the atomicity of the transaction by avoiding processing of
      external requests such as those from ioeventfd.

      Move the assignment to state->bs up right after bdrv_drained_begin, so
      that we can use it in the clean callback. The abort callback will still
      check bs->job and state->job, so it's OK.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit da763e83012c066ebe3effbaa8e7e7c8f78b0fbf
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:10 2015 +0800

      block: Add "drained begin/end" for transactional external snapshot

      This ensures the atomicity of the transaction by avoiding processing of
      external requests such as those from ioeventfd.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 51288d7917e5c5b088985aaa7ff3592561fbc2ba
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:09 2015 +0800

      block: Introduce "drained begin/end" API

      The semantics is that after bdrv_drained_begin(bs), bs will not get new 
external
      requests until the matching bdrv_drained_end(bs).

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c1e1e5fa8f25f9061b076a05045a6d4950d1a891
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:08 2015 +0800

      aio: introduce aio_{disable,enable}_external

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3a1e8074d74ad2acbcedf28d35aebedc3573f19e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:07 2015 +0800

      dataplane: Mark host notifiers' client type as "external"

      They will be excluded by type in the nested event loops in block layer,
      so that unwanted events won't be processed there.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 172cc129a5ae58d36feb51f97fd67e2161ae5cc6
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:06 2015 +0800

      nbd: Mark fd handlers client type as "external"

      So we could distinguish it from internal used fds, thus avoid handling
      unwanted events in nested aio polls.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit dca21ef23ba48f6f1428c59f295a857e5dc203c8
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:05 2015 +0800

      aio: Add "is_external" flag for event handlers

      All callers pass in false, and the real external ones will switch to
      true in coming patches.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d87d01e16a0e59a6af9634162cf0ded142b43e0d
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 21 21:36:05 2015 +0300

      throttle: Remove throttle_group_lock/unlock()

      The group throttling code was always meant to handle its locking
      internally. However, bdrv_swap() was touching the ThrottleGroup
      structure directly and therefore needed an API for that.

      Now that bdrv_swap() no longer exists there's no need for the
      throttle_group_lock() API anymore.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bd745e238bb9432f40c875b6b4ad96a3d90e16a0
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:32 2015 +0200

      blockdev: Allow more options for BB-less BDS tree

      Most of the options which blockdev_init() parses for both the
      BlockBackend and the root BDS are valid for just the root BDS as well
      (e.g. read-only). This patch allows specifying these options even if not
      creating a BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit fbf8175eac92cca541efb1ac4a202fba941b78df
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:31 2015 +0200

      blockdev: Pull out blockdev option extraction

      Extract some of the blockdev option extraction code from blockdev_init()
      into its own function. This simplifies blockdev_init() and will allow
      reusing the code in a different function added in a follow-up patch.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5ec18f8c83583b7e22ed4dd360cd937da801ca40
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:30 2015 +0200

      blockdev: Do not create BDS for empty drive

      Do not use "rudimentary" BDSs for empty drives any longer (for
      freshly created drives).

      After a follow-up patch, empty drives will generally use a NULL BDS, not
      only the freshly created drives.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5433c24f0f9306c82ad9bcc2b2b586e5f0ed8fa5
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:29 2015 +0200

      block: Prepare for NULL BDS

      blk_bs() will not necessarily return a non-NULL value any more (unless
      blk_is_available() is true or it can be assumed to otherwise, e.g.
      because it is called immediately after a successful blk_new_with_bs() or
      blk_new_open()).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0c3c36d651922ebe9244e68e6d9ed14cdfcac9fd
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:28 2015 +0200

      block: Add blk_insert_bs()

      This function associates the given BlockDriverState with the given
      BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a46fc9c95012f3d7ed2b29b59f042246d62a08d7
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:27 2015 +0200

      block: Prepare remaining BB functions for NULL BDS

      There are several BlockBackend functions which, in theory, cannot fail.
      This patch makes them cope with the BlockDriverState pointer being NULL
      by making them fall back to some default action like ignoring the value
      in setters and returning the default in getters.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c09ba36c9ab62e3043041e429205f57ffbe3ba8b
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:26 2015 +0200

      block: Fail requests to empty BlockBackend

      If there is no BlockDriverState in a BlockBackend or if the tray of the
      guest device is open, fail all requests (where that is possible) with
      -ENOMEDIUM.

      The reason the status of the guest device is taken into account is
      because once the guest device's tray is opened, any request on the same
      BlockBackend as the guest uses should fail. If the BDS tree is supposed
      to be usable even after ejecting it from the guest, a different
      BlockBackend must be used.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 061959e8da5af59343e2c75d55c40f366d0164f9
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:25 2015 +0200

      block: Make some BB functions fall back to BBRS

      If there is no BDS tree attached to a BlockBackend, functions that can
      do so should fall back to the BlockBackendRootState structure.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 281d22d86ca26bf356284719e44c4bc66b716415
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:24 2015 +0200

      block: Add BlockBackendRootState

      This structure will store some of the state of the root BDS if the BDS
      tree is removed, so that state can be restored once a new BDS tree is
      inserted.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 973f2ddf7b48c27aa8642047796cca3bec0b48d8
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:23 2015 +0200

      block/throttle-groups: Make incref/decref public

      Throttle groups are not necessarily referenced by BDSs alone; a later
      patch will essentially allow BBs to reference them, too. Make the
      ref/unref functions public so that reference can be properly accounted
      for.

      Their interface is slightly adjusted in that they return and take a
      ThrottleState pointer, respectively, instead of a ThrottleGroup pointer.
      Functionally, they are equivalent, but since ThrottleGroup is not meant
      to be used outside of block/throttle-groups.c, ThrottleState is easier
      to handle.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 373340b26caa1572cf0f155131569dfc527aa133
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:22 2015 +0200

      block: Move I/O status and error actions into BB

      These options are only relevant for the user of a whole BDS tree (like a
      guest device or a block job) and should thus be moved into the
      BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7f0e9da6f134c5303be51333696e1ff54697f3e0
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:21 2015 +0200

      block: Move BlockAcctStats into BlockBackend

      As the comment above bdrv_get_stats() says, BlockAcctStats is something
      which belongs to the device instead of each BlockDriverState. This patch
      therefore moves it into the BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 53d8f9d8fbf85f04d423958248f8c2fbe1ece192
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:20 2015 +0200

      block: Remove wr_highest_sector from BlockAcctStats

      BlockAcctStats contains statistics about the data transferred from and
      to the device; wr_highest_sector does not fit in with the rest.

      Furthermore, those statistics are supposed to be specific for a certain
      device and not necessarily for a BDS (see the comment above
      bdrv_get_stats()); on the other hand, wr_highest_sector may be a rather
      important information to know for each BDS. When BlockAcctStats is
      finally removed from the BDS, we will want to keep wr_highest_sector in
      the BDS.

      Finally, wr_highest_sector is renamed to wr_highest_offset and given the
      appropriate meaning. Externally, it is represented as an offset so there
      is no point in doing something different internally. Its definition is
      changed to match that in qapi/block-core.json which is "the offset after
      the greatest byte written to". Doing so should not cause any harm since
      if external programs tried to calculate the volume usage by
      (wr_highest_offset + 512) / volume_size, after this patch they will just
      assume the volume to be full slightly earlier than before.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 68e9ec017bb00b96633d48b5bf039a37daa3bc21
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:19 2015 +0200

      block: Move guest_block_size into BlockBackend

      guest_block_size is a guest device property so it should be moved into
      the interface between block layer and guest devices, which is the
      BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4981bdec0d9b3ddd3e1474de5aa9918f120b54f7
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:18 2015 +0200

      block: Fix BB AIOCB AioContext without BDS

      Fix the BlockBackend's AIOCB AioContext for aborting AIO in case there
      is no BDS. If there is no implementation of AIOCBInfo::get_aio_context()
      the AioContext is derived from the BDS the AIOCB belongs to. If that BDS
      is NULL (because it has been removed from the BB) this will not work.

      This patch makes blk_get_aio_context() fall back to the main loop
      context if the BDS pointer is NULL and implements
      AIOCBInfo::get_aio_context() (blk_aiocb_get_aio_context()) which invokes
      blk_get_aio_context().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7d3467d903c0fa663fbe3f1002e7c624a210b634
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:17 2015 +0200

      hw/usb-storage: Check whether BB is inserted

      Only call bdrv_add_key() on the BlockDriverState if it is not NULL.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2e1280e8ff95b3145bc6262accc9d447718e5318
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:16 2015 +0200

      hw/block/fdc: Implement tray status

      The tray of an FDD is open iff there is no medium inserted (there are
      only two states for an FDD: "medium inserted" or "no medium inserted").

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b4d02820d95e025e57d82144f7b2ccd677ac2418
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:15 2015 +0200

      block: Invoke change media CB before NULLing drv

      In order to handle host device passthrough, some guest device models
      may call blk_is_inserted() to check whether the medium is inserted on
      the host, when checking the guest tray status.

      This tray status is inquired by blk_dev_change_media_cb(); because
      bdrv_is_inserted() (invoked by blk_is_inserted()) always returns false
      for BDS with drv set to NULL, blk_dev_change_media_cb() should therefore
      be called before drv is set to NULL.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1354c473789a91ba603d40bdf2521e3221c0a69f
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:14 2015 +0200

      block/raw_bsd: Drop raw_is_inserted()

      With the new automatically-recursive implementation of
      bdrv_is_inserted() checking by default whether all the children of a BDS
      are inserted, we can drop raw's own implementation.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 28d7a78996ae73e681d0e061a4be446ed2240c97
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:13 2015 +0200

      block: Make bdrv_is_inserted() recursive

      If bdrv_is_inserted() is called on the top level BDS, it should make
      sure all nodes in the BDS tree are actually inserted.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit db0284f86a31ec66d138f0f7794321c306af969e
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:12 2015 +0200

      block: Add blk_is_available()

      blk_is_available() returns true iff the BDS is inserted (which means
      blk_bs() is not NULL and bdrv_is_inserted() returns true) and if the
      tray of the guest device is closed.

      blk_is_inserted() is changed to return true only if blk_bs() is not
      NULL.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e031f750483377a5e5de4c92af68dfa68e4d0aae
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:11 2015 +0200

      block: Make bdrv_is_inserted() return a bool

      Make bdrv_is_inserted(), blk_is_inserted(), and the callback
      BlockDriver.bdrv_is_inserted() return a bool.

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8e9e653038db97bfd343c3fb217b7bf4da765a89
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:10 2015 +0200

      iotests: Only create BB if necessary

      Tests 071 and 081 test giving references in blockdev-add. It is not
      necessary to create a BlockBackend here, so omit it.

      While at it, fix up some blockdev-add invocations in the vicinity
      (s/raw/$IMGFMT/ in 081, drop the format BDS for blkverify's raw child in
      071).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit be4b67bc7d99da26b7878f7f45370f50a3bd4af5
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:09 2015 +0200

      blockdev: Allow creation of BDS trees without BB

      If the "id" field is missing from the options given to blockdev-add,
      just omit the BlockBackend and create the BlockDriverState tree alone.

      However, if "id" is missing, "node-name" must be specified; otherwise,
      the BDS tree would no longer be accessible.

      Many BDS options which are not parsed by bdrv_open() (like caching)
      cannot be specified for these BB-less BDS trees yet. A future patch will
      remove this limitation.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d44f928a54497188c25357840a3224925d1b527b
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:08 2015 +0200

      block: Set BDRV_O_INCOMING in bdrv_fill_options()

      This flag should not be set for the root BDS only, but for any BDS that
      is being created while incoming migration is pending, so setting it is
      moved from blockdev_init() to bdrv_fill_options().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f709623b3d30096c629f6a368670c9cf668da83f
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:07 2015 +0200

      block: Remove host floppy support

      It has been deprecated as of 2.3, so we can now remove it.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bc79082e4cd12c1241fa03b0abceacf45f537740
  Merge: 1e700f4 31bfa2a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 16:35:43 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-10-23

      # gpg: Signature made Fri 23 Oct 2015 16:30:58 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        vl: trivial: minor tweaks to a max-cpu error msg
        target-i386: Use 1UL for bit shift
        target-i386: Add DE to TCG_FEATURES
        target-i386: Ensure always-1 bits on DR6 can't be cleared
        target-i386: Check CR4[DE] for processing DR4/DR5
        target-i386: Handle I/O breakpoints
        target-i386: Optimize setting dr[0-3]
        target-i386: Move hw_*breakpoint_* functions
        target-i386: Ensure bit 10 on DR7 is never cleared
        target-i386: Re-introduce optimal breakpoint removal
        target-i386: Introduce cpu_x86_update_dr7
        target-i386: Disable cache info passthrough by default
        target-i386: allow any alignment for SMBASE

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 31bfa2a40004204aee503c6417fbafb5d17e0a51
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Sun Oct 18 19:35:27 2015 +0200

      vl: trivial: minor tweaks to a max-cpu error msg

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>

  commit 72370dc1149d7c90d2c2218e0d0658bee23a5bf7
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Sep 29 17:34:22 2015 -0300

      target-i386: Use 1UL for bit shift

      Fix undefined behavior detected by clang runtime check:

        qemu/target-i386/cpu.c:1494:15: runtime error:
          left shift of 1 by 31 places cannot be represented in type 'int'

      While doing that, add extra parenthesis for clarity.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit b6c5a6f021f485fc36bca678b2c867e9b6783924
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Oct 7 16:39:43 2015 -0300

      target-i386: Add DE to TCG_FEATURES

      Now DE is supported by TCG so it can be enabled in CPUID bits.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 462f8ed1f1eac189ef50d9586eae8af90dbe426f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Oct 7 17:19:18 2015 -0300

      target-i386: Ensure always-1 bits on DR6 can't be cleared

      Bits 4-11 and 16-31 on DR6 are documented as always 1, so ensure they
      can't be cleared by software.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit d0052339236072bbf08c1d600c0906126b1ab258
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:13 2015 -0700

      target-i386: Check CR4[DE] for processing DR4/DR5

      Introduce helper_get_dr so that we don't have to put CR4[DE]
      into the scarce HFLAGS resource.  At the same time, rename
      helper_movl_drN_T0 to helper_set_dr and set the helper flags.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 5223a9423c5fb9e32b0c3eaaa2c0bf8c5cfd6866
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Oct 19 15:14:35 2015 -0200

      target-i386: Handle I/O breakpoints

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 7525b55051277717329cf64a9e1d5cff840d6f38
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:11 2015 -0700

      target-i386: Optimize setting dr[0-3]

      If the debug register is not enabled, we need
      do nothing besides update the register.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 696ad9e4b27a49a9706010d00b31b17fe1f0d569
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:10 2015 -0700

      target-i386: Move hw_*breakpoint_* functions

      They're only used from bpt_helper.c now.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 9055330ffbf5ca85f024c29874799d9c8bd17aa9
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Oct 8 17:10:27 2015 -0300

      target-i386: Ensure bit 10 on DR7 is never cleared

      Bit 10 of DR7 is documented as always set to 1, so ensure that's
      always the case.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 36eb6e096729f9aade3a6af7dbe4d0a990335d7e
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:09 2015 -0700

      target-i386: Re-introduce optimal breakpoint removal

      Before the last patch, we had an efficient loop that disabled
      local breakpoints on task switch.  Re-add that, but in a more
      general way that handles changes to the global enable bits too.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 93d00d0fbe4711061834730fb70525d167b6f908
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:08 2015 -0700

      target-i386: Introduce cpu_x86_update_dr7

      This moves the last of the iteration over breakpoints into
      the bpt_helper.c file.  This also allows us to make several
      breakpoint functions static.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit e265e3e48049fbece9eaf536aa00ca41aa3c54d0
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Sep 2 11:19:11 2015 -0300

      target-i386: Disable cache info passthrough by default

      The host cache information may not make sense for the guest if the VM
      CPU topology doesn't match the host CPU topology. To make sure we won't
      expose broken cache information to the guest, disable cache info
      passthrough by default, and add a new "host-cache-info" property that
      can be used to enable the old behavior for users that really need it.

      Cc: Benoît Canet <benoit@xxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit dd75d4fcb4a82c34d4f466e7fc166162b71ff740
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 18:25:40 2015 +0200

      target-i386: allow any alignment for SMBASE

      Processors up to the Pentium (says Bochs---I do not have old enough
      manuals) require a 32KiB alignment for the SMBASE, but newer processors
      do not need that, and Tiano Core will use non-aligned SMBASE values.

      Reported-by: Michael D Kinney <michael.d.kinney@xxxxxxxxx>
      Cc: Laszlo Ersek <lersek@xxxxxxxxxx>
      Cc: Jordan Justen <jordan.l.justen@xxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 1e700f4c6cddaf29ce1d205f0f8e8b9255481930
  Merge: 147482a b3e9e58
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 15:55:50 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-10-23-tag' into staging

      qemu-ga patch queue

      * unbreak qga-test unit test on travis-ci systems by not assuming a
        disk-based filesystem must be present

      # gpg: Signature made Fri 23 Oct 2015 15:01:47 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-10-23-tag:
        tests: test-qga, loosen assumptions about host filesystems

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b3e9e584fcef49be8ca0c355d11030f0bf6231b0
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Oct 20 11:17:36 2015 -0500

      tests: test-qga, loosen assumptions about host filesystems

      QGA skips pseudo-filesystems when querying filesystems via
      guest-get-fsinfo. On some hosts, such as travis-ci which uses
      containers with simfs filesystems, QGA might not report *any*
      filesystems. Our test case assumes there would be at least one,
      leading to false error messages in these situations.

      Instead, sanity-check values iff we get at least one filesystem.

      Cc: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 147482ae35b896808af68c0051ad86d3aae12979
  Merge: 431429a 659f7f6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 13:09:09 2015 +0100

      Merge remote-tracking branch 'remotes/dgibson/tags/ppc-next-20151023' 
into staging

      ppc patch queue - 2015-10-23

      sPAPR highlights:
        * Allow VFIO devices on the spapr-pci-host-bridge
        * Allow virtio VGA
        * Safer handling of HTAB allocation
        * ibm,pa-features device tree property

      non-sPAPR highlights:
        * Categorization of many ppc specific devices in help output
        * Tweaks to MMU type constants

      # gpg: Signature made Fri 23 Oct 2015 07:27:56 BST using RSA key ID 
20D9B392
      # gpg: Good signature from "David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@xxxxxxxxxx>"
      # gpg:                 aka "David Gibson (ozlabs.org) 
<dgibson@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 
B392

      * remotes/dgibson/tags/ppc-next-20151023: (21 commits)
        prep: do not use CPU_LOG_IOPORT, convert to tracepoints
        openpic: add to misc category
        macio-nvram: add to misc category
        macio: add to bridge category
        uninorth: add to bridge category
        macio-ide: add to storage category
        cuda: add to bridge category
        grackle: add to bridge category
        escc: add to input category
        cmd646: add to storage category
        adb: add to input category
        ppc/spapr: Add "ibm,pa-features" property to the device-tree
        ppc: Add mmu_model defines for arch 2.03 and 2.07
        hw/scsi/spapr_vscsi: Remove superfluous memset
        spapr_pci: Allow VFIO devices to work on the normal PCI host bridge
        spapr_iommu: Provide a function to switch a TCE table to allowing VFIO
        spapr_iommu: Rename vfio_accel parameter
        spapr_pci: Allow PCI host bridge DMA window to be configured
        spapr: Add "slb-size" property to CPU device tree nodes
        spapr: Abort when HTAB of requested size isn't allocated
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 431429a5b802fccf2701c37f580307c6979f4c3e
  Merge: dfbe064 9024603
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 12:09:02 2015 +0100

      Merge remote-tracking branch 
'remotes/berrange/tags/qcrypto-fixes-pull-20151022-2' into staging

      Merge qcrypto-fixes 2015/10/22

      # gpg: Signature made Thu 22 Oct 2015 19:03:45 BST using RSA key ID 
15104FDF
      # gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>"
      # gpg:                 aka "Daniel P. Berrange <berrange@xxxxxxxxxx>"

      * remotes/berrange/tags/qcrypto-fixes-pull-20151022-2:
        configure: avoid polluting global CFLAGS with tasn1 flags
        crypto: add sanity checking of plaintext/ciphertext length
        crypto: don't let builtin aes crash if no IV is provided
        crypto: allow use of nettle/gcrypt to be selected explicitly

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dfbe0642ef8e643e7e41956c8ca97f1acc9464a9
  Merge: 6a6739d 7f4a930
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 10:24:08 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      vhost: build fix

      Fix build breakages when using older gcc.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 22 Oct 2015 20:36:07 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        vhost-user: fix up rhel6 build

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 659f7f65561e78d720986d61f3112c54a97b2b96
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Oct 16 15:16:11 2015 +0200

      prep: do not use CPU_LOG_IOPORT, convert to tracepoints

      These messages are disabled by default; a perfect usecase for tracepoints.
      Convert them over.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 29f8dd66e89d59f66105af9065c10e21f85cc653
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:12 2015 +0200

      openpic: add to misc category

      openpic is a programmable interrupt controller, so
      add it to the misc category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 175fe9e7c886263258602262c341c472bc64be42
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:11 2015 +0200

      macio-nvram: add to misc category

      The macio nvram is a non volatile RAM, so add it
      the misc category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit f9f2a9f26f74b4572c51e74be7fd97fa34c920d3
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:10 2015 +0200

      macio: add to bridge category

      macio is a bridge between the PCI bus and the Mac nvram,
      IDE controller and PIC, so add it to the bridge category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 1d16f86a433a323691dcfd0f71acdc7592c114fc
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:09 2015 +0200

      uninorth: add to bridge category

      Uninorth is the mac99 PCI host controller, so add
      it to the bridge category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 3469d9bce86d2e387777addb25ed8b80b7e9d2a1
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:08 2015 +0200

      macio-ide: add to storage category

      macio-ide is an IDE controller, so add it
      to the storage category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 599d7326c35d323c0a2cf18ebf65c613979e7f65
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:07 2015 +0200

      cuda: add to bridge category

      Cuda is a bridge between PowerMac system bus and the ADB controller,
      real-time clock, pram and the power management unit.

      So add it to the bridge category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit e16244355f8d5efc94df965b1f6a5a0b6c50a2f2
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:06 2015 +0200

      grackle: add to bridge category

      Grackle is the PCI host controller of oldworld powermac,
      so add it to the bridge category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit f8d4c07c7807d0f7be02f42d2ee849d2eea4141e
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:05 2015 +0200

      escc: add to input category

      ESCC is a serial port controller, so add it
      to the input category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 74623e7369b175fa324421f4c0047d06da3baafc
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:04 2015 +0200

      cmd646: add to storage category

      cmd646 is an IDE controller, so add it to the
      storage category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 32f3a8992ea28a194678832eec1e1ffc09cbb7b1
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:03 2015 +0200

      adb: add to input category

      The Apple Desktop Bus is used to connect a keyboard and a mouse,
      so add it to the input category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 90da0d5a703839c8db9f37355107955df043b654
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 22 18:30:59 2015 +1100

      ppc/spapr: Add "ibm,pa-features" property to the device-tree

      LoPAPR defines a "ibm,pa-features" per-CPU device tree property which
      describes extended features of the Processor Architecture.

      This adds the property to the device tree. At the moment this is the
      copy of what pHyp advertises except "I=1 (cache inhibited) Large Pages"
      which is enabled for TCG and disabled when running under HV KVM host
      with 4K system page size.

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      [aik: rebased, changed commit log, moved ci_large_pages initialization,
      renamed pa_features arrays]
      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit aa4bb58752310e7906683a2ac99566222c1e7228
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 22 18:30:58 2015 +1100

      ppc: Add mmu_model defines for arch 2.03 and 2.07

      This removes unused POWERPC_MMU_2_06a/POWERPC_MMU_2_06d.

      This replaces POWERPC_MMU_64B with POWERPC_MMU_2_03 for POWER5+ to be
      more explicit about the version of the PowerISA supported.

      This defines POWERPC_MMU_2_07 and uses it for the POWER8 CPU family.
      This will not have an immediate effect now but it will in the following
      patch.

      This should cause no behavioural change.

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      [aik: rebased, changed commit log]
      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a23dec105c0faed7b9cba5d07d92df63a04dbb2e
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Oct 8 21:35:13 2015 +0200

      hw/scsi/spapr_vscsi: Remove superfluous memset

      g_malloc0 already clears the memory, so no need for
      the additional memset here.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 185181f8835b1b68409ac4381688eafdca0172cc
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 24 10:34:23 2015 +1000

      spapr_pci: Allow VFIO devices to work on the normal PCI host bridge

      The core VFIO infrastructure more or less allows VFIO devices to work
      on any normal guest PCI host bridge (PHB) without extra logic.
      However, the "spapr-pci-host-bridge" device (as opposed to the special
      "spapr-pci-vfio-host-bridge" device) breaks this by using a partially
      KVM accelerated implementation of the guest kernel IOMMU which won't
      work with VFIO devices, without additional kernel support.

      This patch allows VFIO devices to work on the spapr-pci-host-bridge,
      by having it switch off KVM TCE acceleration when a VFIO device is
      added to the PHB (either on startup, or by hotplug).

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit c10325d6f9af84444120d8a6d1d59f41a282ae1b
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 1 10:46:10 2015 +1000

      spapr_iommu: Provide a function to switch a TCE table to allowing VFIO

      Because of the way non-VFIO guest IOMMU operations are KVM accelerated, 
not
      all TCE tables (guest IOMMU contexts) can support VFIO devices.  
Currently,
      this is decided at creation time.

      To support hotplug of VFIO devices, we need to allow a TCE table which
      previously didn't allow VFIO devices to be switched so that it can.  This
      patch adds an spapr_tce_set_need_vfio() function to do this, by
      reallocating the table in userspace if necessary.

      Currently this doesn't allow the KVM acceleration to be re-enabled if all
      the VFIO devices are removed.  That's an optimization for another time.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit 6a81dd172cd5d03fce593741629cb4c78fff10cb
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 13:42:55 2015 +1000

      spapr_iommu: Rename vfio_accel parameter

      The vfio_accel parameter used when creating a new TCE table (guest IOMMU
      context) has a confusing name.  What it really means is whether we need 
the
      TCE table created to be able to support VFIO devices.

      VFIO is relevant, because when available we use in-kernel acceleration of
      the TCE table, but that may not work with VFIO devices because updates to
      the table are handled in kernel, bypass qemu and so don't hit qemu's
      infrastructure for keeping the VFIO host IOMMU state in sync with the 
guest
      IOMMU state.

      Rename the parameter to "need_vfio" throughout.  This is a cosmetic 
change,
      with no impact on the logic.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit f93caaac36ec3b030184055596cb56f64d0de988
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 24 09:56:44 2015 +1000

      spapr_pci: Allow PCI host bridge DMA window to be configured

      At present the PCI host bridge (PHB) for the pseries machine type has a
      fixed DMA window from 0..1GB (in PCI address space) which is mapped to 
real
      memory via the PAPR paravirtualized IOMMU.

      For better support of VFIO devices, we're going to want to allow for
      different configurations of the DMA window.

      Eventually we'll want to allow the guest itself to reconfigure the window
      via the PAPR dynamic DMA window interface, but as a preliminary this patch
      allows the user to reconfigure the window with new properties on the PHB
      device.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit fd5da5c47264a57c7d01507eaf50bf3d288ba8a4
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Oct 1 15:30:07 2015 +0200

      spapr: Add "slb-size" property to CPU device tree nodes

      According to a commit message in the Linux kernel (see here
      
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b60c31d85a2a
      for example), the name of the property that carries the information
      about the number of SLB entries should be called "slb-size", and
      not "ibm,slb-size". The Linux kernel can deal with both names, but
      to be on the safe side we should support the official name, too.

      [Now that LoPAPR is public, the relevant requirement can be found in
      section C.6.1.8 --dwg]

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 7735fedaf490cf9213cd8d487272b69a4987c851
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 24 13:52:48 2015 +0530

      spapr: Abort when HTAB of requested size isn't allocated

      Terminate the guest when HTAB of requested size isn't allocated by
      the host.

      When memory hotplug is attempted on a guest that has booted with
      less than requested HTAB size, the guest kernel will not be able
      to gracefully fail the hotplug request. This patch will ensure that
      we never end up in a situation where memory hotplug fails due to
      less than requested HTAB size.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit b817772a2521defba513b64b1d08238f24c50657
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 24 13:52:47 2015 +0530

      spapr: Allocate HTAB from machine init

      Allocate HTAB from ppc_spapr_init() so that we can abort the guest
      if requested HTAB size is't allocated by the host. However retain the
      htab reset call in spapr_reset_htab() so that HTAB gets reset (and
      not allocated) during machine reset.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 7f4a930e64b9e69cd340395a7e4f0494aef4fcdd
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 22 22:28:37 2015 +0300

      vhost-user: fix up rhel6 build

      Build on RHEL6 fails:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42875

      Apparently unnamed unions couldn't use C99  named field initializers.
      Let's just name the payload union field.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 90246037760a2a1d64da67782200b690de24cc49
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Sep 21 17:25:34 2015 +0100

      configure: avoid polluting global CFLAGS with tasn1 flags

      The previous commit

        commit 9a2fd4347c40321f5cbb4ab4220e759fcbf87d03
        Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
        Date:   Mon Apr 13 14:01:39 2015 +0100

          crypto: add sanity checking of TLS x509 credentials

      defined new variables $TEST_LIBS and $TEST_CFLAGS and
      used them in tests/Makefile to augment $LIBS and $CFLAGS.

      Unfortunately this overlooks the fact that tests/Makefile
      is not executed via recursive-make, it is just pulled into
      the top level Makefile via an include statement. So rather
      than just augmenting the compiler/linker flags for tests
      it polluted the global flags.

      This is thought to be behind a reported failure when
      building the pixman module as a sub-module, since global
      $CFLAGS are passed down to configure in pixman.

      This change removes the $TEST_LIBS and $TEST_CFLAGS
      replacing them with $TASN1_LIBS and $TASN1_CFLAGS,
      setting only against specific objects/executables
      that need them.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 3a661f1eabf7e8db66e28489884d9b54aacb94ea
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Oct 16 16:35:06 2015 +0100

      crypto: add sanity checking of plaintext/ciphertext length

      When encrypting/decrypting data, the plaintext/ciphertext
      buffers are required to be a multiple of the cipher block
      size. If this is not done, nettle will abort and gcrypt
      will report an error. To get consistent behaviour add
      explicit checks upfront for the buffer sizes.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit eb2a770b178b9040c3fc04ee31dc38d1775db09a
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Oct 16 13:23:13 2015 +0100

      crypto: don't let builtin aes crash if no IV is provided

      If no IV is provided, then use a default IV of all-zeros
      instead of crashing. This gives parity with gcrypt and
      nettle backends.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 91bfcdb01d4869aa8f4cb67007827de63b8c2217
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Oct 16 16:36:53 2015 +0100

      crypto: allow use of nettle/gcrypt to be selected explicitly

      Currently the choice of whether to use nettle or gcrypt is
      made based on what gnutls is linked to. There are times
      when it is desirable to be able to force build against a
      specific library. For example, if testing changes to QEMU's
      crypto code all 3 possible backends need to be checked
      regardless of what the local gnutls uses.

      It is also desirable to be able to enable nettle/gcrypt
      for cipher/hash algorithms, without enabling gnutls
      for TLS support.

      This gives two new configure flags, which allow the
      following possibilities

      Automatically determine nettle vs gcrypt from what
      gnutls links to (recommended to minimize number of
      crypto libraries linked to)

       ./configure

      Automatically determine nettle vs gcrypt based on
      which is installed

       ./configure --disable-gnutls

      Force use of nettle

       ./configure --enable-nettle

      Force use of gcrypt

       ./configure --enable-gcrypt

      Force use of built-in AES & crippled-DES

       ./configure --disable-nettle --disable-gcrypt

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 2a080ce26682f35517b0e20f4ad10559e9270b5d
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Tue Oct 20 23:19:02 2015 +0800

      target-tilegx: Implement prefetch instructions in pipe y2

      Originally, tilegx qemu only implement prefetch instructions in pipe x1,
      did not implement them in pipe y2.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6a6739de510706e1d337180d12be74ebbd0c7666
  Merge: b803894 89a82cd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 22 18:01:53 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20151021' into 
staging

      Collected tcg backend patches

      # gpg: Signature made Wed 21 Oct 2015 22:34:28 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20151021:
        cpu-exec: Add "nochain" debug flag
        tcg/mips: Support r6 SEL{NE, EQ}Z instead of MOVN/MOVZ
        tcg/mips: Support r6 multiply/divide encodings
        tcg/mips: Support r6 JR encoding
        tcg/mips: Add use_mips32r6_instructions definition
        disas/mips: Add R6 jr/jr.hb to disassembler
        tcg-opc.h: Simplify insn_start def
        tcg/ppc: Prefer mask over andi.
        tcg/ppc: Revise goto_tb implementation
        tcg/ppc: Adjust exit_tb for change in prologue placement

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b803894e2c4d744ccc113ca6cbe6654ec80c1dc6
  Merge: ca3e40e 0960be7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 22 17:33:54 2015 +0100

      Merge remote-tracking branch 'remotes/afaerber/tags/qom-cpu-for-peter' 
into staging

      QOM CPUState and X86CPU

      * Adoption of CPUClass::disas_set_info() hook

      # gpg: Signature made Thu 22 Oct 2015 17:11:24 BST using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-cpu-for-peter:
        disas: QOMify alpha specific disas setup
        disas: QOMify mips specific disas setup
        disas: QOMify sh4 specific disas setup
        disas: QOMify lm32 specific disas setup
        disas: QOMify sparc specific disas setup
        disas: QOMify m68k specific disas setup
        disas: QOMify moxie specific disas setup
        disas: QOMify s390x specific disas setup

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0960be7cffa7b30189f2f0f76b1ac3c8115660f3
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:05 2015 -0700

      disas: QOMify alpha specific disas setup

      Move the target_disas() alpha specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      This also makes monitor_disas() consistent with target_disas(), as
      monitor_disas() was missing a set of the BFD (This was an omission from
      commit b9bec751c8c8b08d8055da32306eb105db03031b).

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 63a946c7e3b081d56e617bf264fcb2881a982848
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:04 2015 -0700

      disas: QOMify mips specific disas setup

      Move the target_disas() mips specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit d49dd523e459a4c001a0c87a438fd2fa1f5b4bae
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:03 2015 -0700

      disas: QOMify sh4 specific disas setup

      Move the target_disas() sh4 specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 20984673e68ebd069222512c876b846ff2425cc0
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:02 2015 -0700

      disas: QOMify lm32 specific disas setup

      Move the target_disas() lm32 specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Michael Walle <michael@xxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit df0900eb89a0672a3f924b7e8d20163dee2383db
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:01 2015 -0700

      disas: QOMify sparc specific disas setup

      Move the target_disas() sparc specifics to the QOM disas_set_info hook
      and delete the #ifdef specific code in disas.c.

      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4f669905d95bbb6296338f9e86ffcdd8eae453d2
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:00 2015 -0700

      disas: QOMify m68k specific disas setup

      Move the target_disas() m68k specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 9f87a4cacd397e82e80c9512627ce5e190dfa971
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 18:59:59 2015 -0700

      disas: QOMify moxie specific disas setup

      Move the target_disas() moxie specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit dbad6b74b3de6ce839bd870657b6bcc192e3b74a
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 18:59:58 2015 -0700

      disas: QOMify s390x specific disas setup

      Move the target_disas() s390 specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit ca3e40e233e87f7b29442311736a82da01c0df7b
  Merge: c1bd899 3c23402
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 22 12:41:44 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      vhost, pc, virtio features, fixes, cleanups

      New features:
          VT-d support for devices behind a bridge
          vhost-user migration support

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 22 Oct 2015 12:39:19 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (37 commits)
        hw/isa/lpc_ich9: inject the SMI on the VCPU that is writing to APM_CNT
        i386: keep cpu_model field in MachineState uptodate
        vhost: set the correct queue index in case of migration with multiqueue
        piix: fix resource leak reported by Coverity
        seccomp: add memfd_create to whitelist
        vhost-user-test: check ownership during migration
        vhost-user-test: add live-migration test
        vhost-user-test: learn to tweak various qemu arguments
        vhost-user-test: wrap server in TestServer struct
        vhost-user-test: remove useless static check
        vhost-user-test: move wait_for_fds() out
        vhost: add migration block if memfd failed
        vhost-user: use an enum helper for features mask
        vhost user: add rarp sending after live migration for legacy guest
        vhost user: add support of live migration
        net: add trace_vhost_user_event
        vhost-user: document migration log
        vhost: use a function for each call
        vhost-user: add a migration blocker
        vhost-user: send log shm fd along with log_base
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3c23402d4032f69af44a87fdb8019ad3229a4f31
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Tue Oct 20 20:14:00 2015 +0200

      hw/isa/lpc_ich9: inject the SMI on the VCPU that is writing to APM_CNT

      Commit 4d00636e97b7 ("ich9: Add the lpc chip", Nov 14 2012) added the
      ich9_apm_ctrl_changed() ioport write callback function such that it would
      inject the SMI, in response to a write to the APM_CNT register, on the
      first CPU, invariably.

      Since this register is used by guest code to trigger an SMI synchronously,
      the interrupt should be injected on the VCPU that is performing the write.

      apm_ioport_writeb() is the .write callback of the "apm_ops"
      MemoryRegionOps [hw/isa/apm.c]; it is parametrized to call
      ich9_apm_ctrl_changed() by ich9_lpc_init() [hw/isa/lpc_ich9.c], via
      apm_init(). Therefore this change affects no other board.

      ich9_generate_smi() is an unrelated function that is called by the TCO
      watchdog; a watchdog is likely in its right to (asynchronously) inject
      interrupts on the first CPU only.

      This patch allows the combined edk2/OVMF SMM driver stack to work with
      multiple VCPUs on TCG, using both qemu-system-i386 and qemu-system-x86_64.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: Jordan Justen <jordan.l.justen@xxxxxxxxx>
      Cc: Michael Kinney <michael.d.kinney@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4884b7bfe962e659c0e20c1d0de6f307d58f09be
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Thu Oct 15 11:12:12 2015 +0800

      i386: keep cpu_model field in MachineState uptodate

      Update cpu_model in MachineState for i386, so that the field can be used
      for cpu hotplug, instead of using a static variable.

      This patch is rebased on the latest master.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Acked-by: Andreas Färber <afaerber@xxxxxxx>

  commit 25a2a920dddcf72896d94b37b6048a8147bc3198
  Author: Thibaut Collet <thibaut.collet@xxxxxxxxx>
  Date:   Mon Oct 19 14:59:27 2015 +0200

      vhost: set the correct queue index in case of migration with multiqueue

      When a live migration is started the log address to mark dirty pages is 
provided
      to the vhost backend through the vhost_dev_set_log function.
      This function is called for each queue pairs but the queue index is 
wrongly set:
      always set to the first queue pair. Then vhost backend lost descriptor 
addresses
      of the queue pairs greater than 1 and behaviour of the vhost backend is
      unpredictable.

      The queue index is computed by taking account of the vq_index (to 
retrieve the
      queue pair index) and calling the vhost_get_vq_index method of the 
backend.

      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e3fce97cf500c61f23df8e0245e08625fc375295
  Author: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
  Date:   Mon Sep 14 18:40:10 2015 +0800

      piix: fix resource leak reported by Coverity

      config_fd should be closed before return, or there will
      be a resource leak error.

      Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f8d82b8eb81d3ea29325b4046fafa8ed41e32449
  Author: Eduardo Otubo <eduardo.otubo@xxxxxxxxxxxxxxxx>
  Date:   Fri Oct 9 17:17:41 2015 +0200

      seccomp: add memfd_create to whitelist

      This is used by memfd code.

      Signed-off-by: Eduardo Otubo <eduardo.otubo@xxxxxxxxxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 1d9edff78fa0b294d6084df76da89e20ee93fdab
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:40 2015 +0200

      vhost-user-test: check ownership during migration

      Check that backend source and destination do not have simultaneous
      ownership during migration.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit b181974724e106c62e4d0ecbe085df09b8a482bb
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:39 2015 +0200

      vhost-user-test: add live-migration test

      This test checks that the log fd is given to the migration source, and
      mark dirty pages during migration.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 704b216887ef4a6c0fe981206bd6d43f3b6863cd
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:38 2015 +0200

      vhost-user-test: learn to tweak various qemu arguments

      Add a new macro to make the qemu command line with other
      values of memory size, and specific chardev id.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit ae31fb5491493c82fface26f7902da7130b70575
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:37 2015 +0200

      vhost-user-test: wrap server in TestServer struct

      In the coming patches, a test will use several servers
      simultaneously. Wrap the server in a struct, out of the global scope.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 82755ff202e96ad9bc74c1268481f96e50907ae1
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:36 2015 +0200

      vhost-user-test: remove useless static check

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit cf72b57f894dd47c32750cf51de1d195a19c5e48
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:35 2015 +0200

      vhost-user-test: move wait_for_fds() out

      This function is a precondition for most vhost-user tests.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 31190ed781a81d2de65cea405e4cb3441ab929fc
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:34 2015 +0200

      vhost: add migration block if memfd failed

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit de1372d466fb4a7bed13f64f50bff14aaa4a5931
  Author: Thibaut Collet <thibaut.collet@xxxxxxxxx>
  Date:   Fri Oct 9 17:17:33 2015 +0200

      vhost-user: use an enum helper for features mask

      The VHOST_USER_PROTOCOL_FEATURE_MASK will be automatically updated when
      adding new features to the enum.

      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      [Adapted from mailing list discussion - Marc-André]
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 3e866365e1eb6bcfa2d01c21debb05b9e47a47f7
  Author: Thibaut Collet <thibaut.collet@xxxxxxxxx>
  Date:   Fri Oct 9 17:17:32 2015 +0200

      vhost user: add rarp sending after live migration for legacy guest

      A new vhost user message is added to allow QEMU to ask to vhost user 
backend to
      broadcast a fake RARP after live migration for guest without 
GUEST_ANNOUNCE
      capability.

      This new message is sent only if the backend supports the new
      VHOST_USER_PROTOCOL_F_RARP protocol feature.
      The payload of this new message is the MAC address of the guest (not 
known by
      the backend). The MAC address is copied in the first 6 bytes of a u64 to 
avoid
      to create a new payload message type.

      This new message has no equivalent ioctl so a new callback is added in the
      userOps structure to send the request.

      Upon reception of this new message the vhost user backend must generate 
and
      broadcast a fake RARP request to notify the migration is terminated.

      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      [Rebased and fixed checkpatch errors - Marc-André]
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit f6f56291de879827766d17b172465d4377ad2c11
  Author: Thibaut Collet <thibaut.collet@xxxxxxxxx>
  Date:   Fri Oct 9 17:17:31 2015 +0200

      vhost user: add support of live migration

      Some vhost user backends are able to support live migration.
      To provide this service the following features must be added:
      1. Add the VIRTIO_NET_F_GUEST_ANNOUNCE capability to vhost-net when netdev
         backend is vhost-user.
      2. Provide a nop receive callback to vhost-user.
         This callback is called by:
          *  qemu_announce_self after a migration to send fake RARP to avoid 
network
             outage for peers talking to the migrated guest.
               - For guest with GUEST_ANNOUNCE capabilities, guest already 
sends GARP
                 when the bit VIRTIO_NET_S_ANNOUNCE is set.
                 => These packets must be discarded.
               - For guest without GUEST_ANNOUNCE capabilities, migration 
termination
                 is notified when the guest sends packets.
                 => These packets can be discarded.
          * virtio_net_tx_bh with a dummy boot to send fake bootp/dhcp request.
            BIOS guest manages virtio driver to send 4 bootp/dhcp request in 
case of
            dummy boot.
            => These packets must be discarded.

      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 69b32a6ce4e1a6096a496996fcda833eb54e81b9
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:30 2015 +0200

      net: add trace_vhost_user_event

      Replace error_report() and use tracing instead. It's not an error to get
      a connection or a disconnection, so silence this and trace it instead.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit c62b91e5804e7d2b1e8e253fc4031b4ea67a11f7
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:29 2015 +0200

      vhost-user: document migration log

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 21e704256dea24baf93b169f5d7b0e7fe684bd15
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:28 2015 +0200

      vhost: use a function for each call

      Replace the generic vhost_call() by specific functions for each
      function call to help with type safety and changing arguments.

      While doing this, I found that "unsigned long long" and "uint64_t" were
      used interchangeably and causing compilation warnings, using uint64_t
      instead, as the vhost & protocol specifies.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      [Fix enum usage and MQ - Thibaut Collet]
      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit d2fc4402cb152d3e526f736d7d53dbd050ef8794
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:27 2015 +0200

      vhost-user: add a migration blocker

      If VHOST_USER_PROTOCOL_F_LOG_SHMFD is not announced, block vhost-user
      migration. The blocker is removed in vhost_dev_cleanup().

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 9a78a5dd272a190d262b5ba5d4721ab93d48c564
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:26 2015 +0200

      vhost-user: send log shm fd along with log_base

      Send the shm for the dirty pages logging if the backend supports
      VHOST_USER_PROTOCOL_F_LOG_SHMFD. Wait for a reply to make sure
      the old log is no longer used.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 15324404f68cde561d0eeee3d18a7b203f57f095
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:25 2015 +0200

      vhost: alloc shareable log

      If the backend is requires it, allocate shareable memory.

      vhost_log_get() now uses 2 globals "vhost_log" and "vhost_log_shm", that
      way there is a common non-shareable log and a common shareable one.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 1be0ac2109fbaca6e730ac578f0564507d173e2d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:24 2015 +0200

      vhost-user: add vhost_user_requires_shm_log()

      Check if the backend has VHOST_USER_PROTOCOL_F_LOG_SHMFD feature and
      require a shared log.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit c2bea314f6a2870b847c79e2e11263c5f9334db7
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:23 2015 +0200

      vhost: add vhost_set_log_base op

      Split VHOST_SET_LOG_BASE call in a seperate function callback, so that
      type safety works and more arguments can be added in the next patches.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 636f4dddfe48ccabaf5198bba440354d6a268d62
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:22 2015 +0200

      vhost: document log resizing

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 35f9b6ef3acc9d0546c395a566b04e63ca84e302
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:21 2015 +0200

      util: add fallback for qemu_memfd_alloc()

      Add an open/unlink/mmap fallback for system that do not support
      memfd (only available since 3.17, ~1y ago).

      This patch may require additional SELinux policies to work for enforced
      systems, but should fail gracefully in this case.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit d3592199ba3db504c6585115b9531b4cf7c50a0d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:20 2015 +0200

      util: add memfd helpers

      Add qemu_memfd_alloc/free() helpers.

      The function helps to allocate and seal shared memory.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit f04cf9239addd12d6be9e7ff137262755e3680d3
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:19 2015 +0200

      util: add linux-only memfd fallback

      Implement memfd_create() fallback if not available in system libc.
      memfd_create() is still not included in glibc today, atlhough it's been
      available since Linux 3.17 in Oct 2014.

      memfd has numerous advantages over traditional shm/mmap for ipc memory
      sharing with fd handler, which we are going to make use of for
      vhost-user logging memory in following patches.

      The next patches are going to introduce helpers to use best practices of
      memfd usage and provide some compatibility fallback. memfd.c is thus
      temporarily useless and eventually empty if memfd_create() is provided
      by the system.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit e2792004580e42b86345d141493b1f12ba358fd8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:18 2015 +0200

      build-sys: split util-obj- on multi-lines

      Make it easier to add new unrelated units with shorter lines.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 1842bdfdbac2ec46f2934d8914c874db83dd1344
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:17 2015 +0200

      linux-headers: add unistd.h

      New syscalls are not yet widely distributed. Add them to qemu
      linux-headers include directory. Update based on v4.3-rc3 kernel headers.

      Exclude mips for now, which is more problematic due to extra header
      inclusion and probably unnecessary here.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 751bcc3981d80594a3943166401af15b76781a5b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:16 2015 +0200

      configure: probe for memfd

      Check if memfd_create() is part of system libc.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 22de58fe152d68b248bc14efd7affe72286079e5
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Sep 17 18:42:57 2015 +0200

      virtio: add some migration doc

      Try to cover the basics of virtio migration.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit aebf81680bf49c5953d7ae9ebb7b98c0f4dad8f3
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Oct 6 10:37:29 2015 +0200

      vhost: fail backend intialization early

      Don't initialize vhost backend if memslots number exceeds the supported
      limit. This prevents failures down the road when backend
      is actually started.

      [MST: rewrite commit log]

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3fad87881e55aaff659408dcf25fa204f89a7896
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Oct 6 10:37:28 2015 +0200

      pc-dimm: add vhost slots limit check before commiting to hotplug

      it allows safely cancel memory hotplug if vhost backend
      doesn't support necessary amount of memory slots and prevents
      QEMU crashing in vhost due to hitting vhost limit on amount
      of supported memory ranges.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2ce68e4cf5be9b5176a3c3c372948d6340724d2d
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Oct 6 10:37:27 2015 +0200

      vhost: add vhost_has_free_slot() interface

      it will allow for other parts of QEMU check if it's safe
      to map memory region during hotplug/runtime.
      That way hotplug path will have a chance to cancel
      hotplug operation instead of crashing in vhost_commit().

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c1bd8997438f1b556acfeab1d52245ff7cc680c0
  Merge: 8bfaa25 19b7bec
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 21 21:21:29 2015 +0100

      Merge remote-tracking branch 'remotes/xtensa/tags/20151021-xtensa' into 
staging

      Xtensa updates:

      - fix register window overflow with l32e/s32e instructions;
      - make MMU events logging dependent on CPU_LOG_MMU;
      - attach FLASH to system I/O region on XTFPGA boards;
      - implement depbits and l32nb instructions.

      # gpg: Signature made Wed 21 Oct 2015 19:34:02 BST using RSA key ID 
F83FA044
      # gpg: Good signature from "Max Filippov 
<max.filippov@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Max Filippov <jcmvbkbc@xxxxxxxxx>"

      * remotes/xtensa/tags/20151021-xtensa:
        target-xtensa: implement S32NB
        target-xtensa: implement depbits instruction
        target-xtensa: xtfpga: attach FLASH to system IO
        target-xtensa: use CPU_LOG_MMU for MMU event logging
        target-xtensa: add window overflow check to L32E/S32E

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 19b7bec4a37b081ed326293148fd793f04896b59
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Sun Jul 19 09:49:00 2015 +0300

      target-xtensa: implement S32NB

      S32NB provides the same functionality as S32I with two exceptions.
      First, when its operation leaves the processor, the external transaction
      is marked Non-Bufferable. Second, it may not be used to write to
      Instruction RAM.
      In QEMU S32NB is equivalent to S32I.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit 5eeb40c5b1f00c4ee4fcf2f33087697d7ba6f5f6
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Sun Jul 12 02:10:17 2015 +0300

      target-xtensa: implement depbits instruction

      This option provides an instruction for depositing a bit field from the
      least significant position of one register to an arbitrary position in
      another register.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit 68931a4082812f56657b39168e815c48f0ab0a8c
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Sun Sep 27 18:21:19 2015 +0300

      target-xtensa: xtfpga: attach FLASH to system IO

      XTFPGA FLASH is tied to XTFPGA system IO block. It's not very important
      for systems with MMU where system IO block is visible at single
      location, but it's important for noMMU systems, where system IO block is
      accessible through two separate physical address ranges.

      Map XTFPGA FLASH to system IO block and fix offsets used for mapping.
      Create and initialize FLASH device with series of qdev_prop_set_* as
      that's the preferred interface now. Keep initialization in a separate
      function.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit 5577e57b078a118595071241aba6dac8725a7640
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Mon Sep 21 20:37:07 2015 +0300

      target-xtensa: use CPU_LOG_MMU for MMU event logging

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit f822b7e497fa6a662094b491f86441015f363362
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Sun Jul 19 10:02:37 2015 +0300

      target-xtensa: add window overflow check to L32E/S32E

      Despite L32E and S32E primary use is for window underflow and overflow
      exception handlers they are just normal instructions, and thus need to
      check for window overflow.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit 8bfaa25fce2c22060a17501980943538801056de
  Merge: 426c0df 1cd4e0f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 21 15:07:42 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20151021-v2' into 
staging

      More s390x patches. The first ones are fixes: A regression, missed
      compat and a missed part of the SIMD support. The others contain
      optimizations and cleanup.

      # gpg: Signature made Wed 21 Oct 2015 11:24:48 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20151021-v2:
        s390x/cmma: clean up cmma reset
        s390x: reset crypto only on clear reset and QEMU reset
        s390x: machine reset function with new ipl cpu handling
        s390x/ipl: we always have an ipl device
        s390x: unify device reset during subsystem_reset()
        s390x: flagify mcic values
        s390x/kvm: Fix vector validity bit in device machine checks
        s390x/virtio-ccw: fix 2.4 virtio compat
        util/qemu-config: fix missing machine command line options

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1cd4e0f6f0a6b1978a5868b41d4faae2071dc4ee
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 11:11:11 2015 +0200

      s390x/cmma: clean up cmma reset

      The cmma reset is per VM, so we don't need a cpu object. We can
      directly make use of kvm_state, as it is already available when
      the reset is called. By moving the cmma reset in our machine reset
      function, we can avoid a manual reset handler.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 4ab729207fe1464b19c6bec609cd545ab717174a
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 13:48:45 2015 +0200

      s390x: reset crypto only on clear reset and QEMU reset

      Initializing VM crypto in initial cpu reset has multiple problems

      1. We call the exact same function #VCPU times, although one time is 
enough
      2. On SIGP initial cpu reset, we exchange the wrapping key while
         other VCPUs are running. Bad!
      3. It is simply wrong. According to the Pop, a reset happens only during a
         clear reset.

      So, we have to reset the keys
      - on modified clear reset
      - on load clear (QEMU reset - via machine reset)
      - on qemu start (via machine reset)

      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit db3b2566e0fb45e2901b6f9b842d91db6963915d
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 13:47:32 2015 +0200

      s390x: machine reset function with new ipl cpu handling

      Current implementation depends on the order of resets getting triggered.

      If a cpu reset is triggered after the ipl device reset, the CPU is 
stopped and
      the VM will not run. In fact, that hinders us from converting the ipl 
device
      into a TYPE_DEVICE. Let's change that by manually configuring the ipl cpu
      during a system reset, so we have full control and can demangle that code.

      Also remove the superflous cpu parameter from s390_update_iplstate on the 
way.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit feacc6c2c8fff037f67a89402b29923251833425
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jun 25 09:55:55 2015 +0200

      s390x/ipl: we always have an ipl device

      Both s390 machines unconditionally create an ipl device, so no need to
      handle the missing case.

      Now we can also change s390_ipl_update_diag308() to return void.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 09c7f58ca9613ccfb1ca13031d0ff3b1794bd782
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 10:58:38 2015 +0200

      s390x: unify device reset during subsystem_reset()

      We have to manually reset several devices that are not on a bus: Let's
      collect them in an array.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 052bd52fa978d3f04bc476137ad6e1b9a697f9bd
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 14 12:11:27 2015 +0300

      net: don't set native endianness

      commit 5be7d9f1b1452613b95c6ba70b8d7ad3d0797991
          vhost-net: tell tap backend about the vnet endianness
      makes vhost net always try to set LE - even if that matches the
      native endian-ness.

      This makes it fail on older kernels on x86 without TUNSETVNETLE support.

      To fix, make qemu_set_vnet_le/qemu_set_vnet_be skip the
      ioctl if it matches the host endian-ness.

      Reported-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit 794e8f301a17953efa78ab7538019ec43c59e82a
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 24 14:41:17 2015 +0300

      exec: factor out duplicate mmap code

      Anonymous and file-backed RAM allocation are now almost exactly the same.

      Reduce code duplication by moving RAM mmap code out of oslib-posix.c and
      exec.c.

      Reported-by: Marc-André Lureau <mlureau@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 426c0df9e3e6e64c7ea489092c57088ca4d227d0
  Merge: ee9dfed 88c5f20
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 16:51:43 2015 +0100

      Merge remote-tracking branch 
'remotes/berrange/tags/io-channel-3-for-upstream' into staging

      Merge io-channels-3 partial branch

      # gpg: Signature made Tue 20 Oct 2015 16:36:10 BST using RSA key ID 
15104FDF
      # gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>"
      # gpg:                 aka "Daniel P. Berrange <berrange@xxxxxxxxxx>"

      * remotes/berrange/tags/io-channel-3-for-upstream:
        util: pull Buffer code out of VNC module
        coroutine: move into libqemuutil.a library
        osdep: add qemu_fork() wrapper for safely handling signals
        ui: convert VNC startup code to use SocketAddress
        sockets: allow port to be NULL when listening on IP address
        sockets: move qapi_copy_SocketAddress into qemu-sockets.c
        sockets: add helpers for creating SocketAddress from a socket

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b080364aedfc294c53c4c4af255efcf007b35d9d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Oct 8 15:05:46 2015 +0200

      s390x: flagify mcic values

      Instead of using magic values when building the machine check
      interruption code, add some defines as by chapter 11-14 in the PoP.

      This should make it easier to catch problems like the missing vector
      register validity bit ("s390x/kvm: Fix vector validity bit in device
      machine checks"), and less hassle should we want to generate machine
      checks beyond the channel reports we currently support.

      Acked-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 2ab75df38e34fe9bc271b5115ab52114e6e63a89
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Wed Oct 7 10:29:42 2015 +0200

      s390x/kvm: Fix vector validity bit in device machine checks

      Device hotplugs trigger a crw machine check. All machine checks
      have validity bits for certain register types. With vector support
      we also have to claim that vector registers are valid.
      This is a band-aid suitable for stable. Long term we should
      create the full  mcic value dynamically depending on the active
      features in the kernel interrupt handler.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 085b0b055b189e8846ca3108e6774e3b9e60c1ce
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Oct 8 15:11:34 2015 +0200

      s390x/virtio-ccw: fix 2.4 virtio compat

      Commit 542571d5 ("virtio-ccw: enable virtio-1") missed some virtio
      devices for the 2.4 compat handling. Add them.

      Fixes: 542571d5 ("virtio-ccw: enable virtio-1")
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 5bcfa0c543b42a560673cafd3b5225900ef617e1
  Author: Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 11:36:21 2015 -0400

      util/qemu-config: fix missing machine command line options

      Commit 0a7cf217 ("util/qemu-config: fix regression of
      qmp_query_command_line_options") aimed to restore parsing of global
      machine options, but missed two: "aes-key-wrap" and
      "dea-key-wrap" (which were present in the initial version of that
      patch). Let's add them to the machine_opts again.

      Fixes: 0a7cf217 ("util/qemu-config: fix regression of
                        qmp_query_command_line_options")
      CC: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      CC: qemu-stable@xxxxxxxxxx
      Signed-off-by: Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-Id: 
<1444664181-28023-1-git-send-email-akrowiak@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 88c5f205fa4c095db4c50eb7ad72816140206819
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Mar 3 17:13:42 2015 +0000

      util: pull Buffer code out of VNC module

      The Buffer code in the VNC server is useful for the IO channel
      code, so pull it out into a shared module, QIOBuffer.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 10817bf09d5f8cb22711fb0ee8d8da49f6f05f89
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Sep 1 14:48:02 2015 +0100

      coroutine: move into libqemuutil.a library

      The coroutine files are currently referenced by the block-obj-y
      variable. The coroutine functionality though is already used by
      more than just the block code. eg migration code uses coroutine
      yield. In the future the I/O channel code will also use the
      coroutine yield functionality. Since the coroutine code is nicely
      self-contained it can be easily built as part of the libqemuutil.a
      library, making it widely available.

      The headers are also moved into include/qemu, instead of the
      include/block directory, since they are now part of the util
      codebase, and the impl was never in the block/ directory
      either.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 57cb38b3833c5215131b983f181b26d6ba9b8d35
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Aug 28 14:40:01 2015 +0100

      osdep: add qemu_fork() wrapper for safely handling signals

      When using regular fork() the child process of course inherits
      all the parents' signal handlers. If the child then proceeds
      to close() any open file descriptors, it may break some of those
      registered signal handlers. The child generally does not want to
      ever run any of the signal handlers that the parent may have
      installed in the short time before it exec's. The parent may also
      have blocked various signals which the child process will want
      enabled.

      This introduces a wrapper qemu_fork() that takes care to sanitize
      signal handling across fork. Before forking it blocks all signals
      in the parent thread. After fork returns, the parent unblocks the
      signals and carries on as usual. The child, however, resets all the
      signal handlers back to their defaults before it unblocks signals.
      The child process can now exec the binary in a "clean" signal
      environment.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit e0d03b8ceb52e390b8b0a5db1762a8435dd8a44e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Aug 14 18:56:44 2015 +0100

      ui: convert VNC startup code to use SocketAddress

      The VNC code is currently using QemuOpts to configure the
      sockets connections / listeners it needs. Convert it to
      use SocketAddress to bring it in line with modern QAPI
      based code elsewhere in QEMU.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 0983f5e6af76d5df8c6346cbdfff9d8305fb6da0
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Sep 1 14:46:50 2015 +0100

      sockets: allow port to be NULL when listening on IP address

      If the port in the SocketAddress struct is NULL, it can allow
      the kernel to automatically select a free port. This is useful
      in particular in unit tests to avoid a race trying to find a
      free port to run a test case on.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 2a8e21c7c8dcb7d235cfd256be36b7e8f9f3fcb3
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Aug 14 18:18:41 2015 +0100

      sockets: move qapi_copy_SocketAddress into qemu-sockets.c

      The qapi_copy_SocketAddress method is going to be useful
      in more places than just qemu-char.c, so move it into
      the qemu-sockets.c file to allow its reuse.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 17c55decec2a516cf7f290ec8a5f4f207531e8b4
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri May 1 17:36:20 2015 +0100

      sockets: add helpers for creating SocketAddress from a socket

      Add two helper methods that, given a socket file descriptor,
      can return a populated SocketAddress struct containing either
      the local or remote address information.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit ee9dfed242610ecb91418270fd46b875ed56e201
  Merge: b38c049 d9460a7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 12:56:45 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20151020-1' 
into staging

      virtio-input: ignore events until the guest driver is ready

      # gpg: Signature made Tue 20 Oct 2015 08:10:00 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20151020-1:
        virtio-input: ignore events until the guest driver is ready

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b38c0494c141e2d7dabb3ecbf380305b74f9e330
  Merge: df81978 5829b09
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 12:17:53 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20151020-1' 
into staging

      vga: enable virtio-vga for pseries, vmsvga cursor checks.

      # gpg: Signature made Tue 20 Oct 2015 08:27:44 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20151020-1:
        vmsvga: more cursor checks
        ppc/spapr: Allow VIRTIO_VGA

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit df8197836844275ef805c9031008eb3b20a89b83
  Merge: c14e42d 2cc06a8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 11:45:23 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-fw_cfg-20151020-1' 
into staging

      fw_cfg: add dma interface, add strings via cmdline.

      # gpg: Signature made Tue 20 Oct 2015 07:07:34 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-fw_cfg-20151020-1:
        fw_cfg: Define a static signature to be returned on DMA port reads
        Enable fw_cfg DMA interface for x86
        Enable fw_cfg DMA interface for ARM
        Implement fw_cfg DMA interface
        fw_cfg DMA interface documentation
        fw_cfg: document fw_cfg_modify_iXX() update functions
        fw_cfg: insert string blobs via qemu cmdline

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c14e42d7a4495ecbad7bf8b3d603272e3a8992a1
  Merge: f52dd72 37bc43f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 10:52:56 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20151020-1' 
into staging

      usb: misc small tweaks.

      # gpg: Signature made Tue 20 Oct 2015 08:24:09 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-usb-20151020-1:
        usb-audio: increate default buffer size
        usb: print device id in "info usb" monitor command
        usb-host: add wakeup call for iso xfers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f52dd72dc1a679529e13e51a7b57e787455f92f0
  Merge: 26c7be8 e853ea1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 09:04:20 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-10-14-v4-tag' into staging

      qemu-ga patch queue

      * add unit tests for qemu-ga
      * add guest-exec support for posix/w32 guests
      * added 'qemu-ga' target for w32. this allows us to do full MSI build,
        without overloading 'qemu-ga.exe' target with uneeded dependencies.
      * number of s/g_new/g_malloc/ conversions for qga

      v2:
      * commit message and qapi documentation spelling fixes
      * rename 'inp-data' guest-exec param to 'input-data'

      v3:
      * fix OSX build errors for test-qga by using PRId64
        format in place of glib's, and dropping use of G_SPAWN_DEFAULT
        macro for glib 2.22 compat
      * fix win32 build warnings for 32-bit builds by avoid int casts
        of process HANDLEs

      v4:
      * assert connect_qga() doesn't fail
      * only enable test-qga for linux hosts
      * allow get-memory-block-info* to fail if memory blocks aren't exposed in
        sysfs

      # gpg: Signature made Tue 20 Oct 2015 00:33:43 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-10-14-v4-tag:
        qga: fix uninitialized value warning for win32
        qga: guest-exec simple stdin/stdout/stderr redirection
        qga: handle G_IO_STATUS_AGAIN in ga_channel_write_all()
        qga: handle possible SIGPIPE in guest-file-write
        qga: guest exec functionality
        qga: drop guest_file_init helper and replace it with static initializers
        tests: add a local test for guest agent
        qga: guest-get-memory-blocks shouldn't fail for unexposed memory blocks
        glib-compat: add 2.38/2.40/2.46 asserts
        qtest: add a few fd-level qmp helpers
        qga: do not override configuration verbosity
        qga: add QGA_CONF environment variable
        qga: Use g_new() & friends where that makes obvious sense
        build: qemu-ga: add 'qemu-ga' build target for w32

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5829b097204189c56dd1fb62c7f827360394bb39
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Sep 29 09:58:05 2015 +0200

      vmsvga: more cursor checks

      Check the cursor size more carefully.  Also switch to unsigned while
      being at it, so they can't be negative.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b798c1905705e6ab44279d8a9ae41e500756eb1c
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 15 15:51:29 2015 +1000

      ppc/spapr: Allow VIRTIO_VGA

      It works fine with the Linux driver out of the box

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 37bc43f7fbfb38003550b327002e59d21b80a3e4
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Oct 6 15:31:56 2015 +0200

      usb-audio: increate default buffer size

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 974826f0ab1efc96cd2f61337ee75bda5cde1c77
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Oct 6 15:31:21 2015 +0200

      usb: print device id in "info usb" monitor command

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e206ddfb57e2595cc43ad3667b3becc6bd2ef62d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 17 09:12:57 2015 +0200

      usb-host: add wakeup call for iso xfers

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d9460a7557672af9c4d9d4f153200d1075ed5a78
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 16 13:33:07 2015 +0200

      virtio-input: ignore events until the guest driver is ready

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e853ea1cc68716c3d9c22d04578020c6dd743306
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Oct 17 10:31:16 2015 -0500

      qga: fix uninitialized value warning for win32

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit a1853dca74362551ec1434b2e15acfcdd53caa99
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Tue Oct 13 18:41:23 2015 +0300

      qga: guest-exec simple stdin/stdout/stderr redirection

      Implemented with base64-encoded strings in qga json protocol.
      Glib portable GIOChannel is used for data I/O.

      Optinal stdin parameter of guest-exec command is now used as
      stdin content for spawned subprocess.

      If capture-output bool flag is specified, guest-exec redirects out/err
      file descriptiors internally to pipes and collects subprocess
      output.

      Guest-exe-status is modified to return this collected data to requestor
      in base64 encoding.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * switch from 'struct GuestIOExecData' to 'GuestIOExecData'
      * s/TRUE/true/g, s/FALSE/false/g for gboolean return values
      * s/inp_data/input_data/
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f74df9bfce6d133fc64d6b878327849ed2b89b4b
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Tue Oct 13 18:41:22 2015 +0300

      qga: handle G_IO_STATUS_AGAIN in ga_channel_write_all()

      glib may return G_IO_STATUS_AGAIN which is actually not an error.
      Also fixed a bug when on incomplete write buf pointer was not adjusted.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4005b4732e40d3d583510db89ee204b834022d20
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Oct 13 18:41:21 2015 +0300

      qga: handle possible SIGPIPE in guest-file-write

      qemu-ga should not exit on guest-file-write to pipe without read end
      but proper error code should be returned. The behavior of the
      spawned process should be default thus SIGPIPE processing should be
      reset to default after fork() but before exec().

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit d697e30cfff29a6a72e3197a218294ba52e7f0c6
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Tue Oct 13 18:41:20 2015 +0300

      qga: guest exec functionality

      Guest-exec rewritten in platform-independent style with glib spawn.

      Child process is spawn asynchronously and exit status can later
      be picked up by guest-exec-status command.

      stdin/stdout/stderr of the child now is redirected to /dev/null
      Later we will add ability to specify stdin in guest-exec command
      and to get collected stdout/stderr with guest-exec-status.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * use g_new0 in place of g_malloc for GuestExec struct
      * commit msg spelling fixes
      * s/inp-data/input-data
      * document capture-input mode as false by default
      * use GetProcessId() for pids on w32 instead of casting HANDLE
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit b4fe97c8230c34ebd407a9f23894b9c614807540
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Oct 13 18:41:19 2015 +0300

      qga: drop guest_file_init helper and replace it with static initializers

      This just makes code shorter and better.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 62c39b307b3a946f9df4f11396bfeced120c040f
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:18 2015 +0200

      tests: add a local test for guest agent

      Add some local guest agent tests, as it is better than nothing, only
      when CONFIG_POSIX (using unix sockets).

      With the QGA_TEST_SIDE_EFFECTING environment variable, it will include
      tests with side effects, such as freezing/thawing the FS or changing the
      time.

      (a better test would involve a managed VM (or container), but it might
      be better to leave that off to autotest/avocado)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      * use mkdtemp() in placeof g_mkdtemp() for glib 2.22 compat
      * drop redundant/conflicting compat defines for
        g_assert_{true,false}, since glib-compat has them now.
      * build fixes for OSX: use PRId64 instead of glib formats, drop
        g_spawn_default usage for glib compat
      * assert connect_qga() doesn't fail
      * only enable test-qga for linux hosts
      * allow get-memory-block-info* to fail
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f693fe6ef402bdcf89b3979bf004c4c5bf646724
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 19 16:38:25 2015 -0500

      qga: guest-get-memory-blocks shouldn't fail for unexposed memory blocks

      Some guests don't expose memory blocks via sysfs at all. This
      shouldn't be a failure, instead just return an empty list. For
      other access failures we still report an error.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 8a0b5421a09ab9b9567300c554d3e169f28fc09d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:17 2015 +0200

      glib-compat: add 2.38/2.40/2.46 asserts

      Those are mostly useful for writing tests.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit dc47995e525c386f893b6e023da6b819f9975ece
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:16 2015 +0200

      qtest: add a few fd-level qmp helpers

      Add a few functions to interact with qmp via a simple fd.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 6eaeae37a5fdd0a1ef88ed9ab4b807669ffc0e2d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:15 2015 +0200

      qga: do not override configuration verbosity

      Move the default verbosity settings before loading the configuration
      file, or it will overwrite it. Found thanks to writing qga tests :)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 8e34bf364ae518503642d28bdd43661090ae21bd
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:14 2015 +0200

      qga: add QGA_CONF environment variable

      Having a environment variable allows to override default configuration
      path, useful for testing. Note that this can't easily be an argument,
      since loading config is done before parsing the arguments.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f3a06403b82c7f036564e4caf18b52ce6885fcfb
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:50:44 2015 +0200

      qga: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit fafcaf1d7434bd3a44a5cd6a98594b3ec12d83de
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 18:47:05 2015 -0500

      build: qemu-ga: add 'qemu-ga' build target for w32

      Currently POSIX builds rely on 'qemu-ga' target to do qga-only
      distributable build. On w32, as with most standalone binary targets,
      we rely on 'qemu-ga.exe' target.

      Unlike with POSIX, qemu-ga for w32 has a number of related targets
      such as VSS DLL and MSI package. We can do the full distributable
      qga-only build on w32 with:

        make qemu-ga.exe

      or:

        make msi

      To make that work, we tie VSS dependencies onto qemu-ga.exe.
      However, in reality the DLL isn't part of the binary, so we use a
      filter to pull them out of the LINK recipe, which attempts to link
      against prereqs for binary targets. Additionally, it could be argued
      that VSS is a separate distributable, and shouldn't be implied by
      qemu-ga.exe binary target.

      To avoid this, we can tie the VSS dependencies only to the 'msi'
      target, but that would make it impossible to do a qga-only build of
      the w32 distributable without building the 'msi' package, which was
      supported in the past.

      An alternative approach is to add a new target to build the whole
      distributable. w32 allows us to use the same build target we use
      on POSIX, 'qemu-ga', since the current binary-only target on w32
      is 'qemu-ga.exe'.

      To further simplify the build, we also make 'qemu-ga' build the MSI
      package if the appropriate ./configure options are set, making the
      full qga-only build the same on both POSIX and w32: `make qemu-ga`

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 89a82cd4b6a90fe117fa715e2abe51d5c607560c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 16 15:33:53 2015 -0700

      cpu-exec: Add "nochain" debug flag

      Respect it to avoid linking TBs together.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 137d63902faf4960081856db9242cbaf234a23af
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:17 2015 +0100

      tcg/mips: Support r6 SEL{NE, EQ}Z instead of MOVN/MOVZ

      Extend MIPS movcond implementation to support the SELNEZ/SELEQZ
      instructions introduced in MIPS r6 (where MOVN/MOVZ have been removed).

      Whereas the "MOVN/MOVZ rd, rs, rt" instructions have the following
      semantics:
       rd = [!]rt ? rs : rd

      The "SELNEZ/SELEQZ rd, rs, rt" instructions are slightly different:
       rd = [!]rt ? rs : 0

      First we ensure that if one of the movcond input values is zero that it
      comes last (we can swap the input arguments if we invert the condition).
      This is so that it can exactly match one of the SELNEZ/SELEQZ
      instructions and avoid the need to emit the other one.

      Otherwise we emit the opposite instruction first into a temporary
      register, and OR that into the result:
       SELNEZ/SELEQZ  TMP1, v2, c1
       SELEQZ/SELNEZ  ret, v1, c1
       OR             ret, ret, TMP1

      Which does the following:
       ret = cond ? v1 : v2

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-7-git-send-email-james.hogan@xxxxxxxxxx>

  commit bc6d0c22b09a72897d9db4482076f89e7de97400
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:16 2015 +0100

      tcg/mips: Support r6 multiply/divide encodings

      MIPSr6 adds several new integer multiply, divide, and modulo
      instructions, and removes several pre-r6 encodings, along with the HI/LO
      registers which were the implicit operands of some of those
      instructions. Update TCG to use the new instructions when built for r6.

      The new instructions actually map much more directly to the TCG ops, as
      they only provide a single 32-bit half of the result and in a normal
      general purpose register instead of HI or LO.

      The mulu2_i32 and muls2_i32 operations are no longer appropriate for r6,
      so they are removed from the TCG opcode table. This is because they
      would need to emit two separate host instructions anyway (for the high
      and low half of the result), which TCG can arrange automatically for us
      in the absense of mulu2_i32/muls2_i32 by splitting it into mul_i32 and
      mul*h_i32 TCG ops.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-6-git-send-email-james.hogan@xxxxxxxxxx>

  commit 6e0d096989be52c2b945fc83a9bd15d887bbdb47
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:15 2015 +0100

      tcg/mips: Support r6 JR encoding

      MIPSr6 encodes JR as JALR with zero as the link register, and the pre-r6
      JR encoding is removed. Update TCG to use the new encoding when built
      for r6.

      We still use the old encoding for pre-r6, so as not to confuse return
      prediction stack hardware which may detect only particular encodings of
      the return instruction.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-5-git-send-email-james.hogan@xxxxxxxxxx>

  commit ce14bd4d469f3a14f6cbfceb6360aee066a60d72
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:14 2015 +0100

      tcg/mips: Add use_mips32r6_instructions definition

      Add definition use_mips32r6_instructions to the MIPS TCG backend which
      is constant 1 when built for MIPS release 6. This will be used to decide
      between pre-R6 and R6 instruction encodings.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-4-git-send-email-james.hogan@xxxxxxxxxx>

  commit d76f36535099b5d3d880c5e3ac1d411420c8a086
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:13 2015 +0100

      disas/mips: Add R6 jr/jr.hb to disassembler

      MIPS r6 encodes jr as jalr zero, and jr.hb as jalr.hb zero, so add these
      encodings to the MIPS disassembly table.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-3-git-send-email-james.hogan@xxxxxxxxxx>

  commit c0e40dbdcc291c85faa289a53be60b7b1b7c7598
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:12 2015 +0100

      tcg-opc.h: Simplify insn_start def

      We already have a TLADDR_ARGS definition, so rearrange the order
      slightly and use it in the definition of insn_start, instead of
      having an #ifdef.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-2-git-send-email-james.hogan@xxxxxxxxxx>

  commit 1e1df962e325e18a5188c4814cd1a10215a48f79
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Oct 2 22:41:01 2015 +0000

      tcg/ppc: Prefer mask over andi.

      Prefer the instruction that isn't required to modify cr0.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5bfd75a35c11dd3aa61c73d0d2cd88137c31519c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Oct 2 22:25:28 2015 +0000

      tcg/ppc: Revise goto_tb implementation

      Restrict the size of code_gen_buffer to 2GB on ppc64, which
      lets us assert that everything is reachable with addis+addi
      from tb_ret_addr.  This lets us use a max of 4 insns for goto_tb
      instead of 7.

      Emit the indirect branch portion of goto_tb up front, which
      means we only have to update two insns to update any link.
      With a 64-bit store, we can update the link atomically, which
      may be required in future.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 70f897bdc4ce4101ec008317d43090f532bfb07d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Oct 2 21:09:54 2015 +0000

      tcg/ppc: Adjust exit_tb for change in prologue placement

      Changing the prologue to the beginning of the code_gen_buffer
      changes the direction of the "return" branch.  Need to change
      the logic to match.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2cc06a8843ace3d03464032eb3c74bc6e2b07579
  Author: Kevin O'Connor <kevin@xxxxxxxxxxxx>
  Date:   Thu Oct 8 17:02:58 2015 +0200

      fw_cfg: Define a static signature to be returned on DMA port reads

      Return a static signature ("QEMU CFG") if the guest does a read to the
      DMA address io register.

      Signed-off-by: Kevin O'Connor <kevin@xxxxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c886fc4c20ff8456b2f788a1404dd321b8b59243
  Author: Marc Marí <markmb@xxxxxxxxxx>
  Date:   Thu Oct 8 17:02:57 2015 +0200

      Enable fw_cfg DMA interface for x86

      Enable the fw_cfg DMA interface for all the x86 platforms.

      Based on Gerd Hoffman's initial implementation.

      Signed-off-by: Marc Marí <markmb@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0b341a85ca873cfc4faddbf9012c4c5da1b675bc
  Author: Marc Marí <markmb@xxxxxxxxxx>
  Date:   Thu Oct 8 17:02:56 2015 +0200

      Enable fw_cfg DMA interface for ARM

      Enable the fw_cfg DMA interface for the ARM virt machine.

      Based on Gerd Hoffman's initial implementation.

      Signed-off-by: Marc Marí <markmb@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit a4c0d1deb785611c96a455f65ec032976b00b36f
  Author: Marc Marí <markmb@xxxxxxxxxx>
  Date:   Thu Oct 8 17:02:55 2015 +0200

      Implement fw_cfg DMA interface

      Based on the specifications on docs/specs/fw_cfg.txt

      This interface is an addon. The old interface can still be used as usual.

      Based on Gerd Hoffman's initial implementation.

      Signed-off-by: Marc Marí <markmb@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c9eae1d4b93695d98fa5306a28b7fb7acc34ae67
  Author: Marc Marí <markmb@xxxxxxxxxx>
  Date:   Thu Oct 8 17:02:54 2015 +0200

      fw_cfg DMA interface documentation

      Add fw_cfg DMA interface specification in the documentation.

      Based on Gerd Hoffman's initial implementation.

      Signed-off-by: Marc Marí <markmb@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 57c3d238a5ff7e7ad7aba098b5d55d8d89c2a6a1
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Thu Oct 8 17:02:53 2015 +0200

      fw_cfg: document fw_cfg_modify_iXX() update functions

      Document the behavior of fw_cfg_modify_iXX() for leak-less updating
      of integer-type blobs.

      Currently only fw_cfg_modify_i16() is coded, but 32- and 64-bit versions
      may be added later if necessary..

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6407d76eb4e5b5dd4af8613cef0162f31ff739ed
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Tue Sep 29 12:29:01 2015 -0400

      fw_cfg: insert string blobs via qemu cmdline

      Allow users to provide custom fw_cfg blobs with ascii string
      payloads specified directly on the qemu command line.

      Suggested-by: Jordan Justen <jordan.l.justen@xxxxxxxxx>
      Suggested-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Message-id: 1443544141-26568-1-git-send-email-somlo@xxxxxxx
      Reviewd-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 26c7be842637ee65a79cd77f96a99c23ddcd90ad
  Merge: 526d580 dbb7405
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 19 12:13:27 2015 +0100

      Merge remote-tracking branch 'remotes/sstabellini/tags/2015-10-19-tag' 
into staging

      Xen 2015-10-19

      # gpg: Signature made Mon 19 Oct 2015 11:24:05 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/2015-10-19-tag:
        xen-platform: Ensure xen is enabled when initializing
        pc: Require xen when initializing xenfv machine

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dbb7405d8caad0814ceddd568cb49f163a847561
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Sep 28 17:01:24 2015 -0300

      xen-platform: Ensure xen is enabled when initializing

      The xen-platform code crashes on reset if the xen backend is not
      initialized, because it calls xc_hvm_set_mem_type(). Ensure xen-platform
      won't be created without initializing the xen backend.

      The assert can't be triggered by the user because the device is not
      hotpluggable, and the only code creating it (at pc_xen_hvm_init())
      already checks xen_enabled().

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit a88ae0d44b6b5830b752641b2198735272f13eaf
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Sep 28 17:01:23 2015 -0300

      pc: Require xen when initializing xenfv machine

      Without this check, the xen-platform device will crash on reset
      if using the accel option with anything other than xen (e.g.
      "-machine xenfv,accel=kvm").

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 526d5809a0714edc7f19196f14ec2e607dbd9753
  Merge: aedc880 1c4a55d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 19 10:52:39 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * KVM page size fix for PPC
      * Support for Linux 4.4's new Hyper-V features
      * Eliminate g_slice from areas I maintain
      * checkpatch fix
      * Peter's cpu_reload_memory_map() cleanups
      * More changes to MAINTAINERS
      * Require Python 2.6
      * chardev creation fixes
      * PCI requester id for ARM KVM
      * cleanups and doc fixes
      * Allow customization of the Hyper-V vendor id

      # gpg: Signature made Mon 19 Oct 2015 09:13:10 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream: (49 commits)
        kvm: Allow the Hyper-V vendor ID to be specified
        kvm: Move x86-specific functions into target-i386/kvm.c
        kvm: Pass PCI device pointer to MSI routing functions
        hw/pci: Introduce pci_requester_id()
        kvm: Make KVM_CAP_SIGNAL_MSI globally available
        doc/rcu: fix g_free_rcu() usage example
        qemu-char: cleanup after completed conversion to cd->create
        qemu-char: convert ringbuf backend to data-driven creation
        qemu-char: convert vc backend to data-driven creation
        qemu-char: convert spice backend to data-driven creation
        qemu-char: convert console backend to data-driven creation
        qemu-char: convert stdio backend to data-driven creation
        qemu-char: convert testdev backend to data-driven creation
        qemu-char: convert braille backend to data-driven creation
        qemu-char: convert msmouse backend to data-driven creation
        qemu-char: convert mux backend to data-driven creation
        qemu-char: convert null backend to data-driven creation
        qemu-char: convert pty backend to data-driven creation
        qemu-char: convert UDP backend to data-driven creation
        qemu-char: convert socket backend to data-driven creation
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit aedc8806172dd1ae904f04169ee3b19fce1d7893
  Merge: 40fe17b 8307c29
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 19 10:06:56 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20151019-1' 
into staging

      Remove macros IO_READ_PROTO and IO_WRITE_PROTO

      # gpg: Signature made Mon 19 Oct 2015 09:19:21 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-audio-20151019-1:
        Remove macros IO_READ_PROTO and IO_WRITE_PROTO

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1c4a55dbed9a47fde9294f7de6c8bb060d874c88
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Fri Oct 16 09:38:22 2015 -0600

      kvm: Allow the Hyper-V vendor ID to be specified

      According to Microsoft documentation, the signature in the standard
      hypervisor CPUID leaf at 0x40000000 identifies the Vendor ID and is
      for reporting and diagnostic purposes only.  We can therefore allow
      the user to change it to whatever they want, within the 12 character
      limit.  Add a new hv-vendor-id option to the -cpu flag to allow
      for this, ex:

       -cpu host,hv_time,hv-vendor-id=KeenlyKVM

      Link: http://msdn.microsoft.com/library/windows/hardware/hh975392
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Message-Id: <20151016153356.28104.48612.stgit@xxxxxxxxxx>
      [Adjust error message to match the property name, use error_report. - 
Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 28143b409f698210d85165ca518235ac7e7c5ac5
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Oct 15 20:30:20 2015 +0200

      kvm: Move x86-specific functions into target-i386/kvm.c

      The functions for checking xcrs, xsave and pit_state2 are
      only used on x86, so they should reside in target-i386/kvm.c.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-Id: <1444933820-6968-1-git-send-email-thuth@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dc9f06ca81e6e16d062ec382701142a3a2ab3f7d
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Oct 15 16:44:52 2015 +0300

      kvm: Pass PCI device pointer to MSI routing functions

      In-kernel ITS emulation on ARM64 will require to supply requester IDs.
      These IDs can now be retrieved from the device pointer using new
      pci_requester_id() function.

      This patch adds pci_dev pointer to KVM GSI routing functions and makes
      callers passing it.

      x86 architecture does not use requester IDs, but hw/i386/kvm/pci-assign.c
      also made passing PCI device pointer instead of NULL for consistency with
      the rest of the code.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-Id: 
<ce081423ba2394a4efc30f30708fca07656bc500.1444916432.git.p.fedin@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a05f686ff39c373384772b01f1b7fc71e7eb2500
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Oct 15 16:44:51 2015 +0300

      hw/pci: Introduce pci_requester_id()

      For GICv3 ITS implementation we are going to use requester IDs in KVM IRQ
      routing code. This patch introduces reusable convenient way to obtain this
      ID from the device pointer. The new function is now used in some places,
      where the same calculation was used.

      MemTxAttrs.stream_id also renamed to requester_id in order to better
      reflect semantics of the field.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-Id: 
<5814bcb03a297f198e796b13ed9c35059c52f89b.1444916432.git.p.fedin@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 50bf31b9379cf88c4fe92ec477fdc56f89d1af94
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Oct 15 16:44:50 2015 +0300

      kvm: Make KVM_CAP_SIGNAL_MSI globally available

      This capability is useful to determine whether we can use KVM ITS
      emulation on ARM

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-Id: 
<ff4ccb09b837d37defd639b885526949a25276de.1444916432.git.p.fedin@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9bda456e419273199221625894003bf9307d8451
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Wed Oct 14 18:46:44 2015 +0300

      doc/rcu: fix g_free_rcu() usage example

      The first argument of g_free_rcu() is a pointer to a structure.  But
      foo_reclaim is used as a function name in the previous example along
      with &foo as a pointer to the structure being reclaimed.  Make the
      example consistent with the previous one.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-Id: <1444837604-13712-1-git-send-email-serge.fdrv@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1c3af0f4f04bd6e6729783a48bb51ca1eb5c3baf
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 09:51:41 2015 +0200

      qemu-char: cleanup after completed conversion to cd->create

      All backends now return errors through Error*, so the "Failed to
      create chardev" placeholder error can only be reached if the backend
      is not available (and only from the chardev-add QMP command; instead,
      the -chardev command line option fails earlier).

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 479f09a130f774b0275134b5c44081ea71fe00b3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:51:14 2015 +0200

      qemu-char: convert ringbuf backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fa19d02539a56ac20d03b2eef775be7ffcdd695a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:49:06 2015 +0200

      qemu-char: convert vc backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 68145e178ac200a27b5f0ab342da80cf60ddd576
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:45:47 2015 +0200

      qemu-char: convert spice backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 122e5ed4412cadce2d44a5f636e4d1bfc67c534b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:42:04 2015 +0200

      qemu-char: convert console backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8c84b25d975870bbed2e089fe61e037c58a69854
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:40:28 2015 +0200

      qemu-char: convert stdio backend to data-driven creation

      The backend now always returns errors via the Error* argument.
      This avoids a double error message.  Before:

          qemu-system-x86_64: -chardev stdio,id=base: cannot use stdio with 
-daemonize
          qemu-system-x86_64: -chardev stdio,id=base: Failed to create chardev

      After:

          qemu-system-x86_64: -chardev stdio,id=base: cannot use stdio with 
-daemonize

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0498790173e462ac3a7e4e0f3608704b8382dd10
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:33:42 2015 +0200

      qemu-char: convert testdev backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e47666b8d1f0a7043d53671587058b3ce539b09d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:31:26 2015 +0200

      qemu-char: convert braille backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 96d885b93b47243d2fc6ee826abaa8c0017282c9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:29:15 2015 +0200

      qemu-char: convert msmouse backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3c0e5a4a845c9e2823c9060631eeefebabc2f093
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:27:24 2015 +0200

      qemu-char: convert mux backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0d64992b5dfe099b170a0b19922833cc82745620
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:24:29 2015 +0200

      qemu-char: convert null backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c2e75a432b907562cf93772b7d058d1ec8a8f8f1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:23:42 2015 +0200

      qemu-char: convert pty backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e79b80daa252ffb4bc5c84c836714eb45ab3bb68
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:17:20 2015 +0200

      qemu-char: convert UDP backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dbba8d1be3db5a52cfe200f219fbf8840d75cb14
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:15:53 2015 +0200

      qemu-char: convert socket backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 20cbe7a27980ef7e2ecd307cd210fc23b3f0762e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:14:07 2015 +0200

      qemu-char: convert pipe backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 38bfb1a63d05d000f128ea740442955070d9ff57
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 09:49:28 2015 +0200

      qemu-char: convert parallel backend to data-driven creation

      Conversion to Error * brings better error messages; before:

          qemu-system-x86_64: -chardev id=serial,backend=parallel,path=vl.c: 
Failed to create chardev

      After:

          qemu-system-x86_64: -chardev id=serial,backend=parallel,path=vl.c: 
not a parallel port: Inappropriate ioctl for device

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8307c294a355bbf3c5352e00877365b0cda66d52
  Author: Nutan Shinde <nutanshinde1992@xxxxxxxxx>
  Date:   Wed Oct 7 22:02:54 2015 +0530

      Remove macros IO_READ_PROTO and IO_WRITE_PROTO

      Signed-off-by: Nutan Shinde <nutanshinde1992@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 40fe17bea478793fc9106a630fa3610dad51f939
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 16 17:19:35 2015 +0100

      hw/ide/ahci.c: Fix shift left into sign bit

      Avoid undefined behaviour from shifting left into the sign bit:

      hw/ide/ahci.c:551:36: runtime error: left shift of 255 by 24 places 
cannot be represented in type 'int'

      (Unfortunately C's promotion rules mean that in the expression
      "some_uint8_t_variable << 24" the LHS gets promoted to signed
      int before shifting.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>

  commit 7df953bd456da45f761064974820ab5c3fd7b2aa
  Author: Knut Omang <knut.omang@xxxxxxxxxx>
  Date:   Sun Oct 4 15:48:50 2015 +0200

      intel_iommu: Add support for translation for devices behind bridges

      - Use a hash table indexed on bus pointers to store information about 
buses
        instead of using the bus numbers.
        Bus pointers are stored in a new VTDBus struct together with the vector
        of device address space pointers indexed by devfn.
      - The bus number is still used for lookup for selective SID based 
invalidate,
        in which case the bus number is lazily resolved from the bus hash table 
and
        cached in a separate index.

      Signed-off-by: Knut Omang <knut.omang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c737c7a608f4cd2c06e6600303845c4b469822c5
  Merge: 6d57410 6b826af
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Oct 17 22:14:52 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Fri 16 Oct 2015 14:36:50 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (29 commits)
        blkdebug: Don't confuse image as backing file
        qcow2: Remove forward declaration of QCowAIOCB
        qemu-nbd: always compile in --aio=MODE option
        blockdev: always compile in -drive aio= parsing
        raw-posix: warn about BDRV_O_NATIVE_AIO if libaio is unavailable
        block: auto-generated node-names
        util - add automated ID generation utility
        blkverify: Fix BDS leak in .bdrv_open error path
        block: Allow bdrv_unref_child(bs, NULL)
        block: Remove bdrv_swap()
        block: Add and use bdrv_replace_in_backing_chain()
        blockjob: Store device name at job creation
        block: Implement bdrv_append() without bdrv_swap()
        block: Introduce parents list
        block-backend: Add blk_set_bs()
        block/io: Make bdrv_requests_pending() public
        block: Split bdrv_move_feature_fields()
        block: Manage backing file references in bdrv_set_backing_hd()
        block: Convert bs->backing_hd to BdrvChild
        block: Remove bdrv_open_image()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6d57410a79d51d92673c54f26624b44f27fa6214
  Merge: 9c1f5bb 5d98bf8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Oct 17 12:31:33 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151016' into staging

      target-arm queue:
       * break TBs after ISB instructions
       * more support code for future implementation of EL2 and 64-bit EL3
       * tell guest if KVM is enabled in SMBIOS version string
       * implement OSLAR/OSLSR system registers
       * provide better help text for Sharp PDA machine names
       * rename imx25_pdk to imx25-pdk (since it has never been released
         with the underscore-version name)
       * fix MMIO writes in zynq_slcr
       * implement MDCR_EL2
       * virt: allow the guest to configure PCI BARs with zero PCI addresses
       * fix breakpoint handling code

      # gpg: Signature made Fri 16 Oct 2015 14:56:15 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151016:
        target-arm: Fix CPU breakpoint handling
        target-arm: Fix GDB breakpoint handling
        target-arm: implement arm_debug_target_el()
        hw/arm/virt: Allow zero address for PCI IO space
        target-arm: Add MDCR_EL2
        misc: zynq_slcr: Fix MMIO writes
        arm: imx25-pdk: Fix machine name
        target-arm: Provide model numbers for Sharp PDAs
        target-arm: Implement AArch64 OSLAR/OSLSR_EL1 sysregs
        hw/arm/virt: smbios: inform guest of kvm
        target-arm: Avoid calling arm_el_is_aa64() function for unimplemented EL
        target-arm: Break the TB after ISB to execute self-modified code 
correctly
        target-arm: Add missing 'static' attribute

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9c1f5bbc739f3278353becf94839551afed0fdbd
  Merge: 61f7901 468a895
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 16 19:11:59 2015 +0100

      Merge remote-tracking branch 'remotes/pmaydell/tags/pull-cocoa-20151016' 
into staging

      cocoa queue:
       * fixes for compiler warnings
       * fix mouse cursor flickering

      # gpg: Signature made Fri 16 Oct 2015 11:09:46 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-cocoa-20151016:
        ui/cocoa.m: blinky mouse cursor fix
        ui/cocoa.m: addRemovableDevicesMenuItems() warning fix
        ui/cocoa.m: eliminate normalWindow warning

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 61f7901bb8a7f2f2503b5b025c4c33dbeac9cf5b
  Merge: e95bdb4 99df528
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 16 17:13:05 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-15' 
into staging

      QAPI patches

      # gpg: Signature made Thu 15 Oct 2015 07:40:46 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-10-15:
        qapi: Track location that created an implicit type
        qapi: Create simple union type member earlier
        qapi: Lazy creation of array types
        qapi: Don't use info as witness of implicit object type
        qapi: Drop redundant args-member-array test
        qapi: Drop redundant flat-union-reverse-define test
        qapi: Drop redundant returns-int test
        qapi: Move empty-enum to compile-time test
        qapi: Drop redundant alternate-good test
        qapi: Prepare for errors during check()
        qapi: Use predicate callback to determine visit filtering
        qapi: Fix regression with '-netdev help'

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e95bdb4341c36ee158ff9dda4ade3f94405c69ce
  Merge: c49d341 60be634
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 16 15:47:59 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151015' into staging

      migration/next for 20151015

      # gpg: Signature made Thu 15 Oct 2015 07:25:27 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151015:
        migration: fix deadlock
        migration: announce VM's new home just before VM is runnable
        Migration: Generate the completed event only when we complete

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5d98bf8f38c17a348ab6e8af196088cd4953acd0
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Oct 13 12:56:28 2015 +0300

      target-arm: Fix CPU breakpoint handling

      A QEMU breakpoint match is not definitely an architectural breakpoint
      match. If an exception is generated unconditionally during translation,
      it is hardly possible to ignore it in the debug exception handler.

      Generate a call to a helper to check CPU breakpoints and raise an
      exception only if any breakpoint matches architecturally.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e63a2d4d9ed73e33a0b7483085808048be8bbcb1
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Oct 13 12:56:27 2015 +0300

      target-arm: Fix GDB breakpoint handling

      GDB breakpoints have higher priority so they have to be checked first.
      Should GDB breakpoint match, just return from the debug exception
      handler.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6b826af7b010ed1963b1e7bfb5c389dcdbaff222
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 16 18:46:04 2015 +0800

      blkdebug: Don't confuse image as backing file

      The word "backing file" nowadays refers to the backing_hd in the
      external snapshot sense (i.e. bs->backing_hd), instead of the file sense
      (bs->file). Correct the comment to use the right term.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e394621fbda0d9f69df2c9eab73ad5a5189805bb
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Jul 10 22:19:23 2015 +0200

      qcow2: Remove forward declaration of QCowAIOCB

      This struct doesn't exist any more since commit 3fc48d09 in August 2011,
      it's about time to remove its forward declaration.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit bb628e1af8b8b5ecf6420e50123cb696ee18b09f
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 23 13:48:36 2015 +0100

      qemu-nbd: always compile in --aio=MODE option

      The --aio=MODE option enables Linux AIO or Windows overlapped I/O.

      The #ifdef CONFIG_LINUX_AIO was a layering violation that also prevented
      Windows overlapped I/O from being used.

      Now that raw-posix.c prints an error when Linux AIO has not been
      compiled in, we can unconditionally compile the option into qemu-nbd.

      After this patch qemu-nbd --aio=native works on Windows.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 04d71322c1cf6f527f15397c76bc088ebda7c18b
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 23 13:48:35 2015 +0100

      blockdev: always compile in -drive aio= parsing

      CONFIG_LINUX_AIO is an implementation detail of raw-posix.c.  Don't
      mention CONFIG_LINUX_AIO in blockdev.c.  Let block drivers decide what
      to do with BDRV_O_NATIVE_AIO.  They may print an error if it is
      unsupported.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1501ecc1d89231164b4aecddd0219ed4395b693a
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 23 13:48:34 2015 +0100

      raw-posix: warn about BDRV_O_NATIVE_AIO if libaio is unavailable

      raw-posix.c silently ignores BDRV_O_NATIVE_AIO if libaio is unavailable.
      It is confusing when aio=native performance is identical to aio=threads
      because the binary was accidentally built without libaio.

      Print a deprecation warning if -drive aio=native is used with a binary
      that does not support libaio.  There are probably users using aio=native
      who would be inconvenienced if QEMU suddenly refused to start their
      guests.  In the future this will become an error.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 15489c769b9a4b3bec5b5848af2960689d7b4bd8
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Mon Oct 12 19:36:50 2015 -0400

      block: auto-generated node-names

      If a node-name is not specified, automatically generate the node-name.

      Generated node-names will use the "block" sub-system identifier.

      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a0f1913637e6cd711aa721233b75eb2ec84d017b
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Mon Oct 12 19:36:49 2015 -0400

      util - add automated ID generation utility

      Multiple sub-systems in QEMU may find it useful to generate IDs
      for objects that a user may reference via QMP or HMP.  This patch
      presents a standardized way to do it, so that automatic ID generation
      follows the same rules.

      This patch enforces the following rules when generating an ID:

      1.) Guarantee no collisions with a user-specified ID
      2.) Identify the sub-system the ID belongs to
      3.) Guarantee of uniqueness
      4.) Spoiling predictability, to avoid creating an assumption
          of object ordering and parsing (i.e., we don't want users to think
          they can guess the next ID based on prior behavior).

      The scheme for this is as follows (no spaces):

                      # subsys D RR
      Reserved char --|    |   | |
      Subsystem String ----|   | |
      Unique number (64-bit) --| |
      Two-digit random number ---|

      For example, a generated node-name for the block sub-system may look
      like this:

          #block076

      The caller of id_generate() is responsible for freeing the generated
      node name string with g_free().

      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7e39d3a2dd34a84900e10b4ea1567f3b352659af
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Oct 13 14:15:53 2015 +0200

      blkverify: Fix BDS leak in .bdrv_open error path

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 779020cbdc67011026c10fb620f701bfc6b85547
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Oct 13 14:09:44 2015 +0200

      block: Allow bdrv_unref_child(bs, NULL)

      bdrv_unref() can be called with a NULL argument and doesn't do anything
      then. Make bdrv_unref_child() consistent with it.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 8e419aefa07ca8e640f8db50b450378e84d60a11
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Sep 16 16:18:38 2015 +0200

      block: Remove bdrv_swap()

      bdrv_swap() is unused now. Remove it and all functions that have
      no other users than bdrv_swap(). In particular, this removes the
      .bdrv_rebind callbacks from block drivers.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3f09bfbc7bee812a44838f4c8b254007a9b86cab
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Sep 15 11:58:23 2015 +0200

      block: Add and use bdrv_replace_in_backing_chain()

      This cleans up the mess we left behind in the mirror code after the
      previous patch. Instead of using bdrv_swap(), just change pointers.

      The interface change of the mirror job that callers must consider is
      that after job completion, their local BDS pointers still point to the
      same node now. qemu-img must change its code accordingly (which makes it
      easier to understand); the other callers stays unchanged because after
      completion they don't do anything with the BDS, but just with the job,
      and the job is still owned by the source BDS.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 8ccb9569a976056c9594bb720ba33d84827648d9
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Sep 16 13:34:54 2015 +0200

      blockjob: Store device name at job creation

      Some block jobs change the block device graph on completion. This means
      that the device that owns the job and originally was addressed with its
      device name may no longer be what the corresponding BlockBackend points
      to.

      Previously, the effects of bdrv_swap() ensured that the job was (at
      least partially) transferred to the target image. Events that contain
      the device name could still use bdrv_get_device_name(job->bs) and get
      the same result.

      After removing bdrv_swap(), this won't work any more. Instead, save the
      device name at job creation and use that copy for QMP events and
      anything else identifying the job.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dd62f1ca433ea60b06590884642ad2c8f8e539f2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Jun 18 14:09:57 2015 +0200

      block: Implement bdrv_append() without bdrv_swap()

      Remember all parent nodes and just change the pointers there instead of
      swapping the contents of the BlockDriverState.

      Handling of snapshot=on must be moved further down in bdrv_open()
      because *pbs (which is the bs pointer in the BlockBackend) must already
      be set before bdrv_append() is called. Otherwise bdrv_append() changes
      the BB's pointer to the temporary snapshot, but bdrv_open() overwrites
      it with the read-only original image.

      We also need to be careful to update callers as the interface changes
      (becomes less insane): Previously, the meaning of the two parameters was
      inverted when bdrv_append() returns. Now any BDS pointers keep pointing
      to the same node.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d42a8a935b8b2d567331fffa13a70918352668bb
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Sep 17 13:18:23 2015 +0200

      block: Introduce parents list

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a2d6190048d01c7012ab4fd6a2558f435b7b2fe8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Sep 17 13:01:50 2015 +0200

      block-backend: Add blk_set_bs()

      It allows changing the BlockDriverState that a BlockBackend points to.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 439db28cf9d4c29c9a97040bc8e08f047ba7e0af
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Sep 16 16:08:17 2015 +0200

      block/io: Make bdrv_requests_pending() public

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 063dd40e110eba7fffff09850ea9116b8dee2ae6
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Sep 17 12:33:26 2015 +0200

      block: Split bdrv_move_feature_fields()

      After bdrv_swap(), some fields must be moved back to their original BDS
      to compensate for the effects that a swap of the contents of the objects
      has while keeping the old addresses. Other fields must be moved back
      because they should logically be moved and must stay on top

      When replacing bdrv_swap() with operations changing the pointers in the
      parents, we only need the latter and must avoid swapping the former.
      Split the function accordingly.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5db15a57697063b9062a015dbc6d5d38211f2df1
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Sep 14 15:33:33 2015 +0200

      block: Manage backing file references in bdrv_set_backing_hd()

      This simplifies the code somewhat, especially when dropping whole
      backing file subchains.

      The exception is the mirroring code that does adventurous things with
      bdrv_swap() and in order to keep it working, I had to duplicate most of
      bdrv_set_backing_hd() locally. We'll get rid again of this ugliness
      shortly.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 760e006384ecd5b8b8b1b91b5c85ff8fdcb3a21f
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jun 17 14:55:21 2015 +0200

      block: Convert bs->backing_hd to BdrvChild

      This is the final step in converting all of the BlockDriverState
      pointers that block drivers use to BdrvChild.

      After this patch, bs->children contains the full list of child nodes
      that are referenced by a given BDS, and these children are only
      referenced through BdrvChild, so that updating the pointer in there is
      enough for changing edges in the graph.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b26e90f56ad3a494ee6337d2075f4dc55b62b3c6
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 16:23:54 2015 +0200

      block: Remove bdrv_open_image()

      It is unused now.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9a4f4c31563b96a075f3deae83e72c726e0c84f8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 14:19:22 2015 +0200

      block: Convert bs->file to BdrvChild

      This patch removes the temporary duplication between bs->file and
      bs->file_child by converting everything to BdrvChild.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0bd6e91a7e00129764afb9bed83ae5519e18a111
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 11:29:22 2015 +0200

      quorum: Convert to BdrvChild

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3e586be0b2b772394d6ed68c5b5a6da5cbbfe08b
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 11:13:47 2015 +0200

      blkverify: Convert s->test_file to BdrvChild

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 24bc15d1f6429dac0de47348b4b302855360c492
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 13:50:20 2015 +0200

      vmdk: Use BdrvChild instead of BDS for references to extents

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1fdd69330872ef91d92482472eef79350d2f379b
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 14:11:51 2015 +0200

      block: Introduce BDS.file_child

      Store the BdrvChild for bs->file. At this point, bs->file_child->bs just
      duplicates the bs->file pointer. Later, it will completely replace it.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 68e517a8d7d89298235913a514af70364e559b78
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Mon Oct 12 20:18:07 2015 -0400

      block: qemu-iotests - fix vmdk test 059.out

      In commit fe646693acc13ac48b98435d14149ab04dc597bc, the option
      printout format changed.

      This updates the VMDK test 059.out to the correct output.

      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a910523a244c10d6c458e1415f35a92c3b11387f
  Author: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
  Date:   Fri Oct 2 14:12:34 2015 +0200

      qmp-commands.hx: Update the supported 'transaction' operations

      Although the canonical source of reference for QMP commands is
      qapi-schema.json, for consistency's sake, update qmp-commands.hx to
      state the list of supported transactionable operations, namely:

          drive-backup
          blockdev-backup
          blockdev-snapshot-internal-sync
          abort
          block-dirty-bitmap-add
          block-dirty-bitmap-clear

      Also update the possible values for the "type" action array.

      Signed-off-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 317438e6dba5d7bb44bd867c10993c54b927992b
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Thu Sep 17 17:33:06 2015 +0300

      throttle: test that snapshots move the throttling configuration

      If a snapshot is performed on a device that has I/O limits they should
      be moved to the target image (the new active layer).

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit efd0fbbcf5d28b18fc629681e3bc8bee1bfadd9a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Sep 28 17:23:00 2015 +0300

      iotests: disable core dumps in test 061

      Commit 934659c460 disabled the supression of segmentation faults in
      bash tests. The new output of test 061, however, assumes that a core
      dump will be produced if a program aborts. This is not necessarily the
      case because core dumps can be disabled using ulimit.

      Since we cannot guarantee that abort() will produce a core dump, we
      should use SIGKILL instead (that does not produce any) and update the
      test output accordingly.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 81669b8b81eb450d7b89ee5fdd57bdb73d87022d
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Sep 14 13:53:48 2015 +0300

      target-arm: implement arm_debug_target_el()

      Implement debug exception routing according to ARM ARM D2.3.1 Pseudocode
      description of routing debug exceptions.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 74de8c356844080fcabc3a44b08b9d22feda691f
  Author: Alexander Gordeev <agordeev@xxxxxxxxxx>
  Date:   Fri Oct 16 11:14:54 2015 +0100

      hw/arm/virt: Allow zero address for PCI IO space

      Currently PCI IO address 0 is not allowed even though
      the IO space starts from 0. This update makes  PCI IO
      address 0 usable.

      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      CC: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Alexander Gordeev <agordeev@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 14cc7b54372995a6ba72c7719372e4f710fc9b5a
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:54 2015 +0100

      target-arm: Add MDCR_EL2

      Add the MDCR_EL2 register. We don't implement any of
      the debug-related traps this register controls yet, so
      currently it simply reads back as written.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1444383794-16767-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: tweaked commit message; moved non-dummy definition from
      debug_cp_reginfo to el2_cp_reginfo.]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c209b0537203c58a051e5d837320335cea23e494
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      misc: zynq_slcr: Fix MMIO writes

      The /4 for offset calculation in MMIO writes was happening twice giving
      wrong write offsets. Fix.

      While touching the code, change the if-else to be a short returning if
      and convert the debug message to a GUEST_ERROR, which is more accurate
      for this condition.

      Cc: qemu-stable@xxxxxxxxxx
      Cc: Guenter Roeck <linux@xxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b64d64de1a5b88de88146e3ad36e7b09b97837eb
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      arm: imx25-pdk: Fix machine name

      ARM uses dashes instead of underscores for machine names. Fix imx25_pdk
      which has not seen a release yet (so there is no legacy yet).

      Cc: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 1444445785-3648-1-git-send-email-crosthwaite.peter@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: Added change to tests/ds1338-test.c to use new machine name]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ad1e8db894fa055ffa9447a5d86520ef1cbac6e9
  Author: Ryo ONODERA <ryo_on@xxxxxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      target-arm: Provide model numbers for Sharp PDAs

      * For Collie, Akita, Spitz, Borzoi, Terrier and Tosa PDAs, provide
        model numbers and manufacturer (Sharp) information.

      Signed-off-by: Ryo ONODERA <ryo_on@xxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1424ca8d4320427c3e93722b65e19077969808a2
  Author: Davorin Mista <davorin.mista@xxxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      target-arm: Implement AArch64 OSLAR/OSLSR_EL1 sysregs

      Added oslar_write function to OSLAR_EL1 sysreg, using a status variable
      in ARMCPUState.cp15 struct (oslsr_el1). This variable is also linked
      to the newly added read-only OSLSR_EL1 register.

      Linux reads from this register during its suspend/resume procedure.

      Signed-off-by: Davorin Mista <davorin.mista@xxxxxxxxxx>
      [PMM: folded a long line and tweaked a comment]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bab27ea2e3855b6495a743f19b9d28cb013443ea
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      hw/arm/virt: smbios: inform guest of kvm

      ARM/AArch64 KVM guests don't have any way to identify
      themselves as KVM guests (x86 guests use a CPUID leaf). Now, we
      could discuss all sorts of reasons why guests shouldn't need to
      know that, but then there's always some case where it'd be
      nice... Anyway, now that we have SMBIOS tables in ARM guests,
      it's easy for the guest to know that it's a QEMU instance. This
      patch takes that one step further, also identifying KVM, when
      appropriate. Again, we could debate why generally nothing
      should care whether it's of type QEMU or QEMU/KVM, but again,
      sometimes it's nice to know...

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Reviewed-by: Wei Huang <wei@xxxxxxxxxx>
      Message-id: 1443017892-15567-1-git-send-email-drjones@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2cde031f5a34996bab32571a26b1a6bcf3e5b5d9
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:52 2015 +0100

      target-arm: Avoid calling arm_el_is_aa64() function for unimplemented EL

      It is incorrect to call arm_el_is_aa64() function for unimplemented EL.
      This patch fixes several attempts to do so.

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      [PMM: Reworked several of the comments to be more verbose.]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6df99dec9e81838423d723996e96236693fa31fe
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:52 2015 +0100

      target-arm: Break the TB after ISB to execute self-modified code correctly

      If any store instruction writes the code inside the same TB
      after this store insn, the execution of the TB must be stopped
      to execute new code correctly.
      As described in ARMv8 manual D3.4.6 self-modifying code must do an
      IC invalidation to be valid, and an ISB after it. So it's enough to end
      the TB after ISB instruction on the code translation.
      Also this TB break is necessary to take any pending interrupts immediately
      after an ISB (as required by ARMv8 ARM D1.14.4).

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      [PMM: tweaked commit message and comments slightly]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 82c39f6a8898b028515eddcdbc4ae50959d0af5d
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Fri Oct 16 11:14:52 2015 +0100

      target-arm: Add missing 'static' attribute

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Message-id: 1443213733-9807-1-git-send-email-sw@xxxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 468a895bce1492cf83bb8be0d995ccdfcf4f2785
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Tue Oct 13 21:51:18 2015 +0100

      ui/cocoa.m: blinky mouse cursor fix

      The mouse cursor can become blinky when being moved a lot. This patch 
fixes that
      problem by issuing the redraw sooner.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: AAA87DD7-EC20-4F4B-B71E-C38461D9FCBA@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a7940ec0af4be5d35f65890fe0c722efc5489298
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Tue Oct 13 21:51:18 2015 +0100

      ui/cocoa.m: addRemovableDevicesMenuItems() warning fix

      Eliminate this warning associated with the addRemovableDevicesMenuItems()
      function:

      ui/cocoa.m:1344:13: warning: function declaration isn't a prototype
      [-Wstrict-prototypes]
       static void addRemovableDevicesMenuItems()
                   ^
      ui/cocoa.m: In function 'addRemovableDevicesMenuItems':
      ui/cocoa.m:1344:13: warning: old-style function definition 
[-Wold-style-definition]

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 7B365FC2-072B-4E8D-A1D9-922C2D691A83@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 99df5289d8c7ebf373c3570d8fba3f3a73360281
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:32 2015 -0600

      qapi: Track location that created an implicit type

      A future patch will move some error checking from the parser
      to the various QAPISchema*.check() methods, which run only
      after parsing completes.  It will thus be possible to create
      a python instance representing an implicit QAPI type that
      parses fine but will fail validation during check().  Since
      all errors have to have an associated 'info' location, we
      need a location to be associated with those implicit types.
      The intuitive info to use is the location of the enclosing
      entity that caused the creation of the implicit type.

      Note that we do not anticipate builtin types being used in
      an error message (as they are not part of the user's QAPI
      input, the user can't cause a semantic error in their
      behavior), so we exempt those types from requiring info, by
      setting a flag to track the completion of _def_predefineds(),
      and tracking that flag in _def_entity().

      No change to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-13-git-send-email-eblake@xxxxxxxxxx>
      [Missing QAPISchemaArrayType.is_implicit() supplied]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 46292ba75c515baf733df18644052b2ce9492728
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:29 2015 -0600

      qapi: Create simple union type member earlier

      For simple unions, we were creating the implicit 'type' tag
      member during the QAPISchemaObjectTypeVariants constructor.
      This is different from every other implicit QAPISchemaEntity
      object, which get created by QAPISchema methods.  Hoist the
      creation to the caller (renaming _make_tag_enum() to
      _make_implicit_tag()), and pass the entity rather than the
      string name, so that we have the nice property that no
      entities are created as a side effect within a different
      entity.  A later patch will then have an easier time of
      associating location info with each entity creation.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-10-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9f08c8ec73878122ad4b061ed334f0437afaaa32
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:28 2015 -0600

      qapi: Lazy creation of array types

      Commit ac88219a had several TODO markers about whether we needed
      to automatically create the corresponding array type alongside
      any other type.  It turns out that most of the time, we don't!

      There are a few exceptions: 1) We have a few situations where we
      use an array type in internal code but do not expose that type
      through QMP; fix it by declaring a dummy type that forces the
      generator to see that we want to use the array type.

      2) The builtin arrays (such as intList for QAPI ['int']) must
      always be generated, because of the way our QAPI_TYPES_BUILTIN
      compile guard works: we have situations (at the very least
      tests/test-qmp-output-visitor.c) that include both top-level
      "qapi-types.h" (via "error.h") and a secondary
      "test-qapi-types.h". If we were to only emit the builtin types
      when used locally, then the first .h file would not include all
      types, but the second .h does not declare anything at all because
      the first .h set QAPI_TYPES_BUILTIN, and we would end up with
      compilation error due to things like unknown type 'int8List'.

      Actually, we may need to revisit how we do type guards, and
      change from a single QAPI_TYPES_BUILTIN over to a different
      usage pattern that does one #ifdef per qapi type - right now,
      the only types that are declared multiple times between two qapi
      .json files for inclusion by a single .c file happen to be the
      builtin arrays.  But now that we have QAPI 'include' statements,
      it is logical to assume that we will soon reach a point where
      we want to reuse non-builtin types (yes, I'm thinking about what
      it will take to add introspection to QGA, where we will want to
      reuse the SchemaInfo type and friends).  One #ifdef per type
      will help ensure that generating the same qapi type into more
      than one qapi-types.h won't cause collisions when both are
      included in the same .c file; but we also have to solve how to
      avoid creating duplicate qapi-types.c entry points.  So that
      is a problem left for another day.

      Generated code for qapi-types and qapi-visit is drastically
      reduced; less than a third of the arrays that were blindly
      created were actually needed (a quick grep shows we dropped
      from 219 to 69 *List types), and the .o files lost more than
      30% of their bulk.  [For best results, diff the generated
      files with 'git diff --patience --no-index pre post'.]

      Interestingly, the introspection output is unchanged - this is
      because we already cull all types that are not indirectly
      reachable from a command or event, so introspection was already
      using only a subset of array types.  The subset of types
      introspected is now a much larger percentage of the overall set
      of array types emitted in qapi-types.h (since the larger set
      shrunk), but still not 100% (evidence that the array types
      emitted for our new Dummy structs, and the new struct itself,
      don't affect QMP).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-9-git-send-email-eblake@xxxxxxxxxx>
      [Moved array info tracking to a later patch]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 49823c4b4304a3e4aa5d67e089946b12d6a52d64
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:27 2015 -0600

      qapi: Don't use info as witness of implicit object type

      A future patch will enable error reporting from the various
      QAPISchema*.check() methods.  But to report an error related
      to an implicit type, we'll need to associate a location with
      the type (the same location as the top-level entity that is
      causing the creation of the implicit type), and once we do
      that, keying off of whether foo.info exists is no longer a
      viable way to determine if foo is an implicit type.

      Instead, add an is_implicit() method to QAPISchemaEntity, and use it.
      It can be overridden later for ObjectType and EnumType, when implicit
      instances of those classes gain info.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-8-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 849ab13c1657b51b89693282ddd42ca1f6255354
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Oct 13 12:26:47 2015 -0600

      qapi: Drop redundant args-member-array test

      qapi-schema-test already ensures that we can correctly compile
      an array of enums (__org.qemu_x-command), an array of builtins
      (UserDefNativeListUnion), and an array of structs (again
      __org.qemu_x-command).  That means args-member-array is not
      adding any additional parse-only test coverage, so drop it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444760807-11307-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 70478cef837e86b1cff08073153081ce480e0e6c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:26 2015 -0600

      qapi: Drop redundant flat-union-reverse-define test

      As of commit 8c3f8e77, we test compilation of forward references
      for a struct base type (UserDefOne), flat union base type
      (UserDefUnionBase), and flat union branch type
      (UserDefFlatUnion2). The only remaining forward reference being
      tested for parsing in flat-union-reverse-define was a forward
      enum declaration.  Once we make sure that always compiles,
      the smaller parse-only test is redundant and can be deleted.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-7-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cae95eae6270c1ea28a9ba8eee75c441b1015f68
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:25 2015 -0600

      qapi: Drop redundant returns-int test

      qapi-schema-test was already testing that we could have a
      command returning int, but burned a command name in the whitelist.
      Merge the redundant positive test returns-int, and pick a name
      that reduces the whitelist size.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-6-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 625b251c69d983959efaeadeee12405b1a66d331
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:24 2015 -0600

      qapi: Move empty-enum to compile-time test

      Rather than just asserting that we can parse an empty enum,
      let's also make sure we can compile it, by including it in
      qapi-schema-test.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-5-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit baabb84c5b27115b979d864cb2af4d63b823983f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:23 2015 -0600

      qapi: Drop redundant alternate-good test

      The alternate-good.json test was already covered by
      qapi-schema-test.json.  As future commits will be tweaking
      how alternates are laid out, removing the duplicate test now
      reduces churn.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-4-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 7618b91ff80ec42b84b29be24d8ef53ddb377110
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:22 2015 -0600

      qapi: Prepare for errors during check()

      The next few patches will start migrating error checking from
      ad hoc parse methods into the QAPISchema*.check() methods.  But
      for an error message to display, we first have to fix the
      overall 'try' to catch those errors.  We also want to enable a
      few more assertions, such as making sure every attempt to
      raise a semantic error is passed a valid location info, or that
      various preconditions hold.

      The general approach for moving error checking will then be to
      relax an assertion into an if that raises an exception if the
      condition does not hold, and removing the counterpart ad hoc
      check done during the parse phase.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-3-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 25a0d9c977c2f5db914b0a1619759fd77d97b016
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:21 2015 -0600

      qapi: Use predicate callback to determine visit filtering

      Previously, qapi-types and qapi-visit filtered out implicit
      objects during visit_object_type() by using 'info' (works since
      implicit objects do not [yet] have associated info); meanwhile
      qapi-introspect filtered out all schema types on the first pass
      by returning a python type from visit_begin(), which was then
      used at a distance in QAPISchema.visit() to do the filtering.

      Rather than keeping these ad hoc approaches, add a new visitor
      callback visit_needed() which returns False to skip a given
      entity, and which defaults to True unless overridden.  Use the
      new mechanism to simplify all three filtering visitors.

      No change to the generated code.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-2-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d08ac81a459258ce20b3184fa9325c6c1350ac9e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Oct 14 16:30:25 2015 -0600

      qapi: Fix regression with '-netdev help'

      Commit e36c714e causes 'qemu -netdev help' to dump core, because the
      call to visit_end_union() is no longer conditional on whether *obj was
      allocated.

      Reported by Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444861825-19256-1-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked to say 'help' instead of '?']
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 60be6340796e66b5ac8aac2d98dde5c79336a89c
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Mon Sep 28 14:41:58 2015 +0300

      migration: fix deadlock

      Release qemu global mutex before call synchronize_rcu().
      synchronize_rcu() waiting for all readers to finish their critical
      sections. There is at least one critical section in which we try
      to get QGM (critical section is in address_space_rw() and
      prepare_mmio_access() is trying to aquire QGM).

      Both functions (migration_end() and migration_bitmap_extend())
      are called from main thread which is holding QGM.

      Thus there is a race condition that ends up with deadlock:
      main thread     working thread
      Lock QGA                |
      |             Call KVM_EXIT_IO handler
      |                       |
      |        Open rcu reader's critical section
      Migration cleanup bh    |
      |                       |
      synchronize_rcu() is    |
      waiting for readers     |
      |            prepare_mmio_access() is waiting for QGM
        \                   /
               deadlock

      The patch changes bitmap freeing from direct g_free after synchronize_rcu
      to free inside call_rcu.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reported-by: Igor Redko <redkoi@xxxxxxxxxxxxx>
      Tested-by: Igor Redko <redkoi@xxxxxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

      CC: Anna Melekhova <annam@xxxxxxxxxxxxx>
      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Amit Shah <amit.shah@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Wen Congyang <wency@xxxxxxxxxxxxxx>

  commit 92e3762237475407fe03e1ccac6e30612ab96caf
  Author: Amit Shah <amit.shah@xxxxxxxxxx>
  Date:   Wed Oct 14 17:37:19 2015 +0530

      migration: announce VM's new home just before VM is runnable

      We were announcing the dest host's IP as our new IP a bit too soon -- if
      there were errors detected after this announcement was done, the
      migration is failed and the VM could continue running on the src host --
      causing problems later.

      Move around the qemu_announce_self() call so it's done just before the
      VM is runnable.

      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit ed1f3e0090069dcb9458aa9e450df12bf8eba0b0
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue Oct 13 12:21:27 2015 +0100

      Migration: Generate the completed event only when we complete

      The current migration-completed event is generated a bit too early,
      which means that an eager libvirt that's ready to go as soon
      as it sees the event ends up racing with the actual end of migration.

      This corresponds to RH bug:
      https://bugzilla.redhat.com/show_bug.cgi?id=1271145

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      xSigned-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 6511d39679f296162a90e71685651717a29e78e5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:08:05 2015 +0200

      qemu-char: convert serial backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fd5b036c5c6dc715bd06769a0023c6e1de2dadb4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:06:02 2015 +0200

      qemu-char: convert file backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4ca172817a8c6df0145c16d80abdf04d53a56d92
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 14:55:59 2015 +0200

      qemu-char: add create to register_char_driver

      Having creation as a member of the CharDriver struct removes the need
      to export functions for qemu-char.c's usage.  After the conversion,
      chardev backends implemented outside qemu-char.c will not need a stub
      creation function anymore.

      Ultimately all drivers will be converted.  For now, support the case
      where cd->create == NULL.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d809ab9521ace32a806cdf86ee7df40e1bf88443
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 09:46:23 2015 +0200

      qemu-char: cleanup HAVE_CHARDEV_*

      Move the #ifdef up into qmp_chardev_add, and avoid duplicating
      the code that reports unavailable backends.  Split HAVE_CHARDEV_TTY
      into HAVE_CHARDEV_SERIAL and HAVE_CHARDEV_PTY.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit eaeba65304d9666309f246849adf1eff217b9868
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 14:54:05 2015 +0200

      qemu-char: cleanup qmp_chardev_add

      Use the usual idioms for error propagation.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a1dbc05a6f73e63ccfdd538c1825d44aa6347d8f
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Tue Oct 13 21:51:18 2015 +0100

      ui/cocoa.m: eliminate normalWindow warning

      Eliminate this warning associated with the setting of the normalWindow's 
title:

      ui/cocoa.m: In function '-[QemuCocoaAppController init]':
      ui/cocoa.m:888:9: warning: format not a string literal and no format 
arguments
       [-Wformat-security]
               [normalWindow setTitle:[NSString stringWithFormat:@"QEMU"]];

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 57057D6E-C108-4AE1-8370-E7E6855B2F2C@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0a3c190098e1cb3daaa946cba6663467d1f4e857
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Oct 12 18:41:19 2015 +0100

      README: fill out some useful quickstart information

      The README file is usually the first thing consulted when a user
      or developer obtains a copy of the QEMU source. The current QEMU
      README is lacking immediately useful information and so not very
      friendly for first time encounters. It either redirects users to
      qemu-doc.html (which does not exist until they've actually
      compiled QEMU), or the website (which assumes the user has
      convenient internet access at time of reading).

      This fills out the README file as simple quick-start guide on
      the topics of building source, submitting patches, licensing
      and how to contact the QEMU community. It does not intend to be
      comprehensive, instead referring people to an appropriate web
      page to obtain more detailed information. The intent is to give
      users quick guidance to get them going in the right direction.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1444671679-17674-1-git-send-email-berrange@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c49d3411faae8ffaab8f7e5db47405a008411c10
  Merge: 5451316 18bdbc3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 13 10:42:06 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-12' 
into staging

      QAPI patches

      # gpg: Signature made Mon 12 Oct 2015 18:56:35 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-10-12:
        qapi: Simplify gen_visit_fields() error handling
        qapi: Share gen_visit_fields()
        qapi: Share gen_err_check()
        qapi: Consistent generated code: minimize push_indent() usage
        qapi: Consistent generated code: prefer common indentation
        qapi: Consistent generated code: prefer common labels
        qapi: Consistent generated code: prefer visitor 'v'
        qapi: Consistent generated code: prefer error 'err'
        qapi: Reuse code for flat union base validation
        qapi: Test use of 'number' within alternates
        qapi: Add tests for empty unions
        qapi: Avoid assertion failure on union 'type' collision
        qapi: Test for various name collisions
        qapi: Clean up qapi.py per pep8
        qapi: Invoke exception superclass initializer
        qapi: Improve 'include' error message
        qapi: Sort qapi-schema tests
        MAINTAINERS: Specify QAPI include and test files
        MAINTAINERS: Specify QObject include and test files
        docs: Move files from docs/qmp/ to docs/

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 18bdbc3ac8b477e160d56aa6ecd6942495ce44d0
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:15 2015 -0600

      qapi: Simplify gen_visit_fields() error handling

      Since we have consolidated all generated code to use 'err' as
      the name of the local variable for error detection, we can
      simplify the decision on whether to skip error detection (useful
      for deallocation paths) to be a boolean.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-18-git-send-email-eblake@xxxxxxxxxx>
      [Change to gen_visit_fields() simplified]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 82ca8e469666b169ccf818a0e36136aee97d7db0
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:14 2015 -0600

      qapi: Share gen_visit_fields()

      Consolidate the code between visit, command marshalling, and
      event generation that iterates over the members of a struct.
      It reduces code duplication in the generator, so that a future
      patch can reduce the size of generated code while touching only
      one instead of three locations.

      There are no changes to the generated marshal code.

      The visitor code becomes slightly more verbose, but remains
      semantically equivalent, and is actually easier to read as
      it follows a more common idiom:

      |     visit_optional(v, &(*obj)->has_device, "device", &err);
      |-    if (!err && (*obj)->has_device) {
      |-        visit_type_str(v, &(*obj)->device, "device", &err);
      |-    }
      |     if (err) {
      |         goto out;
      |     }
      |+    if ((*obj)->has_device) {
      |+        visit_type_str(v, &(*obj)->device, "device", &err);
      |+        if (err) {
      |+            goto out;
      |+        }
      |+    }

      The event code becomes slightly more verbose, but this is
      arguably a bug fix: although the visitors are not well
      documented, use of an optional member should not be attempted
      unless guarded by a prior call to visit_optional().  Works only
      because the output qmp visitor has a no-op visit_optional():

      |+    visit_optional(v, &has_offset, "offset", &err);
      |+    if (err) {
      |+        goto out;
      |+    }
      |     if (has_offset) {
      |         visit_type_int(v, &offset, "offset", &err);

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-17-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1f35334489a43800df4d20cd91362a87cee39a29
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:13 2015 -0600

      qapi: Share gen_err_check()

      qapi-commands has a nice helper gen_err_check(), but did not
      use it everywhere. In fact, using it in more places makes it
      easier to reduce the lines of code used for generating error
      checks.  This in turn will make it easier for later patches
      to consolidate another common pattern among the generators.

      The generated code has fewer blank lines in qapi-event.c functions,
      but has no semantic difference.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-16-git-send-email-eblake@xxxxxxxxxx>
      [Drop another blank line for symmetry]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 05372f708a8cb3556e4d67458de79417dadf241f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:12 2015 -0600

      qapi: Consistent generated code: minimize push_indent() usage

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch reduces the number of push_indent()/pop_indent() pairs
      so that generated code is typically already at its natural output
      indentation in the python files.  It is easier to reason about
      generated code if the reader does not have to track how much
      spacing will be inserted alongside the code, and moreso when all
      of the generators use the same patterns (qapi-type and qapi-event
      were already using in-place indentation).

      Arguably, the resulting python may be a bit harder to read with C
      code at the same indentation as python; on the other hand, not
      having to think about push_indent() is a win, and most decent
      editors provide syntax highlighting that makes it easier to
      visually distinguish python code from string literals that will
      become C code.

      There is no change to the generated output.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-15-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e36c714e6aad7c9266132350833e2f263f6d8874
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:11 2015 -0600

      qapi: Consistent generated code: prefer common indentation

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch adjusts gen_visit_union() to use the same indentation
      as other functions, namely, by jumping early to the error label
      if the object was not set rather than placing the rest of the
      body inside an if for when it is set.

      No change in semantics to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-14-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f782399cb4fa3fc4182cb046817f65a6db92ab07
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:10 2015 -0600

      qapi: Consistent generated code: prefer common labels

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch names the goto labels 'out' (not 'clean') and 'out_obj'
      (not 'out_end').  Additionally, the generator was inconsistent on
      whether labels had a leading space [our HACKING is silent; while
      emacs 'gnu' style adds the space to avoid littering column 1].
      For minimal churn, prefer no leading space; this also matches
      the style that is more prevalent in current qemu.git.

      No change in semantics to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-13-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f8b7f1a8eafa9f565ebecfe409e8741d38cd786b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:09 2015 -0600

      qapi: Consistent generated code: prefer visitor 'v'

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch names the local visitor variable 'v' rather than 'm'.
      Related objects, such as 'QapiDeallocVisitor', are also named by
      their initials instead of an unrelated leading m.

      No change in semantics to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-12-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2a0f50e8d973b01eda4c63bac4a5c79ea0f584ef
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:08 2015 -0600

      qapi: Consistent generated code: prefer error 'err'

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch consistently names the local error variable 'err' rather
      than 'local_err'.

      No change in semantics to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-11-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 376863ef4895ae709aadb6f26365a5973310ef09
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:07 2015 -0600

      qapi: Reuse code for flat union base validation

      Rather than open-code the check for a valid base type, we
      should reuse the common functionality. This allows for
      consistent error messages, and also makes it easier for a
      later patch to turn on support for inline anonymous base
      structures.

      Test flat-union-inline is updated to test only one feature
      (anonymous branch dictionaries), which can be implemented
      independently (test flat-union-bad-base already covers the
      idea of an anonymous base dictionary).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-10-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9c51b4412959c5331a8a931d848c4b755b5bb36a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:06 2015 -0600

      qapi: Test use of 'number' within alternates

      Add some testsuite exposure for use of a 'number' as part of
      an alternate.  The current state of the tree has a few bugs
      exposed by this: our input parser depends on the ordering of
      how the qapi schema declared the alternate, and the parser
      does not accept integers for a 'number' in an alternate even
      though it does for numbers outside of an alternate.

      Mixing 'int' and 'number' in the same alternate is unusual,
      since both are supplied by json-numbers, but there does not
      seem to be a technical reason to forbid it given that our
      json lexer distinguishes between json-numbers that can be
      represented as an int vs. those that cannot.

      Improve the existing test_visitor_in_alternate() to match the
      style of the new test_visitor_in_alternate_number(), and to
      ensure full coverage of all possible qtype parsing.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-9-git-send-email-eblake@xxxxxxxxxx>
      [Eric's follow-up fixes squashed in]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 8d25dd101f759425456b8005b3180062689d71e7
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:05 2015 -0600

      qapi: Add tests for empty unions

      The documentation claims that alternates are useful for
      allowing two or more types, although nothing enforces this.
      Meanwhile, it is silent on whether empty unions are allowed.
      In practice, the generated code will compile, in part because
      we have a 'void *data' branch; but attempting to visit such a
      type will cause an abort().  While there's no technical reason
      that a degenerate union could not be made to work, it's harder
      to justify the time spent in chasing known (the current
      abort() during visit) and unknown corner cases, than it would
      be to just outlaw them.  A future patch will probably take the
      approach of forbidding them; in the meantime, we can at least
      add testsuite coverage to make it obvious where things stand.

      In addition to adding tests to expose the problems, we also
      need to adjust existing tests that are meant to test something
      else, but which could fail for the wrong reason if we reject
      degenerate alternates/unions.

      Note that empty structs are explicitly supported (for example,
      right now they are the only way to specify that one branch of a
      flat union adds no additional members), and empty enums are
      covered by the testsuite as working (even if they do not seem
      to have much use).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-8-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 7b2a5c2f9a52c4a08630fa741052f03fe5d3cc8a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:04 2015 -0600

      qapi: Avoid assertion failure on union 'type' collision

      The previous commit added two tests that triggered an assertion
      failure. It's fairly straightforward to avoid the failure by
      just outright forbidding the collision between a union's tag
      values and its discriminator name (including the implicit name
      'kind' supplied for simple unions [*]).  Ultimately, we'd like
      to move the collision detection into QAPISchema*.check(), but
      for now it is easier just to enhance the existing checks.

      [*] Of course, down the road, we have plans to rename the simple
      union tag name to 'type' to match the QMP wire name, but the
      idea of the collision will still be present even then.

      Technically, we could avoid the collision by naming the C union
      members representing each enum value as '_case_value' rather
      than 'value'; but until we have an actual qapi client (and not
      just our testsuite) that has a legitimate reason to match a
      case label to the name of a QMP key and needs the name munging
      to satisfy the compiler, it's easier to just reject the qapi
      as invalid.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-7-git-send-email-eblake@xxxxxxxxxx>
      [Polished a few comments]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d220fbcd1db2097de5ff3037e85317fcb5433e4e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:03 2015 -0600

      qapi: Test for various name collisions

      Expose some weaknesses in the generator: we don't always forbid
      the generation of structs that contain multiple members that map
      to the same C or QMP name.  This has already been marked FIXME in
      qapi.py in commit d90675f, but having more tests will make sure
      future patches produce desired behavior; and updating existing
      patches to better document things doesn't hurt, either.  Some of
      these collisions are already caught in the old-style parser
      checks, but ultimately we want all collisions to be caught in the
      new-style QAPISchema*.check() methods.

      This patch focuses on C struct members, and does not consider
      collisions between commands and events (affecting C function
      names), or even collisions between generated C type names with
      user type names (for things like automatic FOOList struct
      representing array types or FOOKind for an implicit enum).

      There are two types of struct collisions we want to catch:
       1) Collision between two keys in a JSON object. qapi.py prevents
          that within a single struct (see test duplicate-key), but it is
          possible to have collisions between a type's members and its
          base type's members (existing tests struct-base-clash,
          struct-base-clash-deep), and its flat union variant members
          (renamed test flat-union-clash-member).
       2) Collision between two members of the C struct that is generated
          for a given QAPI type:
          a) Multiple QAPI names map to the same C name (new test
             args-name-clash)
          b) A QAPI name maps to a C name that is used for another purpose
             (new tests flat-union-clash-branch, struct-base-clash-base,
             union-clash-data). We already fixed some such cases in commit
             0f61af3e and 1e6c1616, but more remain.
          c) Two C names generated for other purposes clash
             (updated test alternate-clash, new test union-clash-branches,
             union-clash-type, flat-union-clash-type)

      Ultimately, if we need to have a flat union where a tag value
      clashes with a base member name, we could change the generator to
      name the union (using 'foo.u.value' rather than 'foo.value') or
      otherwise munge the C name corresponding to tag values.  But
      unless such a need arises, it will probably be easier to just
      forbid these collisions.

      Some of these negative tests will be deleted later, and positive
      tests added to qapi-schema-test.json in their place, when the
      generator code is reworked to avoid particular code generation
      collisions in class 2).

      [Note that viewing this patch with git rename detection enabled
      may see some confusion due to renaming some tests while adding
      others, but where the content is similar enough that git picks
      the wrong pre- and post-patch files to associate]

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-6-git-send-email-eblake@xxxxxxxxxx>
      [Improve commit message and comments a bit, drop an unrelated test]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 437db2549be383e52acad6cd4bf2862e98fdfc93
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:02 2015 -0600

      qapi: Clean up qapi.py per pep8

      Silence pep8, and make pylint a bit happier.  Just style cleanups,
      plus killing a useless comment in camel_to_upper(); no semantic
      changes.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-5-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 59b00542659c8947f9d4e8c28d2d528ab3ab61a5
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:01 2015 -0600

      qapi: Invoke exception superclass initializer

      pylint recommends that every exception class should explicitly
      invoke the superclass __init__, even though things seem to work
      fine without it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-4-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 7408fb67c0f9403f6e40aecf97cf798fc14e2cd8
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:00 2015 -0600

      qapi: Improve 'include' error message

      Use of '"...%s" % include' to print non-strings can lead to
      ugly messages, such as this (if the .json change is applied
      without the qapi.py change):
       Expected a file name (string), got: OrderedDict()

      Better is to just omit the actual non-string value in the
      message.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-3-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1ffe818a395cb883746f3baf8d9a0b6988375e8b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:20:59 2015 -0600

      qapi: Sort qapi-schema tests

      Recent changes to qapi have provided quite a bit of churn in
      the makefile, because we are inconsistent on what order test
      names appear in, and on whether to re-wrap the list of tests or
      just add arbitrary line lengths.  Writing the list in a sorted
      fashion, one test per line, will make future patches easier
      to see what tests are being added or removed by a patch.

      Although it is tempting to use $(wildcard qapi-schema/*.json)
      for a more compact listing, such an approach would risk picking
      up leftover garbage .json files in the directory; so keeping
      the list explicit is safer for ensuring reproducible tarballs
      and test results.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-2-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ac4abb9aeb734f36eb90b149b9eed0cc8fdb2872
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 24 18:11:57 2015 +0200

      MAINTAINERS: Specify QAPI include and test files

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443111117-29831-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 7735d2b50477b171446b38efd2d8866d3c966162
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 24 18:11:56 2015 +0200

      MAINTAINERS: Specify QObject include and test files

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443111117-29831-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9b89b6a2872f1473ef82acdcb64c901982e0ef88
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 24 18:11:55 2015 +0200

      docs: Move files from docs/qmp/ to docs/

      Giving QMP its own subdirectory in docs/ is hardly worthwhile when we
      have just four files, and one of them isn't even in the subdirectory.
      Move the files from docs/qmp/ to docs/, renaming docs/qmp/README to
      docs/qmp-intro.

      Update MAINTAINERS.  The new pattern also captures the fourth file
      docs/writing-qmp-commands.txt.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443111117-29831-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit b77e7c8e99f9ac726c4eaa2fc3461fd886017dc0
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 15:35:16 2015 +0200

      qemu-sockets: fix conversion of ipv4/ipv6 JSON to QemuOpts

      The QemuOpts-based code treats "option not set" and "option set
      to false" the same way for the ipv4 and ipv6 options, because it
      is meant to handle only the ",ipv4" and ",ipv6" substrings in
      hand-crafted option parsers.

      When converting InetSocketAddress to QemuOpts, however, it is
      necessary to handle all three cases (not set, set to true, set
      to false).  Currently we are not handling all cases correctly.
      The rules are:

      * if none or both options are absent, leave things as is

      * if the single present option is Y, the other should be N.
      This can be implemented by leaving things as is, or by setting
      the other option to N as done in this patch.

      * if the single present option is N, the other should be Y.
      This is handled by the "else if" branch of this patch.

      This ensures that the ipv4 option has an effect on Windows,
      where creating the socket with PF_UNSPEC makes an ipv6
      socket.  With this patch, ",ipv4" will result in a PF_INET
      socket instead.

      Reported-by: Sair, Umair <Umair_Sair@xxxxxxxxxx>
      Tested-by: Sair, Umair <Umair_Sair@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5ea530491fe9ac56f75bc1833cc3fd7722b24efd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:49:41 2015 +0200

      MAINTAINERS: Add more devices to realview board

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 062710000dbd9db81277156d9bdebd96b70cd1d2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:45:00 2015 +0200

      MAINTAINERS: Add maintainer for ARM PrimeCell and integrated devices

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9b31bff02153cf86d4413c6289794175662f7c5c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:42:50 2015 +0200

      MAINTAINERS: Add more pxa2xx files and boards

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: Andrzej Zaborowski <balrogg@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c92451c2af29784c76527cc5484c33b4ce069d38
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:36:48 2015 +0200

      MAINTAINERS: Add more Xen files

      Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx?
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 566dd236e1e0bfe9d9bce326547f883d677cf30a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:38:02 2015 +0200

      MAINTAINERS: add two devices to the e500 section

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Scott Wood <scottwood@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3e5385fcf536fc4238eb87de55af8dd99089cad4
  Author: Andy Whitcroft <apw@xxxxxxxxxxxxx>
  Date:   Thu Oct 8 10:05:24 2015 +0200

      checkpatch: port fix from kernel "## is not a valid modifier"

      checkpatch currently loops on fpu/softfloat.c
      Turns out this is fixed in the Linux version of checkpatch.

      So this is a port of Andy Whitcrofts fix from Linux,
      Original commit was commit 89a883530fe7 ("checkpatch: ## is not a
      valid modifier")

      As suggested by Peter Maydell for the QEMU version we drop the last "|"
      as there seems to be no need for that. (FWIW, the kernel discusion about
      that dried out:
      http://www.spinics.net/lists/kernel/msg1944421.html
      )

      Cc: Andy Whitcroft <apw@xxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-Id: <1444291524-66569-1-git-send-email-borntraeger@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b232c7857aa36d144205134c725114541630b1c2
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Tue Oct 6 14:30:57 2015 +1100

      kvm-all: Align to qemu_real_host_page_size in kvm_set_phys_mem

      As the comment in kvm_set_phys_mem() says, KVM works in page size chunks.
      However it uses hardcoded TARGET_PAGE_SIZE which is 4K on most platforms
      while actual host may use different page size, for example, PPC64 hosts
      use 64K system pages.

      This replaces static TARGET_PAGE_SIZE with run-time calculated
      qemu_real_host_page_size.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Message-Id: <1444102257-17405-1-git-send-email-aik@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 88401cbc5b5730986fd5040425f5015a9cce9080
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 11 10:52:46 2015 +0200

      exec: remove non-TCG stuff from exec-all.h header.

      The header is included from basically everywhere, thanks to cpu.h.
      It should be moved to the (TCG only) files that actually need it.
      As a start, remove non-TCG stuff.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 46eb8f98f2ce402e384d60ddd15020720994c7ca
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Wed Sep 16 12:59:44 2015 +0300

      target-i386/kvm: Hyper-V HV_X64_MSR_VP_RUNTIME support

      HV_X64_MSR_VP_RUNTIME msr used by guest to get
      "the time the virtual processor consumes running guest code,
      and the time the associated logical processor spends running
      hypervisor code on behalf of that guest."

      Calculation of that time is performed by task_cputime_adjusted()
      for vcpu task by KVM side.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      CC: "Andreas Färber" <afaerber@xxxxxxx>
      CC: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
      Message-Id: <1442397584-16698-4-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8c145d7ca9b4267d2ec1eabe801c6b2aee636f1f
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Wed Sep 16 12:59:43 2015 +0300

      target-i386/kvm: set Hyper-V features cpuid bit 
HV_X64_MSR_VP_INDEX_AVAILABLE

      Hyper-V features bit HV_X64_MSR_VP_INDEX_AVAILABLE value is
      based on cpu option "hv-vpindex" and kernel support of
      HV_X64_MSR_VP_INDEX.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      CC: "Andreas Färber" <afaerber@xxxxxxx>
      CC: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
      Message-Id: <1442397584-16698-3-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 744b8a9440fa2bd78ae64861667337439e25a6dc
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Wed Sep 16 12:59:42 2015 +0300

      target-i386/kvm: Hyper-V HV_X64_MSR_RESET support

      HV_X64_MSR_RESET msr is used by Hyper-V based Windows guest
      to reset guest VM by hypervisor. This msr is stateless so
      no migration/fetch/update is required.

      This code checks cpu option "hv-reset" and support by
      kernel. If both conditions are met appropriate Hyper-V features
      cpuid bit is set.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      CC: "Andreas Färber" <afaerber@xxxxxxx>
      CC: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
      Message-Id: <1442397584-16698-2-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3a824b1552d68b708c161a900e2956a78d4ea466
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Oct 2 18:19:58 2015 +0200

      linux-headers: update from kvm/next

      linux-headers/linux/vhost.h is currently out of sync with Linux.  Do
      not touch it in this update.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5b906129524d564d61760d04586d6c2301457ead
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 5 14:45:55 2015 +0200

      checkpatch: allow open braces on typedef lines

      The style here seems to be split according to the maintainer, but
      traditionally open braces were placed on typedef lines.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 32857f4d5e165329c03d66000d666975d85f882a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 1 15:29:50 2015 +0100

      exec.c: Collect AddressSpace related fields into a CPUAddressSpace struct

      Gather up all the fields currently in CPUState which deal with the CPU's
      AddressSpace into a separate CPUAddressSpace struct. This paves the way
      for allowing the CPU to know about more than one AddressSpace.

      The rearrangement also allows us to make the MemoryListener a directly
      embedded object in the CPUAddressSpace (it could not be embedded in
      CPUState because 'struct MemoryListener' isn't defined for the user-only
      builds). This allows us to resolve the FIXME in tcg_commit() by going
      directly from the MemoryListener to the CPUAddressSpace.

      This patch extracts the actual update of the cached dispatch pointer
      from cpu_reload_memory_map() (which is renamed accordingly to
      cpu_reloading_memory_map() as it is only responsible for breaking
      cpu-exec.c's RCU critical section now). This lets us keep the definition
      of the CPUAddressSpace struct private to exec.c.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1443709790-25180-4-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 53f8a5e9e2633a4a3b6918c36aec725aa80f2887
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 1 15:29:49 2015 +0100

      cpu-exec-common.c: Clarify comment about cpu_reload_memory_map()'s RCU 
operations

      The reason for cpu_reload_memory_map()'s RCU operations is not
      so much because the guest could make the critical section very
      long, but that it could have a critical section within which
      it made an arbitrary number of changes to the memory map and
      thus accumulate an unbounded amount of memory data structures
      awaiting reclamation. Clarify the comment to make this clearer.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1443709790-25180-3-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0a1c71cec63e95f9b8d0dc96d049d2daa00c5210
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 1 15:29:48 2015 +0100

      exec.c: Don't call cpu_reload_memory_map() from cpu_exec_init()

      Currently we call cpu_reload_memory_map() from cpu_exec_init(),
      but this is not necessary:
       * KVM doesn't use the data structures maintained by
         cpu_reload_memory_map() (the TLB and cpu->memory_dispatch)
       * for TCG, we will call this function via tcg_commit() either
         as soon as tcg_cpu_address_space_init() registers the listener,
         or when the first MemoryRegion is added to the AddressSpace
         if the AS is empty when we register the listener

      The unnecessary call is awkward for adding support for multiple
      address spaces per CPU, so drop it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
      Message-Id: <1443709790-25180-2-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fec21036ff516d20721abc01ae7be99ae5bb0c7b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 4 21:53:03 2015 +0200

      configure: Require Python 2.6

      RHEL-6 and SLES-11 provide Python 2.6.  It'll also work on OS X back
      to 10.6.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441396383-17304-1-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8ef2eb8d2cad7400236d6b2c152bdb5506761b4d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 30 19:21:10 2015 +0200

      megasas: fix megasas_get_sata_addr

      There are two bugs here.  First, the 16-bit id loses the high 8 bits
      when shifted left by 24.  Second, the address must be combined with
      an "or" or we just get zero.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 633dccb458c4eaa40107cd7026737d804f90b6c0
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 12:59:01 2015 +0200

      scsi: switch from g_slice allocator to malloc

      Simplify memory allocation by sticking with a single API.  GSlice
      is not that fast anyway (tcmalloc/jemalloc are better).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1729404c62e1adae501feeaaf61b87262d52ae1b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 12:59:08 2015 +0200

      nbd: switch from g_slice allocator to malloc

      Simplify memory allocation by sticking with a single API.  GSlice
      is not that fast anyway (tcmalloc/jemalloc are better).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5451316ed07b758a187dedf21047bed8f843f7f1
  Merge: 0bf224d 9201bb9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 12 15:52:54 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      Pull request

      v2:
       * Fix virtio 16lx -> HWADDR_PRIx format specifier [Peter]

      # gpg: Signature made Mon 12 Oct 2015 11:19:06 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        sdhci.c: Limit the maximum block size
        block: switch from g_slice allocator to malloc
        virtio dataplane: adapt dataplane for virtio Version 1
        virtio-blk: use blk_io_plug/unplug for Linux AIO batching
        sdhci: Pass drive parameter to sdhci-pci via qdev property

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0bf224d5da41967a775b328234cda2d19f303908
  Merge: 7684922 89b1273
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 12 14:29:29 2015 +0100

      Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' 
into staging

      # gpg: Signature made Mon 12 Oct 2015 08:56:47 BST using RSA key ID 
398D6211
      # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) 
<jasowang@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 
6211

      * remotes/jasowang/tags/net-pull-request:
        tests: add test cases for netfilter object
        netfilter: add a netbuffer filter
        net/queue: export qemu_net_queue_append_iov
        netfilter: print filter info associate with the netdev
        netfilter: add an API to pass the packet to next filter
        net/queue: introduce NetQueueDeliverFunc
        net: merge qemu_deliver_packet and qemu_deliver_packet_iov
        netfilter: hook packets before net queue send
        init/cleanup of netfilter object
        vl.c: init delayed object after net_init_clients
        vmxnet3: Add support for VMXNET3_CMD_GET_ADAPTIVE_RING_INFO command
        e1000: use alias for default model
        vmxnet3: Support reading IMR registers on bar0
        net/vmxnet3: Refine l2 header validation

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9201bb9a8c7cd3ba2382b7db5b2e40f603e61528
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Oct 6 10:40:41 2015 -0700

      sdhci.c: Limit the maximum block size

      It is possible for the guest to set an invalid block
      size which is larger then the fifo_buffer[] array. This
      could cause a buffer overflow.

      To avoid this limit the maximum size of the blksize variable.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reported-by: Intel Security ATR <secure@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
abe4c51f513290bbb85d1ee271cb1a3d463d7561.1444067470.git.alistair.francis@xxxxxxxxxx
      Suggested-by: Igor Mitsyanko <i.mitsyanko@xxxxxxxxx>
      Reported-by: Intel Security ATR <secure@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c84b31926f018af6fea2ab37a1fc47060b4bcfa1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 13:04:39 2015 +0200

      block: switch from g_slice allocator to malloc

      Simplify memory allocation by sticking with a single API.  GSlice
      is not that fast anyway (tcmalloc/jemalloc are better).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a9718ef0005d6910097788936dc40c0204713729
  Author: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 13:33:56 2015 +0200

      virtio dataplane: adapt dataplane for virtio Version 1

      Let dataplane allocate different region for the desc/avail/used
      ring regions.
      Take VIRTIO_RING_F_EVENT_IDX into account to increase the used/avail
      rings accordingly.

      [Fix 32-bit builds by changing 16lx format specifier to HWADDR_PRIx.
      --Stefan]

      Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Message-id: 1441625636-23773-1-git-send-email-pmorel@xxxxxxxxxxxxxxxxxx
      (changed __virtio16 into uint16_t,
       map descriptor table and available ring read-only)
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 768492239014cb5e6161f1be80a9c8043c4530c2
  Merge: c9003eb 33fe968
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 12 11:07:38 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-10-09' into staging

      Fix device introspection regressions

      # gpg: Signature made Fri 09 Oct 2015 14:43:41 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-10-09:
        Revert "qdev: Use qdev_get_device_class() for -device <type>,help"
        qdev: Protect device-list-properties against broken devices
        qmp: Fix device-list-properties not to crash for abstract device
        device-introspect-test: New, covering device introspection
        libqtest: New hmp() & friends
        libqtest: Clean up unused QTestState member sigact_old
        tests: Fix how qom-test is run
        macio: move DBDMA_init from instance_init to realize
        hw: do not pass NULL to memory_region_init from instance_init
        memory: allow destroying a non-empty MemoryRegion
        virtio-input: Fix device introspection on non-Linux hosts
        update-linux-headers: Rename SW_MAX to SW_MAX_

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fc73548e444ae3239f6cef44a5200b5d2c3e85d1
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Jul 20 16:54:16 2015 +0100

      virtio-blk: use blk_io_plug/unplug for Linux AIO batching

      The raw-posix block driver implements Linux AIO batching so multiple
      requests can be submitted with a single io_submit(2) system call.
      Batching is currently only used by virtio-scsi and
      virtio-blk-data-plane.

      Enable batching for regular virtio-blk so the number of io_submit(2)
      system calls is reduced for workloads with queue depth > 1.

      In 4KB random read performance tests with queue depth 32, the CPU
      utilization on the host is reduced by 9.4%.  The fio job is as follows:

        [global]
        bs=4k
        ioengine=libaio
        iodepth=32
        direct=1
        sync=0
        time_based=1
        runtime=30
        clocksource=gettimeofday
        ramp_time=5

        [job1]
        rw=randread
        filename=/dev/vdb
        size=4096M
        write_bw_log=fio
        write_iops_log=fio
        write_lat_log=fio
        log_avg_msec=1000

      This benchmark was run on an raw image on LVM.  The disk was an SSD
      drive and -drive cache=none,aio=native was used.

      Tested-by: Pradeep Surisetty <psuriset@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>

  commit 5ec911c30ff4337d4185e29e82a254349f5a22da
  Author: Kevin O'Connor <kevin@xxxxxxxxxxxx>
  Date:   Mon Aug 17 15:20:33 2015 -0400

      sdhci: Pass drive parameter to sdhci-pci via qdev property

      Commit 19109131 disabled the sdhci-pci support because it used
      drive_get_next().  This patch reenables sdhci-pci and changes it to
      pass the drive via a qdev property - for example:
       -device sdhci-pci,drive=drive0 -drive id=drive0,if=sd,file=myimage

      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin O'Connor <kevin@xxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 89b1273742f45c30927df203532fca0d9a3e1af7
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:22 2015 +0800

      tests: add test cases for netfilter object

      Using qtest qmp interface to implement following cases:
      1) add/remove netfilter
      2) add a netfilter then delete the netdev
      3) add/remove more than one netfilters
      4) add more than one netfilters and then delete the netdev

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 7dbb11c84f25e20301b47a77102db00d68a2c4a4
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:21 2015 +0800

      netfilter: add a netbuffer filter

      This filter is to buffer/release packets. Can be used when using
      MicroCheckpointing or other Remus like VM FT solutions.
      You can also use it to crudely simulate network delay.  Doesn't
      actually delay individual packets, but batches them together, which is
      a delay of sorts.

      Usage:
       -netdev tap,id=bn0
       -object filter-buffer,id=f0,netdev=bn0,queue=rx,interval=1000

      NOTE:
       Interval is in microseconds, it can't be omitted currently, and can't be 
0.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit b68c7f76926dee3f234ccee88f3167b640d9318e
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:20 2015 +0800

      net/queue: export qemu_net_queue_append_iov

      This will be used by buffer filter implementation later to
      queue packets.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit a4960f52e7f402a4b7402ace204283de7b9d4879
  Author: Yang Hongyang <burnef@xxxxxxxxx>
  Date:   Wed Oct 7 11:52:19 2015 +0800

      netfilter: print filter info associate with the netdev

      When execute "info network", print filter info also.
      add a info_str member to NetFilterState, store specific filters
      info.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 7ef7bc8586fb0d41742a896b532c7afa2bbb7f84
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:18 2015 +0800

      netfilter: add an API to pass the packet to next filter

      add an API qemu_netfilter_pass_to_next() to pass the packet
      to next filter.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 3e033a46a7e39ea31e15f1b53402df990977115a
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:17 2015 +0800

      net/queue: introduce NetQueueDeliverFunc

      net/queue.c has logic to send/queue/flush packets but a
      qemu_deliver_packet_iov() call is hardcoded. Abstract this
      func so that we can use our own deliver function in netfilter.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit fefe2a78abde932e0f340b21bded2c86def1d242
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:16 2015 +0800

      net: merge qemu_deliver_packet and qemu_deliver_packet_iov

      qemu_deliver_packet_iov already have the compat delivery, we
      can drop qemu_deliver_packet.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit e64c770d1fa859bd8ee583d339b085fe345ac02b
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:15 2015 +0800

      netfilter: hook packets before net queue send

      Capture packets that will be sent.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit fdccce4596218e49ca4d0f5d4b3f0c453bd99ba0
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:14 2015 +0800

      init/cleanup of netfilter object

      Add a netfilter object based on QOM.

      A netfilter is attached to a netdev, captures all network packets
      that pass through the netdev. When we delete the netdev, we also
      delete the netfilter object attached to it, because if the netdev is
      removed, the filter which attached to it is useless.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 9abce56d7b319b0c78b487720d128706272e0a0c
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:13 2015 +0800

      vl.c: init delayed object after net_init_clients

      Init delayed object after net_init_clients, because netfilters need
      to be initialized after net clients initialized.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit d62241eb6da9bd2517f07b3219ba4208b90b4e0d
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Sep 18 08:55:04 2015 +0300

      vmxnet3: Add support for VMXNET3_CMD_GET_ADAPTIVE_RING_INFO command

      Some drivers (e.g. vmware-tools) issue the 
VMXNET3_CMD_GET_ADAPTIVE_RING_INFO
      command.

      Currently, due to lack of support, a bogus value (-1) is returned.

      Support this command, returning the "adaptive-ring disabled" flag.

      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 8304402033e8dbe8e379017d51ed1dd8344f1dce
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Sep 28 13:37:26 2015 +0800

      e1000: use alias for default model

      Instead of duplicating the "e1000-82540em" device model as "e1000",
      make the latter an alias for the former.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit c6048f849c7e3f009786df76206e895a69de032c
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Sep 21 17:09:02 2015 +0300

      vmxnet3: Support reading IMR registers on bar0

      Instead of asserting, return the actual IMR register value.
      This is aligned with what's returned on ESXi.

      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Tested-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit a7278b36fcab9af469563bd7b9dadebe2ae25e48
  Author: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Aug 18 12:45:55 2015 +0300

      net/vmxnet3: Refine l2 header validation

      Validation of l2 header length assumed minimal packet size as
      eth_header + 2 * vlan_header regardless of the actual protocol.

      This caused crash for valid non-IP packets shorter than 22 bytes, as
      'tx_pkt->packet_type' hasn't been assigned for such packets, and
      'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.

      Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
      Check its return value during packet processing flow.

      As a side effect, in case IPv4 and IPv6 header validation failure,
      corrupt packets will be dropped.

      Signed-off-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit c9003eb4662f44c61be9c8d7d5c9d4a02d58b560
  Merge: b37686f 925a040
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 9 17:30:03 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-virgl-20151008-1' 
into staging

      virtio-gpu: add 3d rendering support using virgl, misc fixes.
      ui/gtk: add opengl context and scanout support (for virtio-gpu).

      # gpg: Signature made Thu 08 Oct 2015 10:35:39 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-virgl-20151008-1:
        gtk/opengl: add opengl context and scanout support (GtkGLArea)
        gtk/opengl: add opengl context and scanout support (egl)
        opengl: add egl-context.[ch] helpers
        virtio-gpu: add cursor update tracepoint
        virtio-gpu: add 3d mode and virgl rendering support.
        virtio-gpu: update headers for virgl/3d
        virtio-gpu: change licence from GPLv2 to GPLv2+
        virtio-gpu: move iov free to virtio_gpu_cleanup_mapping_iov
        ui/console: add opengl context and scanout support interfaces.
        sdl2: stop flickering
        shaders: initialize vertexes once

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 33fe96833015cf15f4c0aa5bf8d34f60526e0732
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:59 2015 +0200

      Revert "qdev: Use qdev_get_device_class() for -device <type>,help"

      This reverts commit 31bed5509dfcbdfc293154ce81086a4dbd7a80b6.

      The reverted commit changed qdev_device_help() to reject abstract
      devices and devices that have cannot_instantiate_with_device_add_yet
      set, to fix crash bugs like -device x86_64-cpu,help.

      Rejecting abstract devices makes sense: they're purely internal, and
      the implementation of the help feature can't cope with them.

      Rejecting non-pluggable devices makes less sense: even though you
      can't use them with -device, the help may still be useful elsewhere,
      for instance with -global.  This is a regression: -device FOO,help
      used to help even for FOO that aren't pluggable.

      The previous two commits fixed the crash bug at a lower layer, so
      reverting this one is now safe.  Fixes the -device FOO,help
      regression, except for the broken devices marked
      cannot_even_create_with_object_new_yet.  For those, the error message
      is improved.

      Example of a device where the regression is fixed:

          $ qemu-system-x86_64 -device PIIX4_PM,help
          PIIX4_PM.command_serr_enable=bool (on/off)
          PIIX4_PM.multifunction=bool (on/off)
          PIIX4_PM.rombar=uint32
          PIIX4_PM.romfile=str
          PIIX4_PM.addr=int32 (Slot and optional function number, example: 06.0 
or 06)
          PIIX4_PM.memory-hotplug-support=bool
          PIIX4_PM.acpi-pci-hotplug-with-bridge-support=bool
          PIIX4_PM.s4_val=uint8
          PIIX4_PM.disable_s4=uint8
          PIIX4_PM.disable_s3=uint8
          PIIX4_PM.smb_io_base=uint32

      Example of a device where it isn't fixed:

          $ qemu-system-x86_64 -device host-x86_64-cpu,help
          Can't list properties of device 'host-x86_64-cpu'

      Both failed with "Parameter 'driver' expects pluggable device type"
      before.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1443689999-12182-11-git-send-email-armbru@xxxxxxxxxx>

  commit 4c315c27661502a0813b129e41c0bf640c34a8d6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:58 2015 +0200

      qdev: Protect device-list-properties against broken devices

      Several devices don't survive object_unref(object_new(T)): they crash
      or hang during cleanup, or they leave dangling pointers behind.

      This breaks at least device-list-properties, because
      qmp_device_list_properties() needs to create a device to find its
      properties.  Broken in commit f4eb32b "qmp: show QOM properties in
      device-list-properties", v2.1.  Example reproducer:

          $ qemu-system-aarch64 -nodefaults -display none -machine none -S -qmp 
stdio
          {"QMP": {"version": {"qemu": {"micro": 50, "minor": 4, "major": 2}, 
"package": ""}, "capabilities": []}}
          { "execute": "qmp_capabilities" }
          {"return": {}}
          { "execute": "device-list-properties", "arguments": { "typename": 
"pxa2xx-pcmcia" } }
          qemu-system-aarch64: /home/armbru/work/qemu/memory.c:1307: 
memory_region_finalize: Assertion `((&mr->subregions)->tqh_first == ((void 
*)0))' failed.
          Aborted (core dumped)
          [Exit 134 (SIGABRT)]

      Unfortunately, I can't fix the problems in these devices right now.
      Instead, add DeviceClass member cannot_destroy_with_object_finalize_yet
      to mark them:

      * Hang during cleanup (didn't debug, so I can't say why):
        "realview_pci", "versatile_pci".

      * Dangling pointer in cpus: most CPUs, plus "allwinner-a10", "digic",
        "fsl,imx25", "fsl,imx31", "xlnx,zynqmp", because they create such
        CPUs

      * Assert kvm_enabled(): "host-x86_64-cpu", host-i386-cpu",
        "host-powerpc64-cpu", "host-embedded-powerpc-cpu",
        "host-powerpc-cpu" (the powerpc ones can't currently reach the
        assertion, because the CPUs are only registered when KVM is enabled,
        but the assertion is arguably in the wrong place all the same)

      Make qmp_device_list_properties() fail cleanly when the device is so
      marked.  This improves device-list-properties from "crashes, hangs or
      leaves dangling pointers behind" to "fails".  Not a complete fix, just
      a better-than-nothing work-around.  In the above reproducer,
      device-list-properties now fails with "Can't list properties of device
      'pxa2xx-pcmcia'".

      This also protects -device FOO,help, which uses the same machinery
      since commit ef52358 "qdev-monitor: include QOM properties in -device
      FOO, help output", v2.2.  Example reproducer:

          $ qemu-system-aarch64 -machine none -device pxa2xx-pcmcia,help

      Before:

          qemu-system-aarch64: .../memory.c:1307: memory_region_finalize: 
Assertion `((&mr->subregions)->tqh_first == ((void *)0))' failed.

      After:

          Can't list properties of device 'pxa2xx-pcmcia'

      Cc: "Andreas Färber" <afaerber@xxxxxxx>
      Cc: "Edgar E. Iglesias" <edgar.iglesias@xxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Blue Swirl <blauwirbel@xxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Guan Xuetao <gxt@xxxxxxxxxxxxxxx>
      Cc: Jia Liu <proljc@xxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Cc: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Cc: Michael Walle <michael@xxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: qemu-ppc@xxxxxxxxxx
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1443689999-12182-10-git-send-email-armbru@xxxxxxxxxx>

  commit edb1523d90415cb79f60f83b4028ef3820d15612
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:57 2015 +0200

      qmp: Fix device-list-properties not to crash for abstract device

      Broken in commit f4eb32b "qmp: show QOM properties in
      device-list-properties", v2.1.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1443689999-12182-9-git-send-email-armbru@xxxxxxxxxx>

  commit 2d1abb850fd15fd6eb75a92290be5f93b2772ec5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:56 2015 +0200

      device-introspect-test: New, covering device introspection

      The test doesn't check that the output makes any sense, only that QEMU
      survives.  Useful since we've had an astounding number of crash bugs
      around there.

      In fact, we have a bunch of them right now: a few devices crash or
      hang, and some leave dangling pointers behind.  The test skips testing
      the broken parts.  The next commits will fix them up, and drop the
      skipping.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443689999-12182-8-git-send-email-armbru@xxxxxxxxxx>

  commit 5fb48d9673b76fc53507a0e717a12968e57d846e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:55 2015 +0200

      libqtest: New hmp() & friends

      New convenience function hmp() to facilitate use of
      human-monitor-command in tests.  Use it to simplify its existing uses.

      To blend into existing libqtest code, also add qtest_hmpv() and
      qtest_hmp().  That, and the egregiously verbose GTK-Doc comment format
      make this patch look bigger than it is.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-Id: <1443689999-12182-7-git-send-email-armbru@xxxxxxxxxx>

  commit 82b15c7bdbda6207d1fee2ec824432e64af3ecb4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:54 2015 +0200

      libqtest: Clean up unused QTestState member sigact_old

      Unused since commit d766825.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443689999-12182-6-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>

  commit e253c287153c6f3ce4177686ac12c196f9bd8292
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:53 2015 +0200

      tests: Fix how qom-test is run

      We want to run qom-test for every architecture, without having to
      manually add it to every architecture's list of tests.  Commit 3687d53
      accomplished this by adding it to every architecture's list
      automatically.

      However, some architectures inherit their tests from others, like this:

          check-qtest-x86_64-y = $(check-qtest-i386-y)
          check-qtest-microblazeel-y = $(check-qtest-microblaze-y)
          check-qtest-xtensaeb-y = $(check-qtest-xtensa-y)

      For such architectures, we ended up running the (slow!) test twice.
      Commit 2b8419c attempted to avoid this by adding the test only when
      it's not already present.  Works only as long as we consider adding
      the test to the architectures on the left hand side *after* the ones
      on the right hand side: x86_64 after i386, microblazeel after
      microblaze, xtensaeb after xtensa.

      Turns out we consider them in $(SYSEMU_TARGET_LIST) order.  Defined as

          SYSEMU_TARGET_LIST := $(subst -softmmu.mak,,$(notdir \
             $(wildcard $(SRC_PATH)/default-configs/*-softmmu.mak)))

      On my machine, this results in the oder xtensa, x86_64, microblazeel,
      microblaze, i386.  Consequently, qom-test runs twice for microblazeel
      and x86_64.

      Replace this complex and flawed machinery with a much simpler one: add
      generic tests (currently just qom-test) to check-qtest-generic-y
      instead of check-qtest-$(target)-y for every target, then run
      $(check-qtest-generic-y) for every target.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1443689999-12182-5-git-send-email-armbru@xxxxxxxxxx>

  commit c7104402353bf32ac1d3a276e3619a20e910506b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:52 2015 +0200

      macio: move DBDMA_init from instance_init to realize

      DBDMA_init is not idempotent, and calling it from instance_init
      breaks a simple object_new/object_unref pair.  Work around this,
      pending qdev-ification of DBDMA, by moving the call to realize.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443689999-12182-4-git-send-email-armbru@xxxxxxxxxx>

  commit 81e0ab48dda611e9571dc2e166840205a4208567
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:51 2015 +0200

      hw: do not pass NULL to memory_region_init from instance_init

      This causes the region to outlive the object, because it attaches the
      region to /machine.  This is not nice for the "realize" method, but
      much worse for "instance_init" because it can cause dangling pointers
      after a simple object_new/object_unref pair.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443689999-12182-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>

  commit 2e2b8eb70fdb7dfbec39f3a19b20f9a73f2f813e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:50 2015 +0200

      memory: allow destroying a non-empty MemoryRegion

      This is legal; the MemoryRegion will simply unreference all the
      existing subregions and possibly bring them down with it as well.
      However, it requires a bit of care to avoid an infinite loop.
      Finalizing a memory region cannot trigger an address space update,
      but memory_region_del_subregion errs on the side of caution and
      might trigger a spurious update: avoid that by resetting mr->enabled
      first.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443689999-12182-2-git-send-email-armbru@xxxxxxxxxx>

  commit c6047e9621f77a65993bcda8f58b676996e24bb5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 8 18:11:40 2015 +0200

      virtio-input: Fix device introspection on non-Linux hosts

      When CONFIG_LINUX is off, devices "virtio-keyboard-device",
      "virtio-mouse-device", "virtio-tablet-device" and
      "virtio-input-host-device" aren't compiled in, yet
      "virtio-keyboard-pci", "virtio-mouse-pci", "virtio-tablet-pci" and
      "virtio-input-host-pci" still are.  Attempts to introspect them crash,
      e.g.

          $ qemu-system-x86_64 -device virtio-tablet-pci,help
          **
          ERROR:/work/armbru/qemu/qom/object.c:333:object_initialize_with_type: 
assertion failed: (type != NULL)

      Broken in commit 710e2d9 and commit 006a5ed.

      Fix by compiling the "virtio-FOO-pci" exactly when compiling the
      "virtio-FOO-device": compile "virtio-keyboard-device",
      "virtio-mouse-device", "virtio-tablet-device" regardless of
      CONFIG_LINUX, and compile "virtio-input-host-pci" only for
      CONFIG_LINUX.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Message-Id: <1444320700-26260-3-git-send-email-armbru@xxxxxxxxxx>

  commit ac98fa849e834f48e5a64cf4b22218ba4047e142
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 8 18:11:39 2015 +0200

      update-linux-headers: Rename SW_MAX to SW_MAX_

      The next commit will compile hw/input/virtio-input.c and
      hw/input/virtio-input-hid.c even when CONFIG_LINUX is off.  These
      files include both "include/standard-headers/linux/input.h" and
      <windows.h> then.  Doesn't work, because both define SW_MAX.  We don't
      actually use it.  Patch input.h to define SW_MAX_ instead.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444320700-26260-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b37686f7e84b22cfaf7fd01ac5133f2617cc3027
  Merge: 8be6e62 98cf48f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 9 12:18:13 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' 
into staging

      # gpg: Signature made Fri 09 Oct 2015 10:15:13 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/tracing-pull-request:
        trace: remove malloc tracing
        docs: update the usage example of "dtrace" backend in tracing.txt

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8be6e623a28497d1dcd10547a573c9143ece525c
  Merge: 1d27b91 deb847b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 9 10:45:09 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-10-08' into staging

      trivial patches for 2015-10-08

      # gpg: Signature made Thu 08 Oct 2015 17:51:05 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-10-08:
        tests: Unique test path for /string-visitor/output
        linux-user: Remove type casts to union type
        linux-user: Use g_new() & friends where that makes obvious sense
        rocker: Use g_new() & friends where that makes obvious sense
        .travis.yml: Run make check for all targets, not just some
        hw: char: Remove unnecessary variable
        hw: timer: Remove unnecessary variable
        qapi: add missing @
        MAINTAINERS: Add NSIS file for W32, W64 hosts
        target-ppc: Remove unnecessary variable
        target-microblaze: Remove unnecessary variable
        s/cpu_get_real_ticks/cpu_get_host_ticks/
        pc: check for underflow in load_linux
        pci-assign: do not include sys/io.h
        block/ssh: remove dead code
        imx_serial: Generate interrupt on tx empty if enabled
        sdhci: Change debug prints to compile unconditionally
        sdhci: use PRIx64 for uint64_t type
        Add .dir-locals.el file to configure emacs coding style

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 98cf48f60aa4999f5b2808569a193a401a390e6a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 16 17:38:44 2015 +0200

      trace: remove malloc tracing

      The malloc vtable is not supported anymore in glib, because it broke
      when constructors called g_malloc.  Remove tracing of g_malloc,
      g_realloc and g_free calls.

      Note that, for systemtap users, glib also provides tracepoints
      glib.mem_alloc, glib.mem_free, glib.mem_realloc, glib.slice_alloc
      and glib.slice_free.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1442417924-25831-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2e4ccbbc64b212c4d1c7008ca58e141d6a984494
  Author: Lin Ma <lma@xxxxxxxx>
  Date:   Fri Sep 11 14:58:50 2015 +0800

      docs: update the usage example of "dtrace" backend in tracing.txt

      The usage example of dtrace is quite ancient, We have tracetool.py with
      different parameters instead of the original tracetool shell script for
      a long time, So update the old information.

      Signed-off-by: Lin Ma <lma@xxxxxxxx>
      Message-id: 1441954730-17341-1-git-send-email-lma@xxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit deb847bfba7ee0ab8151842f5e9cb12d4daad3a3
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Mon Oct 5 12:04:20 2015 +0100

      tests: Unique test path for /string-visitor/output

      Newer GLib's want unique test paths, and thus moan at dupes.
      (Seen on Fedora 23 which has glib 2.46)

      Uniquify the paths.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d1c002b6ae2dc81d97bbe23fe65e1960abdba9a4
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sun Feb 8 15:40:58 2015 +0100

      linux-user: Remove type casts to union type

      Casting to a union type is a gcc (and clang) extension. Other compilers
      might not support it. This is not a problem today, but the type casts
      can be removed easily. Smatch now no longer complains like before:

      linux-user/syscall.c:3190:18: warning: cast to non-scalar
      linux-user/syscall.c:7348:44: warning: cast to non-scalar

      Cc: Riku Voipio <riku.voipio@xxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c78d65e8a7d87badf46eda3a0b41330f5d239132
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:53:03 2015 +0200

      linux-user: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 778358d0a8f74a76488daea3c1b6fb327d8135b4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:52:23 2015 +0200

      rocker: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patchas in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Acked-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Jiri Pirko <jiri@xxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit cb157af23833ca0762125f34b3fe73cfdbac297e
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 15:27:12 2015 +1000

      .travis.yml: Run make check for all targets, not just some

      ed173cb ".travis.yml: remove "make check" from main matrix" stopped 
running
      make check for all the Travis build targets for various reasons.  It
      continued to run make check on one Travis build, which builds for a big
      list of all (? nearly all) our supported softmmu targets.

      Unfortunately, due to a spacing / quoting error it only actually builds 
for
      the alpha, arm, aarch64 and cris targets.  Specifically, the list of
      targets is split over several lines.  Even with YAML folding, this will
      leave spaces in the list, meaning $TARGETS won't have the value we need.

      I had a look at the YAML spec and I couldn't quickly see a way of 
splitting
      the list so that it doesn't end up with spaces, so this patch fixes the
      problem by putting the whole list on one huge line.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 65cb2a14cacbc08c754f3cb41436fe6ece46593a
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Fri Sep 25 20:06:02 2015 +0530

      hw: char: Remove unnecessary variable

      Compress lines and remove the variable.

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit bf5f78efed26054c2ce71e6f4c30ece13bf06e87
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Fri Sep 25 20:06:03 2015 +0530

      hw: timer: Remove unnecessary variable

      Compress lines and remove the variable.

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f169f8fbca3999fe59f37a86822f305f7292949d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Sep 25 16:03:30 2015 +0200

      qapi: add missing @

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 885bdc95b165dc2b63bdc756be4919e948b9d27b
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Fri Sep 25 22:25:32 2015 +0200

      MAINTAINERS: Add NSIS file for W32, W64 hosts

      The NSIS installer configuration is maintained by me.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f9b8e7f63acf9418238444aec654aba249a334ba
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Fri Sep 25 14:07:58 2015 +0530

      target-ppc: Remove unnecessary variable

      Compress lines and remove the variable.

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 738c8b01ba4d020ee42c72e83a6aa3d9408a2530
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Fri Sep 25 14:07:56 2015 +0530

      target-microblaze: Remove unnecessary variable

      Compress lines and remove the variable.

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4a7428c5a7e82f4dde3646e4a8cc8e54f3257e2a
  Author: Christopher Covington <cov@xxxxxxxxxxxxxx>
  Date:   Fri Sep 25 10:42:21 2015 -0400

      s/cpu_get_real_ticks/cpu_get_host_ticks/

      This should help clarify the purpose of the function that returns
      the host system's CPU cycle count.

      Signed-off-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      ppc portion
      Acked-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ec5fd402645fd4f03d89dcd5840b0e8542549e82
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 14 12:07:22 2015 +0200

      pc: check for underflow in load_linux

      If (setup_size+1)*512 is small enough, kernel_size -= setup_size can 
allocate
      a huge amount of memory.  Avoid that.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 16033ba577059c5675e4c786234c46027380c29b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 15 10:47:36 2015 +0200

      pci-assign: do not include sys/io.h

      This file does not exist on bionic libc and the functions it defines
      are in fact not used by pci-assign.c.  Remove it.

      Reported-by: Houcheng Lin <houcheng@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit eab2ac9d3c1675a58989000c2647aa33e440906a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 14 13:12:34 2015 +0200

      block/ssh: remove dead code

      The "err" label cannot be reached with qp != NULL.  Remove the free-ing
      of qp and avoid future regressions by removing the initializer.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      ACKed-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit dc1442204a2235b1ad0c4bdceb3580c97f71f1b5
  Author: Guenter Roeck <linux@xxxxxxxxxxxx>
  Date:   Thu Aug 20 08:52:35 2015 -0700

      imx_serial: Generate interrupt on tx empty if enabled

      Generate an interrupt if the tx buffer is empty and the tx empty interrupt
      is enabled. This fixes a problem seen when running a Linux image since
      Linux commit 55c3cb1358e ("serial: imx: remove unneeded 
imx_transmit_buffer()
      from imx_start_tx()"). Linux now waits for the tx empty interrupt before
      starting to send data, causing transmit stalls until there is an interrupt
      for another reason.

      Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7af0fc994e85c0ff16eda6d7e328427b02a01008
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Mon Sep 7 23:36:41 2015 +0530

      sdhci: Change debug prints to compile unconditionally

      Conditional compilation hides few type mismatch warnings, fix it to
      compile unconditionally.

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit be9c5ddeabb73e9dee2d6922c03ffee4e1f4c8ec
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Mon Sep 7 23:36:40 2015 +0530

      sdhci: use PRIx64 for uint64_t type

      Fix compile time warnings, because of type mismatch for unsigned long
      long type.

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 91288a58a550be4dc80628456d5e1d2e91424827
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Jun 4 14:30:07 2015 +0100

      Add .dir-locals.el file to configure emacs coding style

      Some default emacs setups indent by 2 spaces and uses tabs
      which is counter to the QEMU coding style rules. Adding a
      .dir-locals.el file in the top level of the GIT repo will
      inform emacs about the QEMU coding style, and so assist
      contributors in avoiding common style mistakes before
      they submit patches.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1d27b91723c252d9a97151dc1959cfd89c5816cb
  Merge: 31c9bd1 508ce5e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 8 16:50:34 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20151007.0' into staging

      VFIO updates 2015-10-07

       - Change platform device IRQ setup sequence for compatibility
         with upcoming IRQ forwarding (Eric Auger)
       - Extensions to support vfio-pci devices on spapr-pci-host-bridge
         (David Gibson) [clang problem patch dropped]

      # gpg: Signature made Wed 07 Oct 2015 16:30:52 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20151007.0:
        vfio: Allow hotplug of containers onto existing guest IOMMU mappings
        memory: Allow replay of IOMMU mapping notifications
        vfio: Record host IOMMU's available IO page sizes
        vfio: Check guest IOVA ranges against host IOMMU capabilities
        vfio: Generalize vfio_listener_region_add failure path
        vfio: Remove unneeded union from VFIOContainer
        hw/vfio/platform: do not set resamplefd for edge-sensitive IRQS
        hw/vfio/platform: change interrupt/unmask fields into pointer
        hw/vfio/platform: irqfd setup sequence update

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 31c9bd164ddb653915b9029ba0edd40cd57530d9
  Merge: ca4e4b8 126d89e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 8 15:33:56 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20151007' into 
staging

      Do away with TB retranslation

      # gpg: Signature made Wed 07 Oct 2015 10:42:08 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20151007: (26 commits)
        tcg: Adjust CODE_GEN_AVG_BLOCK_SIZE
        tcg: Check for overflow via highwater mark
        tcg: Allocate a guard page after code_gen_buffer
        tcg: Emit prologue to the beginning of code_gen_buffer
        tcg: Remove tcg_gen_code_search_pc
        tcg: Remove gen_intermediate_code_pc
        tcg: Save insn data and use it in cpu_restore_state_from_tb
        tcg: Pass data argument to restore_state_to_opc
        tcg: Add TCG_MAX_INSNS
        target-*: Drop cpu_gen_code define
        tcg: Merge cpu_gen_code into tb_gen_code
        target-sparc: Add npc state to insn_start
        target-sparc: Remove gen_opc_jump_pc
        target-sparc: Split out gen_branch_n
        target-sparc: Tidy gen_branch_a interface
        target-cris: Mirror gen_opc_pc into insn_start
        target-sh4: Add flags state to insn_start
        target-s390x: Add cc_op state to insn_start
        target-mips: Add delayed branch state to insn_start
        target-i386: Add cc_op state to insn_start
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca4e4b82848982311a40d0937c1de9db1108fdb0
  Merge: fb6345f fec7daa
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 8 13:37:04 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tile-20151007' into 
staging

      Collected patches

      # gpg: Signature made Wed 07 Oct 2015 10:30:17 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tile-20151007:
        target-tilegx: Support iret instruction and related special registers
        target-tilegx: Use TILEGX_EXCP_OPCODE_UNKNOWN and 
TILEGX_EXCP_OPCODE_UNIMPLEMENTED correctly
        target-tilegx: Implement v2mults instruction
        target-tilegx: Implement v?int_* instructions.
        target-tilegx: Implement v2sh* instructions
        target-tilegx: Handle nofault prefetch instructions
        target-tilegx: Fix a typo for mnemonic about "ld_add"
        target-tilegx: Use TILEGX_EXCP_SIGNAL instead of TILEGX_EXCP_SEGV
        target-tilegx: Decode ill pseudo-instructions
        linux-user/tilegx: Implement tilegx signal features
        linux-user/syscall_defs.h: Sync the latest si_code from Linux kernel
        target-tilegx: Let x1 pipe process bpt instruction only
        target-tilegx: Implement complex multiply instructions
        target-tilegx: Implement table index instructions
        target-tilegx: Implement crc instructions
        target-tilegx: Implement v1multu instruction
        target-tilegx: Implement v*add and v*sub instructions
        target-tilegx: Implement v*shl, v*shru, and v*shrs instructions
        target-tilegx: Tidy simd_helper.c

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fb6345f452ba7cefb395389abb17d0af0e42c54b
  Merge: eed2df6 32532f2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 8 11:28:17 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-10-06

      # gpg: Signature made Tue 06 Oct 2015 20:53:42 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/numa-pull-request:
        pc-dimm: Fail realization for invalid nodes in non-NUMA config

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 925a04000231ad865770ba227876ba518ac3e479
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue May 26 12:26:21 2015 +0200

      gtk/opengl: add opengl context and scanout support (GtkGLArea)

      This allows virtio-gpu to render in 3d mode.
      Uses native opengl support which is present
      in gtk versions 3.16 and newer.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 4782aeb79fbcb70bb96b52f6d9bc7cadb3cf7d58
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri May 8 11:30:51 2015 +0200

      gtk/opengl: add opengl context and scanout support (egl)

      This allows virtio-gpu to render in 3d mode.
      Uses egl, for gtk versions 3.14 and older.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 6c18744d0f99138cb19cd9d1241d7b11c478a944
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 29 10:08:04 2015 +0200

      opengl: add egl-context.[ch] helpers

      Add helper functions to manage opengl contexts using egl.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit e9c1b459f28fb4dce52dd5afa6a1ad7fb00ee5e2
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 2 08:30:27 2015 +0200

      virtio-gpu: add cursor update tracepoint

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 9d9e152136bdaa75ea98e5c2105f2a7127e369eb
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 11 12:51:43 2014 +0200

      virtio-gpu: add 3d mode and virgl rendering support.

      Add virglrenderer library detection.  Add 3d mode to virtio-gpu,
      wire up virglrenderer library.  When in 3d mode render using the
      new context management and texture scanout callbacks.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit bc79e96442283471c92c8ea7ae15563274f7b0cb
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri May 22 15:38:33 2015 +0200

      virtio-gpu: update headers for virgl/3d

      Sync with linux kernel headers with virgl/3d patches applied.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 2e2521452e28399dbc6fecec56d5bbb29f9b6796
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 16 09:15:15 2015 +0200

      virtio-gpu: change licence from GPLv2 to GPLv2+

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 7f3be0f20ff8d976ab982cc06026cac0600f1fb6
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Sep 15 09:23:14 2015 +0200

      virtio-gpu: move iov free to virtio_gpu_cleanup_mapping_iov

      For symmetry reasons: virtio_gpu_create_mapping_iov() allocates it so
      virtio_gpu_cleanup_mapping_iov() should free it, otherwise it's easy to
      miss a free() needed and leak memory.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 06020b950c0a6a73cbee0527af846b05679c937a
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 11 13:56:51 2014 +0200

      ui/console: add opengl context and scanout support interfaces.

      Add callbacks for opengl context management and scanout texture
      configuration to DisplayChangeListenerOps.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 136a8d9d444560f71fca89f27475cfeaffa19cf3
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jun 12 12:16:02 2015 +0200

      sdl2: stop flickering

      Optimizing updates by copying the dirty rectangle
      only do not work because of double-buffering.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit c046d8284474a0f7763dea849433bde37a69023d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 10 14:40:01 2015 +0200

      shaders: initialize vertexes once

      Create a buffer for the vertex data and place vertexes
      there at initialization time.  Then just use the buffer
      for each texture blit.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 126d89e8cdfa3be15d51f76906eaccbcd0023f98
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Sep 26 09:23:42 2015 -0700

      tcg: Adjust CODE_GEN_AVG_BLOCK_SIZE

      At present, the "average" guestimate of TB size is way too small, leading
      to many unused entries in the pre-allocated TB array.  For a guest with 
1GB
      ram, we're currently allocating 256MB for the array.

      Survey arm, alpha, aarch64, ppc, sparc, i686, x86_64 guests running on
      x86_64 and ppc64 hosts and select a new average.  The size of the array
      drops to 81MB with no more flushing than before.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b125f9dc7bd68cd4c57189db4da83b0620b28a72
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 22 13:01:15 2015 -0700

      tcg: Check for overflow via highwater mark

      We currently pre-compute an worst case code size for any TB, which
      works out to be 122kB.  Since the average TB size is near 1kB, this
      wastes quite a lot of storage.

      Instead, check for overflow in between generating code for each opcode.
      The overhead of the check isn't measurable and wastage is minimized.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f293709c6af7a65a9bcec09cdba7a60183657a3e
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Sep 19 12:03:15 2015 -0700

      tcg: Allocate a guard page after code_gen_buffer

      This will catch any overflow of the buffer.

      Add a native win32 alternative for alloc_code_gen_buffer;
      remove the malloc alternative.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8163b74938d8b7d12e70597c4553dd0dc49443d5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Sep 18 23:43:05 2015 -0700

      tcg: Emit prologue to the beginning of code_gen_buffer

      By putting the prologue at the end, we risk overwriting the
      prologue should our estimate of maximum TB size.  Given the
      two different placements of the call to tcg_prologue_init,
      move the high water mark computation into tcg_prologue_init.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 04fe64000162c45d8974da9ca4d266f8d0e67eb7
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 20:07:48 2015 -0700

      tcg: Remove tcg_gen_code_search_pc

      It's no longer used, so tidy up everything reached by it.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4e5e1215156662b2b153255c49d4640d82c5568b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 20:01:40 2015 -0700

      tcg: Remove gen_intermediate_code_pc

      It is no longer used, so tidy up everything reached by it.
      This includes the gen_opc_* arrays, the search_pc parameter
      and the inline gen_intermediate_code_internal functions.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fca8a500d519a56abeaedf8073167a61d3c6b9c4
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 19:11:45 2015 -0700

      tcg: Save insn data and use it in cpu_restore_state_from_tb

      We can now restore state without retranslation.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bad729e272387de7dbfa3ec4319036552fc6c107
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 15:51:12 2015 -0700

      tcg: Pass data argument to restore_state_to_opc

      The gen_opc_* arrays are already redundant with the data stored in
      the insn_start arguments.  Transition restore_state_to_opc to use
      data from the latter.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 190ce7fbc79fd0883a6170d7f30da59d366e6830
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 14:34:41 2015 -0700

      tcg: Add TCG_MAX_INSNS

      Adjust all translators to respect it.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit dc03246cc377268db63abc8c5663ef571aec2eea
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 27 18:18:09 2015 -0700

      target-*: Drop cpu_gen_code define

      This symbol no longer exists.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fec88f64bda27846add83e924c8f4def9d94e068
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 27 18:17:40 2015 -0700

      tcg: Merge cpu_gen_code into tb_gen_code

      As it's only caller, this tidies things a bit.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a3d5ad761cafc669e25f4185e63d8d758a989135
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 13:30:52 2015 -0700

      target-sparc: Add npc state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6c42444f9a53b6af39d46008cb9f650b11e96cb9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 13:24:44 2015 -0700

      target-sparc: Remove gen_opc_jump_pc

      Since jump_pc[1] is always npc + 4, we can infer after incrementing
      that jump_pc[1] == pc + 4.  Because of that, we can encode the branch
      destination into a single word, and store that in npc.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2bf2e019ed0a6349220620240c0ba807846793b9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 13:01:47 2015 -0700

      target-sparc: Split out gen_branch_n

      Unify three copies of this code from different
      branch types.  Fix the case when npc == DYNAMIC_PC,
      i.e. a branch within a delay slot.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bfa31b765798139804ce9e5e35c7e142d233df31
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 12:44:16 2015 -0700

      target-sparc: Tidy gen_branch_a interface

      We always pass pc2 == dc->npc and r_cond == cpu_cond,
      and always set is_br afterward.  Infer all of that.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bd03c791a6ed1bb7aec17df15cfeea649362e8fd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:35:14 2015 -0700

      target-cris: Mirror gen_opc_pc into insn_start

      This perhaps isn't ideal in terms of (ab)using the "pc" field
      to encode both pc and ppc + delay branch state, as one has to
      be aware of this when examining opcode dumps.

      But it preserves existing logic, which will be good for bisection,
      and it certainly does save storage space.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 07f3c16ced2b869228d58683c1dea06e3e1c9aa5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:28:52 2015 -0700

      target-sh4: Add flags state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a3fd522048f6728d8259e14596c9632c7c67305a
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:26:10 2015 -0700

      target-s390x: Add cc_op state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c20d594e45bc8c4b21be1a7637cba0f279f72879
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:25:36 2015 -0700

      target-mips: Add delayed branch state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2066d09516ba34d0d180fdea451436d9babb3308
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:24:58 2015 -0700

      target-i386: Add cc_op state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 52e971d9ff67e340ac2a86bd67e14bd31c7991e0
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:22:06 2015 -0700

      target-arm: Add condexec state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9aef40ed1f6e2bd794bbb3ba8c8b773e506334c9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:21:33 2015 -0700

      tcg: Allow extra data to be attached to insn_start

      With an eye toward having this data replace the gen_opc_* arrays
      that each target collects in order to enable restore_state_from_tb.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b933066ae03d924a92b2616b4a24e7d91cd5b841
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Sep 17 15:58:10 2015 -0700

      target-*: Introduce and use cpu_breakpoint_test

      Reduce the boilerplate required for each target.  At the same time,
      move the test for breakpoint after calling tcg_gen_insn_start.

      Note that arm and aarch64 do not use cpu_breakpoint_test, but still
      move the inline test down after tcg_gen_insn_start.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 959082fc4a93a016a6b697e1e0c2b373d8a3a373
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Sep 17 14:25:46 2015 -0700

      target-*: Increment num_insns immediately after tcg_gen_insn_start

      This does tidy the icount test common to all targets.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 667b8e29c5b1d8c5b4e6ad5f780ca60914eb6e96
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 29 12:59:29 2015 -0700

      target-*: Unconditionally emit tcg_gen_insn_start

      While we're at it, emit the opcode adjacent to where we currently
      record data for search_pc.  This puts gen_io_start et al on the
      "correct" side of the marker.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 765b842adec4c5a359e69ca08785553599f71496
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 29 12:37:33 2015 -0700

      tcg: Rename debug_insn_start to insn_start

      With an eye toward making it mandatory.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fec7daab3d63b7b2ca61581fffc40142b22b2bd5
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 17:41:14 2015 +0800

      target-tilegx: Support iret instruction and related special registers

      EX_CONTEXT_0_0 is used for jumping address, and EX_CONTEXT_0_1 is for
      INTERRUPT_CRITICAL_SECTION, which should only be 0 or 1 in user mode, or
      it will cause target SIGILL (and the patch doesn't support system mode).

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 77b3adc0012153e629b48b710ad19a8b544bb507
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 13:34:33 2015 +0800

      target-tilegx: Use TILEGX_EXCP_OPCODE_UNKNOWN and 
TILEGX_EXCP_OPCODE_UNIMPLEMENTED correctly

      For some cases, they are for TILEGX_EXCP_OPCODE_UNKNOWN, not for
      TILEGX_EXCP_OPCODE_UNIMPLEMENTED.

      Also for some cases, they are for TILEGX_EXCP_OPCODE_UNIMPLEMENTED, not
      for TILEGX_EXCP_OPCODE_UNKNOWN.

      When analyzing issues, the correct printing information is necessary,
      e.g. grep UIMP in gcc testsuite output log for finding qemu tilegx
      umimplementation issues, grep UNKNOWN for finding unknown instructions.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a419e22d703667211521d4257df294047c13eca3
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 19:01:27 2015 +0800

      target-tilegx: Implement v2mults instruction

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443956491-26850-3-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit aaf893a6ad6c7c0a986638ba599000e13f9f4182
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 19:01:26 2015 +0800

      target-tilegx: Implement v?int_* instructions.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443956491-26850-2-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 78affcb798516dcb5d44a7ed598d79dcd42cd988
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 19:01:25 2015 +0800

      target-tilegx: Implement v2sh* instructions

      It is just according to v1sh* instructions implementation.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443956491-26850-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 133b84c819166a6da1425a007cf44d7a96d507a4
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Oct 1 12:32:52 2015 +1000

      target-tilegx: Handle nofault prefetch instructions

      These are mapped onto some of the normal load instructions, when the
      destination is the zero register.  Other load insns do fault even
      when targeting the zero register.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 95df61e6238c79c2dc14f2bffa76abb2bd3acba7
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Wed Sep 30 05:38:40 2015 +0800

      target-tilegx: Fix a typo for mnemonic about "ld_add"

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443562720-3008-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a0577d2aa9bd42d5d584fa03649a166ba45c2f3d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Sep 27 14:26:04 2015 -0700

      target-tilegx: Use TILEGX_EXCP_SIGNAL instead of TILEGX_EXCP_SEGV

      Consolidate signal handling under a single exception.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit dd8070d865ad1b32876931f812a80645f97112ff
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sat Sep 26 13:00:35 2015 +0800

      target-tilegx: Decode ill pseudo-instructions

      Notice raise and bpt, decoding the constants embedded in the
      nop addil instruction in the x0 slot.

      [rth: Generalize TILEGX_EXCP_OPCODE_ILL to TILEGX_EXCP_SIGNAL.
      Drop validation of signal values.]

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443243635-4886-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bf0f60a61b92f4f9ddf09a3cf4fc41796fa42aed
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Sep 27 08:10:18 2015 +0800

      linux-user/tilegx: Implement tilegx signal features

      [rth: Remove the spreg[EX1] handling, as it's irrelevant to user-mode.]

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443312618-13641-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit de2fdd56b11f4207e6614ee2f56039ef240399f1
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sat Sep 26 12:10:05 2015 +0800

      linux-user/syscall_defs.h: Sync the latest si_code from Linux kernel

      They content several new macro members, also contents TARGET_N*.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443240605-2924-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f723287944c30f1bf230f08b4fb03d6d11a16504
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sat Sep 26 07:42:54 2015 +0800

      target-tilegx: Let x1 pipe process bpt instruction only

      According to the related document, bpt can be only in x1 pipe.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443224574-2718-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9ff5b57c219f38f025b95ebf4b593b5d4e828b53
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 23 10:43:48 2015 -0700

      target-tilegx: Implement complex multiply instructions

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0b4232f10895e863b1759a93ba0d0a1b3380dc31
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 23 10:19:44 2015 -0700

      target-tilegx: Implement table index instructions

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ba1fc78f65fdea9d4b14d6449514c1351ad64fa4
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 23 10:12:16 2015 -0700

      target-tilegx: Implement crc instructions

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 38c949ffe7497b1d833bca5f70b22c87df9bd567
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Tue Sep 22 06:26:54 2015 +0800

      target-tilegx: Implement v1multu instruction

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1442874414-3578-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c6876d7e1c3ff04a9b9f751f6260bf427ab8cf1a
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Tue Sep 22 06:18:38 2015 +0800

      target-tilegx: Implement v*add and v*sub instructions

      [rth: Implement everything inline; handle v1addi and v2addi as well.]

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1442873918-3394-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0ab0a3d768a4f6ab6747b6fd936c5cf70b5069c2
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Tue Sep 22 05:47:35 2015 +0800

      target-tilegx: Implement v*shl, v*shru, and v*shrs instructions

      v2sh* are implemented with helper functions; v4sh* are implmeneted
      with inline code.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1442872055-2836-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 055130107683c3b199c1848a25e5e2c568230cbf
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 21 17:27:11 2015 -0700

      target-tilegx: Tidy simd_helper.c

      Using the V1 macro when we want to replicate a byte across
      the 8 elements of the word.  Using deposit and extract for
      manipulating specific elements.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 32532f215c49f005aaef942adfae34cbcc5fa678
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 17 18:19:40 2015 +0530

      pc-dimm: Fail realization for invalid nodes in non-NUMA config

      pc_dimm_realize() validates the NUMA node to which memory hotplug is
      being performed only in case of NUMA configuration. Include a check to
      fail for invalid nodes in case of non-NUMA configuration too.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit eed2df678574f7f17947180a01127a8ba673a226
  Merge: 5fdb467 d9f090e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 6 16:32:16 2015 +0100

      Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20151006' 
into staging

      s390: fixes

      Some fixes all over the place:
      - ccw bios and gcc 5.1 (avoid floating point ops)
      - properly print vector registers
      - sclp and sclp-event-facility no longer hang on 
object_unref(object_new(T))
      - better name for io_subsystem_reset

      One feature
      - the gdb server now exposes several virtualization specific register

      # gpg: Signature made Tue 06 Oct 2015 11:20:24 BST using RSA key ID 
B5A61C7C
      # gpg: Good signature from "Christian Borntraeger (IBM) 
<borntraeger@xxxxxxxxxx>"

      * remotes/borntraeger/tags/s390x-20151006:
        s390x: rename io_subsystem_reset -> subsystem_reset
        s390x/info registers: print vector registers properly
        s390x: set missing parent for hotplug and quiesce events
        s390x/gdb: expose virtualization specific registers
        pc-bios/s390-ccw: avoid floating point operations

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5fdb4671b08e0d1631447e81348b2b50a6b85bf7
  Merge: 006d5c7 dfeb867
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 6 13:42:33 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-10-05

      # gpg: Signature made Mon 05 Oct 2015 17:04:38 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        icc_bus: drop the unused files
        cpu/apic: drop icc bus/bridge
        x86: use new method to correct reset sequence
        apic: move APIC's MMIO region mapping into APIC
        Correctly re-init EFER state during INIT IPI
        target-i386: add ABM to Haswell* and Broadwell* CPU models
        target-i386: get/put MSR_TSC_AUX across reset and migration
        target-i386: Make check_hw_breakpoints static
        target-i386: Move breakpoint related functions to new file
        target-i386: Convert kvm_default_*features to property/value pairs
        vl: Add another sanity check to smp_parse() function
        cpu: Introduce X86CPUTopoInfo structure for argument simplification

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 006d5c741bbfcdbedeb59e14527fe58d45c9c76b
  Merge: 7fe34ca ec6b69c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 6 12:09:56 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Mon 05 Oct 2015 17:01:11 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        qtest/ide-test: ppc64be correction for ATAPI tests
        MAINTAINERS: Small IDE/FDC touchup
        qtest/ahci: fix redundant assertion

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7fe34ca9c2e99560dc65395d599a6920624b127d
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 6 10:17:55 2015 +0100

      tests: vhost-user: disable unless CONFIG_VHOST_NET

      vhost-user depends on vhost-net. We should probably fix that.
      For now, let's disable the test otherwise.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 508ce5eb00070809f0d19917a1b2960dfcf5a64b
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:56 2015 +1000

      vfio: Allow hotplug of containers onto existing guest IOMMU mappings

      At present the memory listener used by vfio to keep host IOMMU mappings
      in sync with the guest memory image assumes that if a guest IOMMU
      appears, then it has no existing mappings.

      This may not be true if a VFIO device is hotplugged onto a guest bus
      which didn't previously include a VFIO device, and which has existing
      guest IOMMU mappings.

      Therefore, use the memory_region_register_iommu_notifier_replay()
      function in order to fix this case, replaying existing guest IOMMU
      mappings, bringing the host IOMMU into sync with the guest IOMMU.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a788f227ef7bd2912fcaacdfe13d13ece2998149
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:55 2015 +1000

      memory: Allow replay of IOMMU mapping notifications

      When we have guest visible IOMMUs, we allow notifiers to be registered
      which will be informed of all changes to IOMMU mappings.  This is used by
      vfio to keep the host IOMMU mappings in sync with guest IOMMU mappings.

      However, unlike with a memory region listener, an iommu notifier won't be
      told about any mappings which already exist in the (guest) IOMMU at the
      time it is registered.  This can cause problems if hotplugging a VFIO
      device onto a guest bus which had existing guest IOMMU mappings, but 
didn't
      previously have an VFIO devices (and hence no host IOMMU mappings).

      This adds a memory_region_iommu_replay() function to handle this case.  It
      replays any existing mappings in an IOMMU memory region to a specified
      notifier.  Because the IOMMU memory region doesn't internally remember the
      granularity of the guest IOMMU it has a small hack where the caller must
      specify a granularity at which to replay mappings.

      If there are finer mappings in the guest IOMMU these will be reported in
      the iotlb structures passed to the notifier which it must handle (probably
      causing it to flag an error).  This isn't new - the VFIO iommu notifier
      must already handle notifications about guest IOMMU mappings too short
      for it to represent in the host IOMMU.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 7a140a57c69293a2f19b045f40953a87879e8c76
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:54 2015 +1000

      vfio: Record host IOMMU's available IO page sizes

      Depending on the host IOMMU type we determine and record the available 
page
      sizes for IOMMU translation.  We'll need this for other validation in
      future patches.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 3898aad323475cf19127d9fc0846954d591d8e11
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:53 2015 +1000

      vfio: Check guest IOVA ranges against host IOMMU capabilities

      The current vfio core code assumes that the host IOMMU is capable of
      mapping any IOVA the guest wants to use to where we need.  However, real
      IOMMUs generally only support translating a certain range of IOVAs (the
      "DMA window") not a full 64-bit address space.

      The common x86 IOMMUs support a wide enough range that guests are very
      unlikely to go beyond it in practice, however the IOMMU used on IBM Power
      machines - in the default configuration - supports only a much more 
limited
      IOVA range, usually 0..2GiB.

      If the guest attempts to set up an IOVA range that the host IOMMU can't
      map, qemu won't report an error until it actually attempts to map a bad
      IOVA.  If guest RAM is being mapped directly into the IOMMU (i.e. no guest
      visible IOMMU) then this will show up very quickly.  If there is a guest
      visible IOMMU, however, the problem might not show up until much later 
when
      the guest actually attempt to DMA with an IOVA the host can't handle.

      This patch adds a test so that we will detect earlier if the guest is
      attempting to use IOVA ranges that the host IOMMU won't be able to deal
      with.

      For now, we assume that "Type1" (x86) IOMMUs can support any IOVA, this is
      incorrect, but no worse than what we have already.  We can't do better for
      now because the Type1 kernel interface doesn't tell us what IOVA range the
      IOMMU actually supports.

      For the Power "sPAPR TCE" IOMMU, however, we can retrieve the supported
      IOVA range and validate guest IOVA ranges against it, and this patch does
      so.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ac6dc3894fbb6775245565229953879a0263d27f
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:52 2015 +1000

      vfio: Generalize vfio_listener_region_add failure path

      If a DMA mapping operation fails in vfio_listener_region_add() it
      checks to see if we've already completed initial setup of the
      container.  If so it reports an error so the setup code can fail
      gracefully, otherwise throws a hw_error().

      There are other potential failure cases in vfio_listener_region_add()
      which could benefit from the same logic, so move it to its own
      fail: block.  Later patches can use this to extend other failure cases
      to fail as gracefully as possible under the circumstances.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ee0bf0e59bb1c07c0196142f2ecfd88f7f8b194e
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:51 2015 +1000

      vfio: Remove unneeded union from VFIOContainer

      Currently the VFIOContainer iommu_data field contains a union with
      different information for different host iommu types.  However:
         * It only actually contains information for the x86-like "Type1" iommu
         * Because we have a common listener the Type1 fields are actually used
      on all IOMMU types, including the SPAPR TCE type as well

      In fact we now have a general structure for the listener which is unlikely
      to ever need per-iommu-type information, so this patch removes the union.

      In a similar way we can unify the setup of the vfio memory listener in
      vfio_connect_container() that is currently split across a switch on iommu
      type, but is effectively the same in both cases.

      The iommu_data.release pointer was only needed as a cleanup function
      which would handle potentially different data in the union.  With the
      union gone, it too can be removed.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a5b39cd3f647eaaaef5b648beda5cb2f387418c0
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Oct 5 12:30:12 2015 -0600

      hw/vfio/platform: do not set resamplefd for edge-sensitive IRQS

      In irqfd mode, current code attempts to set a resamplefd whatever
      the type of the IRQ. For an edge-sensitive IRQ this attempt fails
      and as a consequence, the whole irqfd setup fails and we fall back
      to the slow mode. This patch bypasses the resamplefd setting for
      non level-sentive IRQs.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a22313deca720e038ebc5805cf451b3a685d29ce
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Oct 5 12:30:12 2015 -0600

      hw/vfio/platform: change interrupt/unmask fields into pointer

      unmask EventNotifier might not be initialized in case of edge
      sensitive irq. Using EventNotifier pointers make life simpler to
      handle the edge-sensitive irqfd setup.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 58892b447f0ffcd0967bc6f1bcb40df288ebeebc
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Oct 5 12:30:12 2015 -0600

      hw/vfio/platform: irqfd setup sequence update

      With current implementation, eventfd VFIO signaling is first set up and
      then irqfd is setup, if supported and allowed.

      This start sequence causes several issues with IRQ forwarding setup
      which, if supported, is transparently attempted on irqfd setup:
      IRQ forwarding setup is likely to fail if the IRQ is detected as under
      injection into the guest (active at irqchip level or VFIO masked).

      This currently always happens because the current sequence explicitly
      VFIO-masks the IRQ before setting irqfd.

      Even if that masking were removed, we couldn't prevent the case where
      the IRQ is under injection into the guest.

      So the simpler solution is to remove this 2-step startup and directly
      attempt irqfd setup. This is what this patch does.

      Also in case the eventfd setup fails, there is no reason to go farther:
      let's abort.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ec6b69ca0305ab3a3e0461aecb6f190c59a765df
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Oct 5 12:00:56 2015 -0400

      qtest/ide-test: ppc64be correction for ATAPI tests

      the 16bit ide data register is LE by definition.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1443461938-30039-1-git-send-email-jsnow@xxxxxxxxxx

  commit aee50319873da4ed1c1d6901260c37d6236c74b5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Oct 5 12:00:56 2015 -0400

      MAINTAINERS: Small IDE/FDC touchup

      libqos/ahci and tests/fdc-test are under my purview also,
      include them in the appropriate stanzas.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1443117055-29240-1-git-send-email-jsnow@xxxxxxxxxx

  commit 3d937150dce20cb95cbaae99b6fd48dca4261f32
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Oct 5 12:00:55 2015 -0400

      qtest/ahci: fix redundant assertion

      Fixes https://bugs.launchpad.net/qemu/+bug/1497711

      (!ncq || (ncq && lba48)) is the same as
      (!ncq || lba48).

      The intention is simply: "If a command is NCQ,
      it must also be LBA48."

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1442868929-17777-1-git-send-email-jsnow@xxxxxxxxxx

  commit dfeb8679db358e1f8e0ee4dd84f903d71f000378
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 17:19:15 2015 +0800

      icc_bus: drop the unused files

      ICC bus impl has been droped, so all icc related files are not useful
      any more; delete them.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 46232aaacb66733d3e16dcbd0d26c32ec388801d
  Author: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 17:19:14 2015 +0800

      cpu/apic: drop icc bus/bridge

      After CPU hotplug has been converted to BUS-less hot-plug infrastructure,
      the only function ICC bus performs is to propagate reset to LAPICs. 
However
      LAPIC could be reset by registering its reset handler after all device are
      initialized.
      Do so and drop ~30LOC of not needed anymore ICCBus related code.

      Signed-off-by: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit ae50c55a09b8a90205972518d8129447000ae188
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 17:19:13 2015 +0800

      x86: use new method to correct reset sequence

      During reset some devices (such as hpet, rtc) might send IRQ to APIC
      which changes APIC's state from default one it's supposed to have
      at machine startup time.
      Fix this by resetting APIC after devices have been reset to cancel
      any changes that qemu_devices_reset() might have done to its state.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 8d42d2d32b508484106f1c600f5cdd5496bc867e
  Author: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 17:19:11 2015 +0800

      apic: move APIC's MMIO region mapping into APIC

      When ICC bus/bridge is removed, APIC MMIO will be left
      unmapped since it was mapped into system's address space
      indirectly by ICC bridge.
      Fix it by moving mapping into APIC code, so it would be
      possible to remove ICC bus/bridge code later.

      Signed-off-by: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 2188cc52cb363433751f72b991d8fb05fc60e39d
  Author: Bill Paul <wpaul@xxxxxxxxxxxxx>
  Date:   Wed Sep 30 15:33:29 2015 -0700

      Correctly re-init EFER state during INIT IPI

      When doing a re-initialization of a CPU core, the default state is to 
_not_
      have 64-bit long mode enabled. This means the LME (long mode enable) and 
LMA
      (long mode active) bits in the EFER model-specific register should be 
cleared.

      However, the EFER state is part of the CPU environment which is
      preserved by do_cpu_init(), so if EFER.LME and EFER.LMA were set at the
      time an INIT IPI was received, they will remain set after the init 
completes.

      This is contrary to what the Intel architecture manual describes and what
      happens on real hardware, and it leaves the CPU in a weird state that the
      guest can't clear.

      To fix this, the 'efer' member of the CPUX86State structure has been moved
      to an area outside the region preserved by do_cpu_init(), so that it can
      be properly re-initialized by x86_cpu_reset().

      Signed-off-by: Bill Paul <wpaul@xxxxxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit becb66673ec30cb604926d247ab9449a60ad8b11
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 28 14:00:18 2015 +0200

      target-i386: add ABM to Haswell* and Broadwell* CPU models

      ABM is only implemented as a single instruction set by AMD; all AMD
      processors support both instructions or neither. Intel considers POPCNT
      as part of SSE4.2, and LZCNT as part of BMI1, but Intel also uses AMD's
      ABM flag to indicate support for both POPCNT and LZCNT.  It has to be
      added to Haswell and Broadwell because Haswell, by adding LZCNT, has
      completed the ABM.

      Tested with "qemu-kvm -cpu Haswell-noTSX,enforce" (and also with older
      machine types) on an Haswell-EP machine.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit c9b8f6b6210847b4381c5b2ee172b1c7eb9985d6
  Author: Amit Shah <amit.shah@xxxxxxxxxx>
  Date:   Wed Sep 23 11:57:33 2015 +0530

      target-i386: get/put MSR_TSC_AUX across reset and migration

      There's one report of migration breaking due to missing MSR_TSC_AUX
      save/restore.  Fix this by adding a new subsection that saves the state
      of this MSR.

      https://bugzilla.redhat.com/show_bug.cgi?id=1261797

      Reported-by: Xiaoqing Wei <xwei@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      CC: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit dd941cdcfec536aad6a310a153778142ed9f3e92
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:07 2015 -0700

      target-i386: Make check_hw_breakpoints static

      The function is now only used from within a single file.

      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit ba4b5c65a98ea91dc3b13e42dd9404808c999dda
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:06 2015 -0700

      target-i386: Move breakpoint related functions to new file

      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 5114e8422201190c3e2e1a4d77e38ad70cf001d2
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 11 12:40:27 2015 -0300

      target-i386: Convert kvm_default_*features to property/value pairs

      Convert the kvm_default_features and kvm_default_unset_features arrays
      into a simple list of property/value pairs that will be applied to
      X86CPU objects when using KVM.

      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit a32ef3bfc12c8d0588f43f74dcc5280885bbdb30
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Wed Jul 22 15:59:50 2015 +0200

      vl: Add another sanity check to smp_parse() function

      The code in smp_parse already checks the topology information for
      sockets * cores * threads < cpus and bails out with an error in
      that case. However, it is still possible to supply a bad configuration
      the other way round, e.g. with:

       qemu-system-xxx -smp 4,sockets=1,cores=4,threads=2

      QEMU then still starts the guest, with topology configuration that
      is rather incomprehensible and likely not what the user wanted.
      So let's add another check to refuse such wrong configurations.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit ed256144cd6f0ca2ff59fc3fc8dca547506f433b
  Author: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
  Date:   Fri Aug 21 17:34:45 2015 +0800

      cpu: Introduce X86CPUTopoInfo structure for argument simplification

      In order to simplify arguments of function, introduce a new struct
      named X86CPUTopoInfo.

      Signed-off-by: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit c0b520dfb8890294a9f8879f4759172900585995
  Merge: 945507d 6fdac09
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 2 16:59:21 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio,pc features, fixes

      New features:
          guest RAM buffer overrun mitigation
          RAM physical address gaps for memory hotplug
          (except refactoring which got some review comments)

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Fri 02 Oct 2015 15:04:56 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        vhost-user-test: fix predictable filename on tmpfs
        vhost-user-test: use tmpfs by default
        pc: memhp: force gaps between DIMM's GPA
        memhp: extend address auto assignment to support gaps
        vhost-user: unit test for new messages
        vhost-user-test: do not reinvent glib-compat.h
        virtio: Notice when the system doesn't support MSIx at all
        pc: Add a comment explaining why pc_compat_2_4() doesn't exist
        exec: allocate PROT_NONE pages on top of RAM
        oslib: allocate PROT_NONE pages on top of RAM
        oslib: rework anonimous RAM allocation
        virtio-net: correctly drop truncated packets
        virtio: introduce virtqueue_discard()
        virtio: introduce virtqueue_unmap_sg()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 945507d6bcde334f42b00cae134b4d47301d1821
  Merge: 37dd86a 86abac0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 2 16:04:25 2015 +0100

      Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20151002' 
into staging

      First set of Linux-user que patches for 2.5

      # gpg: Signature made Fri 02 Oct 2015 13:38:00 BST using RSA key ID 
DE3C9BC0
      # gpg: Good signature from "Riku Voipio <riku.voipio@xxxxxx>"
      # gpg:                 aka "Riku Voipio <riku.voipio@xxxxxxxxxx>"

      * remotes/riku/tags/pull-linux-user-20151002:
        linux-user: assert that target_mprotect cannot fail
        linux-user/signal.c: Use setup_rt_frame() instead of setup_frame() for 
target openrisc
        linux-user/syscall.c: Add EAGAIN to host_to_target_errno_table for
        linux-user: add name_to_handle_at/open_by_handle_at
        linux-user: Return target error number in do_fork()
        linux-user: fix cmsg conversion in case of multiple headers
        linux-user: remove MAX_ARG_PAGES limit
        linux-user: remove unused image_info members
        linux-user: Treat --foo options the same as -foo
        linux-user: use EXIT_SUCCESS and EXIT_FAILURE
        linux-user: Add proper error messages for bad options
        linux-user: Add -help
        linux-user: Exit 0 when -h is used

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6fdac09370530be0cc6fe9e8d425c0670ba994b1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 1 15:50:52 2015 +0300

      vhost-user-test: fix predictable filename on tmpfs

      vhost-user-test uses getpid to create a unique filename. This name is
      predictable, and a security problem.  Instead, use a tmp directory
      created by mkdtemp, which is a suggested best practice.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 1b7e1e3b463a6e5c117498b192cb07603c04b668
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Sep 30 18:01:21 2015 +0300

      vhost-user-test: use tmpfs by default

      Most people don't run make check by default, so they skip vhost-user
      unit tests.  Solve this by using tmpfs instead, unless hugetlbfs is
      specified (using an environment variable).

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit aa8580cddf011e8cedcf87f7a0fdea7549fc4704
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Sep 29 16:53:29 2015 +0200

      pc: memhp: force gaps between DIMM's GPA

      mapping DIMMs non contiguously allows to workaround
      virtio bug reported earlier:
      http://lists.nongnu.org/archive/html/qemu-devel/2015-08/msg00522.html
      in this case guest kernel doesn't allocate buffers
      that can cross DIMM boundary keeping each buffer
      local to a DIMM.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Acked-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit df0acded19ec4b826aa095cfc19d341bd66fafd3
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Sep 29 16:53:28 2015 +0200

      memhp: extend address auto assignment to support gaps

      setting gap to TRUE will make sparse DIMM
      address auto allocation, leaving gaps between
      a new DIMM address and preceeding existing DIMM.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8a9b6b37dabf00388e8069a2f5c0f659626693b3
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 24 18:22:01 2015 +0200

      vhost-user: unit test for new messages

      Data is empty for now, but do make sure master
      sets the new feature bit flag.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ca06d9cc6691e23b6d02e07b44ea549aeac60151
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 14:12:03 2015 +0200

      vhost-user-test: do not reinvent glib-compat.h

      glib-compat.h has the gunk to support both old-style and new-style
      gthread functions.  Use it instead of reinventing it.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Tested-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 37dd86a44cc4298f58ac370e0190b069469b6d25
  Merge: ff770b0 73ba05d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 2 14:47:10 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Fri 02 Oct 2015 12:49:13 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        block/raw-posix: Open file descriptor O_RDWR to work around glibc 
posix_fallocate emulation issue.
        block: disable I/O limits at the beginning of bdrv_close()
        iotests: Fix test 128 for password-less sudo
        tests: Fix test 049 fallout from improved HMP error messages
        raw-win32: Fix write request error handling

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 73ba05d936e82fe01b2b2cf987bf3aecb4792af5
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Tue Sep 29 16:54:10 2015 +0100

      block/raw-posix: Open file descriptor O_RDWR to work around glibc 
posix_fallocate emulation issue.

        https://bugzilla.redhat.com/show_bug.cgi?id=1265196

      The following command fails on an NFS mountpoint:

        $ qemu-img create -f qcow2 -o preallocation=falloc disk.img 262144
        Formatting 'disk.img', fmt=qcow2 size=262144 encryption=off 
cluster_size=65536 preallocation='falloc' lazy_refcounts=off
        qemu-img: disk.img: Could not preallocate data for the new file: Bad 
file descriptor

      The reason turns out to be because NFS doesn't support the
      posix_fallocate call.  glibc emulates it instead.  However glibc's
      emulation involves using the pread(2) syscall.  The pread syscall
      fails with EBADF if the file descriptor is opened without the read
      open-flag (ie. open (..., O_WRONLY)).

      I contacted glibc upstream about this, and their response is here:

        https://bugzilla.redhat.com/show_bug.cgi?id=1265196#c9

      There are two possible fixes: Use Linux fallocate directly, or (this
      fix) work around the problem in qemu by opening the file with O_RDWR
      instead of O_WRONLY.

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1265196
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 99b7e7756780cec03fe5175db0f53b2fffa9426b
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Sep 25 16:41:44 2015 +0300

      block: disable I/O limits at the beginning of bdrv_close()

      Disabling I/O limits from a BDS also drains all pending throttled
      requests, so it should be done at the beginning of bdrv_close() with
      the rest of the bdrv_drain() calls before the BlockDriver is closed.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bb3c801df7ed454b663312326bc29c8b9c2e4de6
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Fri Sep 25 19:19:24 2015 +0200

      iotests: Fix test 128 for password-less sudo

      As of 934659c460d46c948cf348822fda1d38556ed9a4, $QEMU_IO is generally no
      longer a program name, and therefore "sudo -n $QEMU_IO" will no longer
      work.

      Fix this by copying the qemu-io invocation function from common.config,
      making it use $sudo for invoking $QEMU_IO_PROG, and then use that
      function instead of $QEMU_IO.

      Reported-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 552bb52c4bf199ae9c038570187749b93c91310a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 22 17:15:52 2015 -0600

      tests: Fix test 049 fallout from improved HMP error messages

      Commit 50b7b000 improved HMP error messages, but forgot to update
      qemu-iotests to match.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5d555030ba10ef3be12cd75a121a7cd5f6ef9bd2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Sep 23 14:58:21 2015 +0200

      raw-win32: Fix write request error handling

      aio_worker() wrote the return code to the wrong variable.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Guangmu Zhu <guangmuzhu@xxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d9f090ec7794d433b8f222ae8c8f95601369a4a5
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 1 10:49:47 2015 +0200

      s390x: rename io_subsystem_reset -> subsystem_reset

      According to the Pop:
      "Subsystem reset operates only on those elements in the configuration
      which are not CPUs".

      As this is what we actually do, let's simply rename the function.

      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-6-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit a6085fab3b6b9f0f9d636170b7d7bd31172b5038
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Thu Oct 1 10:49:46 2015 +0200

      s390x/info registers: print vector registers properly

      We want

      F12=0000000000000000 F13=0000000000000000 F14=0000000000000000 
F15=0000000000000000
      V00=00000000000000000000000000000000 V01=00000000000000000000000000000000

      instead of
      F12=0000000000000000 F13=0000000000000000 F14=0000000000000000 
F15=0000000000000000
      V00=00000000000000000000000000000000
      V01=00000000000000000000000000000000 V02=00000000000000000000000000000000

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-5-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 7059384c7e27d68c502d8636eb711873a9a6a597
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 1 10:49:45 2015 +0200

      s390x: set missing parent for hotplug and quiesce events

      Existing code missed to set a parent for the quiesce and hotplug event.
      While this didn't matter in practise, new introspection APIs basically now
      do an object_unref(object_new(T)), which loops forever.

      When trying to remove the event facility bus, the code tries to
      unparent all childs on the bus, so they are properly deleted and 
therefore removed.
      As object_unparent() on these child devices doesn't work, as there is no 
parent,
      we loop forever.

      Let's fix this by adding the event facility as a parent. Also switch from
      object_initialize to object_new, so the only valid reference is in fact 
the
      parent property. This makes it more obvious when the device (state) is 
actually
      gone (and how the reference counting works).

      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-4-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 8a641ff60f38799a10ed44a7c5bddd386bc169ed
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 1 10:49:44 2015 +0200

      s390x/gdb: expose virtualization specific registers

      Let's expose some virtual/fake registers as virtualization specific
      registers.

      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-3-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit af3c15fee54e841d859d003b90a88042daf6cd7a
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Thu Oct 1 10:49:43 2015 +0200

      pc-bios/s390-ccw: avoid floating point operations

      Some gcc versions (e.g. Fedora 22 gcc 5.1.1) seem to use floating
      point registers for spilling and filling of general purpose registers.
      As the BIOS does not activate the AFP register setting of CR0 this can
      cause data exception program checks.
      Disallow floating point in the BIOS as a simple solution.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-2-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit ff770b07f34d28b79013a83989bd6c85f8f16b2f
  Merge: 5250ced 5279efe
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 2 11:01:18 2015 +0100

      Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into 
staging

      # gpg: Signature made Thu 01 Oct 2015 20:02:33 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"

      * remotes/cody/tags/block-pull-request:
        block: mirror - fix full sync mode when target does not support zero 
init

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5250ced83173c9534b4a2723b7a50b67b7c7a6ee
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jul 23 08:13:56 2015 -0700

      target-microblaze: Set the PC in reset instead of realize

      Set the Microblaze CPU PC in the reset instead of setting it
      in the realize. This is required as the PC is zeroed in the
      reset function and causes problems in some situations.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit c8667283a070d810f7917d69ea84209475c6e75e
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Fri Sep 25 22:45:53 2015 +0200

      disas/cris: Fix typo in comment

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 5279efebcf8f8fbf2ed2feed63cdb9d375c7cd07
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Thu Oct 1 00:06:37 2015 -0400

      block: mirror - fix full sync mode when target does not support zero init

      During mirror, if the target device does not support zero init, a
      mirror may result in a corrupted image for sync="full" mode.

      This is due to how the initial dirty bitmap is set up prior to copying
      data - we did not mark sectors as dirty that are unallocated.  This
      means those unallocated sectors are skipped over on the target, and for
      a device without zero init, invalid data may reside in those holes.

      If both of the following conditions are true, then we will explicitly
      mark all sectors as dirty:

          1.) sync = "full"
          2.) bdrv_has_zero_init(target) == false

      If the target does support zero init, but a target image is passed in
      with data already present (i.e. an "existing" image), it is assumed the
      data present in the existing image is valid data for those sectors.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 
91ed4bc5bda7e2b09eb508b07c83f4071fe0b3c9.1443705220.git.jcody@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 0d583647a7fc73f621eeb64ed703556c4bbebfcc
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue May 19 13:29:51 2015 -0700

      virtio: Notice when the system doesn't support MSIx at all

      And do not issue an error_report in that case.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 798595075bf51c7e3125d260a19d860b9aa63e69
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Sep 28 15:07:21 2015 -0300

      pc: Add a comment explaining why pc_compat_2_4() doesn't exist

      pc_compat_2_4() doesn't exist, and we shouldn't create one. Add a
      comment explaining why the function doesn't exist and why pc_compat_*()
      functions are deprecated.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8561c9244ddf1122dfe7ccac9b23f506062f1499
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 10 16:41:17 2015 +0300

      exec: allocate PROT_NONE pages on top of RAM

      This inserts a read and write protected page between RAM and QEMU
      memory, for file-backend RAM.
      This makes it harder to exploit QEMU bugs resulting from buffer
      overflows in devices using variants of cpu_physical_memory_map,
      dma_memory_map etc.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9fac18f03a9040b67ec38e14d3e1ed34db9c7e06
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 10 16:41:17 2015 +0300

      oslib: allocate PROT_NONE pages on top of RAM

      This inserts a read and write protected page between RAM and QEMU
      memory. This makes it harder to exploit QEMU bugs resulting from buffer
      overflows in devices using variants of cpu_physical_memory_map,
      dma_memory_map etc.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c2dfc5ba3fb3a1b7278c99bfd3bf350202169434
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 10 16:36:51 2015 +0300

      oslib: rework anonimous RAM allocation

      At the moment we first allocate RAM, sometimes more than necessary for
      alignment reasons.  We then free the extra RAM.

      Rework this to avoid the temporary allocation: reserve the
      range by mapping it with PROT_NONE, then use just the
      necessary range with MAP_FIXED.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Sep 25 13:21:30 2015 +0800

      virtio-net: correctly drop truncated packets

      When packet is truncated during receiving, we drop the packets but
      neither discard the descriptor nor add and signal used
      descriptor. This will lead several issues:

      - sg mappings are leaked
      - rx will be stalled if a lots of packets were truncated

      In order to be consistent with vhost, fix by discarding the descriptor
      in this case.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Sep 25 13:21:29 2015 +0800

      virtio: introduce virtqueue_discard()

      This patch introduces virtqueue_discard() to discard a descriptor and
      unmap the sgs. This will be used by the patch that will discard
      descriptor when packet is truncated.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ce317461573bac12b10d67699b4ddf1f97cf066c
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Sep 25 13:21:28 2015 +0800

      virtio: introduce virtqueue_unmap_sg()

      Factor out sg unmapping logic. This will be reused by the patch that
      can discard descriptor.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Andrew James <andrew.james@xxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fa500928ad9da6dd570918e3dfca13c029af07a8
  Merge: b2312c6 dc32562
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 1 10:49:38 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150930' into staging

      migration/next for 20150930

      # gpg: Signature made Wed 30 Sep 2015 09:24:02 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150930:
        migration: Disambiguate MAX_THROTTLE
        qmp/hmp: Add throttle ratio to query-migrate and info migrate
        migration: Dynamic cpu throttling for auto-converge
        migration: Parameters for auto-converge cpu throttling
        cpu: Provide vcpu throttling interface
        migration: yet more possible state transitions

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 86abac06c142d20772b3f2e04c9bf02b7936a0b3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 14 12:31:44 2015 +0200

      linux-user: assert that target_mprotect cannot fail

      All error conditions that target_mprotect checks are also checked
      by target_mmap.  EACCESS cannot happen because we are just removing
      PROT_WRITE.  ENOMEM should not happen because we are modifying a
      whole VMA (and we have bigger problems anyway if it happens).

      Fixes a Coverity false positive, where Coverity complains about
      target_mprotect's return value being passed to tb_invalidate_phys_range.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit d0924a26d8f37ab95fdef99f6850b93e9af3ffb2
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sat Sep 12 23:32:30 2015 +0800

      linux-user/signal.c: Use setup_rt_frame() instead of setup_frame() for 
target openrisc

      qemu has already considered about some targets may have no traditional
      signals. And openrisc's setup_frame() is dummy, but it can be supported
      by setup_rt_frame().

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit dc3256272cf70b2152279b013a8abb16e0f6fe96
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:37 2015 -0400

      migration: Disambiguate MAX_THROTTLE

      Migration has a define for MAX_THROTTLE. Update comment to clarify that 
this is
      used for throttling transfer speed. Hopefully this will prevent it from 
being
      confused with a guest cpu throttling entity.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4782893e099cde24c0b10a48d0412eea575ddcb3
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:36 2015 -0400

      qmp/hmp: Add throttle ratio to query-migrate and info migrate

      Report throttle percentage in info migrate and query-migrate responses 
when
      cpu throttling is active.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 070afca258f973c704dcadf2769aa1ca921209a1
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:35 2015 -0400

      migration: Dynamic cpu throttling for auto-converge

      Remove traditional auto-converge static 30ms throttling code and replace 
it
      with a dynamic throttling algorithm.

      Additionally, be more aggressive when deciding when to start throttling.
      Previously we waited until four unproductive memory passes. Now we begin
      throttling after only two unproductive memory passes. Four seemed quite
      arbitrary and only waiting for two passes allows us to complete the 
migration
      faster.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1626fee3bdbb295d5e8aff800f7621357bb376d6
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:34 2015 -0400

      migration: Parameters for auto-converge cpu throttling

      Add migration parameters to allow the user to adjust the parameters
      that control cpu throttling when auto-converge is in effect. The added
      parameters are as follows:

      x-cpu-throttle-initial : Initial percantage of time guest cpus are 
throttled
      when migration auto-converge is activated.

      x-cpu-throttle-increment: throttle percantage increase each time
      auto-converge detects that migration is not making progress.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2adcc85d407c1ab985f5abed808c78dbb84f4773
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:33 2015 -0400

      cpu: Provide vcpu throttling interface

      Provide a method to throttle guest cpu execution. CPUState is augmented 
with
      timeout controls and throttle start/stop functions. To throttle the guest 
cpu
      the caller simply has to call the throttle set function and provide a 
percentage
      of throttle time.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2a6e6e59dfdeb0b98e744eb8f110a236f26a3ea4
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Jul 28 15:28:28 2015 +0200

      migration: yet more possible state transitions

      On destination, we move from INMIGRATE to FINISH_MIGRATE.  Add that to
      the list of allowed states.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit b2312c680084ea18cd55fa7093397cad2224ec14
  Merge: 6996a00 b9e6092
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 29 12:41:19 2015 +0100

      Merge remote-tracking branch 
'remotes/amit-migration/tags/for-juan-201509' into staging

      Migration queue

      # gpg: Signature made Tue 29 Sep 2015 07:13:55 BST using RSA key ID 
854083B6
      # gpg: Good signature from "Amit Shah <amit@xxxxxxxxxxxx>"
      # gpg:                 aka "Amit Shah <amit@xxxxxxxxxx>"
      # gpg:                 aka "Amit Shah <amitshah@xxxxxxx>"

      * remotes/amit-migration/tags/for-juan-201509:
        ram_find_and_save_block: Split out the finding
        Move dirty page search state into separate structure
        migration: Use g_new() & friends where that makes obvious sense
        migration: qemu-file more size_t'ifying
        migration: size_t'ify some of qemu-file
        Init page sizes in qtest
        Split out end of migration code from migration_thread
        migration/ram.c: Use RAMBlock rather than MemoryRegion
        vmstate: Remove redefinition of VMSTATE_UINT32_ARRAY

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b9e6092814735853cc1149e2e68245b09f621306
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Sep 23 15:27:11 2015 +0100

      ram_find_and_save_block: Split out the finding

      Split out the finding of the dirty page and all the wrap detection
      into a separate function since it was getting a bit hairy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1443018431-11170-3-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>

      [Fix comment -- Amit]
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit b8fb8cb748497aa070304eec27b03edd3b05373d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Sep 23 15:27:10 2015 +0100

      Move dirty page search state into separate structure

      Pull the search state for one iteration of the dirty page
      search into a structure.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Message-Id: <1443018431-11170-2-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 97f3ad35517e0d02c0149637d1bb10713c52b057
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:51:31 2015 +0200

      migration: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442231491-23352-1-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 56f3835ff1e70df97f843f4a27abdff6b4a2ae77
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:34 2015 +0100

      migration: qemu-file more size_t'ifying

      This time convert the external functions:
        qemu_get_buffer, qemu_peek_buffer
        qemu_put_buffer and qemu_put_buffer_async

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439463094-5394-6-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit a202a4c001fd35b50d99abcc329bc9e666eb8eed
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:33 2015 +0100

      migration: size_t'ify some of qemu-file

      This is a start on using size_t more in qemu-file and friends;
      it fixes up QEMUFilePutBufferFunc and QEMUFileGetBufferFunc
      to take size_t lengths and return ssize_t return values (like read(2))
      and fixes up all the different implementations of them.

      Note that I've not yet followed this deeply into bdrv_ implementations.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439463094-5394-5-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit c50766f5a99ef7bf6c9a86cd07341c389faf7ae6
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:32 2015 +0100

      Init page sizes in qtest

      One of my patches used a loop that was based on host page size;
      it dies in qtest since qtest hadn't bothered init'ing it.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Message-Id: <1439463094-5394-4-git-send-email-dgilbert@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 09f6c85e39ee9e57bd245adbe6f400d387061707
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:31 2015 +0100

      Split out end of migration code from migration_thread

      The code that gets run at the end of the migration process
      is getting large, and I'm about to add more for postcopy.
      Split it into a separate function.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439463094-5394-3-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 2f68e39956b7504f6669671fd95b70859afc340d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:30 2015 +0100

      migration/ram.c: Use RAMBlock rather than MemoryRegion

      RAM migration mainly works on RAMBlocks but in a few places
      uses data from MemoryRegions to access the same information that's
      already held in RAMBlocks; clean it up just to avoid the
      MemoryRegion use.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439463094-5394-2-git-send-email-dgilbert@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit eb5c936e81e2e292ceefec9b6628862599f71c17
  Author: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
  Date:   Thu Aug 13 23:16:27 2015 -0700

      vmstate: Remove redefinition of VMSTATE_UINT32_ARRAY

      The macro is defined twice in identical ways.

      Signed-off-by: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
      Message-Id: <1439532987-16335-1-git-send-email-soren.brinkmann@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 08703b9f7bcd7ca2152d51a4c8893d26f1dc28de
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Mon Sep 7 10:35:06 2015 +0800

      linux-user/syscall.c: Add EAGAIN to host_to_target_errno_table for

      Under Alpha host, EAGAIN is redefined to 35, so it need be remapped too.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 0f0426f343886fb5c9f137c2830f35cc2dae7327
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Tue Sep 1 22:27:33 2015 +0200

      linux-user: add name_to_handle_at/open_by_handle_at

      This patch allows to run example given by open_by_handle_at(2):

            The following shell session demonstrates the use of these two 
programs:

                 $ echo 'Can you please think about it?' > cecilia.txt
                 $ ./t_name_to_handle_at cecilia.txt > fh
                 $ ./t_open_by_handle_at < fh
                 open_by_handle_at: Operation not permitted
                 $ sudo ./t_open_by_handle_at < fh      # Need CAP_SYS_ADMIN
                 Read 31 bytes
                 $ rm cecilia.txt

             Now  we delete and (quickly) re-create the file so that it has the 
same
             content and (by chance) the  same  inode.[...]

                 $ stat --printf="%i\n" cecilia.txt     # Display inode number
                 4072121
                 $ rm cecilia.txt
                 $ echo 'Can you please think about it?' > cecilia.txt
                 $ stat --printf="%i\n" cecilia.txt     # Check inode number
                 4072121
                 $ sudo ./t_open_by_handle_at < fh
                 open_by_handle_at: Stale NFS file handle

      See the man page for source code.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 93b4eff80af9822e4b726dcf21ee61538e088695
  Author: Timothy E Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 31 00:26:21 2015 +0100

      linux-user: Return target error number in do_fork()

      Whilst calls to do_fork() are wrapped in get_errno() this does not
      translate return values.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Timothy Edward Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit ee1045877a7e226945c7cec2bda80039bd2d0c8e
  Author: Jonathan Neuschäfer <j.neuschaefer@xxxxxxx>
  Date:   Thu Sep 3 07:27:26 2015 +0200

      linux-user: fix cmsg conversion in case of multiple headers

      Currently, __target_cmsg_nxthdr compares a pointer derived from
      target_cmsg against the msg_control field of target_msgh (through
      subtraction).  This failed for me when emulating i386 code under x86_64,
      because pointers in the host address space and pointers in the guest
      address space were not the same.  This patch passes the initial value of
      target_cmsg into __target_cmsg_nxthdr.

      I found and fixed two more related bugs:
      - __target_cmsg_nxthdr now returns the new cmsg pointer instead of the
        old one.
      - tgt_space (in host_to_target_cmsg) doesn't count "sizeof (struct
        target_cmsghdr)" twice anymore.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@xxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 59baae9a626396a3a05840279084c4bf2beb8f40
  Author: Stefan Brüns <stefan.bruens@xxxxxxxxxxxxxx>
  Date:   Wed Sep 2 03:38:53 2015 +0200

      linux-user: remove MAX_ARG_PAGES limit

      Instead of creating a temporary copy for the whole environment and
      the arguments, directly copy everything to the target stack.

      For this to work, we have to change the order of stack creation and
      copying the arguments.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Stefan Brüns <stefan.bruens@xxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 84646ee25b68321624ef4768011e91064e4bd440
  Author: Stefan Brüns <stefan.bruens@xxxxxxxxxxxxxx>
  Date:   Wed Sep 2 03:38:52 2015 +0200

      linux-user: remove unused image_info members

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Stefan Brüns <stefan.bruens@xxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit ba02577cadbe5b53db791522310c977f9960f81f
  Author: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 11:03:41 2015 -0700

      linux-user: Treat --foo options the same as -foo

      The system mode binaries provide a similar alias
      and it makes common options like --version and --help
      work as expected.

      Signed-off-by: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 4d1275c24d5d64d22ec4a30ce1b6a0db3ba9a25a
  Author: Riku Voipio <riku.voipio@xxxxxxxxxx>
  Date:   Mon Sep 28 16:12:16 2015 +0300

      linux-user: use EXIT_SUCCESS and EXIT_FAILURE

      As suggested by Laurent, use EXIT_SUCCESS and EXIT_FAILURE from
      stdlib.h instead of numeric values.

      Cc: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 138940bf08df1d8e9b862ad019a0d7d451e2413a
  Author: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 11:03:40 2015 -0700

      linux-user: Add proper error messages for bad options

      This patch adds better support for diagnosing option
      parser errors.  The previous implementation just printed
      the usage text and exited when a bad option or argument
      was found.  This made it very difficult to determine why
      the usage was being displayed and it was doubly confusing
      for cases like '--help' (it wasn't clear that --help was
      actually an error).

      Signed-off-by: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit daaf8c8eb7135386134bc7075b9cf4dd57107c43
  Author: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 11:03:39 2015 -0700

      linux-user: Add -help

      This option is already available on the system mode
      binaries.  It would be better if long options were
      supported (i.e. --help), but this is okay for now.

      Signed-off-by: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit d03f9c320234d2e49ad8b2f4abd049a497afa2be
  Author: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 11:03:38 2015 -0700

      linux-user: Exit 0 when -h is used

      Signed-off-by: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 6996a002d845be0166e155c016448014a6fbfe05
  Merge: 9e07142 365d7f3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 23:20:06 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-cocoa-20150925-1' into staging

      cocoa queue:
       * fix stuck-key bug if keys were down when QEMU lost focus
       * prompt the user whether they really meant to quit
       * remove the 'open image file' dialog box we used to display
         if the user started QEMU without arguments

      # gpg: Signature made Fri 25 Sep 2015 23:17:19 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-cocoa-20150925-1:
        ui/cocoa.m: remove open dialog code
        ui/cocoa.m: prevent stuck key situation
        ui/cocoa.m: verify with user before quitting QEMU

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 365d7f3c7aacc789ead96b8eeb5ba5b0a8d93d48
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Sep 25 23:14:00 2015 +0100

      ui/cocoa.m: remove open dialog code

      Removes the open dialog code that runs when no arguments are supplied 
with QEMU.
      Not everyone needs a hard drive or cdrom to boot their target. A user 
might only
      need to use their target's bios to do work. With that said, this patch 
removes
      the unneeded open dialog code.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 33856864-321C-4367-9170-FB0BF81E789B@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3b178b7130ecf4005cd73d0c40e964c9d0d31a48
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Sep 25 23:14:00 2015 +0100

      ui/cocoa.m: prevent stuck key situation

      When the user puts QEMU in the background while holding
      down a key, QEMU will not receive the keyup event when
      the user lets go of the key. When the user goes back to
      QEMU, QEMU will think the key is still down causing
      stuck key symptoms. This patch fixes this problem by
      releasing all down keys when QEMU goes into the
      background.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 7A3FA6EE-84C8-4422-A786-C899B7229D32@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d9bc14f63e880010ba72b3a0169ff8ef52275a63
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Sep 25 23:13:59 2015 +0100

      ui/cocoa.m: verify with user before quitting QEMU

      This patch prevents the user from accidentally quitting QEMU by pushing
      Command-Q or by pushing the close button on the main window. When
      the user does one of these two things, a dialog box appears verifying
      with the user if he or she wants to quit QEMU.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 29169A74-0347-47F5-934F-A5AD24C225CA@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9e071429e649346c14b2dc76902f84f8352d2333
  Merge: 8bfbbb4 8e9620a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 21:52:30 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * First batch of MAINTAINERS updates
      * IOAPIC fixes (to pass kvm-unit-tests with -machine kernel_irqchip=off)
      * NBD API upgrades from Daniel
      * strtosz fixes from Marc-André
      * improved support for readonly=on on scsi-generic devices
      * new "info ioapic" and "info lapic" monitor commands
      * Peter Crosthwaite's ELF_MACHINE cleanups
      * docs patches from Thomas and Daniel

      # gpg: Signature made Fri 25 Sep 2015 11:20:52 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream: (52 commits)
        doc: Refresh URLs in the qemu-tech documentation
        docs: describe the QEMU build system structure / design
        typedef: add typedef for QemuOpts
        i386: interrupt poll processing
        i386: partial revert of interrupt poll fix
        ppc: Rename ELF_MACHINE to be PPC specific
        i386: Rename ELF_MACHINE to be x86 specific
        alpha: Remove ELF_MACHINE from cpu.h
        mips: Remove ELF_MACHINE from cpu.h
        sparc: Remove ELF_MACHINE from cpu.h
        s390: Remove ELF_MACHINE from cpu.h
        sh4: Remove ELF_MACHINE from cpu.h
        xtensa: Remove ELF_MACHINE from cpu.h
        tricore: Remove ELF_MACHINE from cpu.h
        or32: Remove ELF_MACHINE from cpu.h
        lm32: Remove ELF_MACHINE from cpu.h
        unicore: Remove ELF_MACHINE from cpu.h
        moxie: Remove ELF_MACHINE from cpu.h
        cris: Remove ELF_MACHINE from cpu.h
        m68k: Remove ELF_MACHINE from cpu.h
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8bfbbb4bcb6e06aaf4a3e2264f53c8c44ed4c655
  Merge: 54b3762 9d146b2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 21:11:12 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150925.0' into staging

      VFIO updates 2015-09-25

       - Remove use of g_malloc0_n for glib2.22 compat

      # gpg: Signature made Fri 25 Sep 2015 17:58:04 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150925.0:
        vfio/pci: Remove use of g_malloc0_n() from quirks

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 54b376230c795d9f63490fa2e951cb786f7b1e12
  Merge: 690b286 e6fd57e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 19:01:46 2015 +0100

      Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into 
staging

      # gpg: Signature made Fri 25 Sep 2015 16:47:31 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"

      * remotes/cody/tags/block-pull-request:
        sheepdog: refine discard support
        sheepdog: use per AIOCB dirty indexes for non overlapping requests
        Backup: don't do copy-on-read in before_write_notifier
        block: Introduce a new API bdrv_co_no_copy_on_readv()
        sheepdog: add reopen support
        block/nfs: cache allocated filesize for read-only files
        block/nfs: fix calculation of allocated file size

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 690b286fefa806f130dfc1931b5ba0b4dd2fb415
  Merge: cdf9818 ab60b74
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 18:03:19 2015 +0100

      Merge remote-tracking branch 
'remotes/vivier-misc/tags/pull-muldiv64-20150925' into staging

      Remove muldiv64() by using period instead of frequency

      # gpg: Signature made Fri 25 Sep 2015 14:54:37 BST using RSA key ID 
3F2FBE3C
      # gpg: Good signature from "Laurent Vivier <lvivier@xxxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier <laurent@xxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F 
BE3C

      * remotes/vivier-misc/tags/pull-muldiv64-20150925:
        net: remove muldiv64()
        bt: remove muldiv64()
        hpet: remove muldiv64()
        arm: clarify the use of muldiv64()
        openrisc: remove muldiv64()
        mips: remove muldiv64()
        pcnet: remove muldiv64()
        rtl8139: remove muldiv64()
        i6300esb: remove muldiv64()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cdf98182420e3bec62e2fd957eb8a17761161c0f
  Merge: 8a47d57 f178bc6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 16:40:05 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio,pc features, fixes

      New features:
          vhost-user multiqueue support
          virtio-ccw virtio 1 support

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Fri 25 Sep 2015 07:40:35 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        MAINTAINERS: add more devices to the PCI section
        MAINTAINERS: add more devices to the PC section
        vhost-user: add a new message to disable/enable a specific virt queue.
        vhost-user: add multiple queue support
        vhost: introduce vhost_backend_get_vq_index method
        vhost-user: add VHOST_USER_GET_QUEUE_NUM message
        vhost: rename VHOST_RESET_OWNER to VHOST_RESET_DEVICE
        vhost-user: add protocol feature negotiation
        vhost-user: use VHOST_USER_XXX macro for switch statement
        virtio-ccw: enable virtio-1
        virtio-ccw: feature bits > 31 handling
        virtio-ccw: support ring size changes
        virtio: ring sizes vs. reset
        pc: Introduce pc-*-2.5 machine classes
        q35: Move options common to all classes to pc_i440fx_machine_options()
        q35: Move options common to all classes to pc_q35_machine_options()
        virtio-net: unbreak self announcement and guest offloads after migration
        virtio: right size for virtio_queue_get_avail_size

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e6fd57ea297ec3aad32b24090c5d3757a99df3fe
  Author: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
  Date:   Tue Sep 1 12:03:10 2015 +0900

      sheepdog: refine discard support

      This patch refines discard support of the sheepdog driver. The
      existing discard mechanism was implemented on SD_OP_DISCARD_OBJ, which
      was introduced before fine grained reference counting on newer
      sheepdog. It doesn't care about relations of snapshots and clones and
      discards objects unconditionally.

      With this patch, the driver just updates an inode object for updating
      reference. Removing the object is done in sheep process side.

      Cc: Teruaki Ishizaki <ishizaki.teruaki@xxxxxxxxxxxxx>
      Cc: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Cc: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
      Tested-by: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Message-id: 1441076590-8015-3-git-send-email-mitake.hitoshi@xxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 498f21405a286f718a0767c791b7d2db19f4e5bd
  Author: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
  Date:   Tue Sep 1 12:03:09 2015 +0900

      sheepdog: use per AIOCB dirty indexes for non overlapping requests

      In the commit 96b14ff85acf, requests for overlapping areas are
      serialized. However, it cannot handle a case of non overlapping
      requests. In such a case, min_dirty_data_idx and max_dirty_data_idx
      can be overwritten by the requests and invalid inode update can
      happen e.g. a case like create(1, 2) and create(3, 4) are issued in
      parallel.

      This patch lets SheepdogAIOCB have dirty data indexes instead of
      BDRVSheepdogState for avoiding the above situation.

      This patch also does trivial renaming for better description:
      overwrapping -> overlapping

      Cc: Teruaki Ishizaki <ishizaki.teruaki@xxxxxxxxxxxxx>
      Cc: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Cc: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
      Tested-by: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Message-id: 1441076590-8015-2-git-send-email-mitake.hitoshi@xxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit ab60b7485cece312ad9c21327ee678f0f9898fb5
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:24:39 2015 +0200

      net: remove muldiv64()

      muldiv64() is used to convert nanoseconds to microseconds.

          x = muldiv64(qemu_clock_get_ns(..), 1000000, get_ticks_per_sec());

      As  get_ticks_per_sec() is 10^9, it can be replaced by:

          x = qemu_clock_get_us(..);

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fdfea124f9e12232f99d9f235267ca1eeeb23469
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:19:57 2015 +0200

      bt: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds.

      As get_ticks_per_sec() is 10^9,

          a = muldiv64(b, get_ticks_per_sec(), 100);
          y = muldiv64(x, get_ticks_per_sec(), 1000000);

      can be converted to

          a = b * 10000000;
          y = x * 1000;

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0a4f9240f5b8b1bfe2d5c5c2748545bc23771bb4
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:13:01 2015 +0200

      hpet: remove muldiv64()

      hpet defines a clock period in femtoseconds but
      then converts it to nanoseconds to use the internal
      timers.

      We can define the period in nanoseconds and use it
      directly, this allows to remove muldiv64().

      We only need to convert the period to femtoseconds
      to put it in internal hpet capability register.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 352c98e502893dee405d0bd8301264fca3b79179
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:09:36 2015 +0200

      arm: clarify the use of muldiv64()

      muldiv64() is used to convert microseconds into CPU ticks.

      But it is not clear and not commented. This patch uses macro
      to clearly identify what is used: time, CPU frequency and ticks.
      For an elapsed time and a given frequency, we compute how many ticks
       we have.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ccaf1749239aa33c5a5b755972232ffe1c0cf946
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:17:15 2015 +0200

      openrisc: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), TIMER_FREQ)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as openrisc timer frequency is 20 MHz, we can also do:

          y = x * 50; /* 20 MHz period is 50 ns */

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit 683dca6bd5057a87d9376475b0c7e30d56d8e532
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 16:16:21 2015 +0200

      mips: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), TIMER_FREQ)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as MIPS timer frequency is 100 MHz, we can also do:

          y = x * 10; /* 100 MHz period is 10 ns */

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit c6acbe861f1ed4203f4864baf756686064ba561f
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Mon Aug 24 19:29:45 2015 +0200

      pcnet: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), PCI_FREQUENCY)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as PCI frequency is 33 MHz, we can also do:

          y = x * 30; /* 33 MHz PCI period is 30 ns */

      Which is much more simple.

      This implies a 33.333333 MHz PCI frequency,
      but this is correct.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 37b9ab92f7f8295c61daa4a8893eb8fb1add63e2
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Mon Aug 24 19:29:45 2015 +0200

      rtl8139: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), PCI_FREQUENCY)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as PCI frequency is 33 MHz, we can also do:

          y = x * 30; /* 33 MHz PCI period is 30 ns */

      Which is much more simple.

      This implies a 33.333333 MHz PCI frequency,
      but this is correct.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9491e9bc019a365dfa9780f462984a0d052f4c0d
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Mon Aug 24 19:29:45 2015 +0200

      i6300esb: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), PCI_FREQUENCY)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as PCI frequency is 33 MHz, we can also do:

          y = x * 30; /* 33 MHz PCI period is 30 ns */

      Which is much more simple.

      This implies a 33.333333 MHz PCI frequency,
      but this is correct.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit 06c3916b35a1cf6db548450a0cfb96983c33c82f
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Tue Sep 8 11:28:33 2015 +0800

      Backup: don't do copy-on-read in before_write_notifier

      We will copy data in before_write_notifier to do backup.
      It is a nested I/O request, so we cannot do copy-on-read.

      The steps to reproduce it:
      1. -drive copy-on-read=on,...  // qemu option
      2. drive_backup -f disk0 /path_to_backup.img // monitor command

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Tested-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 1441682913-14320-3-git-send-email-wency@xxxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 9568b511c9f91c3d21ea3e83426d4ee7168c98bb
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Tue Sep 8 11:28:32 2015 +0800

      block: Introduce a new API bdrv_co_no_copy_on_readv()

      In some cases, we need to disable copy-on-read, and just
      read the data.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-id: 1441682913-14320-2-git-send-email-wency@xxxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 4da65c80921139f3e0ff63f5ea20c5d9c778364f
  Author: Liu Yuan <liuyuan@xxxxxxxxxxxxxxxxxxxx>
  Date:   Fri Aug 28 10:53:58 2015 +0800

      sheepdog: add reopen support

      With reopen supported, block-commit (and offline commit) is now supported 
for
      image files whose base image uses the Sheepdog protocol driver.

      Cc: qemu-devel@xxxxxxxxxx
      Cc: Jeff Cody <jcody@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Liu Yuan <liuyuan@xxxxxxxxxxxxxxxxxxxx>
      Message-id: 1440730438-24676-1-git-send-email-namei.unix@xxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 18a8056e0bc744e5dd2bb5cb998423b607d99f19
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Aug 27 12:30:41 2015 +0200

      block/nfs: cache allocated filesize for read-only files

      If the file is readonly its not expected to grow so
      save the blocking call to nfs_fstat_async and use
      the value saved at connection time. Also important
      the monitor (and thus the main loop) will not hang
      if block device info is queried and the NFS share
      is unresponsive.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 1440671441-7978-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 055c6f912c8d3cd9a901972ae432c47e5872f71a
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Aug 20 12:46:47 2015 +0200

      block/nfs: fix calculation of allocated file size

      st.st_blocks is always counted in 512 byte units. Do not
      use st.st_blksize as multiplicator which may be larger.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 1440067607-14547-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 8e9620a683925daf9900c2ac5f2dfa14b6439932
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Sep 25 11:38:36 2015 +0200

      doc: Refresh URLs in the qemu-tech documentation

      The TwoOStwo and Willows page seem to have disappeared completely,
      and also some of the other links were not pointing to the right
      locations anymore.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-Id: <1443173916-8895-1-git-send-email-thuth@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 717171bd2025f732d7fcf43efc08f1551953a0e3
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Sep 24 14:41:38 2015 +0100

      docs: describe the QEMU build system structure / design

      Developers who are new to QEMU, or have a background familiarity
      with GNU autotools, can have trouble getting their head around the
      home-grown QEMU build system. This document attempts to explain
      the structure / design of the configure script and the various
      Makefile pieces that live across the source tree.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1443102098-13642-1-git-send-email-berrange@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ae1e93801d9a60642b349c571122909f0019d59e
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:01 2015 +0300

      typedef: add typedef for QemuOpts

      This patch moves typedefs for QemuOpts and related types
      to qemu/typedefs.h file.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162501.8676.85435.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a4fc321219cc1c6bd5ca1262cdbbb2e8cee8d56e
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:11 2015 +0300

      i386: interrupt poll processing

      This patch updates x86_cpu_exec_interrupt function.
      It can process two interrupt request at a time (poll and another one).
      This makes its execution non-deterministic. Determinism is requred
      for recorded icount execution.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162410.8676.13042.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6220e900bcdc524a175b2d2e725ebb9bb11a0008
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:31 2015 +0300

      i386: partial revert of interrupt poll fix

      Processing CPU_INTERRUPT_POLL requests in cpu_has_work functions
      break the determinism of cpu_exec. This patch is required to make
      interrupts processing deterministic.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162331.8676.15286.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4ecd4d16a0af714ff7d9a1ad2559c621bf27649f
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      ppc: Rename ELF_MACHINE to be PPC specific

      Rename ELF_MACHINE to be PPC specific. This is used as-is by the
      various PPC bootloaders and is locally defined to ELF_MACHINE in linux
      user in PPC specific ifdeffery.

      This removes another architecture specific definition from the global
      namespace (as desired by multi-arch).

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: qemu-ppc@xxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a5e8788f89312f19f54dba0454ee5bf7209b4cd7
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      i386: Rename ELF_MACHINE to be x86 specific

      Rename ELF_MACHINE to be I386 specific. This is used as-is by the
      multiboot loader.

      Linux-user previously used this definition but will not anymore,
      falling back to the default bahaviour of using ELF_ARCH as ELF_MACHINE.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Acked-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a0036becd80f8eae260df68d7f2fd2d8d7d90f35
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      alpha: Remove ELF_MACHINE from cpu.h

      ELF_MACHINE is unused by target alpha.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 04ce380e9e3fad1dbf4e86ebdf9315573a06b30e
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      mips: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      The bootloaders can just pass EM_MIPS directly, as that is
      architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 77452383e0c45704e2339b58eac29a3730bc18b1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      sparc: Remove ELF_MACHINE from cpu.h

      The bootloaders can just pass EM_SPARC or EM_SPARCV9 directly, as
      they are architecture specific code (to one or the other).

      This removes another architecture specific definition from the global
      namespace.

      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 99a4434ed7355ba9b282b872ba2c2eb294f5dbec
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      s390: Remove ELF_MACHINE from cpu.h

      The bootloader can just pass EM_S390 directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bf337d4eae5ccf4d7f5d91b8d4471e7523f051de
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      sh4: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Acked-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 943cd387223df9398279a473ef20605c315ed2df
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      xtensa: Remove ELF_MACHINE from cpu.h

      The bootloaders can just pass EM_XTENSA directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7183128bc9f335d66ed84316431c14e733e01a03
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      tricore: Remove ELF_MACHINE from cpu.h

      The bootloader can just pass EM_TRICORE directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Acked-By: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ed03ecf8f07a0c59a2fb422f91e80a6edd068d06
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      or32: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      The bootloader can just pass EM_OPENRISC directly, as that is
      architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Jia Liu <proljc@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 22d2fb4c594e8ac540f5b3132ce0d7a635112b1a
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      lm32: Remove ELF_MACHINE from cpu.h

      The bootloaders can just pass EM_LATTICEMICO32 directly, as that is
      architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Michael Walle <michael@xxxxxxxx>
      Acked-By: Michael Walle <michael@xxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 663c40a50d06c8c299cc7449bf2c7b8f3261c8a9
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      unicore: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Guan Xuetao <gxt@xxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b744d332f3ef17adc1219be7098b0a4cc30b2dbe
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      moxie: Remove ELF_MACHINE from cpu.h

      The bootloader can just pass EM_MOXIE directly, as that is architecture
      specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7233df4949df2b6c2b417beaf336a180b3c66e25
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      cris: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      The bootloader can just pass EM_CRIS directly, as that is architecture
      specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 45e6b8b61a7bbb71d1fa6c4193b47ba3a1f9f033
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      m68k: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      The machine model bootloaders can just pass EM_68K directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Laurent Vivier <laurent@xxxxxxxxx>
      Cc: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Reviewed-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f4fc2bbfa2abd655ddcc622a8ae18c368bbce992
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      mb: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux-users'
      default behaviour or setting ELF_MACHINE to ELF_ARCH will handle this.

      The microblaze bootloader can just pass EM_MICROBLAZE directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b597c3f7da17fcb37d394a16a6c0ef0a02846177
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:25 2015 -0700

      arm: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user. Linux user
      already has a lot of #ifdef TARGET_ customisation so instead, define
      ELF_ARCH as either EM_ARM or EM_AARCH64 appropriately.

      The armv7m bootloader can just pass EM_ARM directly, as that
      is architecture specific code. Note that arm_boot already has its own
      logic selecting an arm specific elf machine so this makes V7M more
      consistent with arm_boot.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 98dbe5aca8c328b40a0598d6ab478d9b869d1b5c
  Author: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
  Date:   Sat Aug 29 12:07:50 2015 -0700

      elf: Update EM_MOXIE definition

      EM_MOXIE now has a proper assigned elf code. Use it. Register the old
      interim value as EM_MOXIE_OLD and accept either in elf loading.

      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7cc472218c807ef85714ec71b161c39ee29d634e
  Author: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
  Date:   Mon Aug 17 21:53:16 2015 -0700

      elf_ops: Fix coding style for EM alias case statement

      Fix the coding style for these cases as per CODING_STYLE. Reverse the
      Yoda conditions and add missing if braces.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d276a604bfba002aafc3af2a906b7412907ea598
  Author: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
  Date:   Sun Jul 19 11:29:32 2015 -0700

      linux-user: elfload: Provide default for elf_check_arch

      For many arch's this macro is defined as the predicatable behaviour
      of checking the argument for eqaulity against ELF_ARCH. Provide a
      default define as such, so only archs with special handling (usually
      allowing multiple EM values) need to provide a def.

      Arches that do any of:

      1: provide this def exactly the same way as the new default
              (alpha, x86_64)
      2: check against ELF_MACHINE while defining ELF_ARCH == ELF_MACHINE
              (arm, aarch64)
      3: check against EM_FOO directly while defining ELF_ARCH == EM_FOO
              (unicore32, sparc32, ppc32, mips, openrisc, sh4, cris, m86k)

      have their elf_check_arch removed as the default will provide the
      correct behaviour.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 75be901cdcd20acc724534e2dff58bc7b539292f
  Author: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
  Date:   Sun Jul 19 05:02:37 2015 -0700

      linux_user: elfload: Default ELF_MACHINE to ELF_ARCH

      In most (but not all) cases, ELF_MACHINE and ELF_ARCH are safely the
      same. Default ELF_MACHINE to ELF_ARCH. This makes defining ELF_MACHINE
      optional for target-*/cpu.h when they are known to match.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6bde8fd69f874a107f04cea2695ebece849213c5
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:21 2015 +0300

      hmp: implemented io apic dump state for TCG

      Added support emulator for the hmp command "info ioapic"

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-10-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d665d696c53f776ec2cb91505658969b9eb9906b
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:20 2015 +0300

      hmp: added io apic dump state

      Added the hmp command to query io apic state, may be usefull after guest
      crashes to understand IRQ routing in guest.

      Implementation is only for kvm here. The dump will look like
      (qemu) info ioapic
      ioapic id=0x00 sel=0x26 (redir[11])
      pin 0  0x0000000000010000 dest=0 vec=0   active-hi edge  masked fixed  
physical
      pin 1  0x0000000000000031 dest=0 vec=49  active-hi edge         fixed  
physical
      ...
      pin 23 0x0000000000010000 dest=0 vec=0   active-hi edge  masked fixed  
physical
      IRR        (none)
      Remote IRR (none)

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-9-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit af599407352a2e05235d96196e8841ad1b39dd0f
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:19 2015 +0300

      ioapic_internal.h: added more constants

      Added the masks for easy  access to fields of the redirection table entry

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-8-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1f871d49e3446f34a434860ce403c43eaad820a1
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:18 2015 +0300

      hmp: added local apic dump state

      Added the hmp command to query local apic registers state, may be
      usefull after guest crashes to understand IRQ routing in guest.

      (qemu) info lapic
      dumping local APIC state for CPU 0

      LVT0    0x00010700 active-hi edge  masked                      ExtINT 
(vec 0)
      LVT1    0x00000400 active-hi edge                              NMI
      LVTPC   0x00010000 active-hi edge  masked                      Fixed  
(vec 0)
      LVTERR  0x000000fe active-hi edge                              Fixed  
(vec 254)
      LVTTHMR 0x00010000 active-hi edge  masked                      Fixed  
(vec 0)
      LVTT    0x000000ef active-hi edge                 one-shot     Fixed  
(vec 239)
      Timer   DCR=0x3 (divide by 16) initial_count = 61360
      SPIV    0x000001ff APIC enabled, focus=off, spurious vec 255
      ICR     0x000000fd physical edge de-assert no-shorthand
      ICR2    0x00000001 cpu 1 (X2APIC ID)
      ESR     0x00000000
      ISR     (none)
      IRR     239

      APR 0x00 TPR 0x00 DFR 0x0f LDR 0x00 PPR 0x00

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-7-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit caf15319e8b636a2606e232a95c1623857db8152
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:17 2015 +0300

      monitor: make monitor_fprintf and mon_get_cpu externally visible

      monitor_fprintf and mon_get_cpu will be used in the target-specific 
monitor,
      so it is advisable to make it external.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-6-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b6cfc3c2ac5a1025d8fe7d74421a73ec495408f9
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:16 2015 +0300

      apic_internal.h: fix formatting and drop unused consts

      Fix formatting of local apic definitions and drop unused constant
      APIC_INPUT_POLARITY, APIC_SEND_PENDING. Magic numbers in shifts are
      replaced with constants defined just above.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-5-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6519d187e301c5a14a8c9b32fb93027b04a4336d
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:15 2015 +0300

      apic_internal.h: added more constants

      These constants are needed for optimal access to
      bit fields local apic registers without magic numbers.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-4-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a22bf99c5852f369dc620be2c3c93535a5b69a58
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:14 2015 +0300

      apic_internal.h: rename ESR_ILLEGAL_ADDRESS to APIC_ESR_ILLEGAL_ADDRESS

      Added prefix APIC_ for determining the constant of a particular subsystem,
      improve the overall readability and match other constant names.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-3-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 82a5e042fafe3def60380c847fa194220069f888
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:13 2015 +0300

      apic_internal.h: make some apic_get_* functions externally visible

      Move apic_get_bit(), apic_set_bit() to apic_internal.h, make the 
apic_get_ppr
      symbol external. It's necessary to work with isr, tmr, irr and ppr outside
      hw/intc/apic.c

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-2-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2f5a3b1252ac238590cba83a38494e1103c32e4e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 30 10:21:00 2015 +0200

      ioapic: fix contents of arbitration register

      The arbitration register should read to the same value as the
      IOAPIC id register.  Fixes kvm-unit-tests ioapic.flat.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c5955a561ccdb95ede14e83de0ee8eec00868bd3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 30 10:19:24 2015 +0200

      ioapic: coalesce level interrupts

      If a level-triggered interrupt goes down and back up before the
      corresponding EOI, it should be coalesced.  This fixes one testcase
      in kvm-unit-tests' ioapic.flat.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f536f1124265026a0ab597773bd9df396fb59565
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:40:00 2015 +0200

      MAINTAINERS: add maintainer for network device front-ends

      Only "Odd Fixes" status, but let's add a point of contact.

      Cc: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 61af0ee61b551b64f9a59b7e08133e357cae4b64
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:40:00 2015 +0200

      MAINTAINERS: add maintainer for character device front-ends

      Only "Odd Fixes" status, but let's add a point of contact.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 28d54e58fd21e3176a2825c824a5921215835a3c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:37:27 2015 +0200

      MAINTAINERS: add IPack section

      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0c6aa7ee4026105a43bc36b93279ecb8e55cd843
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:37:07 2015 +0200

      MAINTAINERS: Add more s390 files

      Cc: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c17652ee4094ce4feb1daf2f064c45db0e58ed02
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:36:16 2015 +0200

      MAINTAINERS: Add disassemblers to the various backends

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dcc1a2fd95d9e3e786fd5c7c61466c2fccef1e31
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:35:49 2015 +0200

      MAINTAINERS: there is no PPC64 TCG backend anymore

      PPC32 and PPC64 were unified.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ba10f729f1f158333fcffe00f8656365a74cc662
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:54:32 2015 +0200

      get_maintainer.pl: \C is deprecated

      "Match a single C-language char (octet) even if that is part of a larger
      UTF-8 character.  Thus it breaks up characters into their UTF-8 bytes,
      so you may end up with malformed pieces of UTF-8."

      Just use a period instead.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 500887768a2428e480d13f6f0978f85d349bc312
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Sep 18 16:18:40 2015 +0200

      vhost-scsi: include linux/vhost.h

      Replace ad-hoc declarations with the linux header.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Message-Id: 
<1442585920-28373-1-git-send-email-marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 57f54629299de6ad2981a275049ace2c3c165173
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Sep 18 11:01:35 2015 +0100

      Makefile: fix build when VPATH is outside GIT tree

      Steve Ellcey / Leon Alrae reported that QEMU fails to build when
      the VPATH directory is outside of the GIT tree, and the system
      emulators & tools build is disabled. eg

         cd ..
         mkdir build
         cd build
         ../qemu/configure --disable-system --disable-tools
         make
         (...)
         make[1]: *** No rule to make target `../qom/object.o', needed by 
`qemu-aarch64'. Stop.
         make: *** [subdir-aarch64-linux-user] Error 2

      The problem is due to the fact that some sub directory deps
      were listed against SOFTMMU_SUBDIR_RULES instead of SUBDIR_RULES,
      so were only processed for system emulators, not user emalutors.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442570495-22029-1-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0eb2baeb449d27d6e6208a257dba6be1aad4d476
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 16 17:26:16 2015 +0200

      scsi-generic: let guests recognize readonly=on on passthrough devices

      Passed-through SCSI devices can be opened with the readonly=on option.
      When this happens, Linux filters away write commands so that the guest
      cannot overwrite the contents of the device.

      However, the guest does not know that the device is read-only, and
      accepts writes.  The writes only fail later when the page cache is
      flushed.

      This patch modifies scsi-generic to modify the MODE SENSE data and
      set the read-only bit in the device-specific parameters, so that
      the guest OS treats the disk as write protected.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5e43efb29ae877da131e6c1a4761cd7f4eec5a16
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 16 18:35:09 2015 +0200

      checkpatch: do not recommend qemu_strtok over strtok

      If anything it should recommend strtok_r!

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fe8545386726a2b1f8af409bcd5ea3d33218af54
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Sep 16 18:02:57 2015 +0200

      tests: add some qemu_strtosz() tests

      While reading the function I decided to write some tests.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Message-Id: <1442419377-9309-2-git-send-email-marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4677bb40f809394bef5fa07329dea855c0371697
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Sep 16 18:02:56 2015 +0200

      utils: rename strtosz to use qemu prefix

      Not only it makes sense, but it gets rid of checkpatch warning:
      WARNING: consider using qemu_strtosz in preference to strtosz

      Also remove get rid of tabs to please checkpatch.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Message-Id: <1442419377-9309-1-git-send-email-marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 48bec07e8de2782fea2ea293998044bef2ab676d
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 16 14:52:23 2015 +0100

      qemu-nbd: convert to use the QAPI SocketAddress object

      The qemu-nbd program currently uses a QemuOpts objects
      when setting up sockets. Switch it over to use the
      QAPI SocketAddress objects instead.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442411543-28513-3-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7a5ed43764c04866b7642c7b6afcfb67bd2d424f
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 16 14:52:22 2015 +0100

      nbd: convert to use the QAPI SocketAddress object

      The nbd block driver currently uses a QemuOpts object
      when setting up sockets. Switch it over to use the
      QAPI SocketAddress object instead.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442411543-28513-2-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f178bc6b68e6c65cda7354ec4a671860b3123f7a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:56:48 2015 +0200

      MAINTAINERS: add more devices to the PCI section

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9cc3b73cd8a88e16756f5d14fa87e156a4ce1e8d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:56:47 2015 +0200

      MAINTAINERS: add more devices to the PC section

      For chipset devices, I can co-maintain it with Michael.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8a47d575dfac0f6675e2ac56c5921cc520d021a6
  Merge: 9438fe9 4d9310f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 24 22:09:41 2015 +0100

      Merge remote-tracking branch 'remotes/weil/tags/pull-wxx-20150924' into 
staging

      wxx patch queue

      # gpg: Signature made Thu 24 Sep 2015 20:24:50 BST using RSA key ID 
677450AD
      # gpg: Good signature from "Stefan Weil <sw@xxxxxxxxxxx>"
      # gpg:                 aka "Stefan Weil <stefan.weil@xxxxxxxxxxx>"
      # gpg:                 aka "Stefan Weil <stefan.weil@xxxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 4923 6FEA 75C9 5D69 8EC2  B78A E08C 21D5 6774 
50AD

      * remotes/weil/tags/pull-wxx-20150924:
        oslib-win32: only provide localtime_r/gmtime_r if missing
        gtk: avoid redefining _WIN32_WINNT macro
        qemu-thread: add a fast path to the Win32 QemuEvent
        slirp: Fix non blocking connect for w32
        nsis: Add QEMU version information to Windows registry

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4d9310f427b477a126f6f2006c3a73b9764948b6
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Sep 22 15:13:26 2015 +0100

      oslib-win32: only provide localtime_r/gmtime_r if missing

      The oslib-win32 file currently provides a localtime_r and
      gmtime_r replacement unconditionally. Some versions of
      Mingw-w64 would provide crude macros for localtime_r/gmtime_r
      which QEMU takes care to disable. Latest versions of Mingw-w64
      now provide actual functions for localtime_r/gmtime_r, but
      with a twist that you have to include unistd.h or pthread.h
      before including time.h.  By luck some files in QEMU have
      such an include order, resulting in compile errors:

        CC    util/osdep.o
      In file included from include/qemu-common.h:48:0,
                       from util/osdep.c:48:
      include/sysemu/os-win32.h:77:12: error: redundant redeclaration of 
'gmtime_r' [-Werror=redundant-decls]
       struct tm *gmtime_r(const time_t *timep, struct tm *result);
                  ^
      In file included from include/qemu-common.h:35:0,
                       from util/osdep.c:48:
      /usr/i686-w64-mingw32/sys-root/mingw/include/time.h:272:107: note: 
previous definition of 'gmtime_r' was here
      In file included from include/qemu-common.h:48:0,
                       from util/osdep.c:48:
      include/sysemu/os-win32.h:79:12: error: redundant redeclaration of 
'localtime_r' [-Werror=redundant-decls]
       struct tm *localtime_r(const time_t *timep, struct tm *result);
                  ^
      In file included from include/qemu-common.h:35:0,
                       from util/osdep.c:48:
      /usr/i686-w64-mingw32/sys-root/mingw/include/time.h:269:107: note: 
previous definition of 'localtime_r' was here

      This change adds a configure test to see if localtime_r
      exits, and only enables the QEMU impl if missing. We also
      re-arrange qemu-common.h try attempt to guarantee that all
      source files get unistd.h before time.h and thus see the
      localtime_r/gmtime_r defs.

      [sw: Use "official" spellings for Mingw-w64, MinGW in comments.]
      [sw: Terminate sentences with a dot in comments.]

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>

  commit c8f3f17cf1015d6621f79aa6a88280539621a108
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Sep 8 11:34:35 2015 +0100

      gtk: avoid redefining _WIN32_WINNT macro

      When building for Mingw64 target on Fedora 22 a warning
      is issued about _WIN32_WINNT being redefined.

      In file included from ui/gtk.c:40:0:
      include/ui/gtk.h:5:0: warning: "_WIN32_WINNT" redefined
       # define _WIN32_WINNT 0x0601 /* needed to get definition of 
MAPVK_VK_TO_VSC */
        ^
      In file included from 
/usr/i686-w64-mingw32/sys-root/mingw/include/crtdefs.h:10:0,
                       from 
/usr/i686-w64-mingw32/sys-root/mingw/include/stdio.h:9,
                       from 
/home/berrange/src/virt/qemu/include/qemu/fprintf-fn.h:12,
                       from 
/home/berrange/src/virt/qemu/include/qemu-common.h:18,
                       from ui/gtk.c:37:
      /usr/i686-w64-mingw32/sys-root/mingw/include/_mingw.h:225:0: note: this 
is the location of the previous definition
       #define _WIN32_WINNT 0x502
       ^

      Rather than try to get MAPVK_VK_TO_VSC defined indirectly
      by defining _WIN32_WINNT, instead just define it explicitly
      if missing.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7c9b2bf67775ecc1359ce973580807d173e7f710
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Aug 12 15:38:18 2015 +0200

      qemu-thread: add a fast path to the Win32 QemuEvent

      QemuEvents are used heavily by call_rcu.  We do not want them to be slow,
      but the current implementation does a kernel call on every invocation
      of qemu_event_* and won't cut it.

      So, wrap a Win32 manual-reset event with a fast userspace path.  The
      states and transitions are the same as for the futex and mutex/condvar
      implementations, but the slow path is different of course.  The idea
      is to reset the Win32 event lazily, as part of a test-reset-test-wait
      sequence.  Such a sequence is, indeed, how QemuEvents are used by
      RCU and other subsystems!

      The patch includes a formal model of the algorithm.

      Tested-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>

  commit a246a01631f90230374c2b8ffce608232e2aa654
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Thu Jul 30 23:08:12 2015 +0200

      slirp: Fix non blocking connect for w32

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>

  commit 805d8a67647768173c27761cd86e6f99a9d3b7cd
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sun May 3 19:57:09 2015 +0200

      nsis: Add QEMU version information to Windows registry

      The uninstall keys include an option key "DisplayVersion" which we set
      now. By default the version value is read from file VERSION, but it is
      also possible to pass VERSION=#.#.# to make.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>

  commit 9438fe9e56760e5e5e11d6c7d12ed9c64a0c8446
  Merge: eb9d0ea 7b02f54
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 24 17:04:31 2015 +0100

      Merge remote-tracking branch 'remotes/elmarco/tags/rm-libcacard' into 
staging

      Remove libcacard

      # gpg: Signature made Wed 23 Sep 2015 22:37:11 BST using RSA key ID 
75969CE5
      # gpg: Good signature from "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxxx>"
      # gpg:                 aka "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 
9CE5

      * remotes/elmarco/tags/rm-libcacard:
        libcacard: use the standalone project

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7263a0ad7899994b719ebed736a1119cc2e08110
  Author: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
  Date:   Wed Sep 23 12:20:01 2015 +0800

      vhost-user: add a new message to disable/enable a specific virt queue.

      Add a new message, VHOST_USER_SET_VRING_ENABLE, to enable or disable
      a specific virt queue, which is similar to attach/detach queue for
      tap device.

      virtio driver on guest doesn't have to use max virt queue pair, it
      could enable any number of virt queue ranging from 1 to max virt
      queue pair.

      Signed-off-by: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit b931bfbf042983f311b3b09894d8030b2755a638
  Author: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
  Date:   Wed Sep 23 12:20:00 2015 +0800

      vhost-user: add multiple queue support

      This patch is initially based a patch from Nikolay Nikolaev.

      This patch adds vhost-user multiple queue support, by creating a nc
      and vhost_net pair for each queue.

      Qemu exits if find that the backend can't support the number of requested
      queues (by providing queues=# option). The max number is queried by a
      new message, VHOST_USER_GET_QUEUE_NUM, and is sent only when protocol
      feature VHOST_USER_PROTOCOL_F_MQ is present first.

      The max queue check is done at vhost-user initiation stage. We initiate
      one queue first, which, in the meantime, also gets the max_queues the
      backend supports.

      In older version, it was reported that some messages are sent more times
      than necessary. Here we came an agreement with Michael that we could
      categorize vhost user messages to 2 types: non-vring specific messages,
      which should be sent only once, and vring specific messages, which should
      be sent per queue.

      Here I introduced a helper function vhost_user_one_time_request(), which
      lists following messages as non-vring specific messages:

              VHOST_USER_SET_OWNER
              VHOST_USER_RESET_DEVICE
              VHOST_USER_SET_MEM_TABLE
              VHOST_USER_GET_QUEUE_NUM

      For above messages, we simply ignore them when they are not sent the first
      time.

      Signed-off-by: Nikolay Nikolaev <n.nikolaev@xxxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit fc57fd9900dc6344b8833e7641f63cddc6840301
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 12:19:59 2015 +0800

      vhost: introduce vhost_backend_get_vq_index method

      Minusing the idx with the base(dev->vq_index) for vhost-kernel, and
      then adding it back for vhost-user doesn't seem right. Here introduces
      a new method vhost_backend_get_vq_index() for getting the right vq
      index for following vhost messages calls.

      Suggested-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit e2051e9e004649b53af4db34f78c689fb44e075b
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 12:19:58 2015 +0800

      vhost-user: add VHOST_USER_GET_QUEUE_NUM message

      This is for querying how many queues the backend supports if it has mq
      support(when VHOST_USER_PROTOCOL_F_MQ flag is set from the quried
      protocol features).

      vhost_net_get_max_queues() is the interface to export that value, and
      to tell if the backend supports # of queues user requested, which is
      done in the following patch.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit d1f8b30ec8dde0318fd1b98d24a64926feae9625
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 12:19:57 2015 +0800

      vhost: rename VHOST_RESET_OWNER to VHOST_RESET_DEVICE

      Quote from Michael:

          We really should rename VHOST_RESET_OWNER to VHOST_RESET_DEVICE.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit dcb10c000cdd4d14f5ac4f07b04fb666494ef4a8
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Sep 23 12:19:56 2015 +0800

      vhost-user: add protocol feature negotiation

      Support a separate bitmask for vhost-user protocol features,
      and messages to get/set protocol features.

      Invoke them at init.

      No features are defined yet.

      [ leverage vhost_user_call for request handling -- Yuanhan Liu ]

      Signed-off-by: Michael S. Tsirkin <address@hidden>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit 7305483a3d113456681ba6c6e8dd41513decd5f6
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 12:19:55 2015 +0800

      vhost-user: use VHOST_USER_XXX macro for switch statement

      So that we could let vhost_user_call to handle extented requests,
      such as VHOST_USER_GET/SET_PROTOCOL_FEATURES, instead of invoking
      vhost_user_read/write and constructing the msg again by ourself.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit 542571d523268357fd8f5b1a523ba2a6191c4c18
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Sep 11 15:16:44 2015 +0200

      virtio-ccw: enable virtio-1

      Let's enable revision 1 for virtio-ccw devices. We can always offer
      VERSION_1 as drivers in legacy mode won't be able to see it anyway.

      We have to introduce a way to set a lower maximum revision for a device
      to accommodate the following cases:
      - compat machines (to enforce legacy only)
      - virtio-blk with scsi support (version 1 + scsi is fenced by common
        code, with a user-configured max revision of 0 we can allow scsi
        via not offering VERSION_1)

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b4f8f9df152fca0e79b7a3ca40a3eea700a40855
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Sep 11 15:16:43 2015 +0200

      virtio-ccw: feature bits > 31 handling

      We currently switch off the VERSION_1 feature bit if the guest has
      not negotiated at least revision 1. As no feature bits beyond 31 are
      valid however unless VERSION_1 has been negotiated, make sure that
      legacy guests never see a feature bit beyond 31.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 79cd0c80f82215a32890e3d30ff621b32ece5156
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Sep 11 15:16:42 2015 +0200

      virtio-ccw: support ring size changes

      Wire up changing the ring size for virtio-1 devices.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 46c5d0823d0186daf4064065bf739858dadfcf8c
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Sep 11 15:16:41 2015 +0200

      virtio: ring sizes vs. reset

      We allow guests to change the size of the virtqueue rings by supplying
      a number of buffers that is different from the number of buffers the
      device was initialized with. Current code has some problems, however,
      since reset does not reset the ringsizes to the default values (as this
      is not saved anywhere).

      Let's extend the core code to keep track of the default ringsizes and
      migrate them once the guest changed them for any of the virtqueues
      for a device.

      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 87e896abe6d926caba19a9b8a83936fca2137f05
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 11 17:14:25 2015 -0300

      pc: Introduce pc-*-2.5 machine classes

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 254bdb1cbfd467ff9897c75a28a472e4381ce4cf
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 11 17:14:24 2015 -0300

      q35: Move options common to all classes to pc_i440fx_machine_options()

      The existing default_machine_opts and default_display settings will
      still apply to future machine classes. So it makes sense to move them to
      pc_i440fx_machine_options() instead of keeping them in a
      version-specific machine_options function.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0b7783a79ef73a06f3a67b68e72d109afe975b77
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 11 17:14:23 2015 -0300

      q35: Move options common to all classes to pc_q35_machine_options()

      The existing default_machine_opts, default_display, no_floppy, and
      no_tco settings will still apply to future machine classes. So it makes
      sense to move them to pc_q35_machine_options() instead of keeping them
      in a version-specific machine_options function.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1f8828ef573c83365b4a87a776daf8bcef1caa21
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Sep 11 16:01:56 2015 +0800

      virtio-net: unbreak self announcement and guest offloads after migration

      After commit 019a3edbb25f1571e876f8af1ce4c55412939e5d ("virtio: make
      features 64bit wide"). Device's guest_features was actually set after
      vdc->load(). This breaks the assumption that device specific load()
      function can check guest_features. For virtio-net, self announcement
      and guest offloads won't work after migration.

      Fixing this by defer them to virtio_net_load() where guest_features
      were guaranteed to be set. Other virtio devices looks fine.

      Fixes: 019a3edbb25f1571e876f8af1ce4c55412939e5d
             ("virtio: make features 64bit wide")
      Cc: qemu-stable@xxxxxxxxxx
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 50764fc8a382dc17ccc06c0ba29184d0fd73016e
  Author: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 10 13:37:10 2015 +0200

      virtio: right size for virtio_queue_get_avail_size

      Being working on dataplane I notice something strange:

      virtio_queue_get_avail_size() used a 64bit size index
      for the calculation of the available ring size.

      It is quite strange but it did work with the old calculation
      of the avail ring, at most with performance penalty,
      and I wonder where I missed something.

      This patch let use a 16bit size as defined in virtio_ring.h

      Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9d146b2e2fbc1c2e42be1e3ee6c0d507ea79f0f9
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 21:27:17 2015 -0600

      vfio/pci: Remove use of g_malloc0_n() from quirks

      For compatibility with glib 2.22.

      Reported-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit eb9d0ea063fc7bdfab76b84085602a9e48d13ec7
  Merge: fefa4b1 85b4d5d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 24 01:32:11 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150924' into staging

      target-arm queue:
       * support VGICv3 in KVM
       * fix bug in ACPI table entries for flash devices in virt board
       * update Allwinner entry in MAINTAINERS

      # gpg: Signature made Thu 24 Sep 2015 01:29:55 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150924:
        MAINTAINERS: update Allwinner A10 maintainer
        hw/arm/virt-acpi-build: Fix wrong size of flash in ACPI table
        hw/arm/virt: Add gic-version option to virt machine
        hw/intc: Initial implementation of vGICv3
        arm_kvm: Do not assume particular GIC type in kvm_arch_irqchip_create()
        intc/gic: Extract some reusable vGIC code
        hw/intc: Implement GIC-500 base class

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 85b4d5dae12580ecdd446c0f71afa04a95641c91
  Author: Beniamino Galvani <b.galvani@xxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      MAINTAINERS: update Allwinner A10 maintainer

      Change the maintainer for Allwinner A10 to myself as Li Guang's mail
      address bounces. While at it, extend the file pattern for the entry to
      include allwinner_emac.[ch].

      Signed-off-by: Beniamino Galvani <b.galvani@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 1442865156-5598-1-git-send-email-b.galvani@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cd37aaf876717a75d7af3a7465e8706cc4e13661
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      hw/arm/virt-acpi-build: Fix wrong size of flash in ACPI table

      While virt machine creates two flash devices with total size 0x08000000,
      the ACPI table generation code was wrongly using this total size as the
      size of each flash device, so it would overlap other MMIO spaces.
      Make each device entry in the table half the total; this brings the
      ACPI table into line with the code which generates the device tree
      and which creates the flash devices themselves.

      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Andrew Jones <drjones@xxxxxxxxxx>
      Reviewed-by: Wei Huang <wei@xxxxxxxxxx>
      Tested-by: Graeme Gregory <graeme.gregory@xxxxxxxxxx>
      Message-id: 1442455041-6596-1-git-send-email-shannon.zhao@xxxxxxxxxx
      [PMM: edited commit message]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b92ad3949bc9cacd1652b4e07e7f6003b9e512af
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      hw/arm/virt: Add gic-version option to virt machine

      Add gic_version to VirtMachineState, set it to value of the option
      and pass it around where necessary. Instantiate devices and fdt
      nodes according to the choice.

      max_cpus for virt machine increased to 123 (calculated from redistributor
      space available in the memory map). GICv2 compatibility check happens
      inside arm_gic_common_realize().

      ITS region is added to the memory map too, however currently it not used,
      just reserved.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      [PMM: Added missing cpu_to_le* calls, thanks to Shannon Zhao]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a7bf30342e6a7924132a5c70047928261d3c7e42
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      hw/intc: Initial implementation of vGICv3

      This is the initial version of KVM-accelerated GICv3 support.
      State load and save are not yet supported, live migration is
      not possible.

      In order to get correct class name in a simpler way, gicv3_class_name()
      function is implemented, similar to gic_class_name().

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      Message-id: 
69d8f01d14994d7a1a140e96aef59fd332d02293.1441784344.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 34e85cd9173816cd48f5578c7838c26afbe592c4
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      arm_kvm: Do not assume particular GIC type in kvm_arch_irqchip_create()

      This allows us to use different GIC types from v2. There are no kernels
      which could advertise KVM_CAP_DEVICE_CTRL without the actual ability to
      create GIC with it.

      GIC version probe code moved to kvm_arm_vgic_probe() which will be used
      later.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
015f4d9e4a8a50dfbdd734c4730558e24a69c6dc.1441784344.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b3cfe72d9b9c53be31a88e7eebdda14f1757d3e
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Sep 24 01:29:36 2015 +0100

      intc/gic: Extract some reusable vGIC code

      Some functions previously used only by vGICv2 are useful also for vGICv3
      implementation. Untie them from GICState and make accessible from within
      other modules:
      - kvm_arm_gic_set_irq()
      - kvm_gic_supports_attr() - moved to common code and renamed to
        kvm_device_check_attr()
      - kvm_gic_access() - turned into GIC-independent kvm_device_access().
        Data pointer changed to void * because some GICv3 registers are
        64-bit wide

      Some of these changes are not used right now, but they will be helpful for
      implementing live migration.

      Actually kvm_dist_get() and kvm_dist_put() could also be made reusable, 
but
      they would require two extra parameters (s->dev_fd and s->num_cpu) as 
well as
      lots of typecasts of 's' to DeviceState * and back to GICState *. This 
makes
      the code very ugly so i decided to stop at this point. I tried also an
      approach with making a base class for all possible GICs, but it would 
contain
      only three variables (dev_fd, cpu_num and irq_num), and accessing them 
through
      the rest of the code would be again tedious (either ugly casts or 
qemu-style
      separate object pointer). So i disliked it too.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
2ef56d1dd64ffb75ed02a10dcdaf605e5b8ff4f8.1441784344.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff8f06ee7680fb505079d33caaf8f5ebff0853bc
  Author: Shlomo Pongratz <shlomo.pongratz@xxxxxxxxxx>
  Date:   Thu Sep 24 01:29:36 2015 +0100

      hw/intc: Implement GIC-500 base class

      This class is to be used by both software and KVM implementations of GICv3

      Currently it is mostly a placeholder, but in future it is supposed to hold
      qemu's representation of GICv3 state, which is necessary for migration.

      The interface of this class is fully compatible with GICv2 one. This is
      done in order to simplify integration with existing code.

      Signed-off-by: Shlomo Pongratz <shlomo.pongratz@xxxxxxxxxx>
      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
aff8baaee493cdcab0694b4a1d4dd5ff27c37ed2.1441784344.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7b02f5447c64d1854468f758398c9f6fe9e5721f
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Sun Aug 30 11:48:40 2015 +0200

      libcacard: use the standalone project

      libcacard is now a standalone project hosted with the Spice project (see
      the 2.5.0 release announcement), remove it from qemu tree.

      Use the library if found during configure or if --enable-smartcard.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Tested-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fefa4b128de06cec6d513f00ee61e8208aed4a87
  Merge: 684bb57 89dcccc
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Sep 23 21:39:46 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150923.0' into staging

      VFIO updates 2015-09-23

       - Tracing improvements to use common prefixes for functional areas
       - Quirks overhaul:
         - Split PCI quirks to separate file
         - Make them understandable and more extensible
         - Improve use of MemoryRegions and eliminate use of target pagesize
       - Eliminate build-time debugging, everything migrated to runtime opts

      # gpg: Signature made Wed 23 Sep 2015 21:09:05 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150923.0:
        vfio/pci: Add emulated PCI IDs
        vfio/pci: Cache vendor and device ID
        vfio/pci: Move AMD device specific reset to quirks
        vfio/pci: Remove old config window and mirror quirks
        vfio/pci: Config mirror quirk
        vfio/pci: Config window quirks
        vfio/pci: Rework RTL8168 quirk
        vfio/pci: Cleanup Nvidia 0x3d0 quirk
        vfio/pci: Cleanup ATI 0x3c3 quirk
        vfio/pci: Foundation for new quirk structure
        vfio/pci: Cleanup ROM blacklist quirk
        vfio/pci: Split quirks to a separate file
        vfio/pci: Extract PCI structures to a separate header
        vfio: Change polarity of our no-mmap option
        vfio/pci: Make interrupt bypass runtime configurable
        vfio/pci: Rename MSI/X functions for easier tracing
        vfio/pci: Rename INTx functions for easier tracing
        vfio/pci: Cleanup vfio_early_setup_msix() error path
        vfio/pci: Cleanup RTL8168 quirk and tracing

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 89dcccc5931cc8afc2ccc7cd378695165768148b
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:49 2015 -0600

      vfio/pci: Add emulated PCI IDs

      Specifying an emulated PCI vendor/device ID can be useful for testing
      various quirk paths, even though the behavior and functionality of
      the device with bogus IDs is fully unsupportable.  We need to use a
      uint32_t for the vendor/device IDs, even though the registers
      themselves are only 16-bit in order to be able to determine whether
      the value is valid and user set.

      The same support is added for subsystem vendor/device ID, though these
      have the possibility of being useful and supported for more than a
      testing tool.  An emulated platform might want to impose their own
      subsystem IDs or at least hide the physical subsystem ID.  Windows
      guests will often reinstall drivers due to a change in subsystem IDs,
      something that VM users may want to avoid.  Of course careful
      attention would be required to ensure that guest drivers do not rely
      on the subsystem ID as a basis for device driver quirks.

      All of these options are added using the standard experimental option
      prefix and should not be considered stable.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ff635e3775447b7e797f1bad8cf33403199faba1
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:49 2015 -0600

      vfio/pci: Cache vendor and device ID

      Simplify access to commonly referenced PCI vendor and device ID by
      caching it on the VFIOPCIDevice struct.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit c9c5000991148383d628aac59f1593937be572e4
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:49 2015 -0600

      vfio/pci: Move AMD device specific reset to quirks

      This is just another quirk, for reset rather than affecting memory
      regions.  Move it to our new quirks file.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 958d553405462e95b9d15e8ca6cfb602f7815277
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:48 2015 -0600

      vfio/pci: Remove old config window and mirror quirks

      These are now unused.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0d38fb1c5f921acc050d5f80a2ff4e627b565494
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:48 2015 -0600

      vfio/pci: Config mirror quirk

      Re-implement our mirror quirk using the new infrastructure.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0e54f24a5b4bb756715928058b60a7d5f70ccd7f
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:48 2015 -0600

      vfio/pci: Config window quirks

      Config windows make use of an address register and a data register.
      In VGA cards, these are often used to provide real mode code in the
      BIOS an easy way to access MMIO registers since the window often
      resides in an I/O port register.  When the MMIO register has a mirror
      of PCI config space, we need to trap those accesses and redirect them
      to emulated config space.

      The previous version of this functionality made use of a single
      MemoryRegion and single match address.  This version uses separate
      MemoryRegions for each of the address and data registers and allows
      for multiple match addresses.  This is useful for Nvidia cards which
      have two ranges which index into PCI config space.

      The previous implementation is left for the follow-on patch for a more
      reviewable diff.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 954258a5f11b51abd1ceed7c96d1204d4cef1353
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:47 2015 -0600

      vfio/pci: Rework RTL8168 quirk

      Another rework of this quirk, this time to update to the new quirk
      structure.  We can handle the address and data registers with
      separate MemoryRegions and a quirk specific data structure, making the
      code much more understandable.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 6029a424be37e0d7949546af7593b9b604611480
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:47 2015 -0600

      vfio/pci: Cleanup Nvidia 0x3d0 quirk

      The Nvidia 0x3d0 quirk makes use of a two separate registers and gives
      us our first chance to make use of separate memory regions for each to
      simplify the code a bit.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit b946d286114e09a81c303c7ec8ec3f7b33dff9e8
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:47 2015 -0600

      vfio/pci: Cleanup ATI 0x3c3 quirk

      This is an easy quirk that really doesn't need a data structure if
      its own.  We can pass vdev as the opaque data and access to the
      MemoryRegion isn't required.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 8c4f234853d9d438dc1733ca98674b1139a87c99
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:46 2015 -0600

      vfio/pci: Foundation for new quirk structure

      VFIOQuirk hosts a single memory region and a fixed set of data fields
      that try to handle all the quirk cases, but end up making those that
      don't exactly match really confusing.  This patch introduces a struct
      intended to provide more flexibility and simpler code.  VFIOQuirk is
      stripped to its basics, an opaque data pointer for quirk specific
      data and a pointer to an array of MemoryRegions with a counter.  This
      still allows us to have common teardown routines, but adds much
      greater flexibility to support multiple memory regions and quirk
      specific data structures that are easier to maintain.  The existing
      VFIOQuirk is transformed into VFIOLegacyQuirk, which further patches
      will eliminate entirely.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 056dfcb695cde3c62b7dc1d5ed6d2e38b3a73e29
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:45 2015 -0600

      vfio/pci: Cleanup ROM blacklist quirk

      Create a vendor:device ID helper that we'll also use as we rework the
      rest of the quirks.  Re-reading the config entries, even if we get
      more blacklist entries, is trivial overhead and only incurred during
      device setup.  There's no need to typedef the blacklist structure,
      it's a static private data type used once.  The elements get bumped
      up to uint32_t to avoid future maintenance issues if PCI_ANY_ID gets
      used for a blacklist entry (avoiding an actual hardware match).  Our
      test loop is also crying out to be simplified as a for loop.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit c00d61d8fa22b096b15e19ee2fde846ffc1c0b5d
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:45 2015 -0600

      vfio/pci: Split quirks to a separate file

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 78f33d2bfd26ec552d9e824bcc1dbb8e2736ce34
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:44 2015 -0600

      vfio/pci: Extract PCI structures to a separate header

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 5e15d79b8681c7f4e2079833288785708e7520d3
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:44 2015 -0600

      vfio: Change polarity of our no-mmap option

      The default should be to allow mmap and new drivers shouldn't need to
      expose an option or set it to other than the allocation default in
      their initfn.  Take advantage of the experimental flag to change this
      option to the correct polarity.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 46746dbaa8c2c421b9bda78193caad57d7fb1136
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:44 2015 -0600

      vfio/pci: Make interrupt bypass runtime configurable

      Tracing is more effective when we can completely disable all KVM
      bypass paths.  Make these runtime rather than build-time configurable.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0de70dc7bab1cd58d02e86ed27e291843983b13b
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:43 2015 -0600

      vfio/pci: Rename MSI/X functions for easier tracing

      This allows vfio_msi* tracing.  The MSI/X interrupt tracing is also
      pulled out of #ifdef DEBUG_VFIO to avoid a recompile for tracing this
      path.  A few cycles to read the message is hardly anything if we're
      already in QEMU.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 870cb6f104e5d3364288d894746dd88fe9ac59cb
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:43 2015 -0600

      vfio/pci: Rename INTx functions for easier tracing

      Rename functions and tracing callbacks so that we can trace vfio_intx*
      to see all the INTx related activities.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit b5bd049fa907bccc4600ad1855e1c9c0e62f0be3
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:43 2015 -0600

      vfio/pci: Cleanup vfio_early_setup_msix() error path

      With the addition of the Chelsio quirk we have an error path out of
      vfio_early_setup_msix() that doesn't free the allocated VFIOMSIXInfo
      struct.  This doesn't introduce a leak as it still gets freed in the
      vfio_put_device() path, but it's complicated and sloppy to rely on
      that.  Restructure to free the allocated data on error and only link
      it into the vdev on success.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit d451008e0fdf7fb817c791397e7999d5f3687e58
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:42 2015 -0600

      vfio/pci: Cleanup RTL8168 quirk and tracing

      There's quite a bit of cleanup that can be done to the RTL8168 quirk,
      as well as the tracing to prevent a spew of uninteresting accesses
      for anything else the driver might choose to use the window registers
      for besides the MSI-X table.  There should be no functional change,
      but it's now possible to get compact and useful traces by enabling
      vfio_rtl8168_quirk*, ex:

      vfio_rtl8168_quirk_write 0000:04:00.0 [address]: 0x1f000
      vfio_rtl8168_quirk_read 0000:04:00.0 [address]: 0x8001f000
      vfio_rtl8168_quirk_read 0000:04:00.0 [data]: 0xfee0100c
      vfio_rtl8168_quirk_write 0000:04:00.0 [address]: 0x1f004
      vfio_rtl8168_quirk_read 0000:04:00.0 [address]: 0x8001f004
      vfio_rtl8168_quirk_read 0000:04:00.0 [data]: 0x0
      vfio_rtl8168_quirk_write 0000:04:00.0 [address]: 0x1f008
      vfio_rtl8168_quirk_read 0000:04:00.0 [address]: 0x8001f008
      vfio_rtl8168_quirk_read 0000:04:00.0 [data]: 0x49b1
      vfio_rtl8168_quirk_write 0000:04:00.0 [address]: 0x1f00c
      vfio_rtl8168_quirk_read 0000:04:00.0 [address]: 0x8001f00c
      vfio_rtl8168_quirk_read 0000:04:00.0 [data]: 0x0

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 684bb5770ec5d72a66620f64fc5d9672bf8d3509
  Merge: 27c7275 d76548a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Sep 23 16:52:54 2015 +0100

      Merge remote-tracking branch 'remotes/dgibson/tags/spapr-next-20150923' 
into staging

      sPAPR Patch Queue: 2015-09-23

      Highlights:
          * pseries-2.5 machine type
          * Memory hotplug for "pseries" guests
          * Fixes to the PAPR Dynamic Reconfiguration hotplug code
          * Several PAPR compliance fixes
          * New SLOF with:
              * GPT support
              * Much faster VGA handling

      # gpg: Signature made Wed 23 Sep 2015 02:50:10 BST using DSA key ID 
FDDA6FC6
      # gpg: Good signature from "David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: F730 2185 38B4 D13E FD80  34F2 6882 CAC6 FDDA 
6FC6

      * remotes/dgibson/tags/spapr-next-20150923: (36 commits)
        sPAPR: Enable EEH on VFIO PCI device only
        sPAPR: Revert don't enable EEH on emulated PCI devices
        ppc/spapr: Implement H_RANDOM hypercall in QEMU
        ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
        spapr: Fix default NUMA node allocation for threads
        spapr: Move memory hotplug to RTAS_LOG_V6_HP_ID_DRC_COUNT type
        spapr: Support hotplug by specifying DRC count
        spapr: Revert to memory@XXXX representation for non-hotplugged memory
        spapr: Populate ibm,associativity-lookup-arrays correctly for non-NUMA
        spapr: Provide better error message when slots exceed max allowed
        spapr: Don't allow memory hotplug to memory less nodes
        spapr: Memory hotplug support
        spapr: Make hash table size a factor of maxram_size
        spapr: Support ibm,dynamic-reconfiguration-memory
        spapr: Add LMB DR connectors
        spapr: Use QEMU limit for maximum CPUs number
        spapr: Don't use QOM [*] syntax for DR connectors.
        spapr_drc: use RTAS return codes for methods called by RTAS
        spapr: Initialize hotplug memory address space
        spapr_drc: don't allow 'empty' DRCs to be unisolated or allocated
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d76548a98f4e18d3c65a3d921bbb70caf9be6138
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Sep 18 17:30:44 2015 +1000

      sPAPR: Enable EEH on VFIO PCI device only

      This checks if the PCI device retrieved from the PCI device address
      is VFIO PCI device when enabling EEH functionality. If it's not
      VFIO PCI device, the EEH functonality isn't enabled.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 47445c80fb57035331574ac1ac0bcee67fb84aeb
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Sep 18 17:30:43 2015 +1000

      sPAPR: Revert don't enable EEH on emulated PCI devices

      This reverts commit 7cb18007 ("sPAPR: Don't enable EEH on emulated
      PCI devices") as rtas_ibm_set_eeh_option() isn't the right place
      to check if there has the corresponding PCI device for the input
      address, which can be PE address, not PCI device address.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 4d9392be6c1aada69ce86c0f6584128976985394
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Sep 17 10:49:41 2015 +0200

      ppc/spapr: Implement H_RANDOM hypercall in QEMU

      The PAPR interface defines a hypercall to pass high-quality
      hardware generated random numbers to guests. Recent kernels can
      already provide this hypercall to the guest if the right hardware
      random number generator is available. But in case the user wants
      to use another source like EGD, or QEMU is running with an older
      kernel, we should also have this call in QEMU, so that guests that
      do not support virtio-rng yet can get good random numbers, too.

      This patch now adds a new pseudo-device to QEMU that either
      directly provides this hypercall to the guest or is able to
      enable the in-kernel hypercall if available. The in-kernel
      hypercall can be enabled with the use-kvm property, e.g.:

       qemu-system-ppc64 -device spapr-rng,use-kvm=true

      For handling the hypercall in QEMU instead, a "RngBackend" is
      required since the hypercall should provide "good" random data
      instead of pseudo-random (like from a "simple" library function
      like rand() or g_random_int()). Since there are multiple RngBackends
      available, the user must select an appropriate back-end via the
      "rng" property of the device, e.g.:

       qemu-system-ppc64 -object rng-random,filename=/dev/hwrng,id=gid0 \
                         -device spapr-rng,rng=gid0 ...

      See http://wiki.qemu-project.org/Features-Done/VirtIORNG for
      other example of specifying RngBackends.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ef001f069e0f175a036929782c5c63053df9569a
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Sep 15 21:34:20 2015 +0200

      ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()

      The buffer that is allocated in spapr_populate_drconf_memory()
      is used for setting both, the "ibm,dynamic-memory" and the
      "ibm,associativity-lookup-arrays" property. However, only the
      size of the first one is taken into account when allocating the
      memory. So if the length of the second property is larger than
      the length of the first one, we run into a buffer overflow here!
      Fix it by taking the length of the second property into account,
      too.

      Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 20bb648dca6d7fe8cdd1941194e7851950b25dc5
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 11:21:52 2015 +1000

      spapr: Fix default NUMA node allocation for threads

      At present, if guest numa nodes are requested, but the cpus in each node
      are not specified, spapr just uses the default behaviour or assigning each
      vcpu round-robin to nodes.

      If smp_threads != 1, that will assign adjacent threads in a core to
      different NUMA nodes.  As well as being just weird, that's a configuration
      that can't be represented in the device tree we give to the guest, which
      means the guest and qemu end up with different ideas of the NUMA topology.

      This patch implements mc->cpu_index_to_socket_id in the spapr code to
      make sure vcpus get assigned to nodes only at the socket granularity.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Alexey Kardashevskiy <aik@xxxxxxxxx>

  commit 0a4178692c2375a4516da7b71629bd08ee8697ee
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:43 2015 +0530

      spapr: Move memory hotplug to RTAS_LOG_V6_HP_ID_DRC_COUNT type

      Till now memory hotplug used RTAS_LOG_V6_HP_ID_DRC_INDEX hotplug type
      which meant that we generated one hotplug type of EPOW event for every
      256MB (SPAPR_MEMORY_BLOCK_SIZE). This quickly overruns the kernel
      rtas log buffer thus resulting in loss of memory hotplug events. Switch
      to RTAS_LOG_V6_HP_ID_DRC_COUNT hotplug type for memory so that we
      generate only one event per hotplug request.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 7a36ae7a9f4f136d40fe1da4aab66b364d4aa56d
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:42 2015 +0530

      spapr: Support hotplug by specifying DRC count

      Support hotplug identifier type RTAS_LOG_V6_HP_ID_DRC_COUNT that allows
      hotplugging of DRCs by specifying the DRC count.

      While we are here, rename

      spapr_hotplug_req_add_event() to spapr_hotplug_req_add_by_index()
      spapr_hotplug_req_remove_event() to spapr_hotplug_req_remove_by_index()

      so that they match with spapr_hotplug_req_add_by_count().

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit e8f986fc57a664a74b9f685b466506366a15201b
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:41 2015 +0530

      spapr: Revert to memory@XXXX representation for non-hotplugged memory

      Don't represent non-hotluggable memory under drconf node. With this
      we don't have to create DRC objects for them.

      The effect of this patch is that we revert back to memory@XXXX 
representation
      for all the memory specified with -m option and represent the cold
      plugged memory and hot-pluggable memory under
      ibm,dynamic-reconfiguration-memory.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 6663864e950d40c467ae4ab81c4dac64d7a8d9e6
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:40 2015 +0530

      spapr: Populate ibm,associativity-lookup-arrays correctly for non-NUMA

      When NUMA isn't configured explicitly, assume node 0 is present for
      the purpose of creating ibm,associativity-lookup-arrays property
      under ibm,dynamic-reconfiguration-memory DT node. This ensures that
      the associativity index property is correctly updated in 
ibm,dynamic-memory
      for the LMB that is hotplugged.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 19a35c9e1b964f420ee07141f049e6c96c63b740
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:39 2015 +0530

      spapr: Provide better error message when slots exceed max allowed

      Currently when user specifies more slots than allowed max of
      SPAPR_MAX_RAM_SLOTS (32), we error out like this:

      qemu-system-ppc64: unsupported amount of memory slots: 64

      Let the user know about the max allowed slots like this:

      qemu-system-ppc64: Specified number of memory slots 64 exceeds max 
supported 32

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit b556854bd8524c26b8be98ab1bfdf0826831e793
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 14:14:32 2015 +0530

      spapr: Don't allow memory hotplug to memory less nodes

      Currently PowerPC kernel doesn't allow hot-adding memory to memory-less
      node, but instead will silently add the memory to the first node that has
      some memory. This causes two unexpected behaviours for the user.

      - Memory gets hotplugged to a different node than what the user specified.
      - Since pc-dimm subsystem in QEMU still thinks that memory belongs to
        memory-less node, a reboot will set things accordingly and the 
previously
        hotplugged memory now ends in the right node. This appears as if some
        memory moved from one node to another.

      So until kernel starts supporting memory hotplug to memory-less
      nodes, just prevent such attempts upfront in QEMU.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit c20d332a85c95245e3b720bfea1bd02e3a311463
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 1 11:22:35 2015 +1000

      spapr: Memory hotplug support

      Make use of pc-dimm infrastructure to support memory hotplug
      for PowerPC.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ce881f774d69d941eb999c25f0cb1f72cd228795
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 14:14:30 2015 +0530

      spapr: Make hash table size a factor of maxram_size

      The hash table size is dependent on ram_size, but since with hotplug
      the memory can grow till maxram_size. Hence make hash table size dependent
      on maxram_size.

      This allows to hotplug huge amounts of memory to the guest.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 03d196b7c57f22f796197f221f9d95336debee9e
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jul 13 10:34:00 2015 +1000

      spapr: Support ibm,dynamic-reconfiguration-memory

      Parse ibm,architecture.vec table obtained from the guest and enable
      memory node configuration via ibm,dynamic-reconfiguration-memory if guest
      supports it. This is in preparation to support memory hotplug for
      sPAPR guests.

      This changes the way memory node configuration is done. Currently all
      memory nodes are built upfront. But after this patch, only memory@0 node
      for RMA is built upfront. Guest kernel boots with just that and rest of
      the memory nodes (via memory@XXX or ibm,dynamic-reconfiguration-memory)
      are built when guest does ibm,client-architecture-support call.

      Note: This patch needs a SLOF enhancement which is already part of
      SLOF binary in QEMU.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 224245bf524189789d231f38434c9f8fd57a249c
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 12 13:16:48 2015 +1000

      spapr: Add LMB DR connectors

      Enable memory hotplug for pseries 2.4 and add LMB DR connectors.
      With memory hotplug, enforce RAM size, NUMA node memory size and maxmem
      to be a multiple of SPAPR_MEMORY_BLOCK_SIZE (256M) since that's the
      granularity in which LMBs are represented and hot-added.

      LMB DR connectors will be used by the memory hotplug code.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
                     [spapr_drc_reset implementation]
      [since this missed the 2.4 cutoff, changing to only enable for 2.5]
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 38b02bd846672f33bc2eabcb9847c4b78069e097
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu Aug 6 13:37:24 2015 +1000

      spapr: Use QEMU limit for maximum CPUs number

      sPAPR uses hard coded limit of maximum 255 supported CPUs which is
      exactly the same as QEMU-wide limit which is MAX_CPUMASK_BITS and also
      defined as 255.

      This makes use of a global CPU number limit for the "pseries" machine.

      In order to anticipate future increase of the MAX_CPUMASK_BITS
      (or to help debugging large systems), this also bumps the FDT_MAX_SIZE
      limit from 256K to 1M assuming that 1 CPU core needs roughly 512 bytes
      in the device tree so the new limit can cover up to 2048 CPU cores.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 94649d423e4647fca3bc3e8b2b363d6d2adee9ce
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 16 16:57:51 2015 +1000

      spapr: Don't use QOM [*] syntax for DR connectors.

      The dynamic reconfiguration (hotplug) code for the pseries machine type
      uses a "DR connector" QOM object for each resource it will be possible
      to hotplug.  Each of these is added to its owner using
          object_property_add_child(owner, "dr-connector[*], ...);

      That works ok, mostly, but it means that the property indices are
      arbitrary, depending on the order in which the connectors are constructed.
      That might line up to something useful, but it doesn't have to.

      It will get worse once we add hotplug RAM support.  That will add a DR
      connector object for every 256MB of potential memory.  So if maxmem=2T,
      for example, there are 8192 objects under the same parent.

      The QOM interfaces aren't really designed for this.  In particular
      object_property_add() with [*] has O(n^2) time complexity (in the number 
of
      existing children): first it has a linear search through array indices to
      find a free slot, each of which is attempted to a recursive call to
      object_property_add() with a specific [N].  Those calls are O(n) because
      there's a linear search through all properties to check for duplicates.

      By using a meaningful index value, which we already know is unique we can
      avoid the [*] special behaviour.  That lets us reduce the total time for
      creating the DR objects from O(n^3) to O(n^2).

      O(n^2) is still kind of crappy, but it's enough to reduce the startup time
      of qemu (with in-progress memory hotplug support) with maxmem=2T from ~20
      minutes to ~4 seconds.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Tested-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Alexey Kardashevskiy <aik@xxxxxxxxx>

  commit 0cb688d22b3941af02fee78ba21dc3a39c367e0b
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 10 16:11:02 2015 -0500

      spapr_drc: use RTAS return codes for methods called by RTAS

      Certain methods in sPAPRDRConnector objects are only ever called by
      RTAS and in many cases are responsible for the logic that determines
      the RTAS return codes.

      Rather than having a level of indirection requiring RTAS code to
      re-interpret return values from such methods to determine the
      appropriate return code, just pass them through directly.

      This requires changing method return types to uint32_t to match the
      type of values currently passed to RTAS helpers.

      In the case of read accesses like drc->entity_sense() where we weren't
      previously reporting any errors, just the read value, we modify the
      function to return RTAS return code, and pass the read value back via
      reference.

      Suggested-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Suggested-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 4a1c9cf0073e733b421e7b82ad673e7cf6ed8454
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 14:14:27 2015 +0530

      spapr: Initialize hotplug memory address space

      Initialize a hotplug memory region under which all the hotplugged
      memory is accommodated. Also enable memory hotplug by setting
      CONFIG_MEM_HOTPLUG.

      Modelled on i386 memory hotplug.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 9d1852ce11c888e3ad5096be505d14045d8b49ae
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 10 16:11:03 2015 -0500

      spapr_drc: don't allow 'empty' DRCs to be unisolated or allocated

      Logical resources start with allocation-state:UNUSABLE /
      isolation-state:ISOLATED. During hotplug, guests will transition
      them to allocation-state:USABLE, and then to
      isolation-state:UNISOLATED.

      For cases where we cannot transition to allocation-state:USABLE,
      in this case due to no device/resource being association with
      the logical DRC, we should return an error -3.

      For physical DRCs, we default to allocation-state:USABLE and stay
      there, so in this case we should report an error -3 when the guest
      attempts to make the isolation-state:ISOLATED transition for a DRC
      with no device associated.

      These are as documented in PAPR 2.7, 13.5.3.4.

      We also ensure allocation-state:USABLE when the guest attempts
      transition to isolation-state:UNISOLATED to deal with misbehaving
      guests attempting to bring online an unallocated logical resource.

      This is as documented in PAPR 2.7, 13.7.

      Currently we implement no such error logic. Fix this by handling
      these error cases as PAPR defines.

      Cc: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a8ad731a001d41582c9cec4015f73ab3bc11a28d
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 15 16:34:59 2015 -0500

      spapr_pci: fix device tree props for MSI/MSI-X

      PAPR requires ibm,req#msi and ibm,req#msi-x to be present in the
      device node to define the number of msi/msi-x interrupts the device
      supports, respectively.

      Currently we have ibm,req#msi-x hardcoded to a non-sensical constant
      that happens to be 2, and are missing ibm,req#msi entirely. The result
      of that is that msi-x capable devices get limited to 2 msi-x
      interrupts (which can impact performance), and msi-only devices likely
      wouldn't work at all. Additionally, if devices expect a minimum that
      exceeds 2, the guest driver may fail to load entirely.

      SLOF still owns the generation of these properties at boot-time
      (although other device properties have since been offloaded to QEMU),
      but for hotplugged devices we rely on the values generated by QEMU
      and thus hit the limitations above.

      Fix this by generating these properties in QEMU as expected by guests.

      In the future it may make sense to modify SLOF to pass through these
      values directly as we do with other props since we're duplicating SLOF
      code.

      Cc: qemu-ppc@xxxxxxxxxx
      Cc: qemu-stable@xxxxxxxxxx
      Cc: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ef9971dd69bdd84b0987b0e1e4f421223b080afd
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Tue Sep 8 11:25:13 2015 +1000

      spapr: Enable in-kernel H_SET_MODE handling

      For setting debug watchpoints, sPAPR guests use H_SET_MODE hypercall.
      The existing QEMU H_SET_MODE handler does not support this but
      the KVM handler in HV KVM does. However it is not enabled.

      This enables the in-kernel H_SET_MODE handler which handles:
      - Completed Instruction Address Breakpoint Register
      - Watch point 0 registers.

      The rest is still handled in QEMU.

      Reported-by: Anton Blanchard <anton@xxxxxxxxx>
      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 22419c2a90b859dcab49f9472259ad8a3ce091d6
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 11:21:31 2015 +1000

      pseries: Fix incorrect calculation of threads per socket for chip-id

      The device tree presented to pseries machine type guests includes an
      ibm,chip-id property which gives essentially the socket number of each
      vcpu core (individual vcpu threads don't get a node in the device
      tree).

      To calculate this, it uses a vcpus_per_socket variable computed as
      (smp_cpus / #sockets).  This is correct for the usual case where
      smp_cpus == smp_threads * smp_cores * #sockets.

      However, you can start QEMU with the number of cores and threads
      mismatching the total number of vcpus (whether that _should_ be
      permitted is a topic for another day).  It's a bit hard to say what
      the "real" number of vcpus per socket here is, but for most purposes
      (smp_threads * smp_cores) will more meaningfully match how QEMU
      behaves with respect to socket boundaries.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Alexey Kardashevskiy <aik@xxxxxxxxx>

  commit 92d7a30cb3656f577f87b19042d9b66ff3b20e3b
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu Aug 13 19:24:16 2015 +1000

      pseries: Update SLOF firmware image to qemu-slof-20150813

      The changes are:
      1. GPT support;
      2. Much faster VGA support.

      The full changelog is:
        > Add missing half word access case to _FASTRMOVE and _FASTMOVE
        > Remove unused RMOVE64 stub
        > fbuffer: Implement RFILL as an accelerated primitive
        > fbuffer: Implement MRMOVE as an accelerated primitive
        > fbuffer: Precalculate line length in bytes
        > terminal: Disable the terminal-write trace by default
        > boot: remove trailing ":" in the bootpath
        > ci: implement boot client interface
        > boot: bootpath should be complete device path
        > fbuffer: Use a smaller cursor
        > fbuffer: Improve invert-region helper
        > usb-hid: Caps is not always shift
        > cas: Increase FDT buffer size to accomodate larger ibm, cas node 
properties
        > README: Update with patch submittion note
        > disk-label: add support for booting from GPT FAT partition
        > disk-label: introduce helper to check fat filesystem
        > introduce 8-byte LE helpers
        > disk-label: simplify gpt-prep-partition? routine
        > fbuffer: introduce the invert-region-x helper
        > fbuffer: introduce the invert-region helper
        > fbuffer: simplify address computations in fb8-toggle-cursor

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 785652dc4db2023aeda4e381eb08e0beae67b870
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Thu Aug 13 14:53:02 2015 +0200

      pseries: define coldplugged devices as "configured"

      When a device is hotplugged, attach() sets "configured" to
      false, waiting an action from the OS to configure it and then
      to call ibm,configure-connector. On ibm,configure-connector,
      the hypervisor sets "configured" to true.

      In case of coldplugged device, attach() sets "configured" to
      false, but firmware and OS never call the ibm,configure-connector
      in this case, so it remains set to false.

      It could be harmless, but when we unplug a device, hypervisor
      waits the device becomes configured because for it, a not configured
      device is a device being configured, so it waits the end of configuration
      to unplug it... and it never happens, so it is never unplugged.

      This patch set by default coldplugged device to "configured=true",
      hotplugged device to "configured=false".

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a14aa92b20c5482b9b694901304b8100b3c4b5a1
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 1 11:05:12 2015 +1000

      sPAPR: Introduce rtas_ldq()

      This introduces rtas_ldq() to load 64-bits parameter from continuous
      two 4-bytes memory chunk of RTAS parameter buffer, to simplify the
      code.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit e6fc9568c865f2f81499475a4e322cd563fdfd90
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 1 09:53:52 2015 +1000

      spapr_rtas: Prevent QEMU crash during hotplug without a prior device_add

      If drmgr is used in the guest to hotplug a device before a device_add
      has been issued via the QEMU monitor, QEMU segfaults in 
configure_connector
      call. This occurs due to accessing of NULL FDT which otherwise would have
      been created and associated with the DRC during device_add command.

      Check for NULL FDT and return failure from configure_connector call.
      As per PAPR+, an error value of -9003 seems appropriate for this failure.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Cc: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit aaf87c6616370685a7cff6a21616fc5db7495014
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Sep 1 11:29:02 2015 +1000

      ppc/spapr: Use qemu_log_mask() for hcall_dprintf()

      To see the output of the hcall_dprintf statements, you currently have
      to enable the DEBUG_SPAPR_HCALLS macro in include/hw/ppc/spapr.h.
      This is ugly because a) not every user who wants to debug guest
      problems can or wants to recompile QEMU to be able to see such issues,
      and b) since this macro is disabled by default, the code in the
      hcall_dprintf() brackets tends to bitrot until somebody temporarily
      enables that macro again.
      Since the hcall_dprintf statements except one indicate guest
      problems, let's always use qemu_log_mask(LOG_GUEST_ERROR, ...) for
      this macro instead. One spot indicated an unimplemented host feature,
      so this is changed into qemu_log_mask(LOG_UNIMP, ...) instead. Now
      it's possible to see all those messages by simply adding the CLI
      parameter "-d guest_errors,unimp", without the need to re-compile
      the binary.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 627c2ef7898794a28d706ecdf094491bebbb083a
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 3 10:08:23 2015 +1000

      spapr_drc: Fix potential undefined behaviour

      The DRC_INDEX_ID_MASK macro does a left shift on ~0, which is a signed
      quantity, and therefore undefined behaviour according to the C spec.  In
      particular this causes warnings from the clang sanitizer.

      This fixes it by calculating the same mask without using ~0 (I think the
      new method is a more common idiom for generating masks anyway).  For good
      measure I also use 1ULL to force the expression's type to unsigned long
      long, which should be good for assigning to anything we're going to want
      to.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Alexey Kardashevskiy <aik@xxxxxxxxx>

  commit ad440b4ae0727dbef5cace419d94d774de96886c
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Tue Sep 1 11:25:35 2015 +1000

      spapr: add dumpdtb support

      dumpdtb (-machine dumpdtb=<file>) allows one to inspect the generated
      device tree of machine types that generate device trees. This is
      useful for a) seeing what's there b) debugging/testing device tree
      generator patches. It can be used as follows

      $QEMU_CMDLINE -machine dumpdtb=dtb
      dtc -I dtb -O dts dtb

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit e39432282e2d2db42645c2ce183dfcaa1488752b
  Author: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
  Date:   Tue Sep 1 11:24:37 2015 +1000

      spapr: SPLPAR Characteristics

      Improve the SPLPAR Characteristics information:

          Add MaxPlatProcs: set to max_cpus, the maximum CPUs that could be
          addded to the system.
          Add DesMem: set to the initial memory of the system.
          Add DesProcs: set to smp_cpus, the inital number of CPUs in the
          system.

      These tokens and values are specified by PAPR.

      Signed-off-by: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit b359bd6a424b8de7db994d7120e87a7465b69337
  Author: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
  Date:   Tue Sep 1 11:23:47 2015 +1000

      spapr: Make ibm, change-msi respect 3 return values

      Currently, rtas_ibm_change_msi() always returns four values even if
      less are specified.

      Correct this by only returning the fourth parameter if it was
      requested.

      This is specified by PAPR.

      Signed-off-by: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a95f99224c08efcf91b4259c34754f69d962bf23
  Author: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
  Date:   Tue Sep 1 11:23:34 2015 +1000

      spapr: Add /rtas/ibm,change-msix-capable

      QEMU is MSI-X capable and makes it available via ibm,change-msi, so
      we should indicate this by adding /rtas/ibm,change-msix-capable to the
      device tree.

      This is specificed by PAPR.

      Signed-off-by: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 2c1aaa819a0d68a51086f5d7e8f9a0114ae0305c
  Author: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
  Date:   Tue Sep 1 11:23:19 2015 +1000

      spapr: Add /ibm,partition-name

      QEMU has a notion of the guest name, so if it's present we might as
      well put that into the device tree as /ibm,partition-name.

      This is specificed by PAPR.

      Signed-off-by: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit fb0fc8f62c16b5b0910545f56c64aaafc91533ce
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 12 13:15:56 2015 +1000

      spapr: Create pseries-2.5 machine

      Add pseries-2.5 machine version.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      [Altered to merge before memory hotplug -- dwg]
      [Altered to work with b9f072d01 -- dwg]
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 613e7a764501a236cdfce39561f9bcf60c78cf49
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 30 20:25:15 2015 +0530

      spapr: Provide an error message when migration fails due to htab_shift 
mismatch

      Include an error message when migration fails due to mismatch in
      htab_shift values at source and target. This should provide a bit more
      verbose message in addition to the current migration failure message
      that reads like:

      qemu-system-ppc64: error while loading state for instance 0x0 of device 
'spapr/htab'

      After this patch, the failure message will look like this:

      qemu-system-ppc64: htab_shift mismatch: source 29 target 24
      qemu-system-ppc64: error while loading state for instance 0x0 of device 
'spapr/htab'

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 27c7275a56948f48f536e2d1599b22355f5714ac
  Merge: 482d7c0 f479832
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 22 19:22:23 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-ipxe-20150903-1' 
into staging

      ipxe: update to 35c53797 to 4e03af8, build tweaks.

      # gpg: Signature made Thu 03 Sep 2015 13:52:01 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-ipxe-20150903-1:
        ipxe: update binaries
        ipxe: use upstream configuration
        ipxe: don't override GITVERSION
        ipxe: update from 35c53797 to 4e03af8

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 482d7c0854423608e20e56b5824b7340bd3af7df
  Merge: 6138fbd abadcbc
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 22 16:51:36 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-09-22' into staging

      Monitor patches

      # gpg: Signature made Tue 22 Sep 2015 10:33:34 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-09-22:
        hmp: Restore "info pci"
        monitor: allow device_del to accept QOM paths

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit abadcbc838a3b256819fd8932c34a4af41ec187f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Sep 18 17:18:29 2015 +0200

      hmp: Restore "info pci"

      Dropped by commit da76ee76f78b9705e2a91e3c964aef28fecededb's
      transition to hmp-commands-info.hx.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1442589509-10806-1-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6287d827d494b5850049584c3f7fb1a589dbb1de
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Sep 11 13:33:56 2015 +0100

      monitor: allow device_del to accept QOM paths

      Currently device_del requires that the client provide the
      device short ID. device_add allows devices to be created
      without giving an ID, at which point there is no way to
      delete them with device_del. The QOM object path, however,
      provides an alternative way to identify the devices.

      Allowing device_del to accept an object path ensures all
      devices are deletable regardless of whether they have an
      ID.

       (qemu) device_add usb-mouse
       (qemu) qom-list /machine/peripheral-anon
       device[0] (child<usb-mouse>)
       type (string)
       (qemu) device_del /machine/peripheral-anon/device[0]

      Devices are required to be marked as hotpluggable
      otherwise an error is raised

       (qemu) device_del /machine/unattached/device[4]
       Device 'PIIX3' does not support hotplugging

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1441974836-17476-1-git-send-email-berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      [Commit message touched up, accidental white-space change dropped]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6138fbdebd72f6822367e88d14ddc635b5a5ddfb
  Merge: 9e72681 b2af43c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 22 00:37:05 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150921-1' 
into staging

      spice: surface switch fast path requires same format too.

      # gpg: Signature made Mon 21 Sep 2015 10:05:54 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150921-1:
        spice: surface switch fast path requires same format too.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9e72681d16792d0ffc42bab634b1753ff299bdfd
  Merge: 75ebcd7 1a9a507
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 21 22:33:51 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-09-21' 
into staging

      qapi: QMP introspection

      # gpg: Signature made Mon 21 Sep 2015 08:59:17 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-09-21: (26 commits)
        qapi-introspect: Hide type names
        qapi: New QMP command query-qmp-schema for QMP introspection
        qapi: Pseudo-type '**' is now unused, drop it
        qapi-schema: Fix up misleading specification of netdev_add
        qom: Don't use 'gen': false for qom-get, qom-set, object-add
        qapi: Introduce a first class 'any' type
        qapi: Make output visitor return qnull() instead of NULL
        qapi: Improve built-in type documentation
        qapi-commands: De-duplicate output marshaling functions
        qapi: De-duplicate parameter list generation
        qapi: Rename qmp_marshal_input_FOO() to qmp_marshal_FOO()
        qapi-commands: Rearrange code
        qapi-visit: Rearrange code a bit
        qapi: Clean up after recent conversions to QAPISchemaVisitor
        qapi: Replace dirty is_c_ptr() by method c_null()
        qapi-event: Convert to QAPISchemaVisitor, fixing data with base
        qapi-event: Eliminate global variable event_enum_value
        qapi: De-duplicate enum code generation
        qapi-commands: Convert to QAPISchemaVisitor
        qapi-visit: Convert to QAPISchemaVisitor, fixing bugs
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 75ebcd7f080fa30893272f6fe07354e4ffa11b46
  Merge: d345e0d 81dfaf1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 21 19:42:33 2015 +0100

      Merge remote-tracking branch 'remotes/aurel/tags/pull-tcg-mips-20150921' 
into staging

      TCG MIPS queue

      - Fixes for 64-bit guests
      - Small cleanups

      # gpg: Signature made Sun 20 Sep 2015 23:33:15 BST using RSA key ID 
1DDD8C9B
      # gpg: Good signature from "Aurelien Jarno <aurelien@xxxxxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurelien@xxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurel32@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 
8C9B

      * remotes/aurel/tags/pull-tcg-mips-20150921:
        tcg/mips: pass oi to tcg_out_tlb_load
        tcg/mips: move tcg_out_addsub2
        tcg/mips: Fix clobbering of qemu_ld inputs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d345e0d7b755591da379b23c628613d0a5cd2566
  Merge: 1864098 8f60f8e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 21 17:01:46 2015 +0100

      Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' 
into staging

      Patch queue for ppc - 2015-09-20

      Highlights this time around:

        - e500: Fix u-boot boot with -M virt by updating to new version
        - e500: fix ATMU reads
        - book3s: Fixes (unaligned exceptions, vector instructions)
        - yet another dbdma ide fix

      I'm out taking care of my son for the next 2 months. During that time
      please consider David Gibson the interim ppc queue maintainer. I'm sure
      Aurelien will be more than happy to help him review patches as well ;-).

      # gpg: Signature made Sun 20 Sep 2015 21:51:16 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-ppc-for-upstream:
        target-ppc: fix xscmpodp and xscmpudp decoding
        target-ppc: fix vcipher, vcipherlast, vncipherlast and vpermxor
        PPC: E500: Update u-boot to commit 79c884d7e4
        target-ppc: Fix SRR0 when taking unaligned exceptions
        PPC: e500 pci host: Fix ATMUs register reads
        mac_dbdma: always clear FLUSH bit once DBDMA channel flush is complete
        kvm_ppc: remove kvmppc_timer_hack

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1a9a507b2e3e90aa719c96b4c092e7fad7215f21
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:29 2015 +0200

      qapi-introspect: Hide type names

      To eliminate the temptation for clients to look up types by name
      (which are not ABI), replace all type names by meaningless strings.

      Reduces output of query-schema by 13 out of 85KiB.

      As a debugging aid, provide option -u to suppress the hiding.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1442401589-24189-27-git-send-email-armbru@xxxxxxxxxx>

  commit 39a181581650f4d50f4445bc6276d9716cece050
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:28 2015 +0200

      qapi: New QMP command query-qmp-schema for QMP introspection

      qapi/introspect.json defines the introspection schema.  It's designed
      for QMP introspection, but should do for similar uses, such as QGA.

      The introspection schema does not reflect all the rules and
      restrictions that apply to QAPI schemata.  A valid QAPI schema has an
      introspection value conforming to the introspection schema, but the
      converse is not true.

      Introspection lowers away a number of schema details, and makes
      implicit things explicit:

      * The built-in types are declared with their JSON type.

        All integer types are mapped to 'int', because how many bits we use
        internally is an implementation detail.  It could be pressed into
        external interface service as very approximate range information,
        but that's a bad idea.  If we need range information, we better do
        it properly.

      * Implicit type definitions are made explicit, and given
        auto-generated names:

        - Array types, named by appending "List" to the name of their
          element type, like in generated C.

        - The enumeration types implicitly defined by simple union types,
          named by appending "Kind" to the name of their simple union type,
          like in generated C.

        - Types that don't occur in generated C.  Their names start with ':'
          so they don't clash with the user's names.

      * All type references are by name.

      * The struct and union types are generalized into an object type.

      * Base types are flattened.

      * Commands take a single argument and return a single result.

        Dictionary argument or list result is an implicit type definition.

        The empty object type is used when a command takes no arguments or
        produces no results.

        The argument is always of object type, but the introspection schema
        doesn't reflect that.

        The 'gen': false directive is omitted as implementation detail.

        The 'success-response' directive is omitted as well for now, even
        though it's not an implementation detail, because it's not used by
        QMP.

      * Events carry a single data value.

        Implicit type definition and empty object type use, just like for
        commands.

        The value is of object type, but the introspection schema doesn't
        reflect that.

      * Types not used by commands or events are omitted.

        Indirect use counts as use.

      * Optional members have a default, which can only be null right now

        Instead of a mandatory "optional" flag, we have an optional default.
        No default means mandatory, default null means optional without
        default value.  Non-null is available for optional with default
        (possible future extension).

      * Clients should *not* look up types by name, because type names are
        not ABI.  Look up the command or event you're interested in, then
        follow the references.

        TODO Should we hide the type names to eliminate the temptation?

      New generator scripts/qapi-introspect.py computes an introspection
      value for its input, and generates a C variable holding it.

      It can generate awfully long lines.  Marked TODO.

      A new test-qmp-input-visitor test case feeds its result for both
      tests/qapi-schema/qapi-schema-test.json and qapi-schema.json to a
      QmpInputVisitor to verify it actually conforms to the schema.

      New QMP command query-qmp-schema takes its return value from that
      variable.  Its reply is some 85KiBytes for me right now.

      If this turns out to be too much, we have a couple of options:

      * We can use shorter names in the JSON.  Not the QMP style.

      * Optionally return the sub-schema for commands and events given as
        arguments.

        Right now qmp_query_schema() sends the string literal computed by
        qmp-introspect.py.  To compute sub-schema at run time, we'd have to
        duplicate parts of qapi-introspect.py in C.  Unattractive.

      * Let clients cache the output of query-qmp-schema.

        It changes only on QEMU upgrades, i.e. rarely.  Provide a command
        query-qmp-schema-hash.  Clients can have a cache indexed by hash,
        and re-query the schema only when they don't have it cached.  Even
        simpler: put the hash in the QMP greeting.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 2d21291ae645955fcc4652ebfec81ad338169ac6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:27 2015 +0200

      qapi: Pseudo-type '**' is now unused, drop it

      'gen': false needs to stay for now, because netdev_add is still using
      it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-25-git-send-email-armbru@xxxxxxxxxx>

  commit b8a98326d565516bfcaa6582781605d167471b48
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:26 2015 +0200

      qapi-schema: Fix up misleading specification of netdev_add

      It doesn't take a 'props' argument, let alone one in the format
      "NAME=VALUE,..."

      The bogus arguments specification doesn't matter due to 'gen': false.
      Clean it up to be incomplete rather than wrong, and document the
      incompleteness.

      While there, improve netdev_add usage example in the manual: add a
      device option to show how it's done.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-24-git-send-email-armbru@xxxxxxxxxx>

  commit 6eb3937e9b20319e1c4f4d53e906fda8f5ccda10
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:25 2015 +0200

      qom: Don't use 'gen': false for qom-get, qom-set, object-add

      With the previous commit, the generated marshalers just work, and save
      us a bit of handwritten code.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-23-git-send-email-armbru@xxxxxxxxxx>

  commit 28770e057f265a4e70bcbdfc2447cce7b5f2dc19
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:24 2015 +0200

      qapi: Introduce a first class 'any' type

      It's first class, because unlike '**', it actually works, i.e. doesn't
      require 'gen': false.

      '**' will go away next.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 6c2f9a15dfc8c18ba94defb0f819109902a817cb
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:23 2015 +0200

      qapi: Make output visitor return qnull() instead of NULL

      Before commit 1d10b44, it crashed.  Since then, it returns NULL, with
      a FIXME comment.  The FIXME is valid: code that assumes QObject *
      can't be null exists.  I'm not aware of a way to feed this problematic
      return value to code that actually chokes on null in the current code,
      but the next few commits will create one, failing "make check".

      Commit 481b002 solved a very similar problem by introducing a special
      null QObject.  Using this special null QObject is clearly the right
      way to resolve this FIXME, so do that, and update the test
      accordingly.

      However, the patch isn't quite right: it messes up the reference
      counting.  After about SIZE_MAX visits, the reference counter
      overflows, failing the assertion in qnull_destroy_obj().  Because
      that's many orders of magnitude more visits of nulls than we expect,
      we take this patch despite its flaws, to get the QMP introspection
      stuff in without further delay.  We'll want to fix it for real before
      the release.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-21-git-send-email-armbru@xxxxxxxxxx>

  commit f133f2db1eedd409d3c1b0892f65b99f83c74754
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:22 2015 +0200

      qapi: Improve built-in type documentation

      Clarify how they map to JSON.  Add how they map to C.  Fix the
      reference to StringInputVisitor.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-20-git-send-email-armbru@xxxxxxxxxx>

  commit 56d92b003a223585980df5403ee9e3a55de90adf
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:21 2015 +0200

      qapi-commands: De-duplicate output marshaling functions

      gen_marshal_output() uses its parameter name only for name of the
      generated function.  Name it after the type being marshaled instead of
      its caller, and drop duplicates.

      Saves 7 copies of qmp_marshal_output_int() in qemu-ga, and one copy of
      qmp_marshal_output_str() in qemu-system-*.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-19-git-send-email-armbru@xxxxxxxxxx>

  commit 03b4367a556179e3e59affa535493427bd009e9d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:20 2015 +0200

      qapi: De-duplicate parameter list generation

      Generated qapi-event.[ch] lose line breaks.  No change otherwise.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-18-git-send-email-armbru@xxxxxxxxxx>

  commit 7fad30f06eb6aa57aaa8f3d264288f24ae7646f0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:19 2015 +0200

      qapi: Rename qmp_marshal_input_FOO() to qmp_marshal_FOO()

      These functions marshal both input and output.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-17-git-send-email-armbru@xxxxxxxxxx>

  commit f15380190a6e635e6c579ca24d672aa4aa068632
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:18 2015 +0200

      qapi-commands: Rearrange code

      Rename gen_marshal_input() to gen_marshal(), because the generated
      function marshals both arguments and results.

      Rename gen_visitor_input_containers_decl() to gen_marshal_vars(), and
      move the other variable declarations there, too.

      Rename gen_visitor_input_block() to gen_marshal_input_visit(), and
      rearrange its code slightly.

      Rename gen_marshal_input_decl() to gen_marshal_proto(), because the
      result isn't a full declaration, unlike gen_command_decl()'s.

      New gen_marshal_decl() actually returns a full declaration.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-16-git-send-email-armbru@xxxxxxxxxx>

  commit 60f8546acd113e636bf2ba8af991ebe0f6e8ad66
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:17 2015 +0200

      qapi-visit: Rearrange code a bit

      Move gen_visit_decl() to a better place.  Inline
      generate_visit_struct_body().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-15-git-send-email-armbru@xxxxxxxxxx>

  commit e98859a9b96d71dea8f9af43325edd43c7effe66
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:16 2015 +0200

      qapi: Clean up after recent conversions to QAPISchemaVisitor

      Generate just 'FOO' instead of 'struct FOO' when possible.

      Drop helper functions that are now unused.

      Make pep8 and pylint reasonably happy.

      Rename generate_FOO() functions to gen_FOO() for consistency.

      Use more consistent and sensible variable names.

      Consistently use c_ for mapping keys when their value is a C
      identifier or type.

      Simplify gen_enum() and gen_visit_union()

      Consistently use single quotes for C text string literals.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442401589-24189-14-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 5710153e7310995b5d4127af267e36d8529b3b30
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:15 2015 +0200

      qapi: Replace dirty is_c_ptr() by method c_null()

      is_c_ptr() looks whether the end of the C text for the type looks like
      a pointer.  Works, but is fragile.

      We now have a better tool: use QAPISchemaType method c_null().  The
      initializers for non-pointers become prettier: 0, false or the
      enumeration constant with the value 0 instead of {0}.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-13-git-send-email-armbru@xxxxxxxxxx>

  commit 05f43a960877cf941635324b2d0a74c0d0f7128e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:14 2015 +0200

      qapi-event: Convert to QAPISchemaVisitor, fixing data with base

      Fixes events whose data is struct with base to include the struct's
      base members.  Test case is qapi-schema-test.json's event
      __org.qemu_x-command:

          { 'event': '__ORG.QEMU_X-EVENT', 'data': '__org.qemu_x-Struct' }

          { 'struct': '__org.qemu_x-Struct', 'base': '__org.qemu_x-Base',
            'data': { '__org.qemu_x-member2': 'str' } }

          { 'struct': '__org.qemu_x-Base',
            'data': { '__org.qemu_x-member1': '__org.qemu_x-Enum' } }

      Patch's effect on generated qapi_event_send___org_qemu_x_event():

          -void qapi_event_send___org_qemu_x_event(const char 
*__org_qemu_x_member2,
          +void qapi_event_send___org_qemu_x_event(__org_qemu_x_Enum 
__org_qemu_x_member1,
          +                                        const char 
*__org_qemu_x_member2,
                                                   Error **errp)
           {
               QDict *qmp;
          @@ -224,6 +225,10 @@ void qapi_event_send___org_qemu_x_event(
                   goto clean;
               }

          +    visit_type___org_qemu_x_Enum(v, &__org_qemu_x_member1, 
"__org.qemu_x-member1", &local_err);
          +    if (local_err) {
          +        goto clean;
          +    }
               visit_type_str(v, (char **)&__org_qemu_x_member2, 
"__org.qemu_x-member2", &local_err);
               if (local_err) {
                   goto clean;

      Code is generated in a different order now, but that doesn't matter.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 7b24626cd019ed5084c8e3370999176a1ebd44be
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:13 2015 +0200

      qapi-event: Eliminate global variable event_enum_value

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-11-git-send-email-armbru@xxxxxxxxxx>

  commit efd2eaa6c2992c214a13f102b6ddd4dca4697fb3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:12 2015 +0200

      qapi: De-duplicate enum code generation

      Duplicated in commit 21cd70d.  Yes, we can't import qapi-types, but
      that's no excuse.  Move the helpers from qapi-types.py to qapi.py, and
      replace the duplicates in qapi-event.py.

      The generated event enumeration type's lookup table becomes
      const-correct (see commit 2e4450f), and uses explicit indexes instead
      of relying on order (see commit 912ae9c).

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442401589-24189-10-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ee44602857660e79f46547de02e26d65bcaf1519
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:11 2015 +0200

      qapi-commands: Convert to QAPISchemaVisitor

      Output unchanged apart from reordering and white-space.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1442401589-24189-9-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 441cbac0c7e641780decbc674a9a68c6a5200f71
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:10 2015 +0200

      qapi-visit: Convert to QAPISchemaVisitor, fixing bugs

      Fixes flat unions to visit the base's base members (the previous
      commit merely added them to the struct).  Same test case.

      Patch's effect on visit_type_UserDefFlatUnion():

           static void visit_type_UserDefFlatUnion_fields(Visitor *m, 
UserDefFlatUnion **obj, Error **errp)
           {
               Error *err = NULL;

          +    visit_type_int(m, &(*obj)->integer, "integer", &err);
          +    if (err) {
          +        goto out;
          +    }
               visit_type_str(m, &(*obj)->string, "string", &err);
               if (err) {
                   goto out;

      Test cases updated for the bug fix.

      Fixes alternates to generate a visitor for their implicit enumeration
      type.  None of them are currently used, obviously.  Example:
      block-core.json's BlockdevRef now generates
      visit_type_BlockdevRefKind().

      Code is generated in a different order now, and therefore has got a
      few new forward declarations.  Doesn't matter.

      The guard QAPI_VISIT_BUILTIN_VISITOR_DECL is renamed to
      QAPI_VISIT_BUILTIN.

      The previous commit's two ugly special cases exist here, too.  Mark
      both TODO.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 2b162ccbe875e5323fc04c1009addbdea4d35220
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:09 2015 +0200

      qapi-types: Convert to QAPISchemaVisitor, fixing flat unions

      Fixes flat unions to get the base's base members.  Test case is from
      commit 2fc0043, in qapi-schema-test.json:

          { 'union': 'UserDefFlatUnion',
            'base': 'UserDefUnionBase',
            'discriminator': 'enum1',
            'data': { 'value1' : 'UserDefA',
                      'value2' : 'UserDefB',
                      'value3' : 'UserDefB' } }

          { 'struct': 'UserDefUnionBase',
            'base': 'UserDefZero',
            'data': { 'string': 'str', 'enum1': 'EnumOne' } }

          { 'struct': 'UserDefZero',
            'data': { 'integer': 'int' } }

      Patch's effect on UserDefFlatUnion:

           struct UserDefFlatUnion {
               /* Members inherited from UserDefUnionBase: */
          +    int64_t integer;
               char *string;
               EnumOne enum1;
               /* Own members: */
               union { /* union tag is @enum1 */
                   void *data;
                   UserDefA *value1;
                   UserDefB *value2;
                   UserDefB *value3;
               };
           };

      Flat union visitors remain broken.  They'll be fixed next.

      Code is generated in a different order now, but that doesn't matter.

      The two guards QAPI_TYPES_BUILTIN_STRUCT_DECL and
      QAPI_TYPES_BUILTIN_CLEANUP_DECL are replaced by just
      QAPI_TYPES_BUILTIN.

      Two ugly special cases for simple unions now stand out like sore
      thumbs:

      1. The type tag is named 'type' everywhere, except in generated C,
         where it's 'kind'.

      2. QAPISchema lowers simple unions to semantically equivalent flat
         unions.  However, the C generated for a simple unions differs from
         the C generated for its equivalent flat union, and we therefore
         need special code to preserve that pointless difference for now.

      Mark both TODO.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit b2af43cc379e1d4c30d92af257bedebf0e3f618a
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Sep 18 12:07:18 2015 +0200

      spice: surface switch fast path requires same format too.

      Commit "555e72f spice: rework mirror allocation, add no-resize fast path"
      adds a fast path for surface switches which does't go through the full
      primary surface destroy and re-recreation in case the new surface is
      identical to the old one (page-flip).  It checks the size only though,
      but the format must be identical too.  This patch adds the format check.

      Commit "0002a51 ui/spice: Support shared surface for most pixman
      formats" increases the chance to actually trigger this.

      https://bugzilla.redhat.com/show_bug.cgi?id=1247479

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 156402e5042193c45e70c378a93ccafd3832d8ff
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:08 2015 +0200

      tests/qapi-schema: Convert test harness to QAPISchemaVisitor

      The old code prints the result of parsing (list of expression
      dictionaries), and partial results of semantic analysis (list of enum
      dictionaries, list of struct dictionaries).

      The new code prints a trace of a schema visit, i.e. what the back-ends
      are going to use.  Built-in and array types are omitted, because
      they're boring.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 3f7dc21bee1e930d5cccf607b8f83831c3bbdb09
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:07 2015 +0200

      qapi: New QAPISchemaVisitor

      The visitor will help keeping the code generation code simple and
      reasonably separated from QAPISchema details.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442401589-24189-5-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f51d8c3db11b0f3052b3bb4b8b0c7f0bc76f7136
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:06 2015 +0200

      qapi: QAPISchema code generation helper methods

      New methods c_name(), c_type(), c_null(), json_type(),
      alternate_qtype().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442401589-24189-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ac88219a6c78302c693fb60fe6cf04358540fbce
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:05 2015 +0200

      qapi: New QAPISchema intermediate reperesentation

      The QAPI code generators work with a syntax tree (nested dictionaries)
      plus a few symbol tables (also dictionaries) on the side.

      They have clearly outgrown these simple data structures.  There's lots
      of rummaging around in dictionaries, and information is recomputed on
      the fly.  For the work I'm going to do, I want more clearly defined
      and more convenient interfaces.

      Going forward, I also want less coupling between the back-ends and the
      syntax tree, to make messing with the syntax easier.

      Create a bunch of classes to represent QAPI schemata.

      Have the QAPISchema initializer call the parser, then walk the syntax
      tree to create the new internal representation, and finally perform
      semantic analysis.

      Shortcut: the semantic analysis still relies on existing check_exprs()
      to do the actual semantic checking.  All this code needs to move into
      the classes.  Mark as TODO.

      Simple unions are lowered to flat unions.  Flat unions and structs are
      represented as a more general object type.

      Catching name collisions in generated code would be nice.  Mark as
      TODO.

      We generate array types eagerly, even though most of them aren't used.
      Mark as TODO.

      Nothing uses the new intermediate representation just yet, thus no
      change to generated files.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a4bcb2080d5c1d08bab512d76fb260296e2cae74
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:04 2015 +0200

      qapi: Rename class QAPISchema to QAPISchemaParser

      I want to name a new class QAPISchema.

      While there, make it a new-style class.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-2-git-send-email-armbru@xxxxxxxxxx>

  commit 8f60f8e2e574f341709128ff7637e685fd640254
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Sep 13 23:03:45 2015 +0200

      target-ppc: fix xscmpodp and xscmpudp decoding

      The xscmpodp and xscmpudp instructions only have the AX, BX bits in
      there encoding, the lowest bit (usually TX) is marked as an invalid
      bit. We therefore can't decode them with GEN_XX2FORM, which decodes
      the two lowest bit.

      Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
      the lowest bit as invalid.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 65cf1f65be0fc4883edbd66feeab3ddaceb11c00
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Sep 13 23:03:44 2015 +0200

      target-ppc: fix vcipher, vcipherlast, vncipherlast and vpermxor

      For vector instructions, the helpers get pointers to the vector register
      in arguments. Some operands might point to the same register, including
      the operand holding the result.

      When emulating instructions which access the vector elements in a
      non-linear way, we need to store the result in an temporary variable.

      This fixes openssl when emulating a POWER8 CPU.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d4574435a6530bbd96ae130eddfe5b676f91367a
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Fri Aug 28 13:10:17 2015 +0200

      PPC: E500: Update u-boot to commit 79c884d7e4

      The current U-Boot binary in QEMU has a bug where it fails to support
      dynamic CCSR addressing. Without this support, u-boot can not boot the
      ppce500 machine anymore. This has been fixed upstream in u-boot commit
      e834975b.

      Update the u-boot blob we carry in QEMU to the latest u-boot upstream,
      so that we can successfully run u-boot with the ppce500 machine again.

      CC: qemu-stable@xxxxxxxxxx
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Tested-by: Thomas Huth <thuth@xxxxxxxxxx>

  commit 6bb9a0a9ef9b9b1c2434a52d1c1d066ce179adf8
  Author: Anton Blanchard <anton@xxxxxxxxx>
  Date:   Thu Jul 2 14:44:06 2015 +1000

      target-ppc: Fix SRR0 when taking unaligned exceptions

      We are setting SRR0 to the instruction before the one causing the
      unaligned exception. A quick testcase:

      . = 0x100
      .globl _start
      _start:
        /* Cause a 0x600 */
        li      3,0x1
        stwcx.  3,0,3
      1:        b       1b

      . = 0x600
      1:        b       1b

      Built into something we can load as a BIOS image:

      gcc -mbig -c test.S
      ld -EB -Ttext 0x0 -o test test.o
      objcopy -O binary test test.bin

      Run with:

      qemu-system-ppc64 -nographic -bios test.bin

      Shows an incorrect SRR0 (points at the li):

      SRR0 0000000000000100

      With the patch we get the correct SRR0:

      SRR0 0000000000000104

      Signed-off-by: Anton Blanchard <anton@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit e7f08320f055e1093007b3f1d55b145d5f4daaa1
  Author: Rudolf Marek <mar@xxxxxxxxx>
  Date:   Fri Aug 14 13:38:55 2015 +0200

      PPC: e500 pci host: Fix ATMUs register reads

      There is a bug in the register mask when reading
      the ATMUs registers. As the result some registers
      cannot be read, and read is aliased to the other
      registers. Fix it.

      Signed-off-by: Rudolf Marek <rudolf.marek@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1cde732d88af34849343dc1f0e68072eab0841b9
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Sun Aug 23 11:50:55 2015 +0100

      mac_dbdma: always clear FLUSH bit once DBDMA channel flush is complete

      The code to flush the DBDMA channel was effectively duplicated in
      dbdma_control_write(), except for the fact that the copy executed outside 
of a
      RUN bit transition was broken by not clearing the FLUSH bit once the 
flush was
      complete.

      Newer PPC Linux kernels would timeout waiting for the FLUSH bit to clear 
again
      after submitting a FLUSH command. Fix this by always clearing the FLUSH 
bit
      once the channel flush is complete and removing the repeated code.

      Reported-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 116dc18db6854cc38c6abff799019b7237365a36
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 27 14:46:02 2015 +0200

      kvm_ppc: remove kvmppc_timer_hack

      QEMU does have an I/O thread now, that can be interrupted at any time
      because the VCPU thread runs outside the iothread mutex.

      Therefore, the kvmppc_timer_hack is obsolete.  Remove it.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 18640989a9f5e4d2e84b566c52ff1fccfa0dbf4a
  Merge: b12a84c 3b53e45
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Sep 19 15:59:52 2015 +0100

      Merge remote-tracking branch 
'remotes/afaerber/tags/qom-devices-for-peter' into staging

      QOM infrastructure fixes and device conversions

      * QOM API error handling fixes
      * Performance improvements for device GPIO property creation
      * Remaining conversion of QEMUMachine to QOM

      # gpg: Signature made Sat 19 Sep 2015 15:40:44 BST using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-devices-for-peter: (21 commits)
        machine: Eliminate QEMUMachine and qemu_register_machine()
        Revert use of DEFINE_MACHINE() for registrations of multiple machines
        Use DEFINE_MACHINE() to register all machines
        mac_world: Break long line
        machine: DEFINE_MACHINE() macro
        exynos4: Declare each QEMUMachine as a separate variable
        exynos4: Use MachineClass instead of exynos4_machines array
        exynos4: Use EXYNOS4210_NCPUS instead of max_cpus on error message
        machine: Set MachineClass::name automatically
        machine: Ensure all TYPE_MACHINE subclasses have the right suffix
        mac99: Use MACHINE_TYPE_NAME to encode class name
        s390: Rename s390-ccw-virtio-2.4 class name to use MACHINE_TYPE_NAME
        s390-virtio: Rename machine class name to use MACHINE_TYPE_NAME
        pseries: Rename machine class names to use MACHINE_TYPE_NAME
        arm: Rename virt machine class to use MACHINE_TYPE_NAME
        vexpress: Rename machine classes to use MACHINE_TYPE_NAME
        vexpress: Don't set name on abstract class
        machine: MACHINE_TYPE_NAME macro
        qdev: Do not use slow [*] expansion for GPIO creation
        qom: Fix invalid error check in property_get_str()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3b53e45f43825caaaf4fad6a5b85ce6a9949ff02
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:09 2015 -0300

      machine: Eliminate QEMUMachine and qemu_register_machine()

      The struct is not used anymore and can be eliminated.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 8a661aea0e7f6e776c6ebc9abe339a85b34fea1d
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Sat Sep 19 10:49:44 2015 +0200

      Revert use of DEFINE_MACHINE() for registrations of multiple machines

      The script used for converting from QEMUMachine had used one
      DEFINE_MACHINE() per machine registered. In cases where multiple
      machines are registered from one source file, avoid the excessive
      generation of module init functions by reverting this unrolling.

      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit e264d29de28c5b0be3d063307ce9fb613b427cc3
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:08 2015 -0300

      Use DEFINE_MACHINE() to register all machines

      Convert all machines to use DEFINE_MACHINE() instead of QEMUMachine
      automatically using a script.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      [AF: Style cleanups, convert imx25_pdk machine]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit f309ae852c67833c3cac11747474fbb013529382
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:07 2015 -0300

      mac_world: Break long line

      Coding style change only.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit ed0b6de343448d1014b53bcf541041373322fa1c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:06 2015 -0300

      machine: DEFINE_MACHINE() macro

      The macro will allow easy registration of a TYPE_MACHINE subclass, using
      only the machine name and a MachineClass initialization function as
      parameter.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 97c6671cf16640f997fc8c54ef456bbad125b635
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:05 2015 -0300

      exynos4: Declare each QEMUMachine as a separate variable

      This will make the code follow the same pattern used for other machines,
      and will make it easier to automatically convert the code to be
      QOM-based.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit ca17776088e41dabdc3bb07334dbc73d631e30e3
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:04 2015 -0300

      exynos4: Use MachineClass instead of exynos4_machines array

      We don't need a QEMUMachine array to query max_cpus, if we can get the
      corresponding MachineClass.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 6aadcc71354bc683fdedd8a3d369095d23095e1c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:03 2015 -0300

      exynos4: Use EXYNOS4210_NCPUS instead of max_cpus on error message

      The code is checking smp_cpus against EXYNOS4210_NCPUS, not against
      max_cpus, so use EXYNOS4210_NCPUS in the error message for consistency.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 98cec76a7076c4a38e16f1a9de170a7942b3be54
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:36 2015 -0700

      machine: Set MachineClass::name automatically

      Now all TYPE_MACHINE subclasses use MACHINE_TYPE_NAME to generate the
      class name. So instead of requiring each subclass to set
      MachineClass::name manually, we can now set it automatically at the
      TYPE_MACHINE class_base_init() function.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      [AF/ehabkost: Updated for s390-ccw machines]
      [AF: Cleanup of intermediate virt and vexpress name handling]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit dcb3d601115eed77aef543fe3a920adc17544e06
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:35 2015 -0700

      machine: Ensure all TYPE_MACHINE subclasses have the right suffix

      Now that all non-abstract TYPE_MACHINE subclasses have the -machine
      suffix, add an assert to ensure this will be always true.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit c0f365186b30f97ef221489834e7ae146fc22db8
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:34 2015 -0700

      mac99: Use MACHINE_TYPE_NAME to encode class name

      It will result in exactly the same class name, but it will make the code
      consistent with the other classes.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit af62e639fcc190f09c51e8b73dc6492b30ae2111
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:33 2015 -0700

      s390: Rename s390-ccw-virtio-2.4 class name to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the
      s390-ccw-virtio-2.4 machine class using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      [AF/ehabkost: Updated for 2.5 machine]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4c264d4b3d352d55663bd81667b5d177af1e871e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:32 2015 -0700

      s390-virtio: Rename machine class name to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the s390-virtio
      machine class using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b9f072d01f81786f577c24d4f45050e63872cb13
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:31 2015 -0700

      pseries: Rename machine class names to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the the pseries
      machine classes using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 64d3459c8586c8821970cbc99450340278507cfe
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:30 2015 -0700

      arm: Rename virt machine class to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the arm virt
      machine class using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit fc603d29e96a2982f1b02123f83176f00a660b40
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:29 2015 -0700

      vexpress: Rename machine classes to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the vexpress
      machine classes using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      [AF: Introduce VEXPRESS_*_MACHINE_NAME]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 54477b07fb81ab4a55c263f3449bc07469db30fb
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:28 2015 -0700

      vexpress: Don't set name on abstract class

      The MachineClass::name field won't be ever be used on TYPE_VEXPRESS, as
      it is an abstract class and the machine class lookup code explicitly
      skips abstract classes. We can remove it to make the code simpler.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit c84a8f01b2a5d8bf98c447796d4a747333a5b1fd
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:27 2015 -0700

      machine: MACHINE_TYPE_NAME macro

      The macro will be useful to ensure the machine class names follow the
      right format to make machine class lookup by class name work correctly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 81dfaf1a8f7f95259801da9732472f879023ef77
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 10 22:10:02 2015 +0200

      tcg/mips: pass oi to tcg_out_tlb_load

      Instead of computing mem_index and s_bits in both tcg_out_qemu_ld and
      tcg_out_qemu_st function and passing them to tcg_out_tlb_load, directly
      pass oi to the tcg_out_tlb_load function and compute mem_index and
      s_bits there.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit d9f26847f1429bdb8ccaa4e7bd5f8b57a9da0e8d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 10 22:04:48 2015 +0200

      tcg/mips: move tcg_out_addsub2

      Somehow the tcg_out_addsub2 function ended-up in the middle of the
      qemu_ld/st related functions. Move it with other arithmetics related
      functions.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 5eb4f645eba8a79ea643b228c74a79183d436c97
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Mon Sep 14 11:34:54 2015 +0100

      tcg/mips: Fix clobbering of qemu_ld inputs

      The MIPS TCG backend implements qemu_ld with 64-bit targets using the v0
      register (base) as a temporary to load the upper half of the QEMU TLB
      comparator (see line 5 below), however this happens before the input
      address is used (line 8 to mask off the low bits for the TLB
      comparison, and line 12 to add the host-guest offset). If the input
      address (addrl) also happens to have been placed in v0 (as in the second
      column below), it gets clobbered before it is used.

           addrl in t2              addrl in v0

       1 srl     a0,t2,0x7        srl     a0,v0,0x7
       2 andi    a0,a0,0x1fe0     andi    a0,a0,0x1fe0
       3 addu    a0,a0,s0         addu    a0,a0,s0
       4 lw      at,9136(a0)      lw      at,9136(a0)      set TCG_TMP0 (at)
       5 lw      v0,9140(a0)      lw      v0,9140(a0)      set base (v0)
       6 li      t9,-4093         li      t9,-4093
       7 lw      a0,9160(a0)      lw      a0,9160(a0)      set addend (a0)
       8 and     t9,t9,t2         and     t9,t9,v0         use addrl
       9 bne     at,t9,0x836d8c8  bne     at,t9,0x836d838  use TCG_TMP0
      10  nop                      nop
      11 bne     v0,t8,0x836d8c8  bne     v0,a1,0x836d838  use base
      12  addu   v0,a0,t2          addu   v0,a0,v0         use addrl, addend
      13 lw      t0,0(v0)         lw      t0,0(v0)

      Fix by using TCG_TMP0 (at) as the temporary instead of v0 (base),
      pushing the load on line 5 forward into the delay slot of the low
      comparison (line 10). The early load of the addend on line 7 also needs
      pushing even further for 64-bit targets, or it will clobber a0 before
      we're done with it. The output for 32-bit targets is unaffected.

       srl     a0,v0,0x7
       andi    a0,a0,0x1fe0
       addu    a0,a0,s0
       lw      at,9136(a0)
      -lw      v0,9140(a0)      load high comparator
       li      t9,-4093
      -lw      a0,9160(a0)      load addend
       and     t9,t9,v0
       bne     at,t9,0x836d838
      - nop
      + lw     at,9140(a0)      load high comparator
      +lw      a0,9160(a0)      load addend
      -bne     v0,a1,0x836d838
      +bne     at,a1,0x836d838
        addu   v0,a0,v0
       lw      t0,0(v0)

      Cc: qemu-stable@xxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 6c76b37742d4db8176af37b667b5420727e79e2c
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Fri Jul 31 15:23:22 2015 +0300

      qdev: Do not use slow [*] expansion for GPIO creation

      Expansion of [*] suffix is very slow because index expansion is done using
      trial and error strategy, starting every time from zero and retrying with
      the next index until insertion succeeds. With large number of already 
added
      properties this process takes huge amount of time (O(n^2) complexity).

      Some architectures (like ARM) use very large amount of IRQ pins in 
interrupt
      controller models. This flaw makes machine startup extremely slow
      (~20 seconds for ARM64 with 32 CPUs). This patch decreases this time down 
to
      ~10 seconds.

      Also in qdev_init_gpio_out_named() memset() is now called only once for 
the
      whole array instead of per-cell cleaning

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit e1c8237df5395f6a453f18109bd9dd33fb2a397c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Aug 25 20:00:46 2015 +0200

      qom: Fix invalid error check in property_get_str()

      When a function returns a null pointer on error and only on error, you
      can do

          if (!foo(foos, errp)) {
              ... handle error ...
          }

      instead of the more cumbersome

          Error *err = NULL;

          if (!foo(foos, &err)) {
              error_propagate(errp, err);
              ... handle error ...
          }

      A StringProperty's getter, however, may return null on success!  We
      then fail to call visit_type_str().

      Screwed up in 6a146eb, v1.1.

      Fails tests/qom-test in my current, heavily hacked QAPI branch.  No
      reproducer for master known (but I didn't look hard).

      Cc: Anthony Liguori <anthony@xxxxxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4715d42efe8632b0f9d2594a80e917de45e4ef88
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Aug 25 20:00:45 2015 +0200

      qom: Do not reuse errp after a possible error

      The argument for an Error **errp parameter must point to a null
      pointer.  If it doesn't, and an error happens, error_set() fails its
      assertion.

      Instead of

          foo(foos, errp);
          bar(bars, errp);

      you need to do something like

          Error *err = NULL;

          foo(foos, &err);
          if (err) {
              error_propagate(errp, err);
              goto out;
          }

          bar(bars, errp);
      out:

      Screwed up in commit 0e55884 (v1.3.0): property_get_bool().

      Screwed up in commit 1f21772 (v2.1.0): object_property_get_enum() and
      object_property_get_uint16List().

      Screwed up in commit a8e3fbe (v2.4.0): property_get_enum(),
      property_set_enum().

      Found by inspection, no actual crashes observed.

      Fix them up.

      Cc: Anthony Liguori <anthony@xxxxxxxxxxxxx>
      Cc: Hu Tao <hutao@xxxxxxxxxxxxxx>
      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b12a84ce3c27e42c8f51c436aa196938d5cc2c71
  Author: Rainer Müller <raimue@xxxxxxxxxxxxx>
  Date:   Wed Sep 9 16:08:30 2015 +0200

      cocoa: Suppress Cocoa window with -display

      Do not open a Cocoa window when another display is selected that will be
      initialized later. The Cocoa display cannot be selected with -display,
      so there is no need to check its argument.

      Signed-off-by: Rainer Müller <raimue@xxxxxxxxxxxxx>
      Reviewed-by: Andreas Färber <andreas.faerber@xxxxxx>
      Message-id: 1441807710-25431-1-git-send-email-raimue@xxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a53efe9c47c9a441b307c5cec64d08d9647ab6a4
  Merge: ffa4822 e47f9eb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 18 16:57:59 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri 18 Sep 2015 15:59:02 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        ahci: clean up initial d2h semantics
        ahci: remove cmd_fis argument from write_fis_d2h
        ahci: fix signature generation
        ahci: remove dead reset code
        atapi: abort transfers with 0 byte limits
        ide: fix ATAPI command permissions
        ide-test: add cdrom dma test
        ide-test: add cdrom pio test
        qtest/ahci: export generate_pattern
        qtest/ahci: use generate_pattern everywhere
        ide: unify io_buffer_offset increments

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e47f9eb148fc3b9a67d318951ebceb834205f94c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Sep 1 16:50:41 2015 -0400

      ahci: clean up initial d2h semantics

      with write_fis_d2h and signature generation tidied up,
      let's adjust the initial d2h semantics to make more sense.

      The initial d2h is considered delivered if there is guest
      memory to save it to.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1441140641-17631-5-git-send-email-jsnow@xxxxxxxxxx

  commit 28ee82557cdbf3d9023b58f7229b0d0fd1a3d776
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Sep 1 16:50:40 2015 -0400

      ahci: remove cmd_fis argument from write_fis_d2h

      It's no longer used. We used to generate a D2H FIS based
      upon the command FIS that prompted the update, but in reality,
      the D2H FIS is generated purely from register state.

      cmd_fis is vestigial, so get rid of it.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1441140641-17631-4-git-send-email-jsnow@xxxxxxxxxx

  commit 33a983cb2821600f4ed5720919434256e8371ec2
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Sep 1 16:50:39 2015 -0400

      ahci: fix signature generation

      The initial register device-to-host FIS no longer needs to specially
      set certain fields, as these can be handled generically by setting those
      fields explicitly with the signatures we want at port reset time.

      (1) Signatures are decomposed into their four component registers and
          set upon (AHCI) port reset.
      (2) the signature cache register is no longer set manually per-each
          device type, but instead just once during ahci_init_d2h.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1441140641-17631-3-git-send-email-jsnow@xxxxxxxxxx

  commit f91a0aa3743c8bdf0dc0f646606a3dc8bb2c7df8
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Sep 1 16:50:38 2015 -0400

      ahci: remove dead reset code

      This check is dead due to an earlier conditional.
      AHCI does not currently support hotplugging, so
      checks to see if devices are present or not are useless.

      Remove it.

      Reported-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1441140641-17631-2-git-send-email-jsnow@xxxxxxxxxx

  commit 9ef2e93f9b1888c7d0deb4a105149138e6ad2e98
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:05 2015 -0400

      atapi: abort transfers with 0 byte limits

      We're supposed to abort on transfers like this, unless we fill
      Word 125 of our IDENTIFY data with a default transfer size, which
      we don't currently do.

      This is an ATA error, not a SCSI/ATAPI one.
      See ATA8-ACS3 sections 7.17.6.49 or 7.21.5.

      If we don't do this, QEMU will loop forever trying to transfer
      zero bytes, which isn't particularly useful.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1442253685-23349-2-git-send-email-jsnow@xxxxxxxxxx

  commit d9033e1d3aa666c5071580617a57bd853c5d794a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:05 2015 -0400

      ide: fix ATAPI command permissions

      We're a little too lenient with what we'll let an ATAPI drive handle.
      Clamp down on the IDE command execution table to remove CD_OK permissions
      from commands that are not and have never been ATAPI commands.

      For ATAPI command validity, please see:
      - ATA4 Section 6.5 ("PACKET Command feature set")
      - ATA8/ACS Section 4.3 ("The PACKET feature set")
      - ACS3 Section 4.3 ("The PACKET feature set")

      ACS3 has a historical command validity table in Table B.4
      ("Historical Command Assignments") that can be referenced to find when
      a command was introduced, deprecated, obsoleted, etc.

      The only reference for ATAPI command validity is by checking that
      version's PACKET feature set section.

      ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
      therefore are assumed to have never been ATAPI commands.

      Mandatory commands, as listed in ATA8-ACS3, are:

      - DEVICE RESET
      - EXECUTE DEVICE DIAGNOSTIC
      - IDENTIFY DEVICE
      - IDENTIFY PACKET DEVICE
      - NOP
      - PACKET
      - READ SECTOR(S)
      - SET FEATURES

      Optional commands as listed in ATA8-ACS3, are:

      - FLUSH CACHE
      - READ LOG DMA EXT
      - READ LOG EXT
      - WRITE LOG DMA EXT
      - WRITE LOG EXT

      All other commands are illegal to send to an ATAPI device and should
      be rejected by the device.

      CD_OK removal justifications:

      0x06 WIN_DSM              Defined in ACS2. Not valid for ATAPI.
      0x21 WIN_READ_ONCE        Retired in ATA5. Not ATAPI in ATA4.
      0x94 WIN_STANDBYNOW2      Retired in ATA4. Did not coexist with ATAPI.
      0x95 WIN_IDLEIMMEDIATE2   Retired in ATA4. Did not coexist with ATAPI.
      0x96 WIN_STANDBY2         Retired in ATA4. Did not coexist with ATAPI.
      0x97 WIN_SETIDLE2         Retired in ATA4. Did not coexist with ATAPI.
      0x98 WIN_CHECKPOWERMODE2  Retired in ATA4. Did not coexist with ATAPI.
      0x99 WIN_SLEEPNOW2        Retired in ATA4. Did not coexist with ATAPI.
      0xE0 WIN_STANDBYNOW1      Not part of ATAPI in ATA4, ACS or ACS3.
      0xE1 WIN_IDLEIMMDIATE     Not part of ATAPI in ATA4, ACS or ACS3.
      0xE2 WIN_STANDBY          Not part of ATAPI in ATA4, ACS or ACS3.
      0xE3 WIN_SETIDLE1         Not part of ATAPI in ATA4, ACS or ACS3.
      0xE4 WIN_CHECKPOWERMODE1  Not part of ATAPI in ATA4, ACS or ACS3.
      0xE5 WIN_SLEEPNOW1        Not part of ATAPI in ATA4, ACS or ACS3.
      0xF8 WIN_READ_NATIVE_MAX  Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.

      This patch fixes a divide by zero fault that can be caused by sending
      the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
      attempt to use zeroed CHS values to perform sector arithmetic.

      Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1441816082-21031-1-git-send-email-jsnow@xxxxxxxxxx
      CC: qemu-stable@xxxxxxxxxx

  commit 00ea63fd18d0b7e0248e476c5150a04a06e79a3b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:05 2015 -0400

      ide-test: add cdrom dma test

      Now, test the DMA functionality of the ATAPI drive.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1441926555-19471-5-git-send-email-jsnow@xxxxxxxxxx

  commit f7ba8d7fb6a7f22f8ecf99f61a35079accaba5c4
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:04 2015 -0400

      ide-test: add cdrom pio test

      Add a simple read test for ATAPI devices,
      using the PIO mechanism.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1441926555-19471-4-git-send-email-jsnow@xxxxxxxxxx

  commit ab4f705751c39d59e5039a145cf4703320e4207e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:04 2015 -0400

      qtest/ahci: export generate_pattern

      Share the pattern function for ide and ahci test.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1441926555-19471-3-git-send-email-jsnow@xxxxxxxxxx

  commit d7531638db73396c9e89ade086bbeab6023656f9
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:04 2015 -0400

      qtest/ahci: use generate_pattern everywhere

      Fix the pattern generation to actually be interesting,
      and make sure all buffers in the ahci-test actually use it.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1441926555-19471-2-git-send-email-jsnow@xxxxxxxxxx

  commit ffa4822c015d5670ef6a2239f3cbd2ff2cec57de
  Merge: 3bf1f5e 0bdaa3a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 18 14:41:53 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-09-18' 
into staging

      Error reporting patches

      # gpg: Signature made Fri 18 Sep 2015 13:42:49 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-09-18:
        memory: Fix bad error handling in memory_region_init_ram_ptr()
        loader: Fix memory_region_init_resizeable_ram() error handling
        Fix bad error handling after memory_region_init_ram()
        error: New error_fatal
        MAINTAINERS: Add "Error reporting" entry
        error: Copy location information in error_copy()
        hmp: Allow for error message hints on HMP
        error: only prepend timestamp on stderr

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0bdaa3a429c6d07cd437b442a1f15f70be1addaa
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 11 16:51:45 2015 +0200

      memory: Fix bad error handling in memory_region_init_ram_ptr()

      Commit ef701d7 screwed up handling of out-of-memory conditions.
      Before the commit, we report the error and exit(1), in one place.  The
      commit lifts the error handling up the call chain some, to three
      places.  Fine.  Except it uses &error_abort in these places, changing
      the behavior from exit(1) to abort(), and thus undoing the work of
      commit 3922825 "exec: Don't abort when we can't allocate guest
      memory".

      The previous two commits fixed one of the three places, another one
      was fixed in commit 33e0eb5.  This commit fixes the third one.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441983105-26376-5-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit df8abec8cb48f6c439516fd78b3ab6535e6fd493
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 11 16:51:44 2015 +0200

      loader: Fix memory_region_init_resizeable_ram() error handling

      Commit ef701d7 screwed up handling of out-of-memory conditions.
      Before the commit, we report the error and exit(1), in one place.  The
      commit lifts the error handling up the call chain some, to three
      places.  Fine.  Except it uses &error_abort in these places, changing
      the behavior from exit(1) to abort(), and thus undoing the work of
      commit 3922825 "exec: Don't abort when we can't allocate guest
      memory".

      The previous commit fixed up uses of memory_region_init_ram().  One of
      them was replaced by memory_region_init_resizeable_ram() [sic!] in
      commit a166614, so Coccinelle missed it.  Fix it up.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441983105-26376-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit f8ed85ac992c48814d916d5df4d44f9a971c5de4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 11 16:51:43 2015 +0200

      Fix bad error handling after memory_region_init_ram()

      Symptom:

          $ qemu-system-x86_64 -m 10000000
          Unexpected error in ram_block_add() at /work/armbru/qemu/exec.c:1456:
          upstream-qemu: cannot set up guest memory 'pc.ram': Cannot allocate 
memory
          Aborted (core dumped)

      Root cause: commit ef701d7 screwed up handling of out-of-memory
      conditions.  Before the commit, we report the error and exit(1), in
      one place, ram_block_add().  The commit lifts the error handling up
      the call chain some, to three places.  Fine.  Except it uses
      &error_abort in these places, changing the behavior from exit(1) to
      abort(), and thus undoing the work of commit 3922825 "exec: Don't
      abort when we can't allocate guest memory".

      The three places are:

      * memory_region_init_ram()

        Commit 4994653 (right after commit ef701d7) lifted the error
        handling further, through memory_region_init_ram(), multiplying the
        incorrect use of &error_abort.  Later on, imitation of existing
        (bad) code may have created more.

      * memory_region_init_ram_ptr()

        The &error_abort is still there.

      * memory_region_init_rom_device()

        Doesn't need fixing, because commit 33e0eb5 (soon after commit
        ef701d7) lifted the error handling further, and in the process
        changed it from &error_abort to passing it up the call chain.
        Correct, because the callers are realize() methods.

      Fix the error handling after memory_region_init_ram() with a
      Coccinelle semantic patch:

          @r@
          expression mr, owner, name, size, err;
          position p;
          @@
                  memory_region_init_ram(mr, owner, name, size,
          (
          -                              &error_abort
          +                              &error_fatal
          |
                                         err@p
          )
                                        );
          @script:python@
              p << r.p;
          @@
          print "%s:%s:%s" % (p[0].file, p[0].line, p[0].column)

      When the last argument is &error_abort, it gets replaced by
      &error_fatal.  This is the fix.

      If the last argument is anything else, its position is reported.  This
      lets us check the fix is complete.  Four positions get reported:

      * ram_backend_memory_alloc()

        Error is passed up the call chain, ultimately through
        user_creatable_complete().  As far as I can tell, it's callers all
        handle the error sanely.

      * fsl_imx25_realize(), fsl_imx31_realize(), dp8393x_realize()

        DeviceClass.realize() methods, errors handled sanely further up the
        call chain.

      We're good.  Test case again behaves:

          $ qemu-system-x86_64 -m 10000000
          qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot 
allocate memory
          [Exit 1 ]

      The next commits will repair the rest of commit ef701d7's damage.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441983105-26376-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit a29a37b994ca3c5a1d39fa0e8934f7e0f2cf57ef
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 11 16:51:42 2015 +0200

      error: New error_fatal

      Similar to error_abort, but doesn't report where the error was
      created, and terminates the process with exit(1) rather than abort().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441983105-26376-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit 4f966768acd1d677d24d60a01c160c18a09cce80
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Sep 12 13:29:56 2015 +0200

      MAINTAINERS: Add "Error reporting" entry

      Error reporting work has been flowing through my tree for a while.
      Time for MAINTAINERS to catch up.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442057396-21989-1-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit 88e2ce291595ed8f12636b40523fdb215a9d3374
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Sep 10 10:34:50 2015 -0600

      error: Copy location information in error_copy()

      Commit 1e9b65bb forgot to propagate source information to copied
      errors.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1441902890-23064-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 50b7b000c9171c1253c1c875f46f654c3c0e1fc8
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Sep 10 10:19:16 2015 -0600

      hmp: Allow for error message hints on HMP

      Commits 7216ae3d and d2828429 disabled some error message hints,
      all because a change to use modern error reporting meant that the
      hint would be output prior to the actual error.  Fix this by making
      hints a first-class member of Error.

      For example, we are now back to the pleasant:

       $ qemu-system-x86_64 --nodefaults -S --vnc :0 --chardev null,id=,
       qemu-system-x86_64: --chardev null,id=,: Parameter 'id' expects an 
identifier
       Identifiers consist of letters, digits, '-', '.', '_', starting with a 
letter.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1441901956-21991-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 615cf669b55a689f9e535ecf87075e50004b6e0a
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Aug 10 14:15:41 2015 +0100

      error: only prepend timestamp on stderr

      The -msg timestamp=on option prepends a timestamp to error messages.
      This is useful on stderr where it allows users to identify when an error
      was raised.

      Timestamps do not make sense on the monitor since error_report() is
      called in response to a synchronous monitor command and the user already
      knows "when" the command was issued.  Additionally, the rest of the
      monitor conversation lacks timestamps so the error timestamp cannot be
      correlated with other activity.

      Only prepend timestamps on stderr.  This fixes libvirt's 'drive_del'
      processing, which did not expect a timestamp.  Other QEMU monitor
      clients are probably equally confused by timestamps on monitor error
      messages.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Seiji Aguchi <seiji.aguchi@xxxxxxx>
      Cc: Frank Schreuder <fschreuder@xxxxxxxxxx>
      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1439212541-16997-1-git-send-email-stefanha@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Frank Schreuder <fschreuder@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3bf1f5ec6a7ec8ee06c95bf308d213ebaa129ee0
  Merge: 16a1b6e 9c708c7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 18 12:55:27 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150918' into 
staging

      MIPS patches 2015-09-18

      Changes:
      * fixes for rdhwr, tlbwr, mtc0, recip.fmt, rsqrt.fmt and daui instructions
      * removal of MIPS_DEBUG code
      * use tcg_gen_extrh_i64_i32()
      * improve random tlb index generation in cpu_mips_get_random()
      * exception handling improvements to correctly restore icount

      # gpg: Signature made Fri 18 Sep 2015 12:15:28 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"

      * remotes/lalrae/tags/mips-20150918:
        target-mips: improve exception handling
        target-mips: correct MTC0 instruction on MIPS64
        target-mips: add missing restriction in DAUI instruction
        target-mips: fix corner case in TLBWR causing QEMU to hang
        pic32: use LCG algorithm for generated random index of TLBWR instruction
        target-mips: get rid of MIPS_DEBUG_SIGN_EXTENSIONS
        target-mips: get rid of MIPS_DEBUG
        target-mips: Fix RDHWR on CP0.Count
        target-mips: remove wrong checks for recip.fmt and rsqrt.fmt
        target-mips: Use tcg_gen_extrh_i64_i32

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9c708c7f9fbb813a3fac02f2728e51e62f2f5ffc
  Author: Pavel Dovgaluk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:08 2015 +0300

      target-mips: improve exception handling

      This patch improves exception handling in MIPS.
      Instructions generate several types of exceptions.
      When exception is generated, it breaks the execution of the current
      translation block. Implementation of the exceptions handling does not
      correctly restore icount for the instruction which caused the exception.
      In most cases icount will be decreased by the value equal to the size of
      TB. This patch passes pointer to the translation block internals to the
      exception handler. It allows correct restoring of the icount value.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: avoid retranslation in linux-user SC, break lines
       which are over 80 chars, remove v3 changelog from the commit message]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit d54a299b83a07642c85a22bfe19b69ca4def9ec4
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Wed Sep 9 12:44:25 2015 +0100

      target-mips: correct MTC0 instruction on MIPS64

      MTC0 on a 64-bit processor should move entire 64-bit GPR content to CP0
      register.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit db77d8523909b32d798cd2c80de422b68f9e5c42
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Wed Sep 9 14:45:36 2015 +0100

      target-mips: add missing restriction in DAUI instruction

      rs cannot be the zero register, Reserved Instruction exception must be
      signalled for this case.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 3adafef2f35d9061b56a09071b2589b9e0b36f76
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Sep 10 10:15:28 2015 +0100

      target-mips: fix corner case in TLBWR causing QEMU to hang

      cpu_mips_get_random() function is used to generate a random index from
      CP0.Wired to TLBSize-1 range. Current implementation avoids generating
      the same as before value, hence the while loop. If the guest sets
      CP0.Wired to TLBSize-1 (which actually does not sound to be very
      practical) QEMU will get stuck in the loop infinitely as we always
      generate the same index.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit ceb0ee147df35adc7b705da1c84a4624c9cabb21
  Author: Serge Vakulenko <serge.vakulenko@xxxxxxxxx>
  Date:   Sun Jul 5 23:14:50 2015 -0700

      pic32: use LCG algorithm for generated random index of TLBWR instruction

      The LFSR algorithm, used for generating random TLB indexes for TLBWR
      instruction, was inclined to produce a degenerate sequence in some cases.
      For example, for 16-entry TLB size and Wired=1, it gives: 15, 6, 7, 2,
      7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2...
      When replaced with LCG algorithm from ISO/IEC 9899 standard, the sequence
      looks much better, with about the same computational effort needed.

      Signed-off-by: Serge Vakulenko <serge.vakulenko@xxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit b307446e04232b3a87e9da04886895a8e5a4a407
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Sep 13 23:07:59 2015 +0200

      target-mips: get rid of MIPS_DEBUG_SIGN_EXTENSIONS

      MIPS_DEBUG_SIGN_EXTENSIONS was used sometimes ago to verify that 32-bit
      instructions correctly sign extend their results. It's now not need
      anymore, remove it.

      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 9d68ac14dab3f5af33a6b23458941dc6fb261fce
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Sep 13 23:07:58 2015 +0200

      target-mips: get rid of MIPS_DEBUG

      MIPS_DEBUG is a define used to dump the instruction disassembling. It
      has to be defined at compile time. In practice I believe it's more
      efficient to just look at the instruction disassembly and op dump using
      -d in_asm,op. This patch therefore removes the corresponding code, which
      clutters translate.c.

      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit cdfcad788394ff53e317043e07b8e34f4987c659
  Author: Alex Smith <alex.smith@xxxxxxxxxx>
  Date:   Tue Sep 8 11:34:11 2015 +0100

      target-mips: Fix RDHWR on CP0.Count

      For RDHWR on the CP0.Count register, env->CP0_Count was being returned.
      This value is a delta against the QEMU_CLOCK_VIRTUAL clock, not the
      correct current value of CP0.Count. Use cpu_mips_get_count() instead.

      Signed-off-by: Alex Smith <alex.smith@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ca6c7803d2beae43299a80f4549d36579881fc0b
  Author: Petar Jovanovic <petar.jovanovic@xxxxxxxxxx>
  Date:   Wed Aug 26 14:12:20 2015 +0200

      target-mips: remove wrong checks for recip.fmt and rsqrt.fmt

      Instructions recip.{s|d} and rsqrt.{s|d} do not require 64-bit FPU neither
      they require any particular mode for its FPU. This patch removes the 
checks
      that may break a program that uses these instructions.

      Signed-off-by: Petar Jovanovic <petar.jovanovic@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 71f303cd246ae22ce6fdacb3801b5abbca25c409
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 2 15:50:14 2015 -0700

      target-mips: Use tcg_gen_extrh_i64_i32

      We can tidy gen_load_fpr32h, as well as introduce a helper
      to cleanup the MACC instructions.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit aaeda4a3c9e4d1d25c65ce8ca98e2de06daf1eec
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:04 2015 -0400

      ide: unify io_buffer_offset increments

      IDEState's io_buffer_offset was originally added to keep track of offsets
      in AHCI rather exclusively, but it was added to IDEState instead of an
      AHCI-specific structure.

      AHCI fakes all PIO transfers using DMA and a scatter-gather list. When
      the core or atapi layers invoke HBA-specific mechanisms for transfers,
      they do not always know that it is being backed by DMA or a sglist, so
      this offset is not always updated by the HBA code everywhere.

      If we modify it in dma_buf_commit, however, any HBA that needs to use
      this offset to manage operating on only part of a sglist will have
      access to it.

      This will fix ATAPI PIO transfers performed through the AHCI HBA,
      which were previously not modifying this value appropriately.

      This will fix ATAPI PIO transfers larger than one sector.

      Reported-by: Hannes Reinecke <hare@xxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Tested-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Message-id: 1440546331-29087-2-git-send-email-jsnow@xxxxxxxxxx
      CC: qemu-stable@xxxxxxxxxx

  commit 16a1b6e97c2a2919fd296db4bea2f9da2ad3cc4d
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri May 4 12:54:34 2012 +0200

      target-cris: update CPU state save/load to use VMStateDescription

      Update the CRIS CPU state save/load to use a VMStateDescription struct
      rather than cpu_save/cpu_load functions.

      Have to define TLBSet struct.
      Multidimensional arrays in C are a mess, just unroll them.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      [PMM:
       * expand commit message a little since it's no longer one patch in
         a 35-patch series
       * add header/copyright comment to machine.c; credited copyright is
         Red Hat and author is Juan, since this commit gives the file all-new
         contents; license is LGPL-2-or-later, to match other target-cris code
       * remove hardcoded tab
       * add fields for locked_irq, interrupt_vector, fault_vector, trap_vector
       * drop minimum_version_id_old fields
       * bump version_id to 2 as we are not compatible with old state format
       * remove unnecessary hw/boards.h include
       * update to register via dc->vmsd]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit cc450bfdc030d1943d99b3cb526a3e2cb4f3cd72
  Merge: 1c9f03b 271a234
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 17 13:07:50 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Thu 17 Sep 2015 12:43:56 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net: smc91c111: flush packets on RCR register changes
        net: smc91c111: gate can_receive() on rx FIFO having a slot
        net: smc91c111: guard flush_queued_packets() on can_rx()
        MAINTAINERS: Stefan will not maintain net subsystem

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 271a234a2359975101396916f37f3c7d347c61b8
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 21:24:12 2015 -0700

      net: smc91c111: flush packets on RCR register changes

      The SOFT_RST or RXEN in the control register can be used as a condition
      to unblock the net layer via can_receive(). So check for possible
      flushes on RCR changes. This will drop all pending packets on soft
      reset or disable which is the functional intent of the can_receive()
      logic.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard Purdie <richard.purdie@xxxxxxxxxxxxxxxxxxx>
      Message-id: 
b114d4c96f4afbdaa15f1361d9c07e3021755915.1441873621.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e62cb54cd5d08dc1c029f254b0d18faa138971b2
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 21:23:57 2015 -0700

      net: smc91c111: gate can_receive() on rx FIFO having a slot

      Return false from can_receive() when the FIFO doesn't have a free RX
      slot. This fixes a bug in the current code where the allocated buffer
      is freed before the fifo pop, triggering a premature flush of queued RX
      packets. It also will handle a corner case, where the guest manually
      frees the allocated buffer before popping the rx FIFO (hence it is not
      enough to just delay the flush_queued_packets()).

      Reported-by: Richard Purdie <richard.purdie@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard Purdie <richard.purdie@xxxxxxxxxxxxxxxxxxx>
      Message-id: 
97bfdfc5cbce0bd5e0cbbbff35ce7a1bf6f8603d.1441873621.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 8d06b149271cbd5b19bed5bde8da5ecef40ecbc6
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 21:23:43 2015 -0700

      net: smc91c111: guard flush_queued_packets() on can_rx()

      Check that the core can once again receive packets before asking the
      net layer to do a flush. This will make it more convenient to flush
      packets when adding new conditions to can_receive.

      Add missing if braces while moving the can_receive() core code.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard Purdie <richard.purdie@xxxxxxxxxxxxxxxxxxx>
      Message-id: 
92e15e12a6964274f4bc0eb71b61a7d94326f6c6.1441873621.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1c9f03b81ce9136cf1bd3c111582b320b507dfec
  Merge: 3c4698d d626834
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Sep 16 18:06:54 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * Linux header update and cleanup
      * Support for HyperV crash report
      * Cleanup of target-specific HMP commands
      * Multiarch batch
      * Checkpatch fix for Perl 5.22
      * NBD fix
      * Revert incorrect commit 5243722376

      # gpg: Signature made Wed 16 Sep 2015 16:39:01 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream: (24 commits)
        nbd: release exp->blk after all clients are closed
        checkpatch: Escape left braces in regex
        monitor: uninclude cpu_ldst
        include/exec: Move cputlb exec.c defs out
        cputlb: Change tlb_set_dirty() arg to cpu
        cputlb: move CPU_LOOP() for tlb_reset() to exec.c
        translate: move real_host_page setting to -common
        tcg: Move tci_tb_ptr to -common
        tcg: split tcg_op_defs to -common
        translate-all: Move tcg_handle_interrupt() to -common
        cpu-exec: Migrate some generic fns to cpu-exec-common
        qemu-char: Use g_new() & friends where that makes obvious sense
        monitor: added generation of documentation for hmp-commands-info.hx
        hmp-commands.hx: fix end of table info
        monitor: remove target-specific code from monitor.c
        hmp-commands-info: move info_cmds content out of monitor.c
        i386/kvm: Hyper-v crash msrs set/get'ers and migration
        kvm: Add kvm system event crash handler
        cpu: Add crash_occurred flag into CPUState
        target-i386: move asm-x86/hyperv.h to standard-headers
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d6268348493f32ecc096caa637620757472a1196
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 16:35:46 2015 +0800

      nbd: release exp->blk after all clients are closed

      If the socket fd is shutdown, there may be some data which is received 
before
      shutdown. We will read the data and do read/write in nbd_trip(). But the 
exp's
      blk is NULL, and it will cause qemu crashed.

      Reported-by: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-Id: <55F929E2.1020501@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 04f2562f8ec6af573508880ac607d098a5d3ad7f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Sep 11 19:07:36 2015 +0800

      checkpatch: Escape left braces in regex

      Latest perl now deprecates "{" literal in regex and print warnings like
      "unescaped left brace in regex is deprecated".  Add escape to keep it
      happy.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1441969656-2640-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e6b65fe1c234b5f63af075b9c85691ea744ead34
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:45 2015 -0700

      monitor: uninclude cpu_ldst

      This header is non-needed anymore and wont work in multi-arch where
      this service is not provided to core code.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<4e96622ab5320603829b6f94b8c4e94d573d34fc.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dfccc7602374c9fd3b083208b552d62daa244811
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:43 2015 -0700

      include/exec: Move cputlb exec.c defs out

      Move the architecture agnostic function prototypes for exec.c out of
      cputlb.h to exec-all.h. This allows hiding of the arch specific
      cputlb.h from exec.c which should be getting close to having no
      architecture specifics. Prepares support for multi-arch, which will have
      a minimal cpu.h that services exec.c but not cputlb.h.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<b4fe754c58c860315e35d44430c26b1c967ce2c9.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bcae01e468d961ad9afaf4148329147e4be209ab
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:42 2015 -0700

      cputlb: Change tlb_set_dirty() arg to cpu

      Change tlb_set_dirty() to accept a CPU instead of an env pointer. This
      allows for removal of another CPUArchState usage from prototypes that
      need to be QOMified.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<d2b1dcbe7945112989861d8ba7369449c11cc273.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9a13565d52bfd321934fb44ee004bbaf5f5913a8
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:41 2015 -0700

      cputlb: move CPU_LOOP() for tlb_reset() to exec.c

      To prepare for multi-arch, cputlb.c should only have awareness of one
      single architecture. This means it should not have access to the full
      CPU lists which may be heterogeneous. Instead, push the CPU_LOOP() up
      to the one and only caller in exec.c.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<db06dc6c49f8970caaf116d0385f00ee10a56f2f.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5f12a788c04cf36442f3be00ebf6fdc3b8c8c4ba
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:36 2015 -0700

      translate: move real_host_page setting to -common

      Move the size and mask globals for the "real" host page size to
      translate-common. This is to allow system-level code to use
      REAL_HOST_PAGE_ALIGN and friends in builds which hide translate-all
      behind arch-obj.

      Cc: dgilbert@xxxxxxxxxx
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<b437638691f044bc690a7f03b1240c8b0f34ab57.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 162e992270fd3587b21fa77fd4a8ccc879c402c9
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:35 2015 -0700

      tcg: Move tci_tb_ptr to -common

      This requires global visibility to common code. Move to tcg-common.

      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<cb0340eba225ab4945aa6cf7c9013f33aa05bcf8.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7d8f787d9d261d6880b69e35ed682241e3f9242f
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:34 2015 -0700

      tcg: split tcg_op_defs to -common

      tcg_op_defs (and the _max) are both needed by the TCI disassembler. For
      multi-arch, tcg.c will be multiple-compiled (arch-obj) with its symbols
      hidden from common code. So split the definition off to new file,
      tcg-common.c which will remain a regular obj-y for use by both the TCI
      disas as well as the multiple tcg.c's.

      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<4b607425886d85aee65878e4935dfad46b3e6085.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9b68a7754a892d8deb7696cfe609fe2ec3c6034a
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:33 2015 -0700

      translate-all: Move tcg_handle_interrupt() to -common

      Move this function to common code. It has no arch specific
      dependencies. Prepares support for multi-arch where the translate-all
      interface needs to be virtualised. One less thing to virtualise.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<44a7c73604ed2552af47ed02b047b6a772b683e0.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5abf9495ca9ff41160260ac274115825c10545cc
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:31 2015 -0700

      cpu-exec: Migrate some generic fns to cpu-exec-common

      The goal is to split the functions such that cpu-exec is CPU specific
      content, while cpus-exec-common.c is generic code only. The function
      interface to cpu-exec needs to be virtualised to prepare support for
      multi-arch and moving these definitions out saves bloating the QOM
      interface. So move these definitions out of cpu-exec to a new module,
      cpu-exec-common.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<3cefeb3fbbb33031670951a0e74de2778529da3f.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2d528d45ecf5ee3c1a566a9f3d664464925ef830
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:54:03 2015 +0200

      qemu-char: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442231643-23630-1-git-send-email-armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2cd8af2d44268ffd4d224d6c297e8c644c01fa8d
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Thu Sep 10 18:39:01 2015 +0300

      monitor: added generation of documentation for hmp-commands-info.hx

      It will be easier if you need to add info-commands to edit
      only hmp-commands-info.hx, before this had to edit monitor.c and
      hmp-commands.hx.

      From the build point of view all documentation is saved into
      qemu-monitor-info.texi which from now on is used for all user
      documentation building.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1441899541-1856-5-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 70703344de56c2119fcb7c2e01be3fa02087fb3c
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Thu Sep 10 18:39:00 2015 +0300

      hmp-commands.hx: fix end of table info

      The table info(information about the system state) closes earlier
      and some of its elements are outside(trace-events, rocker, etc). This
      can be confusing and lead to additional bugs.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1441899541-1856-4-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bf957284006b6325e6ed64fd839c237c15b42029
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Thu Sep 10 18:38:59 2015 +0300

      monitor: remove target-specific code from monitor.c

      Move target-specific code out of /monitor.c to /target-*/monitor.c,
      this will avoid code cluttering and using random ifdeffery.  The solution
      is quite simple, but solves the issue of the separation of target-specific
      code from monitor.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1441899541-1856-3-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit da76ee76f78b9705e2a91e3c964aef28fecededb
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Thu Sep 10 18:38:58 2015 +0300

      hmp-commands-info: move info_cmds content out of monitor.c

      For moving target- and device-specific code  from monitor.c,
      to beginning we move info_cmds content to hmp-commands-info.hx

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1441899541-1856-2-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f2a53c9e05a24352a0f9740db0539ce5aeed22ca
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Wed Sep 9 14:41:30 2015 +0200

      i386/kvm: Hyper-v crash msrs set/get'ers and migration

      KVM Hyper-V based guests can notify hypervisor about
      occurred guest crash by writing into Hyper-V crash MSR's.
      This patch does handling and migration of HV_X64_MSR_CRASH_P0-P4,
      HV_X64_MSR_CRASH_CTL msrs. User can enable these MSR's by
      'hv-crash' option.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1435924905-8926-13-git-send-email-den@xxxxxxxxxx>
      [Folks, stop abrviating variable names!!! Also fix compilation on
       non-Linux/x86. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7c207b90465bc16a39b9fb8d9194f161059f69bf
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:01:43 2015 +0300

      kvm: Add kvm system event crash handler

      KVM kernel can send guest crash events into userspace.
      Appropriate guest crash handler is called when kernel guest
      crash event received. Guest crash event recognized by a
      KVM_SYSTEM_EVENT_CRASH type of system event.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1435924905-8926-11-git-send-email-den@xxxxxxxxxx>
      [Rebase: add lock/unlock iothread around qemu_system_guest_panicked - 
Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bac05aa9a77af1ca7972c8dc07560f4daa7c2dfc
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:01:44 2015 +0300

      cpu: Add crash_occurred flag into CPUState

      CPUState::crash_occurred field inside CPUState marks
      that guest crash occurred. This value is added into
      cpu common migration subsection.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1435924905-8926-12-git-send-email-den@xxxxxxxxxx>
      [Document the new field. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 73aa529a48b4ed7fce21fc74e62fb24db526af5f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 9 15:25:52 2015 +0200

      target-i386: move asm-x86/hyperv.h to standard-headers

      The Hyper-V definitions are an industry standard and can be used
      from code that is not KVM-specific.

      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit eddb4de3cc1403546b29e260068c4c1397cbd62d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 9 15:25:52 2015 +0200

      update-linux-headers: copy standard-headers files one by one

      cp_virtio is called for both the asm-s390/ and linux/ directories,
      so it looks for pci_regs.h and input.h files in asm-s390/ too.  This
      makes little sense.  In the next patch we will have the opposite
      problem; we want to add asm-x86/hyperv.h, and there's also a
      linux/hyperv.h file with unwanted dependencies on additional Linux
      uapi headers.  We do not want to copy linux/hyperv.h.

      The solution is to make cp_virtio (now renamed to cp_portable) copy
      one file only, instead of using the "find" command, and call it multiple
      times.  The new function is really just a reindentation of the old one.

      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 120758fba4c52d1ccf3a8ae1fe3b7495f2b584d8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 9 14:50:17 2015 +0200

      update Linux headers to 4.3-rc1

      The update to 4.2 was reviewed by Michael S. Tsirkin and Cornelia
      Huck.  The further update to 4.3-rc1 only touches KVM files.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 84090bbce91a386ae6e5f61b26f36783196712d2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Sep 10 11:31:12 2015 +0200

      pci: remove Link Training error from AER error list

      The spec says:

          Undefined â?? The value read from this bit is
          undefined. In previous versions of this
          specification, this bit was used to indicate a Link
          Training Error. System software must ignore the
          value read from this bit. System software is
          permitted to write any value to this bit.

      Do not allow injecting it.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 05620f85e930b0ac3dc22fdf8e4c390fa11afdeb
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 16 14:26:59 2015 +0200

      Revert "rcu: init rcu_registry_lock after fork"

      This reverts commit 5243722376873a48e9852a58b91f4d4101ee66e4.
      The patch forgot about rcu_sync_lock and was committed by mistake.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3c4698d0b5cb19212868f94f0ba4743c2c86f91f
  Merge: 1a3abef 4054cde
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Sep 16 16:19:49 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-target-i386-20150915' 
into staging

      Exception handling improvments from Pavel Dovgalyuk.

      # gpg: Signature made Tue 15 Sep 2015 20:36:14 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-target-i386-20150915:
        target-i386: exception handling for other helper functions
        target-i386: exception handling for seg_helper functions
        target-i386: exception handling for memory helpers
        target-i386: exception handling for div instructions
        target-i386: exception handling for FPU instructions
        target-i386: introduce new raise_exception functions

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5fc51cc3ddcc7035313fc3e0ee6f351b5c083491
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Wed Sep 16 11:05:30 2015 +0800

      MAINTAINERS: Stefan will not maintain net subsystem

      Talked with Stefan, he will not maintain net subsystem.

      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1442372730-11360-1-git-send-email-jasowang@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4054cdec0423c7190bfc733c27c303d513d531ab
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:41 2015 +0300

      target-i386: exception handling for other helper functions

      This patch fixes exception handling for other helper functions.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 100ec0991958d0c1b61f140e64dbe92991c6dd2c
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:36 2015 +0300

      target-i386: exception handling for seg_helper functions

      This patch fixes exception handling for seg_helper functions.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2afbdf84807d673eb682cb78158e11cdacbf4673
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:30 2015 +0300

      target-i386: exception handling for memory helpers

      This patch fixes exception handling for memory helpers
      and removes obsolete PC update from translate.c.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit cc33c5d66bb315f77739f761a3f868a7d138c041
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:25 2015 +0300

      target-i386: exception handling for div instructions

      This patch fixes exception handling for div instructions
      and removes obsolete PC update from translate.c.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6cad09d2f74d7318f737acaa21b3da49a0c9e670
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:19 2015 +0300

      target-i386: exception handling for FPU instructions

      This patch fixes exception handling for FPU instructions
      and removes obsolete PC update from translate.c.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9198009529d06b6489b68a7505942cca3a50893f
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:13 2015 +0300

      target-i386: introduce new raise_exception functions

      This patch introduces new versions of raise_exception functions
      that receive TB return address as an argument.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 1a3abef74b5df6d6d3e851aaeacac8f265adcf80
  Merge: 6196224 461aa67
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 15 17:24:27 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tile-20150915' into 
staging

      TileGX basic instructions

      # gpg: Signature made Tue 15 Sep 2015 15:57:08 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tile-20150915: (35 commits)
        target-tilegx: Handle v1shl, v1shru, v1shrs
        target-tilegx: Handle v1shli, v1shrui
        target-tilegx: Handle v4int_l/h
        target-tilegx: Handle atomic instructions
        target-tilegx: Handle mtspr, mfspr
        target-tilegx: Handle v1cmpeq, v1cmpne
        target-tilegx: Handle mask instructions
        target-tilegx: Handle scalar multiply instructions
        target-tilegx: Handle conditional move instructions
        target-tilegx: Handle shift instructions
        target-tilegx: Handle bitfield instructions
        target-tilegx: Implement system and memory management instructions
        target-tilegx: Handle comparison instructions
        target-tilegx: Handle conditional branch instructions
        target-tilegx: Handle unconditional jump instructions
        target-tilegx: Handle post-increment load and store instructions
        target-tilegx: Handle basic load and store instructions
        target-tilegx: Handle most bit manipulation instructions
        target-arm: Use new revbit functions
        host-utils: Add revbit functions
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 461aa6783eec27f209b026c6647fc7a83b2997cd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 08:56:45 2015 -0700

      target-tilegx: Handle v1shl, v1shru, v1shrs

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 3be19e8c83949b62895dd27866e26a1bf806ad56
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 08:13:59 2015 -0700

      target-tilegx: Handle v1shli, v1shrui

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5151c69abcc049a587b894f0b8e19e1c6d72dc1d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 08:01:52 2015 -0700

      target-tilegx: Handle v4int_l/h

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0583b2332355dadb2d4681fe5a4eca882eb5b889
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 07:55:47 2015 -0700

      target-tilegx: Handle atomic instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 03b217b168edfb45501146e98f60a6aea6bbb943
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 14:19:45 2015 -0700

      target-tilegx: Handle mtspr, mfspr

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit e7346cf0366b2167ddd2cfe9197018bf0ebccbaf
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 12:37:59 2015 -0700

      target-tilegx: Handle v1cmpeq, v1cmpne

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 661ff7431fb33bc29c6b27e053e1e7656105a106
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 10:42:44 2015 -0700

      target-tilegx: Handle mask instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4ff49775ecc5e975ca5e4c1b6be25fb611ab38fa
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 10:37:38 2015 -0700

      target-tilegx: Handle scalar multiply instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f090f9f7ce6bc112710a693e176341b5031eafd8
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 00:15:07 2015 -0700

      target-tilegx: Handle conditional move instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2369976deb9fa03bb32be690025a6f51de4cd377
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 14:41:41 2015 -0700

      target-tilegx: Handle shift instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c06b1817297b4486c372950b4f65d34417aa01d0
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 14:06:57 2015 -0700

      target-tilegx: Handle bitfield instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit d5dbd6eb388a936bb4ea027c48f8f960ae3977c9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 13:14:25 2015 -0700

      target-tilegx: Implement system and memory management instructions

      Most of which are either nops or exceptions.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 73c543776b6983178026f744d3579ae16ae9b5b2
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 11:57:42 2015 -0700

      target-tilegx: Handle comparison instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit e04e98bf277309c3964cfd773c0d4c0428f64399
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 11:03:37 2015 -0700

      target-tilegx: Handle conditional branch instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c230a9944dc902e595852b9cd764e4b12d0dc541
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 10:23:07 2015 -0700

      target-tilegx: Handle unconditional jump instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 01cd675cfe89c62b27d3d6e28c0fae503c803bf0
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 09:49:44 2015 -0700

      target-tilegx: Handle post-increment load and store instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0426335d4fedb506197ccfd5aadbee2c9c5cd13b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 09:47:56 2015 -0700

      target-tilegx: Handle basic load and store instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7f41a8d67232bee48ede90ea43f962fdb9e98371
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 20 21:30:51 2015 -0700

      target-tilegx: Handle most bit manipulation instructions

      The crc instructions are omitted from this set.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 42fedbca8f5b54324ed89be3484d4a3dc9946387
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 13:38:53 2015 -0700

      target-arm: Use new revbit functions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 652a4b7e736f432a6809d1d2b52d169ab0b9aa3b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 13:00:34 2015 -0700

      host-utils: Add revbit functions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 89b8c7504fbc53a35c76e7738dbdf53f3c254b8f
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 20 21:11:28 2015 -0700

      target-tilegx: Handle arithmetic instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a9fdfc7e7bf122f603486f4277db91a3d0d274ab
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 08:31:10 2015 -0700

      target-tilegx: Handle simple logical operations

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 444e06b17201a16a77f070955dc2d518cbaf36aa
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:43:37 2015 +0800

      target-tilegx: Add TILE-Gx building files

      Add related configuration and make files for tilegx.
      The target can now build, though not run anything.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP1588E5A03AD5E94B07E988B9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9b9dc7aceca411f1fb69d5426e5e88dd204813ed
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 11:49:38 2015 -0700

      target-tilegx: Generate SEGV properly

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 619622424dba749feef752d76d79ef2569f7f250
  Merge: 1078f5d 3e305e4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 15 15:42:58 2015 +0100

      Merge remote-tracking branch 
'remotes/berrange/tags/vnc-crypto-v9-for-upstream' into staging

      Merge vnc-crypto-v9

      # gpg: Signature made Tue 15 Sep 2015 15:32:38 BST using RSA key ID 
15104FDF
      # gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>"
      # gpg:                 aka "Daniel P. Berrange <berrange@xxxxxxxxxx>"

      * remotes/berrange/tags/vnc-crypto-v9-for-upstream:
        ui: convert VNC server to use QCryptoTLSSession
        ui: fix return type for VNC I/O functions to be ssize_t
        crypto: introduce new module for handling TLS sessions
        crypto: add sanity checking of TLS x509 credentials
        crypto: introduce new module for TLS x509 credentials
        crypto: introduce new module for TLS anonymous credentials
        crypto: introduce new base module for TLS credentials
        qom: allow QOM to be linked into tools binaries
        crypto: move crypto objects out of libqemuutil.la
        tests: remove repetition in unit test object deps
        qapi: allow override of default enum prefix naming

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8fd29dd72b44b08af536248cbfc77f5c6bdf803d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 20 20:36:48 2015 -0700

      target-tilegx: Framework for decoding bundles

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5b212be632c8ec1e1fd851055445562ebe705352
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:41:51 2015 +0800

      target-tilegx: Add several helpers for instructions translation

      The related instructions are exception, cntlz, cnttz, shufflebytes.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <BLU436-SMTP83F96FD8422BE49AFDC9DFB9660@xxxxxxx>
      [rth: Remove incorrect implementation of add_saturate.]
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9f64170df2c767ea65adee6434968034fb2ff5aa
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:41:01 2015 +0800

      target-tilegx: Add cpu basic features for linux-user

      It implements minimized cpu features for linux-user.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP114819BB03D853801AA9C3CB9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b69773a8a70d64189c5caa8d328dc2b6bfb7007d
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:40:18 2015 +0800

      target-tilegx: Add special register information from Tilera Corporation

      The related copy is from Linux kernel "arch/tile/include/uapi/arch/
      spr_def_64.h".

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP1093D605AAE9B4837B564B8B9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4fe221820f99251eaa4307bf45145651740803e5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 09:49:30 2015 -0700

      target-tilegx: Fix LDNA_ADD_IMM8_OPCODE_X1

      An obvious typo in the mnemonic here.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c6c00e17229863dedd710e53da732190f7660aa6
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 20 20:40:14 2015 -0700

      target-tilegx: Modify _SPECIAL_ opcodes

      Both ADDX_SPECIAL_0_OPCODE_Y1 and ADD_SPECIAL_0_OPCODE_Y1
      do not appear to be "special" in any way, except that they
      don't follow the normal naming convention using _RRR_.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2c56c87fcf1355fbc9da20d06ebe7ddb320ada92
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:39:33 2015 +0800

      target-tilegx: Modify opcode_tilegx.h to fit QEMU usage

      Use 'inline' instead of '__inline', and also use 'uint64_t' instead of
      "unsigned long long"

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP1945B04384351D5EE7D9DECB9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b1406c6c5912d820b0a0b11b89623fae96fc74bc
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:38:46 2015 +0800

      target-tilegx: Add opcode basic implementation from Tilera Corporation

      It is copied from Linux kernel "arch/tile/include/uapi/arch/
      opcode_tilegx.h".

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP2087FA98B64A20B25155D9AB9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 704eff6c23fc807e0c7f729518f73fb7ad26d98c
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:37:33 2015 +0800

      linux-user: Conditionalize syscalls which are not defined in tilegx

      Some of architectures (e.g. tilegx), several syscall macros are not
      supported, so switch them.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP457D6FC9B2B9BA87AEB22CB9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b16189b22244e4cc158a3425b377b219586ec8ca
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:36:37 2015 +0800

      linux-user: Support tilegx architecture in linux-user

      Add main working flow feature, system call processing feature, and elf64
      tilegx binary loading feature, based on Linux kernel tilegx 64-bit
      implementation.

      [rth: Moved all of the implementation of atomic instructions to a later 
patch.]

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP938552D42808AA60634582B9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 3e305e4a4752f70c0b5c3cf5b43ec957881714f7
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Aug 6 14:39:32 2015 +0100

      ui: convert VNC server to use QCryptoTLSSession

      Switch VNC server over to using the QCryptoTLSSession object
      for the TLS session. This removes the direct use of gnutls
      from the VNC server code. It also removes most knowledge
      about TLS certificate handling from the VNC server code.
      This has the nice effect that all the CONFIG_VNC_TLS
      conditionals go away and the user gets an actual error
      message when requesting TLS instead of it being silently
      ignored.

      With this change, the existing configuration options for
      enabling TLS with -vnc are deprecated.

      Old syntax for anon-DH credentials:

        -vnc hostname:0,tls

      New syntax:

        -object tls-creds-anon,id=tls0,endpoint=server \
        -vnc hostname:0,tls-creds=tls0

      Old syntax for x509 credentials, no client certs:

        -vnc hostname:0,tls,x509=/path/to/certs

      New syntax:

        -object 
tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
        -vnc hostname:0,tls-creds=tls0

      Old syntax for x509 credentials, requiring client certs:

        -vnc hostname:0,tls,x509verify=/path/to/certs

      New syntax:

        -object 
tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
        -vnc hostname:0,tls-creds=tls0

      This aligns VNC with the way TLS credentials are to be
      configured in the future for chardev, nbd and migration
      backends. It also has the benefit that the same TLS
      credentials can be shared across multiple VNC server
      instances, if desired.

      If someone uses the deprecated syntax, it will internally
      result in the creation of a 'tls-creds' object with an ID
      based on the VNC server ID. This allows backwards compat
      with the CLI syntax, while still deleting all the original
      TLS code from the VNC server.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 2cb154bc19854232b5379236dd9dfc06d83ced1e
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:35:43 2015 +0800

      linux-user: tilegx: Add architecture related features

      They are based on Linux kernel tilegx architecture for 64 bit binary,
      and also based on tilegx ABI reference document, and also reference from
      other targets implementations.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP2508945F92945BB525605A3B9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fdd1ab6ad5c27a1564a1c73045908736b228458b
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Aug 6 15:35:55 2015 +0100

      ui: fix return type for VNC I/O functions to be ssize_t

      Various VNC server I/O functions return 'long' and then
      also pass this to a method accepting 'int'. All these
      should be ssize_t to match the signature of read/write
      APIs and thus avoid potential for integer truncation /
      wraparound.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d321e1e5268103af616ec4c623c6326c3f7c7bc7
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Mar 2 17:23:31 2015 +0000

      crypto: introduce new module for handling TLS sessions

      Introduce a QCryptoTLSSession object that will encapsulate
      all the code for setting up and using a client/sever TLS
      session. This isolates the code which depends on the gnutls
      library, avoiding #ifdefs in the rest of the codebase, as
      well as facilitating any possible future port to other TLS
      libraries, if desired. It makes use of the previously
      defined QCryptoTLSCreds object to access credentials to
      use with the session. It also includes further unit tests
      to validate the correctness of the TLS session handshake
      and certificate validation. This is functionally equivalent
      to the current TLS session handling code embedded in the
      VNC server, and will obsolete it.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 9a2fd4347c40321f5cbb4ab4220e759fcbf87d03
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Apr 13 14:01:39 2015 +0100

      crypto: add sanity checking of TLS x509 credentials

      If the administrator incorrectly sets up their x509 certificates,
      the errors seen at runtime during connection attempts are very
      obscure and difficult to diagnose. This has been a particular
      problem for people using openssl to generate their certificates
      instead of the gnutls certtool, because the openssl tools don't
      turn on the various x509 extensions that gnutls expects to be
      present by default.

      This change thus adds support in the TLS credentials object to
      sanity check the certificates when QEMU first loads them. This
      gives the administrator immediate feedback for the majority of
      common configuration mistakes, reducing the pain involved in
      setting up TLS. The code is derived from equivalent code that
      has been part of libvirt's TLS support and has been seen to be
      valuable in assisting admins.

      It is possible to disable the sanity checking, however, via
      the new 'sanity-check' property on the tls-creds object type,
      with a value of 'no'.

      Unit tests are included in this change to verify the correctness
      of the sanity checking code in all the key scenarios it is
      intended to cope with. As part of the test suite, the pkix_asn1_tab.c
      from gnutls is imported. This file is intentionally copied from the
      (long since obsolete) gnutls 1.6.3 source tree, since that version
      was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 85bcbc789eb65b54548a507b747ffffe6175b404
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Mar 13 17:39:26 2015 +0000

      crypto: introduce new module for TLS x509 credentials

      Introduce a QCryptoTLSCredsX509 class which is used to
      manage x509 certificate TLS credentials. This will be
      the preferred credential type offering strong security
      characteristics

      Example CLI configuration:

       $QEMU -object tls-creds-x509,id=tls0,endpoint=server,\
                     dir=/path/to/creds/dir,verify-peer=yes

      The 'id' value in the -object args will be used to associate the
      credentials with the network services. For example, when the VNC
      server is later converted it would use

       $QEMU -object tls-creds-x509,id=tls0,.... \
             -vnc 127.0.0.1:1,tls-creds=tls0

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e00adf6c3edf8dbbe7eb60c94e24fe2158e8342f
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Mar 13 17:39:26 2015 +0000

      crypto: introduce new module for TLS anonymous credentials

      Introduce a QCryptoTLSCredsAnon class which is used to
      manage anonymous TLS credentials. Use of this class is
      generally discouraged since it does not offer strong
      security, but it is required for backwards compatibility
      with the current VNC server implementation.

      Simple example CLI configuration:

       $QEMU -object tls-creds-anon,id=tls0,endpoint=server

      Example using pre-created diffie-hellman parameters

       $QEMU -object tls-creds-anon,id=tls0,endpoint=server,\
                     dir=/path/to/creds/dir

      The 'id' value in the -object args will be used to associate the
      credentials with the network services. For example, when the VNC
      server is later converted it would use

       $QEMU -object tls-creds-anon,id=tls0,.... \
             -vnc 127.0.0.1:1,tls-creds=tls0

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a090187de116a3d0b8146ca481249c8fc83ad3ee
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Mar 13 17:39:26 2015 +0000

      crypto: introduce new base module for TLS credentials

      Introduce a QCryptoTLSCreds class to act as the base class for
      storing TLS credentials. This will be later subclassed to provide
      handling of anonymous and x509 credential types. The subclasses
      will be user creatable objects, so instances can be created &
      deleted via 'object-add' and 'object-del' QMP commands respectively,
      or via the -object command line arg.

      If the credentials cannot be initialized an error will be reported
      as a QMP reply, or on stderr respectively.

      The idea is to make it possible to represent and manage TLS
      credentials independently of the network service that is using
      them. This will enable multiple services to use the same set of
      credentials and minimize code duplication. A later patch will
      convert the current VNC server TLS code over to use this object.

      The representation of credentials will be functionally equivalent
      to that currently implemented in the VNC server with one exception.
      The new code has the ability to (optionally) load a pre-generated
      set of diffie-hellman parameters, if the file dh-params.pem exists,
      whereas the current VNC server will always generate them on startup.
      This is beneficial for admins who wish to avoid the (small) time
      sink of generating DH parameters at startup and/or avoid depleting
      entropy.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 0c7012e0558e4312e575fd4c70652d8ef2265ff7
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 2 11:18:16 2015 +0100

      qom: allow QOM to be linked into tools binaries

      The qom objects are currently added to common-obj-y
      which is only linked into the system emulators. The
      later crypto patches will depend on QOM infrastructure
      and will also be used from tools binaries. Thus the QOM
      objects are moved into a new qom-obj-y variable which
      can be referenced when linking tools, system emulators
      and tests.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit fb37726db77b21f3731b90693d2c93ade1777528
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 2 10:57:27 2015 +0100

      crypto: move crypto objects out of libqemuutil.la

      Future patches will be adding more crypto related APIs which
      rely on QOM infrastructure. This creates a problem, because
      QOM relies on library constructors to register objects. When
      you have a file in a static .a library though which is only
      referenced by a constructor the linker is dumb and will drop
      that file when linking to the final executable :-( The only
      workaround for this is to link the .a library to the executable
      using the -Wl,--whole-archive flag, but this creates its own
      set of problems because QEMU is relying on lazy linking for
      libqemuutil.a. Using --whole-archive majorly increases the
      size of final executables as they now contain a bunch of
      object code they don't actually use.

      The least bad option is to thus not include the crypto objects
      in libqemuutil.la, and instead define a crypto-obj-y variable
      that is referenced directly by all the executables that need
      this code (tools + softmmu, but not qemu-ga). We avoid pulling
      entire of crypto-obj-y into the userspace emulators as that
      would force them to link to gnutls too, which is not required.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 1078f5db8ada5097600443838492ef07103790c2
  Merge: b76a0d5 2cb5d2a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 15 14:11:28 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150915-1' 
into staging

      gtk: misc grab tweaks, locale fix.

      # gpg: Signature made Tue 15 Sep 2015 11:35:36 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150915-1:
        gtk: use setlocale() for LC_MESSAGES only
        gtk: don't grab input when entering fullscreen.
        gtk: set free_scale when setting zoom_fit
        gtk: trace input grab reason
        gtk: move gd_update_caption calls to gd_{grab,ungrab}_{pointer,keyboard}
        gtk: check for existing grabs in gd_grab_{pointer,keyboard}

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b76a0d5db25ad9f81346930230092fdf1e88a5a1
  Merge: 007e620 737d2b3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 15 13:03:53 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      This net pull request contains security fixes for qemu.git/master.  The 
patches
      should also be applied to stable trees.

      The ne2000 NIC model has QEMU memory corruption issue.  Both ne2000 and 
e1000
      have an infinite loop.

      Please see the patches for CVE numbers and details on the bugs.

      # gpg: Signature made Tue 15 Sep 2015 13:02:21 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net: avoid infinite loop when receiving packets(CVE-2015-5278)
        net: add checks to validate ring buffer pointers(CVE-2015-5279)
        e1000: Avoid infinite loop in processing transmit descriptor 
(CVE-2015-6815)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 737d2b3c41d59eb8f94ab7eb419b957938f24943
  Author: P J P <pjp@xxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 15 16:46:59 2015 +0530

      net: avoid infinite loop when receiving packets(CVE-2015-5278)

      Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
      bytes to process network packets. While receiving packets
      via ne2000_receive() routine, a local 'index' variable
      could exceed the ring buffer size, leading to an infinite
      loop situation.

      Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx>
      Signed-off-by: P J P <pjp@xxxxxxxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4
  Author: P J P <pjp@xxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 15 16:40:49 2015 +0530

      net: add checks to validate ring buffer pointers(CVE-2015-5279)

      Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
      bytes to process network packets. While receiving packets
      via ne2000_receive() routine, a local 'index' variable
      could exceed the ring buffer size, which could lead to a
      memory buffer overflow. Added other checks at initialisation.

      Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx>
      Signed-off-by: P J P <pjp@xxxxxxxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b947ac2bf26479e710489739c465c8af336599e7
  Author: P J P <pjp@xxxxxxxxxxxxxxxxx>
  Date:   Fri Sep 4 17:21:06 2015 +0100

      e1000: Avoid infinite loop in processing transmit descriptor 
(CVE-2015-6815)

      While processing transmit descriptors, it could lead to an infinite
      loop if 'bytes' was to become zero; Add a check to avoid it.

      [The guest can force 'bytes' to 0 by setting the hdr_len and mss
      descriptor fields to 0.
      --Stefan]

      Signed-off-by: P J P <pjp@xxxxxxxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1441383666-6590-1-git-send-email-stefanha@xxxxxxxxxx

  commit 2cb5d2a47c655331bcf0ab16bab8fe4701182c58
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Thu Sep 10 18:19:32 2015 +0300

      gtk: use setlocale() for LC_MESSAGES only

      The QEMU code is not internationalized and assumes that it runs under
      the C locale, but if we use the GTK+ UI we'll end up importing the
      locale settings from the environment. This can break things, such as
      the JSON generator and iotest 120 in locales that use a decimal comma.

      We do however have translations for a few simple strings for the GTK+
      menu items, so in order to run QEMU using the C locale, and yet have a
      translated UI let's use setlocale() for LC_MESSAGES only.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 78aee081122837cb488b12657a00deeb676b4730
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 10:14:54 2015 +0200

      gtk: don't grab input when entering fullscreen.

      Kick off all grabbing logic from fullscreen mode.  In the current state
      it seems to create more problems than it solves.  Try running qemu/gtk
      fullscreen on one head of a multihead host for example ...

      There probably was a reason the grab-on-fullscreen logic was added in
      the first place.  So please test and report any issues so we can try to
      find a sane way to handle it.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 1d73cd782fb910811a2e6b9d9b3375c4803d731c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 10:34:41 2015 +0200

      gtk: set free_scale when setting zoom_fit

      free_scale field tracks zoom-fit menu toggle state,
      so we should keep them in sync ...

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit d531deef119666d4b3605e186a43010782efd899
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 10:12:20 2015 +0200

      gtk: trace input grab reason

      Add a reason to grab calls and trace points,
      so it is easier to debug grab related ui issues.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 695cc59d42f2e285abd5cf278bdc07360a995eaa
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 10:03:59 2015 +0200

      gtk: move gd_update_caption calls to gd_{grab,ungrab}_{pointer,keyboard}

      Then we don't have to pair the grab/ungrab calls with update_caption
      calls any more because things happen automatically ;)

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit aa4f4058ba8cde200e62ef3dafc4e1595f6033e9
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 09:57:01 2015 +0200

      gtk: check for existing grabs in gd_grab_{pointer,keyboard}

      If a grab is already active for our window, do nothing.
      If a grab is already active for another window, release it.

      Cleanup some checks and ungrab calls in the code which are
      not needed any more.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit b124533e069a6624316da2096d170b0bd9197d86
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 2 11:35:52 2015 +0100

      tests: remove repetition in unit test object deps

      Most of the unit tests have identical sets of object deps.
      For example all block unit tests need to depend on

       $(block-obj-y) libqemuutil.a libqemustub.a

      Currently each unit test repeats this list of test deps.
      This list of deps will grow as future patches add more
      modules to the build, so define some common variables
      that can be used by all unit tests to remove the
      repetition.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 351d36e454cddc67a1675740916636a7ccbf1c4b
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 14:21:20 2015 +0100

      qapi: allow override of default enum prefix naming

      The camel_to_upper() method applies some heuristics to turn
      a mixed case type name into an all-uppercase name. This is
      used for example, to generate enum constant name prefixes.

      The heuristics don't also generate a satisfactory name
      though. eg

        { 'enum': 'QCryptoTLSCredsEndpoint',
          'data': ['client', 'server']}

      Results in Q_CRYPTOTLS_CREDS_ENDPOINT_CLIENT. This has
      an undesirable _ after the initial Q and is missing an
      _ between the CRYPTO & TLS strings.

      Rather than try to add more and more heuristics to try
      to cope with this, simply allow the QAPI schema to
      specify the desired enum constant prefix explicitly.

      eg

        { 'enum': 'QCryptoTLSCredsEndpoint',
          'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
          'data': ['client', 'server']}

      Now gives the QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT name.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 007e620a7576e4ce2ea6955541e87d8ae8ed32ae
  Merge: 2752e5b 2ac0152
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 14 18:51:09 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches (v2)

      # gpg: Signature made Mon 14 Sep 2015 15:56:54 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (23 commits)
        qcow2: Make qcow2_alloc_bytes() more explicit
        vmdk: Fix next_cluster_sector for compressed write
        iotests: Add test for checking large image files
        qcow2: Make size_to_clusters() return uint64_t
        qemu-iotests: More qcow2 reopen tests
        qemu-iotests: Reopen qcow2 with lazy-refcounts change
        qcow2: Support updating driver-specific options in reopen
        qcow2: Make qcow2_update_options() suitable for transactions
        qcow2: Fix memory leak in qcow2_update_options() error path
        qcow2: Leave s unchanged on qcow2_update_options() failure
        qcow2: Move rest of option handling to qcow2_update_options()
        qcow2: Move qcow2_update_options() call up
        qcow2: Factor out qcow2_update_options()
        qcow2: Improve error message
        qemu-io: Add command 'reopen'
        qemu-io: Remove duplicate 'open' error message
        block: Allow specifying driver-specific options to reopen
        qcow2: Rename BDRVQcowState to BDRVQcow2State
        block: Drop bdrv_find_whitelisted_format()
        block: Drop drv parameter from bdrv_fill_options()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2752e5bedb26fa0c7291f810f9f534b688b2f1d2
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 7 17:45:55 2015 +0200

      qapi: Fix cgen() for Python older than 2.7

      A feature new in Python 2.7 crept into commit 77e703b: re.subn()'s
      fifth argument.  Avoid that, use re.compile().

      Reported-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Message-id: 1441640755-23902-1-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a2aa09e18186801931763fbd40a751fa39971b18
  Merge: 7e4804d 47d4be1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 14 16:13:16 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * Support for jemalloc
      * qemu_mutex_lock_iothread "No such process" fix
      * cutils: qemu_strto* wrappers
      * iohandler.c simplification
      * Many other fixes and misc patches.

      And some MTTCG work (with Emilio's fixes squashed):
      * Signal-free TCG kick
      * Removing spinlock in favor of QemuMutex
      * User-mode emulation multi-threading fixes/docs

      # gpg: Signature made Thu 10 Sep 2015 09:03:07 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream: (44 commits)
        cutils: work around platform differences in strto{l,ul,ll,ull}
        cpu-exec: fix lock hierarchy for user-mode emulation
        exec: make mmap_lock/mmap_unlock globally available
        tcg: comment on which functions have to be called with mmap_lock held
        tcg: add memory barriers in page_find_alloc accesses
        remove unused spinlock.
        replace spinlock by QemuMutex.
        cpus: remove tcg_halt_cond and tcg_cpu_thread globals
        cpus: protect work list with work_mutex
        scripts/dump-guest-memory.py: fix after RAMBlock change
        configure: Add support for jemalloc
        add macro file for coccinelle
        configure: factor out adding disas configure
        vhost-scsi: fix wrong vhost-scsi firmware path
        checkpatch: remove tests that are not relevant outside the kernel
        checkpatch: adapt some tests to QEMU
        CODING_STYLE: update mixed declaration rules
        qmp: Add example usage of strto*l() qemu wrapper
        cutils: Add qemu_strtoull() wrapper
        cutils: Add qemu_strtoll() wrapper
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2ac01520be8717f3492b10a083c3e0e22cb52cda
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Fri Sep 11 18:47:51 2015 +0200

      qcow2: Make qcow2_alloc_bytes() more explicit

      In case of -EAGAIN returned by update_refcount(), we should discard the
      cluster offset we were trying to allocate and request a new one, because
      in theory that old offset might now be taken by a refcount block.

      In practice, this was not the case due to update_refcount() generally
      returning strictly monotonic increasing cluster offsets. However, this
      behavior is not set in stone, and it is also not obvious when looking at
      qcow2_alloc_bytes() alone, so we should not rely on it.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3efffc3292d94271a15b1606b4a56adf6c6f04ed
  Author: Radoslav Gerganov <rgerganov@xxxxxxxxxx>
  Date:   Thu Sep 10 10:53:14 2015 +0300

      vmdk: Fix next_cluster_sector for compressed write

      When the VMDK is streamOptimized (or compressed), the
      next_cluster_sector must not be incremented by a fixed number of
      sectors. Instead of this, it must be rounded up to the next consecutive
      sector. Fixing this results in much smaller compressed images.

      Signed-off-by: Radoslav Gerganov <rgerganov@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 097b500c2dff7addfcd5f4c8a111f6bfd0cb3977
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 9 18:09:47 2015 +0200

      iotests: Add test for checking large image files

      Add a test for checking a qcow2 file with a multiple of 2^32 clusters.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b6d36def6d9e9fd187327182d0abafc9b7085d8f
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Sep 14 16:39:47 2015 +0200

      qcow2: Make size_to_clusters() return uint64_t

      Sadly, some images may have more clusters than what can be represented
      using a plain int. We should be prepared for that case (in
      qcow2_check_refcounts() we actually were trying to catch that case, but
      since size_to_clusters() truncated the returned value, that check never
      did anything useful).

      Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 231f66d2a3401473778c70a75d5f670765ab6d91
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Sep 4 19:13:14 2015 +0200

      qemu-iotests: More qcow2 reopen tests

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit e615053b1bd3e108a73958a54e3d0c5b965e15d3
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Sep 4 18:26:09 2015 +0200

      qemu-iotests: Reopen qcow2 with lazy-refcounts change

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 5b0959a7d432062dcd740f8065004285b15695fa
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 13:42:27 2015 +0200

      qcow2: Support updating driver-specific options in reopen

      For updating the cache sizes, disabling lazy refcounts and updating the
      clean_cache_timer there is a bit more to do than just changing the
      variables, but otherwise we're all set for changing options during
      bdrv_reopen().

      Just implement the missing pieces and hook the functions up in
      bdrv_reopen().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit ee55b17304d998ddf9c792496110da0cca37aac5
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 16:16:02 2015 +0200

      qcow2: Make qcow2_update_options() suitable for transactions

      Before we can allow updating options at runtime with bdrv_reopen(), we
      need to split the function into prepare/commit/abort parts.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit c1344ded70cf7d471aeb6fc08134997414631811
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Apr 17 16:35:50 2015 +0200

      qcow2: Fix memory leak in qcow2_update_options() error path

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 007dbc396cfc613d72ecea7744fe7398b300aa7d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 13:11:39 2015 +0200

      qcow2: Leave s unchanged on qcow2_update_options() failure

      On return, either all new options should be applied to BDRVQcowState (on
      success), or all of the old settings should be preserved (on failure).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 94edf3fbe8277284ad7d33de632839c7b93414a9
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 11:44:26 2015 +0200

      qcow2: Move rest of option handling to qcow2_update_options()

      With this commit, the handling of driver-specific options in
      qcow2_open() is completely separated out into qcow2_update_options().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 90efa0eaef2d1bbd161db6fd7a74d8e5a00d35a8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 11:36:10 2015 +0200

      qcow2: Move qcow2_update_options() call up

      qcow2_update_options() only updates some variables in BDRVQcowState and
      doesn't really depend on other parts of it being initialised yet, so it
      can be moved so that it immediately follows the other half of option
      handling code in qcow2_open().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 4c75d1a157a6a0a6163c31f775b5e8ee5dd29f11
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 11:29:27 2015 +0200

      qcow2: Factor out qcow2_update_options()

      Eventually we want to be able to change options at runtime. As a first
      step towards that goal, separate some option handling code from the
      general initialisation code in qcow2_open().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit f113ae839ec9d6d25169bfa521a1affb999201c2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed May 13 11:07:07 2015 +0200

      qcow2: Improve error message

      Eric says that "any" sounds better than "either", and my non-native
      feeling says the same, so let's change it.

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 5bbd2e595e542ef6e5c76537e2bbad06192f72f4
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Dec 8 17:37:28 2014 +0100

      qemu-io: Add command 'reopen'

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit ff7cfd7d926eca40abeb9a1440829dc83facf54a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed May 13 10:39:13 2015 +0200

      qemu-io: Remove duplicate 'open' error message

      qemu_opts_parse_noisily() already prints an error message with the exact
      reason why the parsing failed. No need to add another less specific one.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 4d2cb0925176f3eb75ef8e5f9c02cc84d7930de2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Apr 10 17:50:50 2015 +0200

      block: Allow specifying driver-specific options to reopen

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit ff99129ab89a532f0ca0a0b89b9aa004c09d9b9d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Sep 7 17:12:56 2015 +0200

      qcow2: Rename BDRVQcowState to BDRVQcow2State

      BDRVQcowState is already used by qcow1, and gdb is always confused which
      one to use. Rename the qcow2 one so they can be distinguished.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>

  commit cf25ff850f0b5d44cb79daea88daaf24ce7e4c44
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:52 2015 +0200

      block: Drop bdrv_find_whitelisted_format()

      It is unused by now, so we can drop it.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 053e1578c9fa6a58e50e44de689f288063c77dbe
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:51 2015 +0200

      block: Drop drv parameter from bdrv_fill_options()

      Now that this parameter is effectively unused, we can drop it and change
      the function accordingly.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ce343771243a656b420c7a1b4099130f4a35bd5e
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:50 2015 +0200

      block: Drop drv parameter from bdrv_open_inherit()

      Now that this parameter is effectively unused, we can drop it and just
      pass NULL to bdrv_fill_options().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 6ebf9aa2ef7f3e094d91ea27140dc6e73774386a
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:49 2015 +0200

      block: Drop drv parameter from bdrv_open()

      Now that this parameter is effectively unused, we can drop it and just
      pass NULL on to bdrv_open_inherit().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e6641719fed794be8e0c48a69761528ae6c95ed9
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:48 2015 +0200

      block: Always pass NULL as drv for bdrv_open()

      Change all callers of bdrv_open() to pass the driver name in the options
      QDict instead of passing its BlockDriver pointer.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7e4804dafd4689312ef1172b549927a973bb5414
  Merge: 2b750d9 f0d574d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 14 14:57:50 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150914' into staging

      target-arm queue:
       * fix GIC region size in xlnx-zynqmp
       * xlnx-zynqmp: Remove unnecessary brackets
       * improve A64 generated TCG code
       * add GPIO devices to i.MX25 and i.MX31
       * more missing pieces for EL2 support

      # gpg: Signature made Mon 14 Sep 2015 14:51:12 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150914: (24 commits)
        target-arm: Add VMPIDR_EL2
        target-arm: Break out mpidr_read_val()
        target-arm: Add VPIDR_EL2
        target-arm: Suppress EPD for S2, EL2 and EL3 translations
        target-arm: Suppress TBI for S2 translations
        target-arm: Add VTTBR_EL2
        target-arm: Add VTCR_EL2
        hw/cpu/{a15mpcore, a9mpcore}: Handle missing has_el3 CPU props 
gracefully
        i.MX: Add GPIO devices to i.MX25 SOC
        i.MX: Add GPIO devices to i.MX31 SOC
        i.MX: Add GPIO device
        target-arm: Use tcg_gen_extrh_i64_i32
        target-arm: Recognize ROR
        target-arm: Eliminate unnecessary zero-extend in disas_bitfield
        target-arm: Recognize UXTB, UXTH, LSR, LSL
        target-arm: Recognize SXTB, SXTH, SXTW, ASR
        target-arm: Implement fcsel with movcond
        target-arm: Implement ccmp branchless
        target-arm: Use setcond and movcond for csel
        target-arm: Handle always condition codes within arm_test_cc
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f0d574d63f4603ec431f16ad535a555bf7548b94
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:51 2015 +0100

      target-arm: Add VMPIDR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-9-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06a7e6477c129ceaa72bd400cf281d44c456be43
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:51 2015 +0100

      target-arm: Break out mpidr_read_val()

      Break out mpidr_read_val() to allow future sharing of the
      code that conditionally sets the M and U bits of MPIDR.

      No functional changes.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-8-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 731de9e60074620aa7d565f01f989adacd493514
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Add VPIDR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-7-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0c5fbf3b4c1e5210354de71a3dc2ebc8c8a01f31
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Suppress EPD for S2, EL2 and EL3 translations

      Stage-2 translations, EL2 and EL3 regimes don't have the
      EPD control.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-6-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1edee4708a0e3163cbf20fac325be456abd960bb
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Suppress TBI for S2 translations

      Stage-2 MMU translations do not have configurable TBI as
      the top byte is always 0 (48-bit IPAs).

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-5-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b698e9cfd282b228b36d426b75facb83e07a1072
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Add VTTBR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 68e9c2fe65bca7fc1bdc2411923333c3e87544a3
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Add VTCR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: fixed typo in comment]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6533a1fcc2efa08570aa6d85851638783dddf2c6
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      hw/cpu/{a15mpcore, a9mpcore}: Handle missing has_el3 CPU props gracefully

      Handle missing CPU support for EL3 gracefully.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6abc7158cb62e559ce7b3a99e116e3ec051a0c45
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      i.MX: Add GPIO devices to i.MX25 SOC

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
2eb129ba8713aedfe877eaa3d8de80061d880fbb.1441828793.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dde0c4ca6b849eb5c376f255767c019bb45a1d57
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      i.MX: Add GPIO devices to i.MX31 SOC

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
60b67c9a8b948159f4b4163ead86fbf701c011c6.1441828793.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f4427280977902273f98280b2572d88b6ed53144
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      i.MX: Add GPIO device

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
5ea3b0021e47cf7f7d883a7edbabee44980f3df7.1441828793.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7cb36e18b2f1c1f971ebdc2121de22a8c2e94fd6
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      target-arm: Use tcg_gen_extrh_i64_i32

      Usually, eliminate an operation from the translator by combining
      a shift with an extract.

      In the case of gen_set_NZ64, we don't need a boolean value for cpu_ZF,
      merely a non-zero value.  Given that we can extract both halves of a
      64-bit input in one call, this simplifies the code.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-12-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8fb0ad8e16ab3d03433244a1a03e1df757342ad8
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      target-arm: Recognize ROR

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-11-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d3a77b42decd0cbfa62a5526e67d1d6d380c83a9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Eliminate unnecessary zero-extend in disas_bitfield

      For !SF, this initial ext32u can't be optimized away by the
      current TCG code generator.  (It would require backward bit
      liveness propagation.)

      But since the range of bits for !SF are already constrained by
      unallocated_encoding, we'll never reference the high bits anyway.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-10-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9924e85829fe21b5f38a5d267c9aea44c5d478ac
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Recognize UXTB, UXTH, LSR, LSL

      These are all special case aliases of UBFM.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-9-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ef60151bee9a95e3a5cc98b345a19ed7eb435ddb
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Recognize SXTB, SXTH, SXTW, ASR

      These are all special case aliases of SBFM.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-8-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6e061029d74455d83f6fa070ac33de7a356cf60d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Implement fcsel with movcond

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-7-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7dd03d773e0dafae9271318fc8d6b2b14de74403
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Implement ccmp branchless

      This can allow much of a ccmp to be elided when particular
      flags are subsequently dead.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-6-git-send-email-rth@xxxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 259cb68491ab36427e7e5d820fe543d53b006ec6
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      target-arm: Use setcond and movcond for csel

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-5-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9305eac09e61d857c9cc11e20db754dfc25a82db
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      target-arm: Handle always condition codes within arm_test_cc

      Handling this with TCG_COND_ALWAYS will allow these unlikely
      cases to be handled without special cases in the rest of the
      translator.  The TCG optimizer ought to be able to reduce
      these ALWAYS conditions completely.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-4-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6c2c63d3a02c79e9035ca0370cc549d0f938a4dd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      target-arm: Introduce DisasCompare

      Split arm_gen_test_cc into 3 functions, so that it can be reused
      for non-branch TCG comparisons.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-3-git-send-email-rth@xxxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 78bcaa3e37afbd0c5316634f917c13487384b6ca
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      target-arm: Share all common TCG temporaries

      This is a bug fix for aarch64.  At present, we have branches using
      the 32-bit (translate.c) versions of cpu_[NZCV]F, but we set the flags
      using the 64-bit (translate-a64.c) versions of cpu_[NZCV]F.  From
      the view of the TCG code generator, these are unrelated variables.

      The bug is hard to see because we currently only read these variables
      from branches, and upon reaching a branch TCG will first spill live
      variables and then reload the arguments of the branch.  Since the
      32-bit versions were never live until reaching the branch, we'd re-read
      the data that had just been spilled from the 64-bit versions.

      There is currently no such problem with the cpu_exclusive_* variables,
      but there's no point in tempting fate.

      Cc: qemu-stable@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-2-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 24cfc8dc583db57303137fd41f9f42806ea315a0
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      xlnx-zynqmp: Remove unnecessary brackets around error messages

      The errp and err variable have unnecessary brackets around them,
      so remove the brackets.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
9900393572b63f2ec3d68785ca98193d81e0ac71.1441758563.git.alistair.francis@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 52c16b458ab2f8766867bc5fc099b0a604a36f77
  Author: Nathan Rossi <nathan@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      arm: xlnx-zynqmp: Fix up GIC region size

      The GIC in ZynqMP cover a 64K address space, however the actual
      registers are decoded within a 4K address space and mirrored at the 4K
      boundaries. This change fixes the defined size for these regions as it
      was set to 0x4000/16K incorrectly.

      Signed-off-by: Nathan Rossi <nathan@xxxxxxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441719672-25296-1-git-send-email-nathan@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2b750d9d261bda7f75b39dfc1e1e5f22502929d5
  Merge: 8f6e82e cdd14a8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 14 10:46:38 2015 +0100

      Merge remote-tracking branch 'remotes/aurel/tags/pull-sh4-next-20150913' 
into staging

      sh4-next:

      - TCG optimizations
      - fix initramfs endianness issue

      # gpg: Signature made Sun 13 Sep 2015 22:16:12 BST using RSA key ID 
1DDD8C9B
      # gpg: Good signature from "Aurelien Jarno <aurelien@xxxxxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurelien@xxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurel32@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 
8C9B

      * remotes/aurel/tags/pull-sh4-next-20150913:
        sh4: Fix initramfs initialization for endiannes-mismatched targets
        target-sh4: improve shad instruction
        target-sh4: improve shld instruction
        target-sh4: improve cmp/str instruction
        target-sh4: use deposit in swap.b instruction
        target-sh4: add flags markups for FP helpers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cdd14a8cf25c34ff8d0777530e8d16565f6bf7a1
  Author: Guenter Roeck <linux@xxxxxxxxxxxx>
  Date:   Wed Aug 12 07:20:36 2015 -0700

      sh4: Fix initramfs initialization for endiannes-mismatched targets

      If host and target endianness does not match, loding an initramfs does 
not work.
      Fix by writing boot parameters with appropriate endianness conversion.

      Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit be654c83608eaba199ed45444debf2dd46a88fe6
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 5 22:39:03 2015 +0200

      target-sh4: improve shad instruction

      The SH4 shad instruction can shift in both direction, depending on the
      sign of the shift. This is currently implemented using branches, which
      is not really efficient and prevents the optimizer to do its job. In
      practice it is often used with a constant loaded in a register just
      before.

      Simplify the implementation by computing both the value shifted to the
      left and to the right, and then selecting the correct one with a
      movcond. As with a negative value the shift amount can go up to 32 which
      is undefined, we shift the value in two steps.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 577601616dea10db10a716de1be448f8564076f4
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 5 22:37:18 2015 +0200

      target-sh4: improve shld instruction

      The SH4 shld instruction can shift in both direction, depending on the
      sign of the shift. This is currently implemented using branches, which
      is not really efficient and prevents the optimizer to do its job. In
      practice it is often used with a constant loaded in a register just
      before.

      Simplify the implementation by computing both the value shifted to the
      left and to the right, and then selecting the correct one with a
      movcond. As with a negative value the shift amount can go up to 32 which
      is undefined, we shift the value in two steps.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit eb6ca2b4a69325e95526bc0f2897791df04e44dc
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 5 18:50:09 2015 +0200

      target-sh4: improve cmp/str instruction

      Instead of testing bytes one by one, we can use the following trick
      from https://graphics.stanford.edu/~seander/bithacks.html:

        haszero(v) = (v - 0x01010101) & ~v & 0x80808080

      The subexpression v - 0x01010101, evaluates to a high bit set in any
      byte whenever the corresponding byte in v is zero or greater than 0x80.
      The sub-expression ~v & 0x80808080 evaluates to high bits set in bytes
      where the byte of v doesn't have its high bit set (so the byte was less
      than 0x80). Finally, by ANDing these two sub-expressions the result is
      the high bits set where the bytes in v were zero, since the high bits
      set due to a value greater than 0x80 in the first sub-expression are
      masked off by the second.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 218fd7301f88df440da3e16b9cfca000cd2fe111
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 5 17:05:08 2015 +0200

      target-sh4: use deposit in swap.b instruction

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 7f6bdc431a5c567fca0130d79c8b14f531a0eb14
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 17 12:53:13 2015 +0200

      target-sh4: add flags markups for FP helpers

      Most floating point helpers can trigger an exception, but don't change
      the globals. Mark these helpers as TCG_CALL_NO_WG.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 8f6e82e4ecec9bc2726725275a138bc30f3ffc81
  Merge: 30c38c9 1c3c8af
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 11 18:01:56 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150911' into 
staging

      queued tcg related patches

      # gpg: Signature made Fri 11 Sep 2015 16:17:00 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150911:
        cpu-exec: introduce loop exit with restore function
        softmmu: remove now unused functions
        softmmu: add helper function to pass through retaddr
        tlb: Add "ifetch" argument to cpu_mmu_index()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 30c38c90bd3f1bb105ebc069ac1821067c980b7c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:46:32 2015 +0100

      scripts/qemu-gdb: Add brief comment describing usage

      Add a brief comment describing how to use the debug support
      from GDB.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1439574392-4403-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 5e3c72d41e6909450e32f0b99545748cc25e9597
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:46:31 2015 +0100

      scripts/qemu-gdb: Silently pass through SIGUSR1

      SIGUSR1 is QEMU's IPI signal, and it gets sent a lot, so is
      best silently passed through to the guest without stopping.
      Make qemu-gdb.py do this bit of configuration for the user.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1439574392-4403-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 191590f09dcbd26822a8bc67628cbd341dd5c07f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:46:30 2015 +0100

      scripts/qemu-gdb: Split CoroutineCommand into its own file

      Split the implementation of CoroutineCommand into its own file.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1439574392-4403-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 93b1b365dc06ff7c69d3131d68c083f824db5311
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:46:29 2015 +0100

      scripts/qemu-gdb: Split MtreeCommand into its own module

      As we add more commands to our Python gdb debugging support, it's
      going to get unwieldy to have everything in a single file. Split
      the implementation of the 'mtree' command from qemu-gdb.py into
      its own module.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1439574392-4403-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 1c3c8af1fb40a481c07749e0448644d9b7700415
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:02 2015 +0300

      cpu-exec: introduce loop exit with restore function

      This patch introduces loop exit function, which also
      restores guest CPU state according to the value of host
      program counter.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150710095702.13280.97477.stgit@PASHA-ISP>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b8611499b940b1b4db67aa985e3a844437bcbf00
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:56:56 2015 +0300

      softmmu: remove now unused functions

      Now that the cpu_ld/st_* function directly call helper_ret_ld/st, we can
      drop the old helper_ld/st functions.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150710095656.13280.7085.stgit@PASHA-ISP>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 282dffc8a4bfe8724548cabb8a26698bde0a6e18
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:56:50 2015 +0300

      softmmu: add helper function to pass through retaddr

      This patch introduces several helpers to pass return address
      which points to the TB. Correct return address allows correct
      restoring of the guest PC and icount. These functions should be used when
      helpers embedded into TB invoke memory operations.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150710095650.13280.32255.stgit@PASHA-ISP>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 97ed5ccdee95f0b98bedc601ff979e368583472c
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 17 17:34:10 2015 +1000

      tlb: Add "ifetch" argument to cpu_mmu_index()

      This is set to true when the index is for an instruction fetch
      translation.

      The core get_page_addr_code() sets it, as do the SOFTMMU_CODE_ACCESS
      acessors.

      All targets ignore it for now, and all other callers pass "false".

      This will allow targets who wish to split the mmu index between
      instruction and data accesses to do so. A subsequent patch will
      do just that for PowerPC.

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Message-Id: <1439796853-4410-2-git-send-email-benh@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ba9cef7b6e487a5a8969db81d09b8eec8a2b50c6
  Merge: 7b9c09f af5b83d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 11 12:07:29 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-09-11' into staging

      trivial patches for 2015-09-11

      # gpg: Signature made Fri 11 Sep 2015 12:02:43 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-09-11: (26 commits)
        virtio-vga: enable for i386
        hw/arm/spitz: Remove meaningless blank Property
        hw/gpio/zaurus: Remove meaningless blank Property
        hw/virtio/virtio-pci: Remove meaningless blank Property
        hw/s390x/s390-virtio-bus: Remove meaningless blank Property
        typofixes - v4
        qapi-schema: remove legacy<> from doc
        disas/microblaze: Remove unused code
        help: dd missing newline
        Target-ppc: Remove unnecessary variable
        baum: Fix build with debugging enabled
        linux-user: Fix warnings caused by missing 'static' attribute
        opts: produce valid command line in qemu_opts_print
        docs: fix a qga/qapi-schema.json comment
        trivial: remove trailing newline from error_report
        maint: avoid useless "if (foo) free(foo)" pattern
        maint: avoid useless "if (foo) free(foo)" pattern
        maint: remove unused include for strings.h
        maint: remove unused include for signal.h
        maint: remove unused include for dirent.h
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit af5b83d7d5297f8bdfd3353a420c120c4fd5adfd
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Jul 13 13:58:46 2015 +0200

      virtio-vga: enable for i386

      This one just syncs x86_64 and i386.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: qemu-trivial@xxxxxxxxxx
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a3c088a72c70401fd4d1342173dd971c2fce5e4d
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 12 10:25:20 2015 +0800

      hw/arm/spitz: Remove meaningless blank Property

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c11b05836ead1e6354aa31857d31c0d908e7e08c
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 12 10:25:19 2015 +0800

      hw/gpio/zaurus: Remove meaningless blank Property

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6328d69de09243929d90665eb6a6e0c96c4d06fc
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 12 10:25:18 2015 +0800

      hw/virtio/virtio-pci: Remove meaningless blank Property

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 01630e24b0993adb4874b5416e897646c964bb8f
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 12 10:25:16 2015 +0800

      hw/s390x/s390-virtio-bus: Remove meaningless blank Property

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 67cc32ebfd8c0ee3fcdb26780a8991baf5eb1d45
  Author: Veres Lajos <vlajos@xxxxxxxxx>
  Date:   Tue Sep 8 22:45:14 2015 +0100

      typofixes - v4

      Signed-off-by: Veres Lajos <vlajos@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 33b23b4b5e15923acaf315b01a535c15b239483b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Sep 4 21:41:01 2015 +0200

      qapi-schema: remove legacy<> from doc

      The legacy<> type is no longer used since 7ce7ffe02.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 76621d1faa25405ab13cfe73890f9069b2890ed4
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Aug 29 09:44:33 2015 +0200

      disas/microblaze: Remove unused code

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2382053f1deea2a2b49cf15571be7b542bec5fcf
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Fri Sep 4 21:30:04 2015 +0200

      help: dd missing newline

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 74c373e42f3dccae3b3b1e91a82ab8f748a39a6f
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Sat Sep 5 00:50:28 2015 +0530

      Target-ppc: Remove unnecessary variable

      Compress lines and remove the variable ret.

      Change made using Coccinelle script

      @@
      expression ret;
      @@
      - if (ret) return ret;
      - return 0;
      + return ret;
      @@
      local idexpression ret;
      expression e;
      @@
      - ret = e;
      - return ret;
      + return e;
      @@
      type T; identifier i;
      @@
      - T i;
      ... when != i

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 70cbae1dd85c9b4bb7c42bb282baacaaed0dd9bd
  Author: Samuel Thibault <samuel.thibault@xxxxxxx>
  Date:   Sun Aug 30 17:12:13 2015 +0200

      baum: Fix build with debugging enabled

      cur and buf are pointers, so the difference is a ptrdiff_t

      Signed-off-by: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 8cb76755615326dd824ee3c7f3588afcd17acb28
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Aug 29 09:29:52 2015 +0200

      linux-user: Fix warnings caused by missing 'static' attribute

      Warnings from the Sparse static analysis tool:

      linux-user/main.c:40:12: warning:
       symbol 'filename' was not declared. Should it be static?
      linux-user/main.c:41:12: warning:
       symbol 'argv0' was not declared. Should it be static?
      linux-user/main.c:42:5: warning:
       symbol 'gdbstub_port' was not declared. Should it be static?
      linux-user/main.c:43:11: warning:
       symbol 'envlist' was not declared. Should it be static?

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit fe646693acc13ac48b98435d14149ab04dc597bc
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Tue Jul 7 16:42:10 2015 +0200

      opts: produce valid command line in qemu_opts_print

      This will let us print options in a format that the user would actually
      write it on the command line (foo=bar,baz=asd,etc=def), without
      prepending a spurious comma at the beginning of the list, or quoting
      values unnecessarily.  This patch provides the following changes:
      * write and id=, if the option has an id
      * do not print separator before the first element
      * do not quote string arguments
      * properly escape commas (,) for QEMU

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 71e0e067b2bef8823c389c3705a8bcbb2bb12429
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 12:48:35 2015 +0200

      docs: fix a qga/qapi-schema.json comment

      For consistency with the rest of the comment blocks.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 594fd21102aa7b7dce1509b31944d10836108c6b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Jun 29 16:56:26 2015 -0400

      trivial: remove trailing newline from error_report

      Minor cleanup.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 012aef073461fd24a901d7a8742532093b7f6ae5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Aug 26 14:02:53 2015 +0200

      maint: avoid useless "if (foo) free(foo)" pattern

      My Coccinelle semantic patch finds a few more, because it also fixes up
      the equally pointless conditional

          if (foo) {
              free(foo);
              foo = NULL;
          }

      Result (feel free to squash it into your patch):

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ef1e1e0782e99c9dcf2b35e5310cdd8ca9211374
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:18 2015 +0100

      maint: avoid useless "if (foo) free(foo)" pattern

      The free() and g_free() functions both happily accept
      NULL on any platform QEMU builds on. As such putting a
      conditional 'if (foo)' check before calls to 'free(foo)'
      merely serves to bloat the lines of code.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4595a48a10e576638795950b61957f83d2ed09b4
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:17 2015 +0100

      maint: remove unused include for strings.h

      A number of files were including strings.h but not using any
      of the functions it provides

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1618d2ae7f1728ea26fa38cb661253f134d389ed
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:16 2015 +0100

      maint: remove unused include for signal.h

      A number of files were including signal.h but not using any
      of the functions it provides

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d7646f241c8efc17b4b86cc7a304472792f0cc74
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:15 2015 +0100

      maint: remove unused include for dirent.h

      A number of files were including dirent.h but not using any
      of the functions it provides

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 8abae4d31d92be2085fd66566585cba7699ad332
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:14 2015 +0100

      maint: remove unused include for assert.h

      A number of files were including assert.h but not using any
      of the functions it provides

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b6af097528caba5b23b79db3f1f1fd08fa4fa11e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:13 2015 +0100

      maint: remove / fix many doubled words

      Many source files have doubled words (eg "the the", "to to",
      and so on). Most of these can simply be removed, but a couple
      were actual mis-spellings (eg "to to" instead of "to do").
      There was even one triple word score "to to to" :-)

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a8f15a27752d855d339befd8de4f0ad1c4dbb0ab
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:12 2015 +0100

      maint: remove double semicolons in many files

      A number of source files have statements accidentally
      terminated by a double semicolon - eg 'foo = bar;;'.
      This is harmless but a mistake none the less.

      The tcg/ia64/tcg-target.c file is whitelisted because
      it has valid use of ';;' in a comment containing assembly
      code.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit fee562e9e41290a22623de83b673a8929ec5280d
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 4 10:27:31 2015 +0200

      i6300esb: fix timer overflow

      We use muldiv64() to compute the time to wait:

          timeout = muldiv64(get_ticks_per_sec(), timeout, 33000000);

      but get_ticks_per_sec() is 10^9 (30 bit value) and timeout
      is a 35 bit value.

      Whereas muldiv64 is:

          uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)

      So we loose 3 bits of timeout.

      Swapping get_ticks_per_sec() and timeout fixes it.

      We can also replace it by a multiplication by 30 ns,
      but this changes PCI clock frequency from 33MHz to 33.333333MHz
      and we need to do this on all the QEMU PCI devices (later...)

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6883de6c9b647d5629ffe131ed5d97c06bb0db1a
  Author: Andrey Korolyov <andrey@xxxxxxx>
  Date:   Fri Jul 31 22:12:54 2015 +0300

      Trivial: fix commandline help message

      Fix obvious typo in printed help for qemu-nbd.

      Signed-off-by: Andrey Korolyov <andrey@xxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a23797efb14f4d8f093e3b68f8265c88e9ff1de6
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Thu Jul 30 07:46:43 2015 +0200

      Update language files for QEMU 2.4.0

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7b9c09f7d486647784c605739d69b708a7249c9b
  Merge: fe55641 cae99f1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 10 18:25:52 2015 +0100

      Merge remote-tracking branch 
'remotes/sstabellini/tags/xen-2015-09-10-tag' into staging

      xen-2015-09-10

      # gpg: Signature made Thu 10 Sep 2015 17:52:08 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-2015-09-10-tag: (29 commits)
        xen/pt: Don't slurp wholesale the PCI configuration registers
        xen/pt: Check for return values for xen_host_pci_[get|set] in init
        xen/pt: Move bulk of xen_pt_unregister_device in its own routine.
        xen/pt: Make xen_pt_unregister_device idempotent
        xen/pt: Log xen_host_pci_get/set errors in MSI code.
        xen/pt: Log xen_host_pci_get in two init functions
        xen/pt: Remove XenPTReg->data field.
        xen/pt: Check if reg->init function sets the 'data' past the reg->size
        xen/pt: Sync up the dev.config and data values.
        xen/pt: Use xen_host_pci_get_[byte|word] instead of dev.config
        xen/pt: Use XEN_PT_LOG properly to guard against compiler warnings.
        xen/pt/msi: Add the register value when printing logging and error 
messages
        xen: use errno instead of rc for xc_domain_add_to_physmap
        xen/pt: xen_host_pci_config_read returns -errno, not -1 on failure
        xen/pt: Make xen_pt_msi_set_enable static
        xen/pt: Update comments with proper function name.
        xen/HVM: atomically access pointers in bufioreq handling
        xen-hvm: When using xc_domain_add_to_physmap also include errno when 
reporting
        xen, gfx passthrough: add opregion mapping
        xen, gfx passthrough: register host bridge specific to passthrough
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cae99f1d779a6e2c8721ce2dd80bafdbf0abe7a0
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jul 8 15:58:41 2015 -0400

      xen/pt: Don't slurp wholesale the PCI configuration registers

      Instead we have the emulation registers ->init functions which
      consult the host values to see what the initial value should be
      and they are responsible for populating the dev.config.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 3d3697f2576424a2c0830a7b2e7c94c79dea9b50
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Thu Jul 2 14:33:44 2015 -0400

      xen/pt: Check for return values for xen_host_pci_[get|set] in init

      and if we have failures we call xen_pt_destroy introduced in
      'xen/pt: Move bulk of xen_pt_unregister_device in its own routine.'
      and free all of the allocated structures.

      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit df6aa45752bf8145adcba9b077c346e9b758ebd1
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Tue Sep 8 16:21:59 2015 -0400

      xen/pt: Move bulk of xen_pt_unregister_device in its own routine.

      This way we can call it if we fail during init.

      This code movement introduces no changes.

      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit bce33948178e338eac2629284b199c0c1f05f8a3
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Tue Sep 8 16:21:29 2015 -0400

      xen/pt: Make xen_pt_unregister_device idempotent

      To deal with xen_host_pci_[set|get]_ functions returning error values
      and clearing ourselves in the init function we should make the
      .exit (xen_pt_unregister_device) function be idempotent in case
      the generic code starts calling .exit (or for fun does it before
      calling .init!).

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit fe2da64c5ab882124aaf14c27d62409d02ff1786
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jun 24 17:27:40 2015 -0400

      xen/pt: Log xen_host_pci_get/set errors in MSI code.

      We seem to only use these functions when de-activating the
      MSI - so just log errors.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit ea6c50f99de4b36a2c3e90dedabac46aef7992ac
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jun 24 17:18:26 2015 -0400

      xen/pt: Log xen_host_pci_get in two init functions

      To help with troubleshooting in the field.

      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit e2779de053b64f023de382fd87b3596613d47d1e
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jul 1 15:41:33 2015 -0400

      xen/pt: Remove XenPTReg->data field.

      We do not want to have two entries to cache the guest configuration
      registers: XenPTReg->data and dev.config. Instead we want to use
      only the dev.config.

      To do without much complications we rip out the ->data field
      and replace it with an pointer to the dev.config. This way we
      have the type-checking (uint8_t, uint16_t, etc) and as well
      and pre-computed location.

      Alternatively we could compute the offset in dev.config by
      using the XenPTRRegInfo and XenPTRegGroup every time but
      this way we have the pre-computed values.

      This change also exposes some mis-use:
       - In 'xen_pt_status_reg_init' we used u32 for the Capabilities Pointer
         register, but said register is an an u16.
       - In 'xen_pt_msgdata_reg_write' we used u32 but should have only use u16.

      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 5b4dd0f55ed3027557ed9a6fd89d5aa379122feb
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 16:41:14 2015 -0400

      xen/pt: Check if reg->init function sets the 'data' past the reg->size

      It should never happen, but in case it does (an developer adds
      a new register and the 'init_val' expands past the register
      size) we want to report. The code will only write up to
      reg->size so there is no runtime danger of the register spilling
      across other ones - however to catch this sort of thing
      we still return an error.

      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 2e87512eccf3c5e40f3142ff5a763f4f850839f4
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 16:24:40 2015 -0400

      xen/pt: Sync up the dev.config and data values.

      For a passthrough device we maintain a state of emulated
      registers value contained within d->config. We also consult
      the host registers (and apply ro and write masks) whenever
      the guest access the registers. This is done in xen_pt_pci_write_config
      and xen_pt_pci_read_config.

      Also in this picture we call pci_default_write_config which
      updates the d->config and if the d->config[PCI_COMMAND] register
      has PCI_COMMAND_MEMORY (or PCI_COMMAND_IO) acts on those changes.

      On startup the d->config[PCI_COMMAND] are the host values, not
      what the guest initial values should be, which is exactly what
      we do _not_ want to do for 64-bit BARs when the guest just wants
      to read the size of the BAR. Huh you say?

      To get the size of 64-bit memory space BARs,  the guest has
      to calculate ((BAR[x] & 0xFFFFFFF0) + ((BAR[x+1] & 0xFFFFFFFF) << 32))
      which means it has to do two writes of ~0 to BARx and BARx+1.

      prior to this patch and with XSA120-addendum patch (Linux kernel)
      the PCI_COMMAND register is copied from the host it can have
      PCI_COMMAND_MEMORY bit set which means that QEMU will try to
      update the hypervisor's P2M with BARx+1 value to ~0 (0xffffffff)
      (to sync the guest state to host) instead of just having
      xen_pt_pci_write_config and xen_pt_bar_reg_write apply the
      proper masks and return the size to the guest.

      To thwart this, this patch syncs up the host values with the
      guest values taking into account the emu_mask (bit set means
      we emulate, PCI_COMMAND_MEMORY and PCI_COMMAND_IO are set).
      That is we copy the host values - masking out any bits which
      we will emulate. Then merge it with the initial emulation register
      values. Lastly this value is then copied both in
      dev.config _and_ XenPTReg->data field.

      There is also reg->size accounting taken into consideration
      that ends up being used in patch.
       xen/pt: Check if reg->init function sets the 'data' past the reg->size

      This fixes errors such as these:

      (XEN) memory_map:add: dom2 gfn=fffe0 mfn=fbce0 nr=20
      (DEBUG) 189 pci dev 04:0 BAR16 wrote ~0.
      (DEBUG) 200 pci dev 04:0 BAR16 read 0x0fffe0004.
      (XEN) memory_map:remove: dom2 gfn=fffe0 mfn=fbce0 nr=20
      (DEBUG) 204 pci dev 04:0 BAR16 wrote 0x0fffe0004.
      (DEBUG) 217 pci dev 04:0 BAR16 read upper 0x000000000.
      (XEN) memory_map:add: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
      (XEN) p2m.c:883:d0v0 p2m_set_entry failed! mfn=ffffffffffffffff rc:-22
      (XEN) memory_map:fail: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20 ret:-22
      (XEN) memory_map:remove: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
      (XEN) p2m.c:920:d0v0 gfn_to_mfn failed! gfn=ffffffff00000 type:4
      (XEN) p2m.c:920:d0v0 gfn_to_mfn failed! gfn=ffffffff00001 type:4
      ..
      (XEN) memory_map: error -22 removing dom2 access to [fbce0,fbcff]
      (DEBUG) 222 pci dev 04:0 BAR16 read upper 0x0ffffffff.
      (XEN) memory_map:remove: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
      (XEN) memory_map: error -22 removing dom2 access to [fbce0,fbcff]

      [The DEBUG is to illustate what the hvmloader was doing]

      Also we swap from xen_host_pci_long to using 
xen_host_pci_get_[byte,word,long].

      Otherwise we get:

      xen_pt_config_reg_init: Offset 0x0004 mismatch! Emulated=0x0000, 
host=0x2300017, syncing to 0x2300014.
      xen_pt_config_reg_init: Error: Offset 0x0004:0x2300014 expands past 
register size(2)!

      which is not surprising. We read the value as an 32-bit (from host),
      then operate it as a 16-bit - and the remainder is left unchanged.

      We end up writing the value as 16-bit (so 0014) to dev.config
      (as we use proper xen_set_host_[byte,word,long] so we don't spill
      to other registers) but in XenPTReg->data it is as 32-bit (0x2300014)!

      It is harmless as the read/write functions end up using an size mask
      and never modify the bits past 16-bit (reg->size is 2).

      This patch fixes the warnings by reading the value using the
      proper size.

      Note that the check for size is still left in-case the developer
      sets bits past the reg->size in the ->init routines. The author
      tried to fiddle with QEMU_BUILD_BUG to make this work but failed.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reported-by: Sander Eikelenboom <linux@xxxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 6aa07b1494d2725f24af097ca19c750ac25a7c11
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 14:01:13 2015 -0400

      xen/pt: Use xen_host_pci_get_[byte|word] instead of dev.config

      During init time we treat the dev.config area as a cache
      of the host view. However during execution time we treat it
      as guest view (by the generic PCI API). We need to sync Xen's
      code to the generic PCI API view. This is the first step
      by replacing all of the code that uses dev.config or
      pci_get_[byte|word] to get host value to actually use the
      xen_host_pci_get_[byte|word] functions.

      Interestingly in 'xen_pt_ptr_reg_init' we also needed to swap
      reg_field from uint32_t to uint8_t - since the access is only
      for one byte not four bytes. We can split this as a seperate
      patch however we would have to use a cast to thwart compiler
      warnings in the meantime.

      We also truncated 'flags' to 'flag' to make the code fit within
      the 80 characters.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit fe556410cf09d6181a4e694c6db31562fdcfbeba
  Merge: fbf054c 1e9b65b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 10 14:51:35 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-09-10' 
into staging

      error: On abort, report where the error was created

      # gpg: Signature made Thu 10 Sep 2015 13:01:39 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-09-10:
        error: On abort, report where the error was created
        error: Revamp interface documentation
        error: error_set_errno() is unused, drop
        qga/vss-win32: Document the DLL requires non-null errp
        qga: Clean up unnecessarily dirty casts
        error: Make error_setg() a function
        error: De-duplicate code creating Error objects

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 54fd08136e4ac8b88b88b15c397010e3b0de379f
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 16:06:19 2015 -0400

      xen/pt: Use XEN_PT_LOG properly to guard against compiler warnings.

      If XEN_PT_LOGGING_ENABLED is enabled the XEN_PT_LOG macros start
      using the first argument. Which means if within the function there
      is only one user of the argument ('d') and XEN_PT_LOGGING_ENABLED
      is not set, we get compiler warnings. This is not the case now
      but with the "xen/pt: Use xen_host_pci_get_[byte|word] instead of 
dev.config"
      we will hit - so this sync up the function to the rest of them.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit faf5f56bf9f45ffc24a41fc8fc5ab76677aef688
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 12:30:37 2015 -0400

      xen/pt/msi: Add the register value when printing logging and error 
messages

      We would like to know what the MSI register value is to help
      in troubleshooting in the field. As such modify the logging
      logic to include such details in xen_pt_msgctrl_reg_write.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 20a544c7dc2428e8816ed4a87af732884e885f2d
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 12:51:05 2015 -0400

      xen: use errno instead of rc for xc_domain_add_to_physmap

      In Xen 4.6 commit cd2f100f0f61b3f333d52d1737dd73f02daee592
      "libxc: Fix do_memory_op to return negative value on errors"
      made the libxc API less odd-ball: On errors, return value is
      -1 and error code is in errno. On success the return value
      is either 0 or an positive value.

      Since we could be running with an old toolstack in which the
      Exx value is in rc or the newer, we add an wrapper around
      the xc_domain_add_to_physmap (called xen_xc_domain_add_to_physmap)
      which will always return the EXX.

      Xen 4.6 did not change the libxc functions mentioned (same parameters)
      so we piggyback on the fact that Xen 4.6 has a new function:
      commit 504ed2053362381ac01b98db9313454488b7db40 "tools/libxc: Expose
      new hypercall xc_reserved_device_memory_map" and check for that.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Suggested-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 52c7265f602701751b55d437b347bd73debf9d91
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 13:58:17 2015 -0400

      xen/pt: xen_host_pci_config_read returns -errno, not -1 on failure

      However the init routines assume that on errors the return
      code is -1 (as the libxc API is) - while those xen_host_* routines follow
      another paradigm - negative errno on return, 0 on success.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit cf8124f0078a7625fdf9836589210267817ae0ae
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jun 24 17:26:43 2015 -0400

      xen/pt: Make xen_pt_msi_set_enable static

      As we do not use it outside our code.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit d3b9facba71ed45c9c1c09ca28eb5568a194b4de
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jun 24 17:16:01 2015 -0400

      xen/pt: Update comments with proper function name.

      It has changed but the comments still refer to the old names.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit d8b441a3fbfd075c48ab2a519d779d926624ed79
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Fri Jul 24 03:38:28 2015 -0600

      xen/HVM: atomically access pointers in bufioreq handling

      The number of slots per page being 511 (i.e. not a power of two) means
      that the (32-bit) read and write indexes going beyond 2^32 will likely
      disturb operation. The hypervisor side gets I/O req server creation
      extended so we can indicate that we're using suitable atomic accesses
      where needed, allowing it to atomically canonicalize both pointers when
      both have gone through at least one cycle.

      The Xen side counterpart (which is not a functional prereq to this
      change, albeit a build one) went in already (commit b7007bc6f9).

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit e763addd19e59dbd1986d4b0faae63dcb9a0f6aa
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Fri Mar 13 15:36:58 2015 -0400

      xen-hvm: When using xc_domain_add_to_physmap also include errno when 
reporting

      .errors - as it will most likely have the proper error value.

      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 5cec8aa38cc3b7c8cf9ce66abdda28b3598e2d88
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:50 2015 +0800

      xen, gfx passthrough: add opregion mapping

      The OpRegion shouldn't be mapped 1:1 because the address in the host
      can't be used in the guest directly.

      This patch traps read and write access to the opregion of the Intel
      GPU config space (offset 0xfc).

      The original patch is from Jean Guyader <jean.guyader@xxxxxxxxxxxxx>

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 998250e976613decf9e0da68b3922df330eac3f6
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:49 2015 +0800

      xen, gfx passthrough: register host bridge specific to passthrough

      Just register that pci host bridge specific to passthrough.

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit f37d630a69992822f2eb4a47a5a5fc6a54a6dd08
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:48 2015 +0800

      xen, gfx passthrough: register a isa bridge

      Currently we just register this isa bridge when we use IGD
      passthrough in Xen side.

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit bd8107d7301d3fa44f04aa435e06efb2226ca58c
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:47 2015 +0800

      igd gfx passthrough: create a isa bridge

      Currently IGD drivers always need to access PCH by 1f.0. But we
      don't want to poke that directly to get ID, and although in real
      world different GPU should have different PCH. But actually the
      different PCH DIDs likely map to different PCH SKUs. We do the
      same thing for the GPU. For PCH, the different SKUs are going to
      be all the same silicon design and implementation, just different
      features turn on and off with fuses. The SW interfaces should be
      consistent across all SKUs in a given family (eg LPT). But just
      same features may not be supported.

      Most of these different PCH features probably don't matter to the
      Gfx driver, but obviously any difference in display port connections
      will so it should be fine with any PCH in case of passthrough.

      So currently use one PCH version, 0x8c4e, to cover all HSW(Haswell)
      scenarios, 0x9cc3 for BDW(Broadwell).

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 881213f1b9c5a8f4101405a5802d548cb62a4274
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:46 2015 +0800

      xen, gfx passthrough: retrieve VGA BIOS to work

      Now we retrieve VGA bios like kvm stuff in qemu but we need to
      fix Device Identification in case if its not matched with the
      real IGD device since Seabios is always trying to compare this
      ID to work out VGA BIOS.

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 798141799ccd5235a928b8fc0411d7d74e706489
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:45 2015 +0800

      xen, gfx passthrough: basic graphics passthrough support

      basic gfx passthrough support:
      - add a vga type for gfx passthrough
      - register/unregister legacy VGA I/O ports and MMIOs for passthrough GFX

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit bcd7461e7e84a65f1dfaa6af6e00aa498978d29d
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:44 2015 +0800

      hw/pci-assign: split pci-assign.c

      We will try to reuse assign_dev_load_option_rom in xen side, and
      especially its a good beginning to unify pci assign codes both on
      kvm and xen in the future.

      [Fix build for Windows]

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 595a4f07d6bd18ba11c78b95d6a78089fee26eca
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:43 2015 +0800

      piix: create host bridge to passthrough

      Implement a pci host bridge specific to passthrough. Actually
      this just inherits the standard one. And we also just expose
      a minimal real host bridge pci configuration subset.

      [Replace pread with lseek and read to fix Windows build]

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1e9b65bb1bad51735cab6c861c29b592dccabf0e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 19:21:59 2015 +0200

      error: On abort, report where the error was created

      This is particularly useful when we abort in error_propagate(),
      because there the stack backtrace doesn't lead to where the error was
      created.  Looks like this:

          Unexpected error in parse_block_error_action() at 
.../qemu/blockdev.c:322:
          qemu-system-x86_64: -drive if=none,werror=foo: 'foo' invalid write 
error action
          Aborted (core dumped)

      Note: to get this example output, I monkey-patched drive_new() to pass
      &error_abort to blockdev_init().

      To keep the error handling boiler plate from growing even more, all
      error_setFOO() become macros expanding into error_setFOO_internal()
      with additional __FILE__, __LINE__, __func__ arguments.  Not exactly
      pretty, but it works.

      The macro trickery breaks down when you take the address of an
      error_setFOO().  Fortunately, we do that in just one place: qemu-ga's
      Windows VSS provider and requester DLL wants to call
      error_setg_win32() through a function pointer "to avoid linking glib
      to the DLL".  Use error_setg_win32_internal() there.  The use of the
      function pointer is already wrapped in a macro, so the churn isn't
      bad.

      Code size increases by some 35KiB for me (0.7%).  Tolerable.  Could be
      less if we passed relative rather than absolute source file names to
      the compiler, or forwent reporting __func__.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit edf6f3b3358597d37da0cf636ce3ed8a546d0f26
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 18:29:24 2015 +0200

      error: Revamp interface documentation

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 4463dcb85c9f992f0c4d93f2142c8d64dcc85c5c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 22:16:14 2015 +0200

      error: error_set_errno() is unused, drop

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 08e64640357cd9517aa30fd49840f05f0f2ee3a4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 20 09:33:56 2015 +0200

      qga/vss-win32: Document the DLL requires non-null errp

      requester.cpp uses this pattern to receive an error and pass it on to
      the caller (err_is_set() macro peeled off for clarity):

          ... code that may set errset->errp ...
          if (errset->errp && *errset->errp) {
              ... handle error ...
          }

      This breaks when errset->errp is null.  As far as I can tell, it
      currently isn't, so this is merely fragile, not actually broken.

      The robust way to do this is to receive the error in a local variable,
      then propagate it up, like this:

          Error *err = NULL;

          ... code that may set err ...
          if (err)
              ... handle error ...
              error_propagate(errset->errp, err);
          }

      See also commit 5e54769, 0f230bf, a903f40.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e7cf59e84767e30b507b6bd7c1347072ec12b636
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 20:44:54 2015 +0200

      qga: Clean up unnecessarily dirty casts

      qga_vss_fsfreeze() casts error_set_win32() from

          void (*)(Error **, int, ErrorClass, const char *, ...)

      to

          void (*)(void **, int, int, const char *, ...)

      The result is later called.  Since the two types are not compatible,
      the call is undefined behavior.  It works in practice anyway.

      However, there's no real need for trickery here.  Clean it up as
      follows:

      * Declare struct Error, and fix the first parameter.

      * Switch to error_setg_win32().  This gets rid of the troublesome
        ErrorClass parameter.  Requires converting error_setg_win32() from
        macro to function, but that's trivially easy, because this is the
        only user of error_set_win32().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a9499ddd82a99c66cc72a08e72427c423acfea1c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 15:36:16 2015 +0200

      error: Make error_setg() a function

      Saves a tiny amount of code at every call site.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 552375088a832fd5945ede92d01f98977b4eca13
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 13:59:47 2015 +0200

      error: De-duplicate code creating Error objects

      Duplicated when commit 680d16d added error_set_errno(), and again when
      commit 20840d4 added error_set_win32().

      Make the original copy in error_set() reusable by factoring out
      error_setv(), then rewrite error_set_errno() and error_set_win32() on
      top of it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit fbf054cb0a8ce2dc8f2d3012fb9204ef50d28d17
  Merge: fc04a73 0f288f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 10 10:24:30 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio,pc,acpi fixes, cleanups

      Fixes all over the place.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 10 Sep 2015 10:16:18 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        hw/pci: fix pci_update_mappings() trace events
        pc: memhotplug: keep reserved-memory-end broken on 2.4 and earlier 
machines
        pc: memhotplug: fix incorrectly set reserved-memory-end
        acpi: Remove unused definition.
        virtio: avoid leading underscores for helpers
        pc: Remove redundant arguments from xen_hvm_init()
        pci: Fix pci_device_iommu_address_space() bus propagation

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0f288f854b96f56247e38f4207f71647133f0184
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Tue Sep 1 23:33:23 2015 +0200

      hw/pci: fix pci_update_mappings() trace events

      The current trace prototypes and (matching) trace calls lead to
      "unorthodox" PCI BDF notation in at least the stderr trace backend. For
      example, the four BARs of a QXL video card at 00:01.0 (bus 0, slot 1,
      function 0) are traced like this (PID and timestamps removed):

        pci_update_mappings_add d=0x7f14a73bf890 00:00.1 0,0x84000000+0x4000000
        pci_update_mappings_add d=0x7f14a73bf890 00:00.1 1,0x80000000+0x4000000
        pci_update_mappings_add d=0x7f14a73bf890 00:00.1 2,0x88200000+0x2000
        pci_update_mappings_add d=0x7f14a73bf890 00:00.1 3,0xd060+0x20

      The slot and function values are in reverse order.

      Stick with the conventional BDF notation.

      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Don Koch <dkoch@xxxxxxxxxxx>
      Cc: qemu-trivial@xxxxxxxxxx
      Fixes: 7828d75045
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2f8b50083b321e470ef8e2502910ade40cbfa020
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Mon Sep 7 13:55:32 2015 +0200

      pc: memhotplug: keep reserved-memory-end broken on 2.4 and earlier 
machines

      it will prevent guests on old machines from seeing
      inconsistent memory mapping in firmware/ACPI views.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 3385e8e2640e5c38582f6e8413042bd23d97c640
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Mon Sep 7 13:55:31 2015 +0200

      pc: memhotplug: fix incorrectly set reserved-memory-end

      reserved-memory-end tells firmware address from which
      it could start treating memory as PCI address space
      and map PCI BARs after it to avoid collisions with
      RAM.
      Currently it is incorrectly pointing to address where
      hotplugged memory range starts which could redirect
      hotplugged RAM accesses to PCI BARs when firmware
      maps them over RAM or viceverse.
      Fix this by pointing reserved-memory-end to the end
      of memory hotplug area.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 9372e3f5678cdd86e1ddfb957d9da4b1889a0dd0
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Wed Sep 2 20:03:38 2015 +0100

      acpi: Remove unused definition.

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 95129d6fc9ead97155627a4ca0cfd37282883658
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Mon Aug 17 11:48:29 2015 +0200

      virtio: avoid leading underscores for helpers

      Commit ef546f1275f6563e8934dd5e338d29d9f9909ca6 ("virtio: add
      feature checking helpers") introduced a helper __virtio_has_feature.
      We don't want to use reserved identifiers, though, so let's
      rename __virtio_has_feature to virtio_has_feature and virtio_has_feature
      to virtio_vdev_has_feature.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 91176e310527fac8414c417c093659e42e4564ea
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Aug 17 11:42:29 2015 -0700

      pc: Remove redundant arguments from xen_hvm_init()

      Remove arguments that can be found in PCMachineState.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5af2ae2305143f1805a696f9554231e1fc246edc
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Sun Jul 5 09:19:15 2015 +1000

      pci: Fix pci_device_iommu_address_space() bus propagation

      he current code walks up the bus tree for an iommu, however it passes
      to the iommu_fn() callback the bus/devfn of the immediate child of
      the level where the callback was found, rather than the original
      bus/devfn where the search started from.

      This prevents iommu's like POWER8 (and in fact also Q35) to properly
      provide an address space for a subset of devices that aren't immediate
      children of the iommu.

      PCIe carries the originator bdfn acccross to the iommu on all DMA
      transactions, so we must be able to properly identify devices at all
      levels.

      This changes the function pci_device_iommu_address_space() to pass
      the original pointers to the iommu_fn() callback instead.

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 47d4be12c3997343e436c6cca89aefbbbeb70863
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Sep 10 10:02:00 2015 +0200

      cutils: work around platform differences in strto{l,ul,ll,ull}

      Linux returns 0 if no conversion was made, while OS X and presumably
      the BSDs return EINVAL.  The OS X convention rejects more invalid
      inputs, so convert to it and adjust the test case.

      Windows returns 1 from strtoul and strtoull (instead of -1) for
      negative out-of-range input; fix it up.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9fd1a94888cd6a559f95c3596ec1ac28b74838c1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 11 11:33:24 2015 +0200

      cpu-exec: fix lock hierarchy for user-mode emulation

      tb_lock has to be taken inside the mmap_lock (example:
      tb_invalidate_phys_range is called by target_mmap), but
      tb_link_page is taking the mmap_lock and it is called
      with the tb_lock held.

      To fix this, take the mmap_lock in tb_find_slow, not
      in tb_link_page.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8fd19e6cfd5b6cdf028c6ac2ff4157ed831ea3a6
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 11 10:57:52 2015 +0200

      exec: make mmap_lock/mmap_unlock globally available

      There is some iffy lock hierarchy going on in translate-all.c.  To
      fix it, we need to take the mmap_lock in cpu-exec.c.  Make the
      functions globally available.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 756920876f60829fad0d15df4f3fa205077a8131
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 11 10:59:50 2015 +0200

      tcg: comment on which functions have to be called with mmap_lock held

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6940fab84b826175cf90d48d0e3da1b76518f5b4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Aug 12 09:41:40 2015 +0200

      tcg: add memory barriers in page_find_alloc accesses

      page_find is reading the radix tree outside all locks, so it has to
      use the RCU primitives.  It does not need RCU critical sections
      because the PageDescs are never removed, so there is never a need
      to wait for the end of code sections that use a PageDesc.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2496ff1311283480f9de3614080b8842d838ade4
  Author: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
  Date:   Mon Aug 10 17:27:03 2015 +0200

      remove unused spinlock.

      This just removes spinlock as it is not used anymore.

      Signed-off-by: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1439220437-23957-6-git-send-email-fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 677ef6230b603571ae05125db469f7b4c8912a77
  Author: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
  Date:   Mon Aug 10 17:27:02 2015 +0200

      replace spinlock by QemuMutex.

      spinlock is only used in two cases:
        * cpu-exec.c: to protect TranslationBlock
        * mem_helper.c: for lock helper in target-i386 (which seems broken).

      It's a pthread_mutex_t in user-mode, so we can use QemuMutex directly,
      with an #ifdef.  The #ifdef will be removed when multithreaded TCG
      will need the mutex as well.

      Signed-off-by: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1439220437-23957-5-git-send-email-fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      [Merge Emilio G. Cota's patch to remove volatile. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d5f8d61390de8f2acc0da93f184e421a709cb503
  Author: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
  Date:   Mon Aug 10 17:27:06 2015 +0200

      cpus: remove tcg_halt_cond and tcg_cpu_thread globals

      This hides the tcg_halt_cond and tcg_cpu_thread global variables
      inside qemu_tcg_init_vcpu.  Multi-threaded TCG will need one
      QemuCond and one QemuThread per virtual cpu, so it's preferrable
      to use cpu->halt_cond and cpu->thread.

      Signed-off-by: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1439220437-23957-9-git-send-email-fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 376692b9dc6f02303ee07a4146d08d8727d79c0c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Jul 10 12:32:32 2015 +0200

      cpus: protect work list with work_mutex

      Protect the list of queued work items with something other than
      the BQL, as a preparation for running the work items outside it.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0c71d41e2aa3c7356500ae624166f3bb8c201aee
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Aug 27 12:06:23 2015 +0300

      scripts/dump-guest-memory.py: fix after RAMBlock change

      commit 9b8424d5735278ca382f11adc7c63072b632ab83
          "exec: split length -> used_length/max_length"
      changed field names in struct RAMBlock

      It turns out that scripts/dump-guest-memory.py was
      poking at this field, update it accordingly.

      Cc: qemu-stable@xxxxxxxxxx
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-Id: <1440666378-3152-1-git-send-email-mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7b01cb974f1093885c40bf4d0d3e78e27e531363
  Author: Alexandre Derumier <aderumier@xxxxxxxxx>
  Date:   Fri Jun 19 12:56:58 2015 +0200

      configure: Add support for jemalloc

      This adds "--enable-jemalloc" and "--disable-jemalloc" to allow linking
      to jemalloc memory allocator.

      We have already tcmalloc support,
      but it seem to not working well with a lot of iothreads/disks.

      The main problem is that tcmalloc use a shared thread cache of 16MB
      by default.
      With more threads, this cache is shared, and some bad garbage collections
      can occur if the cache is too low.

      It's possible to tcmalloc cache increase it with a env var:
      TCMALLOC_MAX_TOTAL_THREAD_CACHE_BYTES=256MB

      With default 16MB, performances are  really bad with more than 2 disks.
      Increasing to 256MB, it's helping but still have problem with 16 
disks/iothreads.

      Jemalloc don't have performance problem with default configuration.

      Here the benchmark results in iops of 1 qemu vm randread 4K iodepth=32,
      with rbd block backend (librbd is doing a lot of memory allocation),
      1 iothread by disk

      glibc malloc
      ------------

      1 disk      29052
      2 disks     55878
      4 disks     127899
      8 disks     240566
      15 disks    269976

      jemalloc
      --------

      1 disk      41278
      2 disks     75781
      4 disks     195351
      8 disks     294241
      15 disks    298199

      tcmalloc 2.2.1 default 16M cache
      --------------------------------

      1 disk   37911
      2 disks  67698
      4 disks  41076
      8 disks  43312
      15 disks 37569

      tcmalloc : 256M cache
      ---------------------------

      1 disk     33914
      2 disks    58839
      4 disks    148205
      8 disks    213298
      15 disks   218383

      Signed-off-by: Alexandre Derumier <aderumier@xxxxxxxxx>
      Message-Id: <1434711418-20429-1-git-send-email-aderumier@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3f7a899ff4e0681ed148b1cea07dc65550114fdb
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 7 09:50:09 2015 +0200

      add macro file for coccinelle

      Coccinelle chokes on some idioms from compiler.h and queue.h.
      Extract those in a macro file, to be used with "--macro-file
      scripts/cocci-macro-file.h".

      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c765fcac96e111199225c7387c01694fe076b341
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Aug 29 03:33:59 2015 -0700

      configure: factor out adding disas configure

      Every arch adds its disas configury to both its own config as well
      config_disas_all. Make a small function do to both at once.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<1440844439-19391-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f42bf6a262ab5923a1a3bc8f731b830396937c47
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed Aug 26 09:52:51 2015 +0800

      vhost-scsi: fix wrong vhost-scsi firmware path

      vhost-scsi bootindex does't work because Qemu passes
      wrong fireware path to seabios.

      before:
        /pci@i0cf8/scsi@7channel@0/vhost-scsi@0,0
      after applying the patch:
        /pci@i0cf8/scsi@7/channel@0/vhost-scsi@0,0

      Reported-by: Subo <subo7@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1440553971-11108-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f1e155bbf863ade457019c6f09d4cba06b2d6bb4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Aug 16 23:01:19 2015 +0200

      checkpatch: remove tests that are not relevant outside the kernel

      Fully removing Sparse support requires more invasive changes.  Only
      remove the really kernel-specific parts such as address space names.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 71c47b01ca0df34d6b41e0975be6e0633c5254cf
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Aug 16 23:15:46 2015 +0200

      checkpatch: adapt some tests to QEMU

      Mostly change severity levels, but some tests can also be adjusted to 
refer
      to QEMU APIs or data structures.

      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 690a35e1f2acf4ccd0501b18228bc6fba8f9c768
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Jun 19 09:28:13 2015 +0200

      CODING_STYLE: update mixed declaration rules

      Mixed declarations do come in handy at the top of #ifdef blocks.
      Reluctantly allow this particular usage and suggest an alternative.

      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d4ba8cb0a17e7de54753ff1bdeee4428118bb9ab
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:21 2015 -0500

      qmp: Add example usage of strto*l() qemu wrapper

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<11ac63e95d88551f1c2c9b1216b15d3cb8ba4468.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3904e6bf042391abc749d717465022e96e276fc7
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:20 2015 -0500

      cutils: Add qemu_strtoull() wrapper

      Add wrapper for strtoull() function. Include unit tests.

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<e0f0f611c9a81f3c29f451d0b17d755dfab1e90a.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      [Use uint64_t in prototype. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8ac4df40cc5de606a8ac9174e2340c21093b4e3b
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:19 2015 -0500

      cutils: Add qemu_strtoll() wrapper

      Add wrapper for strtoll() function. Include unit tests.

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<7454a6bb9ec03b629e8beb4f109dd30dc2c9804c.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      [Use int64_t in prototype, since that's what QEMU uses. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c817c01548b1500753d0bea3852938d919161778
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:18 2015 -0500

      cutils: Add qemu_strtoul() wrapper

      Add wrapper for strtoul() function. Include unit tests.

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<9621b4ae8e35fded31c715c2ae2a98f904f07ad0.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      [Fix tests for 32-bit build. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 764e0fa497ff5bbc9c9d7c116da2f00f34e71716
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:17 2015 -0500

      cutils: Add qemu_strtol() wrapper

      Add wrapper for strtol() function. Include unit tests.

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<07199f1c0ff3892790c6322123aee1e92f580550.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d1142fb83efdcf8a6c2dee825569892203e16d2c
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:39 2015 -0400

      translate-all: remove obsolete comment about l1_map

      l1_map is based on physical addresses in full-system mode, as pointed
      out in an earlier comment. Said comment also mentions that virtual
      addresses are only used in l1_map in user-only mode.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-11-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 709037636992e9289ce9147e59d56fb35d90b140
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:41 2015 -0400

      linux-user: call rcu_(un)register_thread on pthread_(exit|create)

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-13-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 492e1ca9bd3f43ba417a5cf918e6c769aa2478b9
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:38 2015 -0400

      rcu: fix comment with s/rcu_gp_lock/rcu_registry_lock/

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-10-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5243722376873a48e9852a58b91f4d4101ee66e4
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:37 2015 -0400

      rcu: init rcu_registry_lock after fork

      We were unlocking this lock after fork, which is wrong since
      only the thread that holds a mutex is allowed to unlock it.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-9-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 12a1ddc160cb6a73e8a6c319f3962a20da2cd22f
  Author: Michael Marineau <michael.marineau@xxxxxxxxxx>
  Date:   Sun Aug 9 00:02:55 2015 -0700

      Makefile.target: include top level build dir in vpath

      Using ccache with CCACHE_BASEDIR set to $(SRC_PATH) or a parent will
      rewrite all absolute paths to relative paths. This interacts poorly with
      QEMU's two-level build directory scheme. For example, lets say
      BUILD_DIR=$(SRC_PATH)/build so build/blockdev.d will contain:

        blockdev.o: ../blockdev.c ../include/sysemu/block-backend.h \

      Now the target build under build/x86_64-softmmu or similar will depend
      on ../blockdev.o which in turn will get make to source ../blockdev.d to
      check its dependencies. Since make always considers paths relative to
      the current working directory rather than the makefile the path appeared
      in the relative path to ../blockdev.c is useless.

      This change simply adds the top level build directory to vpath so paths
      relative to the source directory, top build directory, and target build
      directory all work just fine.

      Signed-off-by: Michael Marineau <michael.marineau@xxxxxxxxxx>
      Message-Id: 
<1439103775-11836-1-git-send-email-michael.marineau@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3c9589e180d98cdadb143bd2a792fb9d19d9aec6
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri Aug 14 11:25:14 2015 +0100

      Move RAMBlock and ram_list to ram_addr.h

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439547914-18249-1-git-send-email-dgilbert@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e0c382113f768cc375a0d61b7cb3692f1b4bba58
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Aug 26 00:19:19 2015 +0200

      tcg: signal-free qemu_cpu_kick

      Signals are slow and do not exist on Win32.  The previous patches
      have done most of the legwork to introduce memory barriers (some
      of them were even there already for the sake of Windows!) and
      we can now set the flags directly in the iothread.

      qemu_cpu_kick_thread is not used anymore on TCG, since the TCG thread is
      never outside usermode while the CPU is running (not halted).  Instead run
      the content of the signal handler (now in qemu_cpu_kick_no_halt) directly.
      qemu_cpu_kick_no_halt is also used in qemu_mutex_lock_iothread to avoid
      the overhead of qemu_cond_broadcast.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9102dedaa1ee1e89ce4a81283c403ff4928e9ef9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:52:09 2015 -0700

      use qemu_cpu_kick instead of cpu_exit or qemu_cpu_kick_thread

      Use the same API to trigger interruption of a CPU, no matter if
      under TCG or KVM.  There is no difference: these calls come from
      the CPU thread, so the qemu_cpu_kick calls will send a signal
      to the running thread and it will be processed synchronously,
      just like a call to cpu_exit.  The only difference is in the
      overhead, but neither call to cpu_exit (now qemu_cpu_kick)
      is in a hot path.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit aed807c8e2bf009b2c6a35490d4fd4383887221d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:43:15 2015 -0700

      tcg: synchronize exit_request and tcg_current_cpu accesses

      Synchronize the remaining pair of accesses in cpu_signal.  These should
      be necessary on Windows as well, at least in theory.  Probably
      SuspendProcess and ResumeProcess introduce some implicit memory
      barrier.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ab096a75cd626dcd4ad34b2a11652df0269bee0d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:34:19 2015 -0700

      tcg: synchronize cpu->exit_request and cpu->tcg_exit_req accesses

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b0a46fa796504c7334202877a68c857e49f7c96c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:32:02 2015 -0700

      tcg: assign cpu->current_tb in a simpler place

      TCG has not been reading cpu->current_tb from signal handlers for years.
      The code that synchronized cpu_exec with the signal handler is not
      needed anymore.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f240eb6fdcf63a5600e15fb44c6960586459a97f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Aug 26 00:17:58 2015 +0200

      remove qemu/tls.h

      TLS is now required on all platforms, so DECLARE_TLS/DEFINE_TLS is not
      needed anymore.  Removing it does not break Windows because of the
      previous patch.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9373e63297c43752f9cf085feb7f5aed57d959f8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:24:34 2015 -0700

      tcg: introduce tcg_current_cpu

      This is already useful on Windows in order to remove tls.h, because
      accesses to current_cpu are done from a different thread on that
      platform.  It will be used on POSIX platforms as soon TCG stops using
      signals to interrupt the execution of translated code.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5039d6e23586fe6bbedc5e4fe302b48a66890ade
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Feb 16 14:13:11 2015 +0100

      i8257: remove cpu_request_exit irq

      This is unused.  cpu_exit now is almost exclusively an internal function
      to the CPU execution loop.  In a few patches, we'll change the remaining
      occurrences to qemu_cpu_kick, making it truly internal.

      Reviewed-by: Richard henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 19d2b5e6ff7202c2bf45c547efa85ae6c2d76bbd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Feb 16 14:08:22 2015 +0100

      i8257: rewrite DMA_schedule to avoid hooking into the CPU loop

      The i8257 DMA controller uses an idle bottom half, which by default
      does not cause the main loop to exit.  Therefore, the DMA_schedule
      function is there to ensure that the CPU relinquishes the iothread
      mutex to the iothread.

      However, this is not enough since the iothread will call
      aio_compute_timeout() and go to sleep again.  In the iothread
      world, forcing execution of the idle bottom half is much simpler,
      and only requires a call to qemu_notify_event().  Do it, removing
      the need for the "cpu_request_exit" pseudo-irq.  The next patch
      will remove it.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fc04a730b7e60f4a62d6260d4eb9c537d1d3643f
  Merge: 8611280 6fdf328
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 18:02:36 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150908' into staging

      target-arm queue:
       * Implement priority handling properly via GICC_APR
       * Enable TZ extensions on the GIC if we're using them
       * Minor preparatory patches for EL3 support
       * cadence_gem: Correct Marvell PHY SPCFC reset value
       * Support AHCI in ZynqMP

      # gpg: Signature made Tue 08 Sep 2015 17:48:33 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150908:
        xlnx-zynqmp: Connect the sysbus AHCI to ZynqMP
        xlnx-zynqmp.c: Convert some of the error_propagate() calls to 
error_abort
        ahci.c: Don't assume AHCIState's parent is AHCIPCIState
        ahci: Separate the AHCI state structure into the header
        cadence_gem: Correct Marvell PHY SPCFC reset value
        target-arm: Add AArch64 access to PAR_EL1
        target-arm: Correct opc1 for AT_S12Exx
        target-arm: Log the target EL when taking exceptions
        target-arm: Fix default_exception_el() function for the case when EL3 
is not supported
        hw/arm/virt: Enable TZ extensions on the GIC if we are using them
        hw/arm/virt: Default to not providing TrustZone support
        hw/cpu/{a15mpcore, a9mpcore}: enable TrustZone in GIC if it is enabled 
in CPUs
        hw/intc/arm_gic_common: Configure IRQs as NS if doing direct NS kernel 
boot
        hw/arm: new interface for devices which need to behave differently for 
kernel boot
        qom: Add recursive version of object_child_for_each
        hw/intc/arm_gic: Actually set the active bits for active interrupts
        hw/intc/arm_gic: Drop running_irq and last_active arrays
        hw/intc/arm_gic: Fix handling of GICC_APR<n>, GICC_NSAPR<n> registers
        hw/intc/arm_gic: Running priority is group priority, not full priority
        armv7m_nvic: Implement ICSR without using internal GIC state

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6fdf3282d16e7fb6e798824fb5f4f60c6a73067d
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      xlnx-zynqmp: Connect the sysbus AHCI to ZynqMP

      Connect the Sysbus AHCI device to ZynqMP.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      [PMM: removed unnecessary brackets in error_propagate call]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e1292517103f7ad6a8dc9f0795d170a78ed408a8
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      xlnx-zynqmp.c: Convert some of the error_propagate() calls to error_abort

      Convert all of the non-realize error_propagate() calls into error_abort
      calls as they shouldn't be user visible failure cases.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bb639f829f139ddc83325b3b6825f93096ee44f1
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      ahci.c: Don't assume AHCIState's parent is AHCIPCIState

      The AHCIState struct can either have AHCIPCIState or SysbusAHCIState
      as a parent. The ahci_irq_lower() and ahci_irq_raise() functions
      assume that it is always AHCIPCIState, which is not always the
      case, which causes a seg fault. Verify what the container of AHCIState
      is before setting the PCIDevice struct.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Acked-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5ea8b9c5a3e823d1446a7e67d6d3b8d86bfd33d8
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      ahci: Separate the AHCI state structure into the header

      Pull the AHCI state structure out into the header. This allows
      other containers to access the struct. This is required to add
      the device to modern SoC containers.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7777b7a0ba27696ddf34a19818be17cc415551cc
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      cadence_gem: Correct Marvell PHY SPCFC reset value

      Bit 15 of the PHY Specific Status Register is reserved and
      should remain 0. Fix the reset value to ensure that the 15th
      bit is not set.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 
c795069e49040ff770fe2ece19dfe1791b729e22.1441316450.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c96fc9b52d0a318d8026a0bcaba204d319ad91e0
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      target-arm: Add AArch64 access to PAR_EL1

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Message-id: 1441311266-8644-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7a379c7e68f1b2286602b0beeeb58dcef7c9e760
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      target-arm: Correct opc1 for AT_S12Exx

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Message-id: 1441311266-8644-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dbc29a868cf5b7e6fa7bb2e6c4f188b9470779c5
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      target-arm: Log the target EL when taking exceptions

      Log the target EL when taking exceptions. This is useful when
      debugging guest SW or QEMU itself while transitioning through
      the various ELs.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Message-id: 1441311266-8644-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cef9ee706792b1e205fe472b67053a0e82cd058e
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      target-arm: Fix default_exception_el() function for the case when EL3 is 
not supported

      If EL3 is not supported in current configuration,
      we should not try to get EL3 bitness.

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      Message-id: 1441208342-10601-2-git-send-email-afarallax@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0e21f183ca2d000bbda1fb63959a3d41a1c3ff42
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      hw/arm/virt: Enable TZ extensions on the GIC if we are using them

      If we're creating a board with support for TrustZone, then enable
      it on the GIC model as well as on the CPUs.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2d710006a0da4a9b7ddf5c02d072e178906d0ef6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      hw/arm/virt: Default to not providing TrustZone support

      Switch the default for the 'virt' board to not providing TrustZone
      support in either the CPU or the GIC. This is primarily for the
      benefit of UEFI, which currently assumes there is no TrustZone
      support, and does not set the GIC up correctly if it is TZ-aware.
      It also means the board is consistent about its behaviour whether
      we're using KVM or TCG (KVM never has TrustZone support).

      If TrustZone support is required (for instance for running test
      suites or TZ-aware firmware) it can be enabled with the
      "-machine secure=on" command line option.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4182bbb19d2e266dde0d4ed32e85e1b1be79bc61
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      hw/cpu/{a15mpcore, a9mpcore}: enable TrustZone in GIC if it is enabled in 
CPUs

      If the A9 and A15 CPUs which we're creating the peripherals for have
      TrustZone (EL3) enabled, then also enable it in the GIC we create.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 8ff41f3995ad2d942ecafb72519c1f09cb811259
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      hw/intc/arm_gic_common: Configure IRQs as NS if doing direct NS kernel 
boot

      If we directly boot a kernel in NonSecure on a system where the GIC
      supports the security extensions then we must cause the GIC to
      configure its interrupts into group 1 (NonSecure) rather than the
      usual group 0, and with their initial priority set to the highest
      NonSecure priority rather than the usual highest Secure priority.
      Otherwise the guest kernel will be unable to use any interrupts.

      Implement this behaviour, controlled by a flag which we set if
      appropriate when the ARM bootloader code calls our ARMLinuxBootIf
      interface callback.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit d8b1ae4237b5f8cf5037a7f341ff43dc02955256
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      hw/arm: new interface for devices which need to behave differently for 
kernel boot

      For ARM we have a little minimalist bootloader in hw/arm/boot.c which
      takes the place of firmware if we're directly booting a Linux kernel.
      Unfortunately a few devices need special case handling in this situation
      to do the initialization which on real hardware would be done by
      firmware. (In particular if we're booting a kernel in NonSecure state
      then we need to make a TZ-aware GIC put all its interrupts into Group 1,
      or the guest will be unable to use them.)

      Create a new QOM interface which can be implemented by devices which
      need to do something different from their default reset behaviour.
      The callback will be called after machine initialization and before
      first reset.

      Suggested-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit d714b8de7747f20fe42e5716d1d44f91e2b891f4
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      qom: Add recursive version of object_child_for_each

      Useful for iterating through an entire QOM subtree.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit d5523a13656fb8df902a15a9fd8bd652b85e97e0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      hw/intc/arm_gic: Actually set the active bits for active interrupts

      Although we were correctly handling interrupts becoming active
      and then inactive, we weren't actually exposing this to the guest
      by setting the 'active' flag for the interrupt, so reads
      of GICD_ICACTIVERn and GICD_ISACTIVERn would generally incorrectly
      return zeroes. Correct this oversight.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 72889c8a809f4c65796b98d5af6a18c92510ed86
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:42 2015 +0100

      hw/intc/arm_gic: Drop running_irq and last_active arrays

      The running_irq and last_active arrays represent state which
      doesn't exist in a real hardware GIC. The only thing we use
      them for is updating the running priority when an interrupt
      is completed, but in fact we can use the active-priority
      registers to do this. The running priority is always the
      priority corresponding to the lowest set bit in the active
      priority registers, because only one interrupt at any
      particular priority can be active at once.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 51fd06e0eee8257fdcc147200796e362cf2298ea
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:42 2015 +0100

      hw/intc/arm_gic: Fix handling of GICC_APR<n>, GICC_NSAPR<n> registers

      A GICv2 has both GICC_APR<n> and GICC_NSAPR<n> registers, with
      the latter holding the active priority bits for Group 1 interrupts
      (usually Nonsecure interrupts), and the Nonsecure view of the
      GICC_APR<n> is the second half of the GICC_NSAPR<n> registers.
      Turn our half-hearted implementation of APR<n> into a proper
      implementation of both APR<n> and NSAPR<n>:

       * Add the underlying state for NSAPR<n>
       * Make sure APR<n> aren't visible for pre-GICv2
       * Implement reading of NSAPR<n>
       * Make non-secure reads of APR<n> behave correctly
       * Implement writing to APR<n> and NSAPR<n>

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit df92cfa60eef82dad112ca5c5d0239ec5ba7aac3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:42 2015 +0100

      hw/intc/arm_gic: Running priority is group priority, not full priority

      Priority values for the GIC are divided into a "group priority"
      and a "subpriority" (with the division being determined by the
      binary point register). The running priority is only determined
      by the group priority of the active interrupts, not the
      subpriority. In particular, this means that there can't be more
      than one active interrupt at any particular group priority.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit b06c262b45cf7afcf56dd0f2189ad8948b117e7d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:42 2015 +0100

      armv7m_nvic: Implement ICSR without using internal GIC state

      Change the implementation of the Interrupt Control and State Register
      in the v7M NVIC to not use the running_irq and last_active internal
      state fields in the GIC. These fields don't correspond to state in
      a real GIC and will be removed soon.
      The changes to the ICSR are:
       * the VECTACTIVE field is documented as identical to the IPSR[8:0]
         field, so implement it that way
       * implement RETTOBASE via looking at the active state bits

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 76d39ab49ec68608a3c0bafec7bed70f21302b0e
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:42 2015 +0800

      pc_init1: pass parameters just with types

      Pass types to configure pc_init1().

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7bb836e4a27b7e364f3c8c4ebe41172fc8c70f75
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 15 13:37:41 2015 +0800

      i440fx: make types configurable at run-time

      IGD passthrough wants to supply a different pci and
      host devices, inheriting i440fx devices. Make types
      configurable.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit eeb6b13a5a45d16a7b348891921d496bc5d6df2c
  Author: Don Slutz <dslutz@xxxxxxxxxxx>
  Date:   Thu Apr 30 14:27:09 2015 -0400

      xen-hvm: Add trace to ioreq

      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Don Slutz <dslutz@xxxxxxxxxxx>

  commit 8611280505119e296757a60711a881341603fa5a
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 2 14:46:01 2015 -0700

      target-microblaze: Use setcond for pcmp*

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 88174019d2e1d2e1c304d507654d37f6d7504957
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 2 11:38:10 2015 -0700

      target-cris: Use movcond and setcond

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 5f5b5942d56a138baad0ae01458d5d0e62d5be68
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:01:42 2015 +0300

      Added generic panic handler qemu_system_guest_panicked()

      There are pieces of guest panic handling code
      that can be shared in one generic function.
      These code replaced by call qemu_system_guest_panicked().

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1435924905-8926-10-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6d1f252d8c1ba73bf6ed9af28731a9c9c3d473a2
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Aug 14 13:33:36 2015 +0200

      block/iscsi: validate block size returned from target

      It has been reported that at least tgtd returns a block size of 0
      for LUN 0. To avoid running into divide by zero later on and protect
      against other problematic block sizes validate the block size right
      at connection time.

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: Andrey Korolyov <andrey@xxxxxxx>
      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-Id: <1439552016-8557-1-git-send-email-pl@xxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f3926945c85689e8af324c0db0b39be771dbbebb
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Sep 7 11:28:58 2015 +0800

      iohandler: Use aio API

      iohandler.c shares the same interface with aio, but with duplicated
      code. It's better to rebase iohandler, also because that aio is a
      more friendly interface to multi-threads.

      Create a global AioContext instance and let its GSource handle the
      iohandler events.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1441596538-4412-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 46036b2462c7ff56c0af6466ea6b9248197a38a8
  Author: Aníbal Limón <anibal.limon@xxxxxxxxxxxxxxx>
  Date:   Thu Sep 3 15:48:33 2015 -0500

      cpus.c: qemu_mutex_lock_iothread fix race condition at cpu thread init

      When QEMU starts the RCU thread executes qemu_mutex_lock_thread
      causing error "qemu:qemu_cpu_kick_thread: No such process" and exits.

      This isn't occur frequently but in glibc the thread id can exist and
      this not guarantee that the thread is on active/running state. If is
      inserted a sleep(1) after newthread assignment [1] the issue appears.

      So not make assumption that thread exist if first_cpu->thread is set
      then change the validation of cpu to created that is set into cpu
      threads (kvm, tcg, dummy).

      [1] 
https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_create.c;h=d10f4ea8004e1d8f3a268b95cc0f8d93b8d89867;hb=HEAD#l621

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Aníbal Limón <anibal.limon@xxxxxxxxxxxxxxx>
      Message-Id: 
<1441313313-3040-1-git-send-email-anibal.limon@xxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d12f7309483e20d1bae9304f4b812bf53a8e6510
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:36 2015 -0400

      seqlock: read sequence number atomically

      With this change we make sure that the compiler will not
      optimise the read of the sequence number in any way.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-8-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 123fdbac9b8f1e394fbe92e8b5359193e94ba5bf
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:35 2015 -0400

      seqlock: add missing 'inline' to seqlock_read_retry

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-7-git-send-email-cota@xxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9d34158a5af734e8de0b42b0a7228200c426a8d0
  Merge: 8f1ed5f bd80a8a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 16:07:47 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150907' into 
staging

      s390x fixes and improvements:
      - various bugfixes (css/event-facility)
      - more efficient adapter interrupt routes setup
      - gdb enhancement
      - sclp got treated with a lot of remodelling/cleanup

      # gpg: Signature made Mon 07 Sep 2015 15:42:43 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150907: (23 commits)
        s390/sclp: simplify calculation of rnmax
        s390/sclp: store the increment_size in the sclp device
        s390: unify allocation of initial memory
        s390: move memory calculation into the sclp device
        s390/sclp: ignore memory hotplug operations if it is disabled
        s390: disallow memory hotplug for the s390-virtio machine
        s390: no need to manually parse for slots and maxmem
        s390/sclp: move sclp_service_interrupt into the sclp device
        s390/sclp: move sclp_execute related functions into the SCLP class
        s390/sclp: introduce a root sclp device
        s390/sclp: temporarily fix unassignment/reassignment of memory 
subregions
        s390/sclp: replace sclp event types with proper defines
        s390/sclp: rework sclp event facility initialization + device 
realization
        sclp/s390: rework sclp cpu hotplug device notification
        s390x/gdb: support reading/writing of control registers
        s390x/kvm: make setting of in-kernel irq routes more efficient
        pc-bios/s390-ccw: rebuild image
        pc-bios/s390-ccw: Device detection in higher subchannel sets
        s390x/event-facility: fix location of receive mask
        s390x/css: start with cleared cstat/dstat
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bd80a8ad555c2b5f79591b29edcf8196b8a5109b
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 1 13:04:03 2015 +0200

      s390/sclp: simplify calculation of rnmax

      rnmax can be directly calculated using machine->maxram_size.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 71a2fd355d8fa429bcc04740c260635e084255f2
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 1 13:03:23 2015 +0200

      s390/sclp: store the increment_size in the sclp device

      Let's calculate it once and reuse it.

      Suggested-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 80d23275e3c4bc93fa6f123613d5ff389ed3fc62
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 15:01:55 2015 +0200

      s390: unify allocation of initial memory

      Now that the calculation of the initial memory is hidden in the sclp
      device, we can unify the allocation of the initial memory.

      The remaining ugly part is the reserved memory for the virtio queues,
      but that can be cleaned up later.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 1cf065fb87e8787e3e9cebcdb4713b81e4e61422
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 13:53:08 2015 +0200

      s390: move memory calculation into the sclp device

      The restrictions for memory calculation belong to the sclp device.

      Let's move the calculation to that point, so we are able to unify it for
      both s390 machines. The sclp device is the first device to be initialized.
      It performs the calculation and safely stores it in the machine, where
      other parts of the system can access an reuse it.

      The memory hotplug device is now only created when it is really needed.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit b02ef3d92b19ad304a84433d3817f0903296ebc7
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 14:06:39 2015 +0200

      s390/sclp: ignore memory hotplug operations if it is disabled

      If no memory hotplug device was created, the sclp command facility is
      not exposed (SCLP_FC_ASSIGN_ATTACH_READ_STOR). We therefore have no
      memory hotplug and should correctly report SCLP_RC_INVALID_SCLP_COMMAND
      if any such command is executed.

      This gets rid of these ugly asserts that could have been triggered
      for the s390-virtio machine.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 2998ffee245e3a141ce1b6fca127744c3e19dc63
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 13:22:12 2015 +0200

      s390: disallow memory hotplug for the s390-virtio machine

      That machine type doesn't currently support memory hotplug, so let's abort
      if it is requested. Reason is, that the virtio queues are allocated for 
now
      at the end of the initial ram - extending the ram is therefore not 
possible.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 311467f77eab5c3e1f8e0f6f446201e3a1f46e70
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 13:14:50 2015 +0200

      s390: no need to manually parse for slots and maxmem

      ram_slots and maxram_size has already been parsed and verified by
      common code for us.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 1723a1b6313851d9704961e1f527312ee0a5fce4
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Wed May 13 15:06:44 2015 +0200

      s390/sclp: move sclp_service_interrupt into the sclp device

      Let's make that function a method of the new sclp device, keeping
      the wrapper for existing users.

      We can now let go of get_event_facility().

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 25a3c5af57db0319f5cfb4c439efbc78b230599e
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Wed May 27 10:04:56 2015 +0200

      s390/sclp: move sclp_execute related functions into the SCLP class

      Let's move the sclp_execute related functions into the SCLP class
      and pass the device state as parameter, so we have easy access to
      the SCLPDevice later on.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 515190d9da0c85084d32d6ad36afb15a6d35729e
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Wed May 27 09:49:43 2015 +0200

      s390/sclp: introduce a root sclp device

      Let's create a root sclp device, which has other sclp devices as
      children (e.g. the event facility for now) and can later be used
      for migration of sclp specific attributes and setup of memory.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 732bdd383ee06be2655b1a849a628ff03b0000b8
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Jun 13 08:46:54 2015 +0200

      s390/sclp: temporarily fix unassignment/reassignment of memory subregions

      Commit 374f2981d1f1 ("memory: protect current_map by RCU") broke
      unassignment of standby memory on s390x. Looks like that the new
      parallelism allows races with our (semi broken) memory hotplug code. The
      flatview_unref() can now be executed after our unparenting. Therefore
      memory_region_unref() tries to unreference the MemoryRegion itself instead
      of the parent.

      In theory, MemoryRegions are now bound to separate devices that control
      their lifetime. We don't have this yet, so we really want to control their
      lifetime manually.

      This patch fixes it temporarily, until we have a proper rework. The only
      drawback is that they won't pop up in "info qom-tree", but that's better
      than qemu crashes.

      We have to release the reference to a memory region after a
      memory_region_find, as it automatically takes a reference. As we're now
      able to reassign memory, the MemoryRegion is in fact deleted (otherwise
      vmstate_register_ram() would complain).

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 35925a7a73e7df4118cb11667095bd2d8fc4e091
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 15:31:47 2015 +0200

      s390/sclp: replace sclp event types with proper defines

      Introduce TYPE_SCLP_QUIESCE and make use of it. Also use
      TYPE_SCLP_CPU_HOTPLUG where applicable.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f6102c329c43d7d5e0bee1fc2fe4043e05f9810c
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 21 12:43:31 2015 +0200

      s390/sclp: rework sclp event facility initialization + device realization

      The current code only works by chance. The event facility is a sysbus
      device, but specifies in its class structure as parent the DeviceClass
      (instead of a device class).

      The init function in return lies therefore at the same position as
      the init function of SysBusDeviceClass and gets triggered instead -
      a very bad idea of doing that (e.g. the parameter types don't match).

      Let's bring the initialization code up to date, initializing the event
      facility + child events in .instance_init and moving the realization of
      the child events out of the init call, into the realization step.

      Device realization is now automatically performed when the event facility
      itself is realized. That realization implicitly triggers realization of
      the child bus, which in turn initializes the events.

      Please note that we have to manually propagate the realization of the bus
      children, common code still has a TODO set for that task.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 073f57ae347a41cbcc940ae0286bbbab993b9148
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 15:30:43 2015 +0200

      sclp/s390: rework sclp cpu hotplug device notification

      Let's get rid of this strange local variable + irq logic and
      work directly on the QOM. (hint: what happens if two such devices
      are created?)

      We could introduce proper QOM class + state for the cpu hotplug device,
      however that would result in too much overhead for a simple
      "trigger_signal" function.

      Also remove one unnecessary class function initialization.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 5b9f6345a616c321a5ea2f35e09043edd933767e
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 11:00:09 2015 +0200

      s390x/gdb: support reading/writing of control registers

      Let's support reading and writing of control registers for kvm and tcg.

      We have to take care of flushing the tlb (tcg) and pushing the changed
      registers into kvm.

      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit c0194a00b0beb66814756ee255a8a86b2a92c27e
  Author: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jul 27 16:53:27 2015 +0200

      s390x/kvm: make setting of in-kernel irq routes more efficient

      When we add new adapter routes we call kvm_irqchip_add_route() for every
      virtqueue and in the same step also do the KVM_SET_GSI_ROUTING ioctl.

      This is unnecessary costly as the interface allows us to set multiple
      routes in one go. Let's first add all routes to the table stored in the
      global kvm_state and then do the ioctl to commit the routes to the
      in-kernel irqchip.

      This saves us several ioctls to the kernel where for each call a list
      is reallocated and populated.

      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 9f70b85c405093f24d9df22215ead6596819832f
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Aug 11 10:53:41 2015 +0200

      pc-bios/s390-ccw: rebuild image

      Contains:
      - Device detection in higher subchannel sets

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 0f79b89bc2bdbed35d2c57d722acc4c31a5a2ce4
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jun 25 18:35:58 2015 +0300

      pc-bios/s390-ccw: Device detection in higher subchannel sets

      If no bootdevice was specified, we try to autodetect a suitable IPL
      device. Current code only searched in subchannel set 0; extend this
      search to higher subchannel sets as well.

      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f7822aa8b610a4fec57a09066974e5c088592c08
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Mon Jul 27 16:55:23 2015 +0200

      s390x/event-facility: fix location of receive mask

      For read event mask, we assumed that the layout of the sccb was

      |sccb header|event buffer header|receive mask|...|

      The correct layout, however, is

      |sccb header|receive mask|...|

      as in-buffer and

      |sccb header|event buffer header|...|

      as out-buffer.

      Fix this: This makes selective read work.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 6b7741c2bedeae2e8c54fffce81723ca0a0c25c0
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Jul 24 12:08:37 2015 +0200

      s390x/css: start with cleared cstat/dstat

      When executing the start function, we should start with a clear state
      regarding subchannel and device status; it is easy to forget updating one
      of them after the ccw has been processed.

      Note that we don't need to care about resetting the various control
      fields: They are cleared by tsch(), and if they were still pending,
      we wouldn't be able to execute the start function in the first
      place.

      Also note that we don't want to clear cstat/dstat if a suspended
      subchannel is resumed.

      This fixes a bug where we would continue to present channel-program
      check in cstat even though later ccw requests for the subchannel
      finished without error (i.e. cstat should be 0).

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>

  commit 3335ddddf9e5ba7743dc8e3f767f4ef857ccd20c
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Jul 1 15:28:06 2015 +0200

      s390x/event-facility: fix receive mask check

      For selective read event, we need to check if any event is requested
      that is not active instead of whether none of the requested events is
      active.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fa4463e0432ab66432a28d6b975f8eed99b3f4fa
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jul 16 10:42:18 2015 +0200

      s390x/css: ccw-0 enforces count > 0

      Type-0 ccws need to have a count > 0 for any command other than TIC.
      Generate a channel-program check if this is not the case.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fde8206b8061f808c880709c2ac26a645b11c211
  Author: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jul 15 16:16:20 2015 +0200

      s390x/css: handle ccw-0 TIC correctly

      In CCW-0 format TIC command 4 highest bits are ignored in the subchannel.
      In CCW-1 format the TIC command 4 highest bits must be 0.
      To convert TIC from CCW-0 to CCW-1 we clear the 4 highest bits
      to guarantee compatibility.

      Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 8f1ed5f5081416d5d1cc9569aa826114c5b21213
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:12 2015 +0100

      Make pow2ceil() and pow2floor() inline

      Since the pow2floor() function is now used in a hot code path,
      make it inline; for consistency, provide pow2ceil() as an inline
      function too.

      Because these functions use ctz64() we have to put the inline
      versions into host-utils.h, so they have access to ctz64(),
      and move the inline is_power_of_2() along with them.

      We then need to include host-utils.h from qemu-common.h so that
      the files which use these functions via qemu-common.h still have
      access to them.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1437741192-20955-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 10944a19209bb520054569e0f156f50338901264
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:11 2015 +0100

      Remove unused qemu_fls function

      Nothing uses qemu_fls() any more, so delete it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1437741192-20955-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 6554f5c03793bb8a3d5dedcebf758a1694fa186c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:10 2015 +0100

      exec.c: Use pow2floor() rather than hand-calculation

      Use pow2floor() to round down to the nearest power of 2,
      rather than an inline calculation.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1437741192-20955-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 26efcec158a87133bb6255ae7d3127a5fa6e66fd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:09 2015 +0100

      hw/block/nvme.c: Use pow2ceil() rather than hand-calculation

      Use pow2ceil() to round up to the next power of 2, rather
      than an inline calculation.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1437741192-20955-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 1d0148fe6c121b21476ac1ba5120f8990e7fe6cd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:08 2015 +0100

      hw/virtio/virtio-pci: Use pow2ceil() rather than hand-calculation

      Use the utility function pow2ceil() for rounding up to the next
      largest power of 2, rather than inline calculation.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1437741192-20955-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 9bff5d8135fc3f37932d4177727d293aa93ce79b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:07 2015 +0100

      hw/pci: Use pow2ceil() rather than hand-calculation

      A couple of places in hw/pci use an inline calculation to round a
      size up to the next largest power of 2. We have a utility routine
      for this, so use it.

      (The behaviour of the old code is different if the size value
      is 0 -- it would leave it as 0 rather than rounding up to 1,
      but in both cases we know the size can't be 0.
      In the case where the size value had bit 31 set, the old code
      would invoke undefined behaviour; the new code will give a
      result of 0. Presumably that could never happen either.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1437741192-20955-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4169198617dc8d3e80697964b91eaea551e7f956
  Merge: 298fae3 c804b57
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 11:23:08 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Fri 04 Sep 2015 20:45:33 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        quorum: validate vote threshold against num_children even if 
read-pattern is fifo
        qcow2: reorder fields in Qcow2CachedTable to reduce padding
        docs: document how to configure the qcow2 L2/refcount caches
        qcow2: add option to clean unused cache entries after some time
        qcow2: mark the memory as no longer needed after qcow2_cache_empty()
        iotests: Warn if python subprocess is killed
        iotests: Do not suppress segfaults in bash tests
        iotests: Respect -nodefaults in tests 41 and 55
        iotests: More options for VM.add_drive()
        qemu-img: Fix crash in amend invocation
        block/raw-posix: Use raw_normalize_devicepath()
        qemu-iotests: s390x: fix test 130
        qemu-iotests: s390x: fix test 049, reject negative sizes in QemuOpts
        qemu-iotests: s390x: fix test 041 and 055
        qemu-iotests: disable default qemu devices for cross-platform 
compatibility
        qemu-iotests: qemu machine type support

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 298fae38972cc0165415ead04b64bfcae55640d9
  Merge: b597aa0 8d45c54
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:43:18 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150907' into staging

      target-arm queue:
       * cleanup to use g_new() and friends
       * support semihosting in A64
       * add SMBIOS support to mach-virt
       * remove hw_error() usages
       * fix bug in the AArch32:AArch64 register mapping
       * add a second PCI memory window in highmem on virt board
       * fix bug in arm_excp_unmasked()
       * add i.MX31 SoC
       * remove restriction on handling affinity values in virt board

      # gpg: Signature made Mon 07 Sep 2015 10:40:48 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150907: (27 commits)
        arm/virt: Add full-sized CPU affinity handling
        target-arm: Refactor CPU affinity handling
        i.MX: Add i2C devices to i.MX31 SOC
        i.MX: Add qtest support for I2C device emulator.
        i.MX: Add the i.MX25 PDK platform
        i.MX: Add SOC support for i.MX25
        i.MX: Add FEC Ethernet Emulator
        i.MX: Add I2C controller emulator
        i.MX: KZM: use standalone i.MX31 SOC support
        i.MX: Add SOC support for i.MX31
        target-arm: Fix arm_excp_unmasked() function
        hw/arm/virt: Add high MMIO PCI region, 512G in size
        target-arm: Fix AArch32:AArch64 general-purpose register mapping
        arm: Remove hw_error() usages.
        arm: cpu: assert() on no-EL2 virt IRQ error condition.
        smbios: implement smbios support for mach-virt
        smbios: add smbios 3.0 support
        target-arm: Wire up HLT 0xf000 as the A64 semihosting instruction
        target-arm/arm-semi.c: SYS_EXIT on A64 takes a parameter block
        target-arm/arm-semi.c: Implement A64 specific SyncCacheRange call
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8d45c54d4fd3612bd616afcc5c278394f312927b
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      arm/virt: Add full-sized CPU affinity handling

      At least with KVM, currently there's no reason why QEMU would not be
      capable of handling Aff3 != 0. This commit fixes up FDT creation in such
      a case.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-id: 
eef5a86e6d9a313780dbc23b35fcb65df42a3e9e.1441366248.git.p.fedin@xxxxxxxxxxx
      [PMM: folded two overlong lines]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0f4a9e45ec35811ee250ac232d84d3c6d4fcd7fc
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      target-arm: Refactor CPU affinity handling

      Introduces reusable definitions for CPU affinity masks/shifts and gets rid
      of hardcoded magic numbers.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-id: 
7e6def4d0d91ae64615cdd2035b94d408d0a23c6.1441366248.git.p.fedin@xxxxxxxxxxx
      [PMM: folded overlong line]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d4e26d106a1ea35a81176cb5398406b08316adc7
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      i.MX: Add i2C devices to i.MX31 SOC

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
fb20e6bf5cf946c4530b2cfb55c7e37f5a0fc051.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7f3986278b0bc214e83111ea55c8d12bac79c4fa
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      i.MX: Add qtest support for I2C device emulator.

      This is using a ds1338 RTC chip on the I2C bus. This RTC chip is
      not present on the real 3DS PDK board.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Acked-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
05601683a2a95c881cbc9f22651a044d969bd0ae.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 65f57c43632b102f8b1ef20baf1fc218c6b8d9cd
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      i.MX: Add the i.MX25 PDK platform

      Tested by booting a minimal Linux system on the emulated platform
      Tested by booting the Xvisor hypervisor on the emulated platform

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
d27347300d253509d921bc27a6d0a14db877478b.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ee708c999d45e3f742d2f1287694a1b9da87044b
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: Add SOC support for i.MX25

          For now we support the following devices:
            * CPU: ARM926
            * Interrupt Controller: AVIC
            * CCM
            * UART x 5
            * EPIT x 2
            * GPT x 4
            * FEC
            * I2C x 3

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
62218bfa90f9101f79098e768c3d58bd92dcb7f3.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fcbd8018e645f3ab1ef9af94dc88a0d3272926d3
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: Add FEC Ethernet Emulator

      This is based on mcf_fec.c FEC implementation for Coldfire

        * A generic PHY was added (borrowwed from LAN9118)
        * The buffer management is also modified as buffers are
          slightly different between Coldfire and i.MX

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
fb314f8a120aa49f8f6ad886f312c649b484fb5a.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 20d0f9cf6a41bad52baba3ebc485849617cc42cf
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: Add I2C controller emulator

      The slave mode is not implemented.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
508dbf2ebe26ec383d3a12a1db5a7890ac8acf20.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f044ac4980922e23b608afc2f35648ebadb42950
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: KZM: use standalone i.MX31 SOC support

      Convert the KZM board to use the i.MX31 SoC defintition instead of
      redefining the entire SoC on the machine level. Major rewrite of the
      machine init code.

      While touching the memory map comment de-indent to the correct level
      of indentation.

      This obsoletes the legacy i.MX device device creation helpers which are 
removed.

      Tested by booting a minimal Linux system on the emulated platform

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
5e783561f092e1c939562fdff001f1ab1194b07f.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 558df83db778dc2e839353357a508349b180d79b
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: Add SOC support for i.MX31

      For now we support the following devices:
        * CPU: ARM1136
        * Interrupt Controller: AVIC
        * CCM
        * UART x 2
        * EPIT x 2
        * GPT

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
f146d819594e41568daec42a1d0f440cdfe3df76.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 771842585f3119f69641ed90a97d56eb9ed6f5ae
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      target-arm: Fix arm_excp_unmasked() function

      There is an error in arm_excp_unmasked() function:
      bitwise operator & is used with integer and bool operands
      causing an incorrect zeroed result.
      The patch fixes it.

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      Message-id: 1441209238-16881-1-git-send-email-afarallax@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5125f9cd2532f0aca25d966ecd27d0e30d4af7c9
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      hw/arm/virt: Add high MMIO PCI region, 512G in size

      This large region is necessary for some devices like ivshmem and video 
cards
      32-bit kernels can be built without LPAE support. In this case such a 
kernel
      will not be able to use PCI controller which has windows in high 
addresses.
      In order to work around the problem, "highmem" option is introduced. It
      defaults to on on, but can be manually set to off in order to be able to 
run
      those old 32-bit guests.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      [PMM: Added missing ULL suffixes and a comment to the a15memmap[] entry]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3a9148d0bdcee990fbe86759b9b1f5723c1d7fbc
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      target-arm: Fix AArch32:AArch64 general-purpose register mapping

      There is an error in functions aarch64_sync_32_to_64() and
      aarch64_sync_64_to_32() with mapping of registers between AArch32 and
      AArch64.  This commit fixes the mapping to match the v8 ARM ARM
      section D1.20.1 (table D1-77).

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      Message-id: 1440796451-15276-1-git-send-email-afarallax@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: tidied commit message a bit]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8f6fd322f6e25995629a1a07b56bc5b91fb947ca
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      arm: Remove hw_error() usages.

      All of these hw_errors are fatal and indicate something wrong with
      QEMU implementation.

      Convert to g_assert_not_reached.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
169194d09017e5725535d31a1507d454c0043706.1440842587.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f128bf297ba100877313cb3e9c0da845da0bb58c
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      arm: cpu: assert() on no-EL2 virt IRQ error condition.

      Replace the hw_error() for no-EL2 VIRQ with an assert.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
93b6acdee6cafe8ff0422a294a5640c3d35f0e17.1440842587.git.crosthwaite.peter@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c30e15658b1b3dc9c241a515322ca5dc6fa6b4fe
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      smbios: implement smbios support for mach-virt

      This patch generates smbios tables for ARM mach-virt. Also add
      CONFIG_SMBIOS=y for ARM default config.

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Message-id: 1440615870-9518-3-git-send-email-wei@xxxxxxxxxx
      [PMM: Added missing braces around an if().]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 86299120060f734a2f7c1137a46de0b8c78135b7
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      smbios: add smbios 3.0 support

      This patch adds support for SMBIOS 3.0 entry point. When caller invokes
      smbios_set_defaults(), it can specify entry point as 2.1 or 3.0. Then
      smbios_get_tables() will return the entry point table in right format.

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Message-id: 1440615870-9518-2-git-send-email-wei@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8012c84ff92a36d05dfe61af9b24dd01a7ea25e4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      target-arm: Wire up HLT 0xf000 as the A64 semihosting instruction

      For the A64 instruction set, the semihosting call instruction
      is 'HLT 0xf000'. Wire this up to call do_arm_semihosting()
      if semihosting is enabled.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-10-git-send-email-peter.maydell@xxxxxxxxxx

  commit 7446d35e1dd69e1da8241277eae09e293741b362
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      target-arm/arm-semi.c: SYS_EXIT on A64 takes a parameter block

      The A64 semihosting API changes the interface for SYS_EXIT so
      that instead of taking a single exception type in a register,
      it takes a parameter block containing the exception type and
      a sub-code. Implement this.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-9-git-send-email-peter.maydell@xxxxxxxxxx

  commit e9ebfbfcf31c11fb3bd2fc436fa17ce45a4e7086
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      target-arm/arm-semi.c: Implement A64 specific SyncCacheRange call

      The A64 semihosting ABI defines a new call SyncCacheRange
      for doing a 'clean D-cache and invalidate I-cache' sequence.
      Since QEMU doesn't implement caches, we can implement this as a nop.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-8-git-send-email-peter.maydell@xxxxxxxxxx

  commit faacc041619581c566c21ed87aa1933420731282
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      target-arm/arm-semi.c: Support widening APIs to 64 bits

      The 64-bit A64 semihosting API has some pervasive changes from
      the 32-bit version:
       * all parameter blocks are arrays of 64-bit values, not 32-bit
       * the semihosting call number is passed in W0
       * the return value is a 64-bit value in X0

      Implement the necessary handling for this widening.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 44d4a499b79d12d5c29f32bf2070c89335573c03
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      include/exec/softmmu-semi.h: Add support for 64-bit values

      Add support for getting and setting 64-bit values in the
      softmmu semihosting support functions. This will be needed
      for 64-bit ARM semihosting.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit bb19cbc95ada89ce5e02c132bc6f3268b1a1bfa3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      target-arm/arm-semi.c: Factor out repeated 'return env->regs[0]'

      Factor out a repeated pattern in the semihosting code:

          gdb_do_syscall(arm_semi_cb, "system,%s", arg0, (int)arg1+1);
          /* arm_semi_cb sets env->regs[0] to the syscall return value */
          return env->regs[0];

      For A64 the return value will go in a different register; pull
      the sequence out into its own function that passes the return
      value in a static variable rather than overloading regs[0]
      for the purpose, so the code will work on both A32/T32 and A64.

      Note that the lack-of-synchronization bug noted in the FIXME
      comment is not introduced by this commit, but was already present.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 19239b39e7501dedec8d92f0eca79c187685bcce
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      gdbstub: Implement gdb_do_syscallv()

      Implement a variant of the existing gdb_do_syscall() which
      takes a va_list.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 205ace55ffff77964e50af08c99639ec47db53f6
  Author: Christopher Covington <christopher.covington@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      target-arm: Improve semihosting debug prints

      Print semihosting debugging information before the
      do_arm_semihosting() call so that angel_SWIreason_ReportException,
      which causes the function to not return, gets the same debug prints as
      other semihosting calls. Also print out the semihosting call number.

      Signed-off-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 857b55adb77004d9ec9202078b7f1f3a1a076112
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      target-arm/arm-semi.c: Fix broken SYS_WRITE0 via gdb

      A spurious trailing "\n" in the gdb syscall format string used
      for SYS_WRITE0 meant that gdb would reject the remote syscall,
      with the effect that the output from the guest was silently dropped.
      Remove the newline so that gdb accepts the packet.

      Cc: qemu-stable@xxxxxxxxxx

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b45c03f585ea9bb1af76c73e82195418c294919d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      arm: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).

      Coccinelle semantic patch:

          @@
          type T;
          @@
          -g_malloc(sizeof(T))
          +g_new(T, 1)
          @@
          type T;
          @@
          -g_try_malloc(sizeof(T))
          +g_try_new(T, 1)
          @@
          type T;
          @@
          -g_malloc0(sizeof(T))
          +g_new0(T, 1)
          @@
          type T;
          @@
          -g_try_malloc0(sizeof(T))
          +g_try_new0(T, 1)
          @@
          type T;
          expression n;
          @@
          -g_malloc(sizeof(T) * (n))
          +g_new(T, n)
          @@
          type T;
          expression n;
          @@
          -g_try_malloc(sizeof(T) * (n))
          +g_try_new(T, n)
          @@
          type T;
          expression n;
          @@
          -g_malloc0(sizeof(T) * (n))
          +g_new0(T, n)
          @@
          type T;
          expression n;
          @@
          -g_try_malloc0(sizeof(T) * (n))
          +g_try_new0(T, n)
          @@
          type T;
          expression p, n;
          @@
          -g_realloc(p, sizeof(T) * (n))
          +g_renew(T, p, n)
          @@
          type T;
          expression p, n;
          @@
          -g_try_realloc(p, sizeof(T) * (n))
          +g_try_renew(T, p, n)
          @@
          type T;
          expression n;
          @@
          -(T *)g_new(T, n)
          +g_new(T, n)
          @@
          type T;
          expression n;
          @@
          -(T *)g_new0(T, n)
          +g_new0(T, n)
          @@
          type T;
          expression p, n;
          @@
          -(T *)g_renew(T, p, n)
          +g_renew(T, p, n)

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1440524394-15640-1-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c804b5791d51608c0e12e4cc2b40b3d763ce796c
  Merge: 2ef6093 834cb2a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Sep 4 21:43:40 2015 +0200

      Merge remote-tracking branch 
'mreitz/tags/pull-block-for-kevin-2015-09-04' into queue-block

      Block patches from 2015-08-24 until 2015-09-04.

      # gpg: Signature made Fri Sep  4 21:02:10 2015 CEST using RSA key ID 
E838ACAD
      # gpg: Good signature from "Max Reitz <mreitz@xxxxxxxxxx>"

      * mreitz/tags/pull-block-for-kevin-2015-09-04:
        quorum: validate vote threshold against num_children even if 
read-pattern is fifo
        qcow2: reorder fields in Qcow2CachedTable to reduce padding
        docs: document how to configure the qcow2 L2/refcount caches
        qcow2: add option to clean unused cache entries after some time
        qcow2: mark the memory as no longer needed after qcow2_cache_empty()

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 834cb2ada5db197a11c99142d50222945d196fc0
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri Jul 3 14:45:06 2015 +0800

      quorum: validate vote threshold against num_children even if read-pattern 
is fifo

      We need to use threshold to check if too many write operation fails.
      If threshold is larger than num children, we always get write error
      event even if all write operations success.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-id: 55962F72.3060003@xxxxxxxxxxxxxx
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 909c260c71d1bee7018e17034580ffd0743508db
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Aug 4 15:14:42 2015 +0300

      qcow2: reorder fields in Qcow2CachedTable to reduce padding

      Changing the current ordering saves 8 bytes per cache entry in x86_64.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 
0bd55291211df3dfb514d0e7d2031dd5c4f9f807.1438690126.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 7f65ce834accce0b7e4bc79313bacf229b957783
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Aug 4 15:14:41 2015 +0300

      docs: document how to configure the qcow2 L2/refcount caches

      QEMU has options to configure the size of the L2 and refcount
      caches for the qcow2 format. However, choosing the right sizes for
      a particular disk image is not a straightforward operation since
      the ratio between the cache size and the allocated disk space is
      not obvious and depends on the size of the cluster and the refcount
      entries.

      This document attempts to give an overview of both caches and how to
      configure their sizes.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
55de928e139b1ba3f3d40fe9c6c88f30b1f36410.1438690126.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 279621c046ce57de0af9e3c00663b48d3a7835ae
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Aug 4 15:14:40 2015 +0300

      qcow2: add option to clean unused cache entries after some time

      This adds a new 'cache-clean-interval' option that cleans all qcow2
      cache entries that haven't been used in a certain interval, given in
      seconds.

      This allows setting a large L2 cache size so it can handle scenarios
      with lots of I/O and at the same time use little memory during periods
      of inactivity.

      This feature currently relies on MADV_DONTNEED to free that memory, so
      it is not useful in systems that don't follow that behavior.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
a70d12da60433df9360ada648b3f34b8f6f354ce.1438690126.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 355ee2d0e8ca536a6278c9c763ddd2f136eace3f
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Aug 4 15:14:39 2015 +0300

      qcow2: mark the memory as no longer needed after qcow2_cache_empty()

      After having emptied the cache, the data in the cache tables is no
      longer useful, so we can tell the kernel that we are done with it. In
      Linux this frees the resources associated with it.

      The effect of this can be seen in the HMP commit operation: it moves
      data from the top to the base image (and fills both caches), then it
      empties the top image. At this point the data in that cache is no
      longer needed so it's just wasting memory.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
08538b098e1faf6c92496477cf9b47a20e5aacea.1438690126.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 2ef6093cd6990314304f2d3b18eb476ee418d73c
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 2 20:52:28 2015 +0200

      iotests: Warn if python subprocess is killed

      Currently, if a subprocess of a python test (i.e. qemu-io, qemu-img, or
      qemu) receives a signal and is subsequently aborted, this is not logged.

      This patch makes python tests always check the exit code of these
      subprocesses, and emit a message if they have been killed.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 934659c460d46c948cf348822fda1d38556ed9a4
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 2 20:52:27 2015 +0200

      iotests: Do not suppress segfaults in bash tests

      Currently, if a qemu/qemu-io/qemu-img/qemu-nbd invocation receives a
      segmentation fault, that message is invisible in most cases since the
      output is generally filtered and bash suppresses the segmentation fault
      notice for any but the last element of a pipe.

      Most of the time, the test will then fail anyway because of missing
      output, but not necessarily (as happened with test 82 recently).

      Fix this by making the corresponding environment variables point to
      wrapper functions which execute the respective command in a subshell.

      Giving options to qemu/qemu-io/qemu-img and path names with spaces were
      broken for the Python tests; this patch "accidentally" fixes that.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0ed82f7a096537923ef3705946f254d2f61eaf93
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 2 20:52:26 2015 +0200

      iotests: Respect -nodefaults in tests 41 and 55

      While -nodefaults is set in $QEMU_OPTIONS, this is currently (wrongly)
      ignored for Python iotests. In order to be prepared for when this is
      fixed, we should explicitly add an IDE CD-ROM drive instead of relying
      on it being created automatically.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8e4922535b6479c7a2fa6b14b0148c6ae4fcc003
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 2 20:52:25 2015 +0200

      iotests: More options for VM.add_drive()

      This patch allows specifying the interface to be used for the drive, and
      makes specifying a path optional (if the path is None, the "file" option
      will be omitted, thus creating an empty drive).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e814dffcc9810ed77fe99081be9751b620a894c4
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Thu Aug 20 16:00:38 2015 -0700

      qemu-img: Fix crash in amend invocation

      Example:
      $ ./qemu-img create -f qcow2 /tmp/t.qcow2 64M
      $ ./qemu-img amend -f qcow2 -o backing_file=/tmp/t.qcow2, -o help \
          /tmp/t.qcow2

      This should not crash. This actually is tested by iotest 082, but not
      caught due to the segmentation fault being silent (which is something
      that needs to be fixed, too).

      Reported-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bdd03cdf5dc3176bc7169a1d5709303e9279fffb
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 12 17:33:31 2015 +0200

      block/raw-posix: Use raw_normalize_devicepath()

      The filename given to qemu_open() in block/raw-posix.c should generally
      have been processed by raw_normalize_devicepath(); unless we are only
      probing (in which case the caller often checks whether the file is a
      block device or not, and this property will be changed by
      raw_normalize_devicepath() on NetBSD) or it is about a deprecated device
      (i.e. floppy).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 137a905fdf43880c077438d57ef2d319569da9eb
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:50 2015 +0800

      qemu-iotests: s390x: fix test 130

      The default device id of hard disk on the s390 platform is "virtio0"
      which differs to the "ide0-hd0" for the x86 platform. Setting id in
      the drive definition, ie:"qemu -drive id=testdisk", will be the same
      on all platforms.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 212789925efffe1c552b114321ee74081a7efb03
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:49 2015 +0800

      qemu-iotests: s390x: fix test 049, reject negative sizes in QemuOpts

      when creating an image qemu-img enable us specifying the size of the
      image using -o size=xx options. But when we specify an invalid size
      such as a negtive size then different platform gives different result.

      parse_option_size() function in util/qemu-option.c will be called to
      parse the size, a cast was called in the function to cast the input
      (saved as a double in the function) size to an unsigned int64 value,
      when the input is a negtive value or exceeds the maximum of uint64, then
      the result is undefined.

      According to C99 6.3.1.4, the result of converting a floating point
      number to an integer that cannot represent the (integer part of) number
      is undefined.  And sure enough the results are different on x86 and
      s390.

      C99 Language spec 6.3.1.4 Real floating and integers:
      the result of this assignment/cast is undefined if the float is not
      in the open interval (-1, U<type>_MAX+1).

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d8683155fa76cabff112271771e43e21034ff2ba
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:48 2015 +0800

      qemu-iotests: s390x: fix test 041 and 055

      There is no 'ide-cd' device defined on non-pc platform, so
      test_medium_not_found() test should be skipped.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Xiao Guang Chen <chenxg@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2711fd33a4b18c5e35a6f7efe57b5d868def829e
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:47 2015 +0800

      qemu-iotests: disable default qemu devices for cross-platform 
compatibility

      This patch fixes an io test suite issue that was introduced with the
      commit c88930a6866e74953e931ae749781e98e486e5c8 'qemu-char: Permit only
      a single "stdio" character device'. The option supresses the creation of
      default devices such as the floopy and cdrom. Output files for test case
      067, 071, 081 and 087 need to be updated to accommodate this change.
      Use virtio-blk instead of virtio-blk-pci as the device driver for test
      case 067. For virtio-blk-pci is the same with virtio-blk as device
      driver but other platform such as s390 may not recognize the 
virtio-blk-pci.

      The default devices differ across machines. As the qemu output often
      contains these devices (or events for them, like opening a CD tray on
      reset), the reference output currently is rather machine-specific.

      All existing qemu tests explicitly configure the devices they're working
      with, so just pass -nodefaults to qemu by default to disable the default
      devices. Update the reference outputs accordingly.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Xiao Guang Chen <chenxg@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e166b4148208656635ea2fe39df8b1e875a34fb8
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:46 2015 +0800

      qemu-iotests: qemu machine type support

      This patch adds qemu machine type support to the io test suite.
      Based on the qemu default machine type and alias of the default machine
      type the reference output file can now vary from the default to a
      machine specific output file if necessary. When using a machine specific
      reference file if the default machine has an alias then use the alias as 
the output
      file name otherwise use the default machine name as the output file name.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Xiao Guang Chen <chenxg@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b597aa037dbd98014c8dec3d69a5e2240f432533
  Merge: b5bff75 6231316
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 4 17:37:50 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-09-04' into staging

      Monitor patches

      # gpg: Signature made Fri 04 Sep 2015 12:40:11 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-09-04:
        hmp: add info iothreads command
        qmp-shell: add documentation

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b5bff7518d8e4feda95f5c523cb24f72863c1df6
  Merge: b041066 c4f498f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 4 15:53:48 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-09-04' 
into staging

      qapi: Another round of fixes and cleanups

      # gpg: Signature made Fri 04 Sep 2015 14:48:54 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-09-04: (33 commits)
        qapi: Generators crash when --output-dir isn't given, fix
        docs/qapi-code-gen.txt: Fix QAPI schema examples
        qapi: Simplify error reporting for array types
        qapi: Fix errors for non-string, non-dictionary members
        tests/qapi-schema: Cover non-string, non-dictionary members
        tests/qapi-schema: Cover two more syntax errors
        qapi: Drop one of two "simple union must not have base" checks
        qapi: Generated code cleanup
        qapi-commands: Drop useless initialization
        qapi-commands: Don't feed output of mcgen() to mcgen() again
        qapi-commands: Inline gen_marshal_output_call()
        qapi-commands: Fix gen_err_check(e) for e and e != 'local_err'
        qapi: Command returning anonymous type doesn't work, outlaw
        qapi: Fix to reject union command and event arguments
        qapi-tests: New tests for union, alternate command arguments
        tests/qapi-schema: Rename tests from data- to args-
        tests/qapi-schema: Restore test case for flat union base bug
        qapi: Document flaws in checking of names
        qapi: Document shortcoming with union 'data' branch
        qapi: Document that input visitor semantics are prone to leaks
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c4f498fe8532cdacc609262b104322911108df54
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 3 10:24:25 2015 +0200

      qapi: Generators crash when --output-dir isn't given, fix

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 94a3f0af388820d74a9d89d1a856d2baa448c696
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 3 10:18:06 2015 +0200

      docs/qapi-code-gen.txt: Fix QAPI schema examples

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit eddf817bd823a90df209dfbdc2a0b2ec33b7cb77
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 13:54:39 2015 +0200

      qapi: Simplify error reporting for array types

      check_type() first checks and peels off the array type, then checks
      the element type.  For two out of four error messages, it takes pains
      to report errors for "array of T" instead of just T.  Odd.  Let's
      examine the errors.

      * Unknown element type, e.g.
        tests/qapi-schema/args-array-unknown.json:

            Member 'array' of 'data' for command 'oops' uses unknown type
            'array of NoSuchType'

        To make sense of this, you need to know that 'array of NoSuchType'
        refers to '[NoSuchType]'.  Easy enough.  However, simply reporting

            Member 'array' of 'data' for command 'oops' uses unknown type
            'NoSuchType'

        is at least as easy to understand.

      * Element type's meta-type is inadmissible, e.g.
        tests/qapi-schema/returns-whitelist.json:

            'returns' for command 'no-way-this-will-get-whitelisted' cannot
            use built-in type 'array of int'

        'array of int' is technically not a built-in type, but that's
        pedantry.  However, simply reporting

            'returns' for command 'no-way-this-will-get-whitelisted' cannot
            use built-in type 'int'

        avoids the issue, and is at least as easy to understand.

      * The remaining two errors are unreachable, because the array checking
        ensures that value is a string.

      Thus, reporting some errors for "array of T" instead of just T works,
      but doesn't really improve things.  Drop it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c6b71e5ae73802057d700e2419b80aef1651f213
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 17:28:52 2015 +0200

      qapi: Fix errors for non-string, non-dictionary members

      Fixes the errors demonstrated by the previous commit.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 10689e36eb99e99751497ac8cef2a946e9a3a850
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 17:17:42 2015 +0200

      tests/qapi-schema: Cover non-string, non-dictionary members

      We always report "should be a dictionary" then.  This is misleading:
      when allow_dict, it can be a dictionary or a type name string, else it
      can only be a type name.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 91f9816da4d505d379753896f3f7b6abb910324b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 15:47:55 2015 +0200

      tests/qapi-schema: Cover two more syntax errors

      Syntax error coverage should now be complete.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 65fbe125451da9421070ab03944c9600a264eefc
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 15:37:42 2015 +0200

      qapi: Drop one of two "simple union must not have base" checks

      The first check ensures the second one can't trigger.  Drop the first
      one, because the second one is in a more logical place, and emits a
      nicer error message.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 3a864e7c52af15017d5082a9ee39a7919f46d2b5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 16:55:15 2015 +0200

      qapi: Generated code cleanup

      Clean up white-space, brace placement, and superfluous #ifdef
      QAPI_TYPES_BUILTIN_CLEANUP_DEF.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 3f99144cd9afbf51a7fbddf20b921402c2d4f68c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 18:51:18 2015 +0200

      qapi-commands: Drop useless initialization

      In generated command handlers, the assignment to retval dominates its
      only use.  Therefore, its initialization is useless.  Drop it.

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1f9a7a1a5862ad224aa86f9b4c046248ffc27aa3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 27 17:49:34 2015 +0200

      qapi-commands: Don't feed output of mcgen() to mcgen() again

      Multiple passes through mcgen() is prone to produce unwanted blank
      lines, which we then combat by sprinkling .rstrip() on top.  Just
      don't do it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e02bca281c82f874d84578af4deea46142232115
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 27 17:21:12 2015 +0200

      qapi-commands: Inline gen_marshal_output_call()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8102307f51e68280ac965a140a87073d5c31e9a5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 27 16:48:14 2015 +0200

      qapi-commands: Fix gen_err_check(e) for e and e != 'local_err'

      gen_err_check() hard-codes 'local_err' instead of substituting the
      argument.  Currently harmless, since all callers pass either None or
      'local_err'.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 9b090d42aea9a0abbf39a1d75561a186057b5fe6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 17:59:38 2015 +0200

      qapi: Command returning anonymous type doesn't work, outlaw

      Reproducer: with

          { 'command': 'user_def_cmd4', 'returns': { 'a': 'int' } }

      added to qapi-schema-test.json, qapi-commands.py dies when it tries to
      generate the command handler function

          Traceback (most recent call last):
            File "/work/armbru/qemu/scripts/qapi-commands.py", line 359, in 
<module>
              ret = generate_command_decl(cmd['command'], arglist, ret_type) + 
"\n"
            File "/work/armbru/qemu/scripts/qapi-commands.py", line 29, in 
generate_command_decl
              ret_type=c_type(ret_type), name=c_name(name),
            File "/work/armbru/qemu/scripts/qapi.py", line 927, in c_type
              assert isinstance(value, str) and value != ""
          AssertionError

      because the return type doesn't exist.

      Simply outlaw this usage, and drop or dumb down test cases accordingly.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 315932b5edb86597adafbd1faa2d29c46499d8c3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 10:12:24 2015 +0200

      qapi: Fix to reject union command and event arguments

      A command's or event's 'data' must be a struct type, given either as a
      dictionary, or as struct type name.

      Commit dd883c6 tightened the checking there, but not enough: we still
      accept 'union'.  Fix to reject it.

      We may want to support union types there, but we'll have to extend
      qapi-commands.py and qapi-events.py for it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d9658d58e33128df32093b7a84bed76b527fb884
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 09:54:11 2015 +0200

      qapi-tests: New tests for union, alternate command arguments

      A command's 'data' must be a struct type, given either as a
      dictionary, or as struct type name.

      Existing test case data-int.json covers simple type 'int'.  Add test
      cases for type names referring to union and alternate types.

      The latter is caught (good), but the former is not (bug).

      Events have the same problem, but since they get checked by the same
      code, we don't bother to duplicate the tests.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 6af9a8fc8ec83f823c079211bc7a2414b1d4e5fe
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 13:30:50 2015 +0200

      tests/qapi-schema: Rename tests from data- to args-

      Since every schema entity has 'data', the data- prefix conveys no
      information.  These tests actually exercise commands.  Only commands
      have arguments, so change the prefix to to args-.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 80e60a19a82cf872652d1923e800fecef5cc7def
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 13:21:10 2015 +0200

      tests/qapi-schema: Restore test case for flat union base bug

      Test case added in commit 2fc0043, and messed up in commit 5223070.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d90675fa4bc256238b3dd3a7fdd5f9029eca00b8
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 11:33:52 2015 +0200

      qapi: Document flaws in checking of names

      We don't actually enforce our "other than downstream extensions [...],
      all names should begin with a letter" rule.  Add a FIXME.

      We should reject names that differ only in '_' vs. '.'  vs. '-',
      because they're liable to clash in generated C.  Add a FIXME.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ca56a822dd538017715345cbbe1f8829e0cc2742
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Jul 30 17:07:17 2015 -0600

      qapi: Document shortcoming with union 'data' branch

      Add a FIXME to remind us to fully audit whether removing the
      'void *data' branch of each qapi union type can be done safely.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1438297637-26789-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2f52e20597ebd55ede668b2b7d162a84f419b03e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Jul 30 16:33:07 2015 -0600

      qapi: Document that input visitor semantics are prone to leaks

      Most functions that can return a pointer or set an Error ** value
      are decent enough to guarantee a NULL return when reporting an error.
      Not so with our generated qapi visitor functions.  If the caller
      is not careful to clean up partially-allocated objects on error,
      then the caller suffers a memory leak.

      Properly fixing it is probably complex enough to save for a later
      day, so merely document it for now.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1438295587-19069-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 999387782f736d7ac0083f4f02e2bc4ce7a9a27b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 13:14:02 2015 +0200

      tests/qapi-schema: Document events with base don't work

      When event FOO's 'data' is a struct with a base, we consider only the
      struct's direct members, and ignore its base.  The generated
      qapi_event_send_foo() doesn't take arguments for base members.

      No such events currently exist in the QMP schema.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 422e16aac4bd4476f5b40bee3049089de34ef6b6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 17:52:45 2015 +0200

      tests/qapi-schema: Document alternate's enum lacks visit function

      We generate a declaration, but no definition.

      The QMP schema has two: Qcow2OverlapChecks and BlockdevRef.  Neither
      visit_type_Qcow2OverlapChecksKind() nor visit_type_BlockdevRefKind()
      is actually used.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 40b3adec13a9e022ff5a2e2b81c243fc0a026746
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 17:21:42 2015 +0200

      qapi-visit: Fix two name arguments passed to visitors

      The generated code passes mangled schema names to visit_type_enum()
      and union's visit_start_struct().  Fix it to pass the names
      unadulterated, like we do everywhere else.

      Only qapi-schema-test.json actually has names where this makes a
      difference: enum __org.qemu_x-Enum, flat union __org.qemu_x-Union2,
      simple union __org.qemu_x-Union1 and its implicit enum
      __org.qemu_x-Union1Kind.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8c07eddc619d618965fdd7a96bfe3b5c59f42b52
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 30 09:27:04 2015 +0200

      qapi-visit: Replace list implicit_structs by set

      Use set because that's what it is.  While there, rename to
      implicit_structs_seen.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8c3f8e77215bfedb7854221868f655e148506936
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 10:19:11 2015 +0200

      qapi-visit: Fix generated code when schema has forward refs

      The visit_type_implicit_FOO() are generated on demand, right before
      their first use.  Used by visit_type_STRUCT_fields() when STRUCT has
      base FOO, and by visit_type_UNION() when flat UNION has member a FOO.

      If the schema defines FOO after its first use as struct base or flat
      union member, visit_type_implicit_FOO() calls
      visit_type_implicit_FOO() before its definition, which doesn't
      compile.

      Rearrange qapi-schema-test.json to demonstrate the bug.

      Fix by generating the necessary forward declaration.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1e6c1616a91cdcbe9a8387541f7689b8c11632aa
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sun Jun 28 20:05:53 2015 +0200

      qapi: Generate a nicer struct for flat unions

      The struct generated for a flat union is weird: the members of its
      base are at the end, except for the union tag, which is at the
      beginning.

      Example: qapi-schema-test.json has

          { 'struct': 'UserDefUnionBase',
            'data': { 'string': 'str', 'enum1': 'EnumOne' } }

          { 'union': 'UserDefFlatUnion',
            'base': 'UserDefUnionBase',
            'discriminator': 'enum1',
            'data': { 'value1' : 'UserDefA',
                      'value2' : 'UserDefB',
                      'value3' : 'UserDefB' } }

      We generate:

          struct UserDefFlatUnion
          {
              EnumOne enum1;
              union {
                  void *data;
                  UserDefA *value1;
                  UserDefB *value2;
                  UserDefB *value3;
              };
              char *string;
          };

      Change to put all base members at the beginning, unadulterated.  Not
      only is this easier to understand, it also permits casting the flat
      union to its base, if that should become useful.

      We now generate:

          struct UserDefFlatUnion
          {
              /* Members inherited from UserDefUnionBase: */
              char *string;
              EnumOne enum1;
              /* Own members: */
              union { /* union tag is @enum1 */
                  void *data;
                  UserDefA *value1;
                  UserDefB *value2;
                  UserDefB *value3;
              };
          };

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 0f61af3eb396ae163cd1572ce12e05f5d08d7c15
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 10:30:04 2015 +0200

      qapi: Fix generated code when flat union has member 'kind'

      A flat union's tag member gets renamed to 'kind' in the generated
      code.  Breaks when another member named 'kind' exists.

      Example, adapted from qapi-schema-test.json:

          { 'struct': 'UserDefUnionBase',
            'data': { 'kind': 'str', 'enum1': 'EnumOne' } }

      We generate:

          struct UserDefFlatUnion
          {
              EnumOne kind;
              union {
                  void *data;
                  UserDefA *value1;
                  UserDefB *value2;
                  UserDefB *value3;
              };
              char *kind;
          };

      Kill the silly rename.

      Reported-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 5aa05d3f72e556752167f7005d6a3dea0f4432c5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sun Jun 28 21:36:26 2015 +0200

      qapi: Drop unused and useless parameters and variables

      gen_sync_call()'s parameter indent is useless: gen_sync_call() uses it
      only as optional argument for push_indent() and pop_indent(), their
      default is four, and gen_sync_call()'s only caller passes four.  Drop
      the parameter.

      gen_visitor_input_containers_decl()'s parameter obj is always
      "QOBJECT(args)".  Use that, and drop the parameter.

      Drop unused parameters of gen_marshal_output(),
      gen_marshal_input_decl(), generate_visit_struct_body(),
      generate_visit_list(), generate_visit_enum(), generate_declaration(),
      generate_enum_declaration(), generate_decl_enum().

      Drop unused variables in generate_event_enum_lookup(),
      generate_enum_lookup(), generate_visit_struct_fields(), check_event().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1cf47a15f18312436c7fa2d97be5fbe6df0292f5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 13:13:54 2015 +0200

      qapi: Reject -p arguments that break qapi-event.py

      qapi-event.py breaks when you ask for a funny prefix like '@'.
      Protect it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 016a335bd8ca624f43adbb08fa1698c29ec52a1a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 12:59:40 2015 +0200

      qapi-event: Clean up how name of enum QAPIEvent is made

      Use c_name() instead of ad hoc code.  Doesn't upcase the -p prefix,
      which is an improvement in my book.  Unbreaks prefix containing '.',
      but other funny characters remain broken.  To be fixed next.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 00dfc3b2c272d98556ec6095d56bdd8b036babf9
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 27 07:27:21 2015 +0200

      qapi: Simplify guardname()

      The guards around built-in declarations lose their _H.  It never made
      much sense anyway.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 77e703b861d34bb2879f3e845482d5cf0a3a0ad1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 24 19:27:32 2015 +0200

      qapi: Clean up cgen() and mcgen()

      Commit 05dfb26 added eatspace stripping to mcgen().  Move it to
      cgen(), just in case somebody gets tempted to use cgen() directly
      instead of via mcgen().

      cgen() indents blank lines.  No such lines get generated right now,
      but fix it anyway.

      We use triple-quoted strings for program text, like this:

          '''
          Program text
          any number of lines
          '''

      Keeps the program text relatively readable, but puts an extra newline
      at either end.  mcgen() "fixes" that by dropping the first and last
      line outright.  Drop only the newlines.

      This unmasks a bug in qapi-commands.py: four quotes instead of three.
      Fix it up.

      Output doesn't change

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 4247f839009159cb2cbaddfbd41513e180c4fe52
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 15:24:36 2015 +0200

      qapi: Clarify docs on including the same file multiple times

      It's idempotent.

      While there, update examples to current code.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 62313160cb5b6bdfbd77a063e94a5a7d25e59f2b
  Author: Ting Wang <kathy.wangting@xxxxxxxxxx>
  Date:   Fri Jun 26 16:07:13 2015 +0800

      hmp: add info iothreads command

      Make "info iothreads" available on the HMP monitor.

      For example, the results are as follows when executing qemu
      command with "-object iothread,id=iothread-1 -object
      iothread,id=iothread-2".
      (qemu) info iothreads
      iothread-1: thread_id=123
      iothread-2: thread_id=456

      Signed-off-by: Ting Wang <kathy.wangting@xxxxxxxxxx>
      Message-Id: <1435306033-58372-1-git-send-email-kathy.wangting@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Reviewed-by: Amos Jianjun Kong <kongjianjun@xxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e2f9a6572bb400e64e7a56526c5f7a4a9f8f6f90
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Jul 1 14:25:49 2015 -0400

      qmp-shell: add documentation

      I should probably document the changes that were made.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-Id: <1435775149-17285-1-git-send-email-jsnow@xxxxxxxxxx>
      Reviewed-By: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b041066421e8dcc7d080dfcfd83551c9c9f24ade
  Merge: 550e66e 987bd27
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 16:17:28 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' 
into staging

      # gpg: Signature made Thu 03 Sep 2015 15:46:52 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/tracing-pull-request:
        trace-events: Add hmp completion

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 987bd27000b6e21df6c73f6badb945ab5e42996a
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri Aug 14 11:27:43 2015 +0100

      trace-events: Add hmp completion

      Add completion for the trace event names in the hmp trace-event
      command.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-id: 1439548063-18410-1-git-send-email-dgilbert@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 550e66ea4cce7b6664d6caf7e651814cc2d30421
  Merge: 561578c 9ef4017
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 14:33:03 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150903' into 
staging

      First batch of s390x patches for 2.5:
      - introduce 2.5 compat machine
      - support for migration of storage keys

      # gpg: Signature made Thu 03 Sep 2015 11:28:06 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150903:
        s390x: Disable storage key migration on old machine type
        s390x: Migrate guest storage keys (initial memory only)
        s390x: Info skeys sub-command
        s390x: Dump-skeys hmp support
        s390x: Dump storage keys qmp command
        s390x: Enable new s390-storage-keys device
        s390x: Create QOM device for s390 storage keys
        s390x: add 2.5 compat s390-ccw-virtio machine

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f4798320144245da66128edb840bd940fd287d28
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Apr 9 11:39:28 2015 +0200

      ipxe: update binaries

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit cf2b4b5b77a7bfe9216efc76117447b88acd47a9
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Sep 3 14:40:29 2015 +0200

      ipxe: use upstream configuration

      Upstream supports named configurations now and ships with
      settings for qemu.  Use them, drop our config header copying.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f927f16213506a493ac416d9a9fa73c7460a766e
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Apr 9 11:37:15 2015 +0200

      ipxe: don't override GITVERSION

      We had build problems due to the git version checking in the ipxe build
      system in the past.  Don't remember the details, but the problem seems
      to be gone now, so lets remove the workaround.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

      [ most likely ipxe commit 6153c09c41034250408f3596555fcaae715da46c:
        [build] Set GITVERSION only if there is a git repository ]

      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit d4517d170c041ab654c9e65e5bbd3d79956af5b7
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Apr 9 10:52:19 2015 +0200

      ipxe: update from 35c53797 to 4e03af8

      git shortlog
      ============

      Alex Williamson (1):
            [dhcp] Extract timing parameters out to config/dhcp.h

      Bernd Wiebelt (1):
            [tg3] Add support for BCM57766

      Christian Hesse (3):
            [intel] Add PCI device IDs for Intel I218-LM and I218-V
            [build] Add missing "const" qualifiers
            [ath9k] Remove confusing logic inversion in an ANI variable

      Christian Nilsson (1):
            [bios] Add ANSI blink attribute

      Daniel Pieczko (1):
            [prefix] Use correct register for KEEP_IT_REAL physical address 
conversion

      Ed Swierk (1):
            [intel] Update PCI device IDs for Intel 82599 and X540 10G NICs

      Fabrice Bacchella (2):
            [efi] Improve NII driver logging
            [efi] Work around bugs in Emulex NII driver

      Laszlo Ersek (1):
            [virtio] Downgrade per-iobuf debug messages to DBGC2

      Michael Brown (284):
            [device] Provide a driver-private data field for root devices
            [iobuf] Add iob_split() to split an I/O buffer into portions
            [rndis] Add generic RNDIS device abstraction
            [hyperv] Add support for Hyper-V hypervisor
            [hyperv] Add support for VMBus devices
            [hyperv] Add support for NetVSC paravirtual network devices
            [rndis] Send RNDIS_INITIALISE_MSG
            [rndis] Send RNDIS_HALT_MSG
            [hyperv] Tear down NetVSC RX buffer GPADL after closing VMBus device
            [rndis] Clear receive filter when closing the device
            [hyperv] Receive all VMBus messages in a poll
            [hyperv] Increase TX ring size
            [hyperv] Assume that VMBus xfer page ranges correspond to RNDIS 
messages
            [rndis] Ignore start-of-day RNDIS_INDICATE_STATUS_MSG with status 
0x40020006
            [hyperv] Tidy up debug output
            [hyperv] Require support for VMBus version 3.0 or newer
            [build] Include Hyper-V driver in the all-drivers build
            [pci] Allow drivers to specify a PCI class
            [romprefix] Ensure UNDI loader can be included by all ROM types
            [usb] Add basic support for USB devices
            [usb] Add basic support for USB hubs
            [usb] Add support for xHCI host controllers
            [ncm] Add support for CDC-NCM USB Ethernet devices
            [usb] Report xHCI host controller events
            [ncm] Use large multi-packet buffers by default
            [tftp] Explicitly abort connection whenever parent interface is 
closed
            [uri] Allow tftp_uri() to construct a URI with a custom port
            [pxe] Use tftp_uri() to construct PXE TFTP URIs
            [pxe] Maintain a queue for received PXE UDP packets
            [ncm] Reserve headroom in received packets
            [usb] Try multiple USB device configurations
            [usb] Handle CDC union functional descriptors
            [usb] Parse endpoint descriptor bInterval field
            [usb] Allow usb_stream() to enforce a terminating short packet
            [ecm] Add support for CDC-ECM USB Ethernet devices
            [xhci] Delay after (possibly) forcing port link state to RxDetect
            [build] Move branding information to config/branding.h
            [build] Use PRODUCT_SHORT_NAME for end-user visible strings
            [build] Allow product URI to be customised via config/branding.h
            [build] Allow error message URI to be customised via 
config/branding.h
            [build] Allow command help text URI to be customised via 
config/branding.h
            [build] Allow setting help text URI to be customised via 
config/branding.h
            [build] Allow product tag line to be customised via 
config/branding.h
            [rndis] Add rndis_rx_err()
            [usb] Handle port status changes received after failing to find a 
driver
            [efi] Disallow R_X86_64_32 relocations
            [build] Apply the "-fno-PIE -nopie" workaround only to i386 builds
            [usb] Provide generic framework for refilling receive endpoints
            [usb] Use generic refill framework for USB hub interrupt endpoints
            [ecm] Use generic refill framework for bulk IN and interrupt 
endpoints
            [ncm] Use generic refill framework for bulk IN and interrupt 
endpoints
            [libc] Remove unused string functions
            [libc] Rewrite string functions
            [test] Add self-tests for more string functions
            [test] Add constant-length memset() self-tests
            [libc] Reduce size of memset()
            [usb] Add generic USB network device framework
            [ecm] Use generic USB network device framework
            [ncm] Use generic USB network device framework
            [timer] Rewrite the 8254 Programmable Interval Timer support
            [xhci] Leak memory if controller fails to disable slot
            [xhci] Abort commands on timeout
            [test] Add IPv4 self-tests
            [legal] Add missing copyright header to net/ipv4.c
            [ipv4] Rewrite inet_aton()
            [libc] Rewrite strtoul()
            [hyperv] Check for required features
            [prefix] Use .bss16 as temporary stack space for calls to 
install_block
            [zbin] Use LZMA compression
            [zbin] Perform extra normalisation after completing decompression
            [prefix] Call decompressor in flat real mode when DEBUG=libprefix 
is enabled
            [zbin] Allow decompressor to generate debug output via BIOS console
            [zbin] Fix check for existence of most recent output byte
            [zbin] Remove now-unused unnrv2b.S decompressor
            [legal] Update GPLv2 licence text
            [legal] Include full licence text for all GPL2_OR_LATER files
            [mucurses] Add missing FILE_LICENCE declarations
            [legal] Add support for the Unmodified Binary Distribution Licence
            [legal] Add UBDL relicensing tool
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [libc] Rewrite unrelicensable portions of stddef.h
            [libc] Rewrite unrelicensable portions of ctype.h
            [libc] Rewrite setjmp() and longjmp()
            [libc] Rewrite byte-swapping code
            [elf] Rewrite ELF header
            [list] Relicense list.h
            [iscsi] Rewrite unrelicensable portions of iscsi.c
            [pci] Remove outdated and mostly-unused pci_ids.h file
            [pci] Rewrite unrelicensable portions of pci.h
            [settings] Use list_first_entry() when unregistering child settings
            [settings] Rewrite unrelicensable portions of settings.c
            [menu] Abstract out the generic concept of a jump scroller
            [settings] Use generic jump scrolling abstraction
            [malloc] Move valgrind headers out of arch/x86
            [malloc] Rewrite unrelicensable portions of malloc.c
            [build] Remove unused IMPORT_SYMBOL() and EXPORT_SYMBOL() macros
            [build] Remove unused __keepme macro
            [pxe] Remove obsolete references to pxeparent_dhcp
            [build] Remove obsolete and unused portions of config.c
            [build] Use REQUIRE_OBJECT() to drag in per-object configuration
            [build] Fix the REQUIRE_SYMBOL mechanism
            [i386] Move real_to_user() to realmode.h
            [linux] Rewrite headers included in all builds
            [retry] Rewrite unrelicensable portions of retry.c
            [retry] Colourise debug output
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [xhci] Enable USB3 ports on Intel PCH8/PCH9 controllers
            [xhci] Undo PCH-specific quirk fixes when removing device
            [xen] Set the "feature-rx-notify" flag for netfront devices
            [http] Abstract out HTTP Digest hash algorithm operations
            [http] Support MD5-sess Digest authentication
            [dm96xx] Add driver for Davicom DM96xx USB Ethernet NICs
            [legal] Relicense Davicom DM96xx drivers
            [mii] Add generic mii_check_link() function
            [smsc75xx] Add driver for SMSC/Microchip LAN75xx USB Ethernet NICs
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [tcp] Implement support for TCP Selective Acknowledgements (SACK)
            [smsc75xx] Move RX FIFO overflow message to DBGLVL_EXTRA
            [tcpip] Fix dubious calculation of min_port
            [libc] Add ffs(), ffsl(), and ffsll()
            [usb] Add the concept of a USB bus maximum transfer size
            [ncm] Respect maximum transfer size of the bus
            [usb] Add functions for manual device address assignment
            [xhci] Forcibly disable SMIs if BIOS fails to release ownership
            [autoboot] Match against parent devices when matching by bus type 
and location
            [usb] Add config/usb.h for USB configuration options
            [xhci] Do not release ownership back to BIOS when booting an OS
            [ehci] Add support for EHCI host controllers
            [netdevice] Add missing bus types to netdev_fetch_bustype()
            [usb] Fix USB timeouts to match specification
            [libprefix] Fix building on 64-bit FreeBSD 8.4
            [xhci] Ring doorbell as part of endpoint reset
            [usb] Reset endpoints without waiting for a new transfer to be 
enqueued
            [usb] Add clear_tt() hub method to clear transaction translator 
buffer
            [usb] Clear transaction translator buffers when applicable
            [ehci] Support USB1 devices attached via transaction translators
            [usb] Improve debug messages for failed control transactions
            [xhci] Support USB1 devices attached via transaction translators
            [libc] Fix typo in longjmp()
            [libc] Add x86_64 versions of setjmp() and longjmp()
            [test] Add setjmp()/longjmp() self-tests
            [test] Simplify digest algorithm self-tests
            [crypto] Add SHA-224 algorithm
            [crypto] Add SHA-512 algorithm
            [crypto] Add SHA-384 algorithm
            [crypto] Add SHA-512/256 algorithm
            [crypto] Add SHA-512/224 algorithm
            [efi] Ensure drivers are disconnected when ExitBootServices() is 
called
            [peerdist] Add support for decoding PeerDist Content Information
            [xhci] Always reset root hub ports
            [romprefix] Allow autoboot device filter to be disabled
            [util] Add ability to dump PCI device ID list
            [efi] Add EFI entropy source
            [efi] Add EFI time source
            [efi] Provide a dummy data block in nii_initialise()
            [efi] Poll media status only if advertised as supported
            [efi] Poll for TX completions only when there is an outstanding TX 
buffer
            [efi] Use the EFI_RNG_PROTOCOL as an entropy source if available
            [eepro100] Remove duplicate PCI_ROM() line
            [prism2] Remove duplicate PCI_ROM() lines
            [build] Allow building PCI ROMs with device ID lists
            [build] Fix compiler warning on OpenBSD 5.7
            [build] Work around binutils quirk on OpenBSD 5.7
            [build] Use a single call to parserom.pl to speed up building
            [intel] Report any unexpected interrupt causes
            [intel] Force RX polling on VMware emulated 82545em
            [realtek] Do not attempt to access EEPROM on RTL8169 chips
            [rtl818x] Obviate RTL_ROM() hack
            [build] Construct all-drivers list based on driver class
            [test] Include IPv6 support when performing settings self-tests
            [base16] Add buffer size parameter to base16_encode() and 
base16_decode()
            [base64] Add buffer size parameter to base64_encode() and 
base64_decode()
            [settings] Add "base64" setting type
            [vram] Add "vram" built-in setting to dump video RAM
            [usb] Include setup packet within I/O buffer for message transfers
            [pci] Provide PCI_CLASS() to calculate a scalar PCI class value
            [usb] Detect missed disconnections
            [usb] Maintain a list of all USB buses
            [usb] Maintain single lists of halted endpoints and changed ports
            [ehci] Poll child companion controllers after disowning port
            [usb] Add find_usb_bus_by_location() helper function
            [ehci] Allow UHCI/OHCI controllers to locate the EHCI companion 
controller
            [uhci] Add support for UHCI host controllers
            [usb] Provide usb_endpoint_name() for use by host controller drivers
            [xhci] Use meaningful device names in debug messages
            [ehci] Use meaningful device names in debug messages
            [uhci] Use meaningful device names in debug messages
            [ipv6] Disambiguate received ICMPv6 errors
            [usb] Add USB_INTERRUPT_OUT internal type
            [usb] Add generic USB human interface device (HID) framework
            [usb] Add basic support for USB keyboards
            [usb] Do not call usb_hotplug() when registering a new hub
            [usb] Always clear recorded disconnections after performing hotplug 
actions
            [intel] Expose intel_diag() for use by other Intel NIC drivers
            [intel] Allow for the use of advanced TX descriptors
            [intel] Add support for mailbox used by virtual functions
            [intel] Add intelxvf driver for Intel 10 GigE virtual function NICs
            [int13con] Add basic ability to log to a local disk via INT 13
            [intel] Add intelxvf_stats() to dump packet statistics registers
            [intel] Fix operation when physical function has jumbo frames 
enabled
            [neighbour] Return success when deferring a packet
            [xhci] Fix length of allocated slot array
            [build] Fix .ids.o creation for drivers not in the all-drivers build
            [xhci] Fix comparison of signed and unsigned integers
            [ipoib] Fix REMAC cache discarder
            [xhci] Record device-specific quirks in xHCI device structure
            [xhci] Ignore invalid protocol speed ID values on Intel Skylake 
platforms
            [pci] Use flat real mode to call INT 1a,b101
            [tcp] Do not shrink window when discarding received packets
            [mromprefix] Report a dummy size at offset 0x02 of .mrom payload
            [ethernet] Add minimal support for receiving LLC frames
            [netdevice] Add a generic concept of a "blocked link"
            [stp] Add support for detecting Spanning Tree Protocol 
non-forwarding ports
            [stp] Fix interpretaton of hello time
            [dhcp] Defer discovery if link is blocked
            [pxe] Always reconstruct packet for PXENV_GET_CACHED_INFO
            [serial] Add general abstraction of a 16550-compatible UART
            [gdb] Use new UART abstraction in GDB serial transport
            [serial] Use new UART abstraction in serial console driver
            [ipoib] Mark REMAC cache as expensive
            [ipoib] Attempt to generate ARPs as needed to repopulate REMAC cache
            [gdb] Allow gdbstub to be started on an arbitrary serial port
            [xen] Wait for and clear XenStore event before receiving data
            [tcp] Gracefully close connections during shutdown
            [ipoib] Transmit multicast packets as broadcasts
            [efi] Fix receive and transmit completion reporting
            [efi] Allow user experience to be downgraded
            [build] Add named configuration for qemu
            [tcp] Ensure FIN is actually sent if connection is closed while idle
            [fault] Generalise NETDEV_DISCARD_RATE fault injection mechanism
            [fault] Add inject_corruption() to randomly corrupt data
            [profile] Add profile_custom() for profiling with arbitrary time 
units
            [interface] Add intf_poke() helper
            [xfer] Use intf_poke() to implement xfer_window_changed()
            [xfer] Add xfer_check_order() utility function
            [xferbuf] Generalise to handle umalloc()-based buffers
            [xferbuf] Add xfer_buffer() to provide direct access to underlying 
buffer
            [downloader] Use generic data-transfer buffer mechanism
            [downloader] Provide direct access to the underlying data transfer 
buffer
            [build] Fix compiler warnings on some gcc versions
            [crypto] Add bit-rotation functions for 8-bit and 16-bit values
            [802.11] Use correct SHA1_DIGEST_SIZE constant name
            [crypto] Add ECB block cipher mode (for debug and self-tests only)
            [test] Generalise cipher tests and use okx()
            [test] Define shortcuts for frequently-used NIST AES test vectors
            [test] Add NIST self-tests for AES128 and AES256 in ECB mode
            [crypto] Replace AES implementation
            [test] Add NIST self-tests for AES192 in ECB and CBC modes
            [crypto] Remove AXTLS headers
            [build] Fix strict-aliasing warning on older gcc versions
            [ipv6] Treat a missing network device name as "netX"
            [netdevice] Avoid using zero as a network device index
            [ipv4] Redefine IP address constants to avoid unnecessary byte 
swapping
            [ipv4] Allow IPv4 socket addresses to include a scope ID
            [iscsi] Add missing "break" statements
            [netdevice] Allow network devices to disclaim IRQ support at runtime
            [peerdist] Include trimmed range within content information block
            [peerdist] Add support for constructing and decoding discovery 
messages
            [peerdist] Add support for constructing and decoding retrieval 
messages
            [pool] Add a generic concept of a pooled connection
            [linebuf] Support buffering of multiple lines
            [elf] Reject ELFBoot images requiring virtual addressing
            [comboot] Avoid dragging in serial console support unconditionally
            [serial] Check for UART existence in uart_select()
            [tls] Do not access beyond the end of a 24-bit integer
            [tls] Report supported signature algorithms in ClientHello
            [crypto] Support SHA-{224,384,512} in X.509 certificates
            [efi] Hold off watchdog timer while running
            [efi] Add missing "ULL" suffix on 64-bit constant
            [block] Add generic block device translator
            [http] Rewrite HTTP core to support content encodings
            [peerdist] Add segment discovery mechanism
            [peerdist] Add individual block download mechanism
            [peerdist] Add block download multiplexer
            [peerdist] Add support for PeerDist (aka BranchCache) HTTP content 
encoding
            [dhcp] Allow pseudo-DHCP servers to use pseudo-identifiers
            [dhcp] Ignore ProxyDHCPACKs without PXE options
            [pxe] Warn about PXE NBPs that may be EFI executables
            [test] Allow self-tests to report exit status when running under 
Linux
            [image] Detect image type when image is first registered
            [autoboot] Display image information as part of the default control 
flow

      Olaf Hering (1):
            [build] Sort objects in blib.a

      Robin Smidsrød (2):
            [vbox] Enable some more features now that we have LZMA compression
            [build] Rewrite parserom.pl to support multiple source files

      Thomas Miletich (1):
            [intel] Add PCI ID for I218-LM

      Tufan Karadere (1):
            [crypto] Add ASN.1 OIDs for sha{224,384,512}WithRsaEncryption

      Wissam Shoukair (2):
            [comboot] Implement INT22,0x000c
            [ipoib] Fix a race when chain-loading undionly.kpxe in IPoIB

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 561578c2a82292ddf55737791d2838b797f49f35
  Merge: fc8135a 08b0b23
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 13:05:45 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150902' into 
staging

      queued tcg patches

      # gpg: Signature made Wed 02 Sep 2015 22:35:37 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150902:
        tcg/i386: omit a few REXW prefixes in softmmu code
        tcg/aarch64: Fix tcg_out_qemu_{ld, st} for guest_base == 0

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fc8135a46d095f865d285e697a874f617bfeeb90
  Merge: 654cd2c 112e451
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 12:09:41 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-axp-20150902' into 
staging

      cmpbge emulation improvements

      # gpg: Signature made Wed 02 Sep 2015 20:25:10 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-axp-20150902:
        target-alpha: Special case cmpbge with zero
        target-alpha: Rewrite helper_cmpbge using bit tests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9ef40173fbe99c0562d227980779a73613788782
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 9 13:56:44 2015 -0400

      s390x: Disable storage key migration on old machine type

      This code disables storage key migration when an older machine type is
      specified.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 186208fa1fa1b4fa1fe0b77c0fa61b9c0de6d66d
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:11:23 2015 -0400

      s390x: Migrate guest storage keys (initial memory only)

      Routines to save/load guest storage keys are provided. register_savevm is
      called to register them as migration handlers.

      We prepare the protocol to support more complex parameters. So we will
      later be able to support standby memory (having empty holes), compression
      and "state live migration" like done for ram.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit a08f0081c9886c1914d7bc2e6a29636a769fec84
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:10:16 2015 -0400

      s390x: Info skeys sub-command

      Provide an  info skeys hmp sub-command to allow the end user to dump a 
storage
      key for a given address. This is useful for guest operating system 
developers.

      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit a4538a5cc57dd493ed1545be98fa0ead0d391b8a
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:07:21 2015 -0400

      s390x: Dump-skeys hmp support

      Add dump-skeys command to the human monitor.

      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 7ee0c3e33a0f8664c529ce621ea83326817fc14a
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:03:16 2015 -0400

      s390x: Dump storage keys qmp command

      Provide a dump-skeys qmp command to allow the end user to dump storage
      keys. This is useful for debugging problems with guest storage key support
      within Qemu and for guest operating system developers.

      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 0f5f669147b52f89928bdf180165f74c4219210e
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:01:00 2015 -0400

      s390x: Enable new s390-storage-keys device

      s390 guest initialization is modified to make use of new s390-storage-keys
      device. Old code that globally allocated storage key array is removed.
      The new device enables storage key access for kvm guests.

      Cache storage key QOM objects in frequently used helper functions to 
avoid a
      performance hit every time we use one of these functions.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 0efe406cac8a4d9f0b52eada4c6c2a768fe4b7d2
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 11:54:51 2015 -0400

      s390x: Create QOM device for s390 storage keys

      A new QOM style device is provided to back guest storage keys. A special
      version for KVM is created, which handles the storage key access via
      KVM_S390_GET_SKEYS and KVM_S390_SET_SKEYS ioctl.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 84b48ad63ba1da6345c3f22da7cdefc93fbc07f0
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Jul 17 13:16:52 2015 +0200

      s390x: add 2.5 compat s390-ccw-virtio machine

      Reviewed-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 654cd2c5841d70e8053b39fb1a9162d5c113326b
  Merge: 0eac598 c5a9378
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 11:15:01 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Wed 02 Sep 2015 17:14:40 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        ne2000: Drop ne2000_can_receive
        vmxnet3: Drop net_vmxnet3_info.can_receive
        rtl8139: Do not consume the packet during overflow in standard mode.
        rtl8139: Fix receive buffer overflow check
        rtl8139: use ldl/stl wrapper for unaligned 32-bit access
        rtl8139: use net/eth.h macros instead of custom macros
        rtl8139: remove duplicate net/eth.h definitions

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0eac5986fc4cfe845d6d656c3a4dc29e004b3a3e
  Merge: f8b8091 e12f378
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 09:50:37 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Wed 02 Sep 2015 17:01:33 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        block: more check for replaced node
        MAINTAINERS: add responsible person for Parallels format driver

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 08b0b23be639b955e5e3d84dc42fa4e5ce6a8728
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 19 13:50:32 2015 +0200

      tcg/i386: omit a few REXW prefixes in softmmu code

      When computing the TLB address we are likely to mask out the high
      32-bits by using shr + and. We can use 32-bit instructions in that
      case. This saves 2 bytes per TLB access.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1437306632-20655-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 352bcb0a2b816ff9ab9d75d0f2384650d9e9ab19
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 15:58:02 2015 -0400

      tcg/aarch64: Fix tcg_out_qemu_{ld, st} for guest_base == 0

      In ffc6372851d8631a9f9fa56ec613b3244dc635b9, we swapped the guest
      base to the address base register from the address index register.
      Except that 31 in the base slot is SP not XZR, so we need to be
      more intelligent about which reg gets placed in which slot.

      Cc: qemu-stable@xxxxxxxxxx (v2.4.0)
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reported-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 16ef9d0252318d7e32e445fd7474af55dbaab7db
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:40 2015 -0400

      qemu-thread: handle spurious futex_wait wakeups

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-12-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e12f3784097a26a1ba51be420f41038b4c0ae5d1
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri Jul 17 10:12:22 2015 +0800

      block: more check for replaced node

      We use mirror+replace to fix quorum's broken child. bs/s->common.bs
      is quorum, and to_replace is the broken child. The new child is target_bs.
      Without this patch, the replace node can be any node, and it can be
      top BDS with BB, or another quorum's child. We just check if the broken
      child is part of the quorum BDS in this patch.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-id: 55A86486.1000404@xxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f307371217c42d62015b8d83300a11cd9d3966f3
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Fri Aug 21 20:44:16 2015 +0300

      MAINTAINERS: add responsible person for Parallels format driver

      Denis has spent 6 years working with this format in Parallels and QEMU
      code was rewritten almost completely by his. Thus it would be quite
      natural to add him as a maintainer and point of contact.

      Patches are going to flow though Stefan's tree.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1440179056-12934-1-git-send-email-den@xxxxxxxxxx
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c5a93780453e6da919287c17e873c843544ef2a3
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 13:25:05 2015 +0800

      ne2000: Drop ne2000_can_receive

      ne2000_receive already checks the same conditions and drops the packet
      if it's not ready, removing the .can_receive callback avoids the
      necessity to add explicit flushes when the conditions turn true (which
      is required by the new semantics of .can_receive since 6e99c63
      "net/socket: Drop net_socket_can_send").

      Plus the "return 1" if E8390_STOP is also suspicious.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2734a20b8161831ba68c9166014e00522599d1e2
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 10:26:27 2015 +0800

      vmxnet3: Drop net_vmxnet3_info.can_receive

      Commit 6e99c63 ("net/socket: Drop net_socket_can_send") changed the
      semantics around .can_receive for sockets to now require the device to
      flush queued pkts when transitioning to a .can_receive=true state. But
      it's OK to drop incoming packets when the link is not active.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 26c4e7ca72d970d120f0f51244bc8d37458512a0
  Author: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
  Date:   Tue Sep 1 11:26:46 2015 -0400

      rtl8139: Do not consume the packet during overflow in standard mode.

      When operation in standard mode, we currently return the size
      of packet during buffer overflow.  This consumes the overflow
      packet.  Return 0 instead so we can re-process the overflow packet
      when we have room.

      This fixes issues with lost/dropped fragments of large messages.

      Signed-off-by: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1441121206-6997-3-git-send-email-vyasevic@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fabdcd3392f16fc666b1d04fc1bbe5f1dbbf10a4
  Author: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
  Date:   Tue Sep 1 11:26:45 2015 -0400

      rtl8139: Fix receive buffer overflow check

      rtl8139_do_receive() tries to check for the overflow condition
      by making sure that packet_size + 8 does not exceed the
      available buffer space.  The issue here is that RxBuffAddr,
      used to calculate available buffer space, is aligned to a
      a 4 byte boundry after every update.  So it is possible that
      every packet ends up being slightly padded when written
      to the receive buffer.  This padding is not taken into
      account when checking for overflow and we may end up missing
      the overflow condition can causing buffer overwrite.

      This patch takes alignment into consideration when
      checking for overflow condition.

      Signed-off-by: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1441121206-6997-2-git-send-email-vyasevic@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 26c0114d3f69c3accaf83d56ff1d850bd0213b58
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Aug 3 13:15:57 2015 +0100

      rtl8139: use ldl/stl wrapper for unaligned 32-bit access

      The tx offload feature accesses a 16-bit aligned TCP header struct.  The
      32-bit fields must be accessed using ldl/stl wrappers since some host
      architectures fault on unaligned access.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1438604157-29664-4-git-send-email-stefanha@xxxxxxxxxx

  commit 1bf11332c4770e2750247733c713a4e771047282
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Aug 3 13:15:56 2015 +0100

      rtl8139: use net/eth.h macros instead of custom macros

      Eliminate the following "custom" macros since they are just duplicates
      of net/eth.h macros under a different name:

        ETHER_ADDR_LEN -> ETH_ALEN
        ETH_P_8021Q -> ETH_P_VLAN
        IP_HEADER_LENGTH -> IP_HDR_GET_LEN
        TCP_FLAG_FIN -> TH_FIN
        TCP_FLAG_PUSH -> TH_PUSH

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1438604157-29664-3-git-send-email-stefanha@xxxxxxxxxx

  commit 5d61721a621ef28d2f43fb5008afd38376be552b
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Aug 3 13:15:55 2015 +0100

      rtl8139: remove duplicate net/eth.h definitions

      The transmit offload features inspect Ethernet, IP, TCP, and UDP
      headers.  Avoid redefining these net/eth.h structs.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1438604157-29664-2-git-send-email-stefanha@xxxxxxxxxx

  commit f8b8091d2779d956011a3fb83ff60dbf7465c71d
  Merge: 090d0bf 15b19ed
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 1 19:42:43 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-09-01-v2-tag' into staging

      qemu-ga patch queue

      * add config file dump/load support for qemu-ga
      * various w32 build fixes, particularly WRT to msi package creation
      * fixes for msi installer
      * w32 support for guest-set-user-password

      v2:
      * replaced g_list_free_full with g_list_foreach to maintain glib 2.22
        compatibility

      # gpg: Signature made Tue 01 Sep 2015 19:34:15 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-09-01-v2-tag: (26 commits)
        Makefile: qemu-ga: fix msi target error message
        build: qemu-ga: fix VSS dependencies
        configure: qemu-ga: explicitly enable qemu-ga MSI support when probed
        configure: qemu-ga: move MSI installer probe after qga probe
        qemu-ga: implement win32 guest-set-user-password
        qga: start a man page
        qga: add --dump-conf option
        qga: add an optional qemu-ga.conf system configuration
        qga: free a bit more
        qga: move agent run in a separate function
        qga: fill default options in main()
        qga: move option parsing to separate function
        qga: copy argument strings
        qga: rename 'path' to 'channel_path'
        qga: make split_list() return allocated strings
        qga: move string split in separate function
        qga: use exit() when parsing options
        qga: misc spelling
        configure: qemu-ga: report MSI install support in summary
        qemu-ga: Fixed paths issue with MSI build
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 15b19ed85fb5464b736ef0ece1edce194de2194a
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 26 17:05:01 2015 -0500

      Makefile: qemu-ga: fix msi target error message

      'msi' target reports error if we attempt to use it when QEMU hasn't
      been ./configure'd to enable it. The parenthesis cause an interpreter
      error if we don't enclose the error in quotes.

      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f33ca81f134a4f528117aafe11bfbd09f8c7fcfc
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 26 16:19:41 2015 -0500

      build: qemu-ga: fix VSS dependencies

      Currently VSS dll/tlb files for use in w32 builds are only built as a
      result of having been added to the general 'tools' target alongside
      qemu-ga. This is fine for default make target, but if we build
      qemu-ga directly via `make qemu-ga.exe`, the VSS files are not
      created.

      Fix this by moving the VSS dependencies to qemu-ga.exe directly.
      With this move we can move the VSS files back out of 'tools',
      and drop the extra handling from MSI target in Makefile.

      Now we can build qemu-ga MSI package with:
        ./configure ...
        make qemu-ga.exe
        make msi

      or simply:
        ./configure ...
        make msi

      and no longer need to do a full build beforehand.

      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 1a34904e5b59fd42f238dc50992af1c3a11a458b
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 26 11:14:31 2015 -0500

      configure: qemu-ga: explicitly enable qemu-ga MSI support when probed

      Currently, if we don't explicitly disable support for MSI installer
      via --disable-guest-agent-msi, the configure variable that tracks
      the flag, 'guest_agent_msi', never gets set unless one of the probes
      fails. Subsequent code then treats this unset value the same as if it
      were a "yes" value (via != "no" style checks).

      Instead, set the default "yes" value explicitly after the probes, then
      make subsequent code expect the values to be set.

      This makes it easier to report on whether or not MSI support was
      enabled via probe by looking at the ./configure summary.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 9d6bc27b7e0e8520f1f91721d9c738e027eeb6c4
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 26 10:49:13 2015 -0500

      configure: qemu-ga: move MSI installer probe after qga probe

      MSI probe assumes that qemu-ga support has been probed already, but in
      cases where --enable-guest-agent/--disable-guest-agent have not been
      passed to configure, qemu-ga support may end up getting enabled later,
      as is the case with w32 builds. This leads to MSI probe prematurely
      reporting error due to lack of qemu-ga support.

      Fix this by moving MSI installer probe after the final qga probes.

      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 259434b8067e1c61017e9a5b8667b6526b474ff2
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Jun 30 16:37:13 2015 +0200

      qemu-ga: implement win32 guest-set-user-password

      Use NetUserSetInfo() to set the user password.

      This function is notoriously known to be problematic for users with EFS
      encrypted files. But the alternative, NetUserChangePassword() requires
      the old password. Nevertheless, The EFS file should be recovered by
      changing back to the old password.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 665b5d0dff3b1cc9e9dd6ca84e8fa4070e46ee9f
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:59 2015 +0200

      qga: start a man page

      Add a simple man page for the qemu agent.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      *squashed in review comments from Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit aeadcbb6338ddd8aedbc1473ba7e254623951248
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:58 2015 +0200

      qga: add --dump-conf option

      This new option allows to review the agent configuration,
      and ease the task of writing a configuration file.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      * removed unecessary keyfile != NULL prior to free
      * documented --dump-conf is qemu-ga --help output
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit e236d060cba8d2d6d26a7e076c895d2a6812dafb
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:57 2015 +0200

      qga: add an optional qemu-ga.conf system configuration

      Learn to configure the agent with a system configuration.

      This may simplify command-line handling, especially when the blacklist
      is long.

      Among the other benefits, this may standardize the configuration of an
      init service (instead of distro-specific init keys/files)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      * removed unecessary keyfile != NULL prior to free
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit d4c8a5d49e514bfeac2040ee5371b4e6a7d8d561
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:56 2015 +0200

      qga: free a bit more

      Now that main() has a single exit point, we can free a few
      more allocations.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit e3d3103975112a1ab8a0129a4be1cfe3314bce8b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:55 2015 +0200

      qga: move agent run in a separate function

      Once the options are populated, move the running state to
      a run_agent() function.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      * fixed up an s/ga_state/s/ artifact causing segfault
      * replaced g_list_free_full with g_list_foreach to maintain glib
        2.22 compatibility
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit ef8be55429b9a6718c7e07ede20391c09be65974
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:54 2015 +0200

      qga: fill default options in main()

      Fill all default options during main(). This is a preparation patch
      to allow to dump the configuration.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 7a40669491b344a4fe66a0957fe47d594b808f08
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:53 2015 +0200

      qga: move option parsing to separate function

      Move option parsing out of giant main().

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 2e38d9903be28493ccd6de4a55e5226e9f07dea9
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:52 2015 +0200

      qga: copy argument strings

      Following patch will return allocated strings, so we must correctly
      initialize alloc & free them. The nice side effect is that we no longer
      have to check for "fixed_state_dir" to call ga_install_service() with a
      NULL state dir. The default values are set after parsing the command
      line options.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 44de156ca7bfaf899745291a0d603d4f7550f5ea
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:51 2015 +0200

      qga: rename 'path' to 'channel_path'

      'path' is already a global function, rename the variable since it's
      going to be in global scope in a later patch.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4bca81ceedb59397f6082777f6ed4b39d456be85
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:50 2015 +0200

      qga: make split_list() return allocated strings

      In order to avoid any confusion, let's allocate new strings when
      splitting.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 23b42894b389eccb45ab66da3a3e77d3a8cfc2b6
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:49 2015 +0200

      qga: move string split in separate function

      The function is going to be reused in a later patch.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit c6c84523cd890e95b946c6a8f264ff54a7d5b930
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:48 2015 +0200

      qga: use exit() when parsing options

      The option parsing is going to be moved to a separate function,
      use exit() consistently.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 2e2a58e0e49ddb3561b541dc01c3206543b3a1a3
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:47 2015 +0200

      qga: misc spelling

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4c875d89cb11f4033012eebd63963ab725f8108e
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Aug 25 15:46:18 2015 -0500

      configure: qemu-ga: report MSI install support in summary

      Currently we need to examine config-host.mak to determine whether
      options/probes for MSI package generation had desired result. Report
      this more prominently in ./configure summary as we do with other
      guest agent configure options.

      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit decdfbd28d754f6ff596c0201ab55e9ff4df5b4e
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Wed Aug 26 15:07:16 2015 +0300

      qemu-ga: Fixed paths issue with MSI build

      Previously, if building out-of-tree, the MSI build would fail since
      it wasn't able to find the needed files.

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      * fixed up commit msg formating
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 848849dddf68630021351f5068de12f5c54ae2f8
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Mon Aug 3 20:54:24 2015 +0300

      qemu-ga: Prevent QEMU-GA VSS provider from being unregistered on MSI 
reinstall

      Previously, running the .msi would unregister the QEMU GA VSS service if 
QEMU GA was already installed on the machine, and then register it only if QEMU 
GA was NOT previously installed. This behavior caused the service to be 
registered only after the INITIAL installation, and any subsequent run of the 
.msi (to redo, repair, or upgrade the installation) ended in the service being 
unregistered.

      Now, the VSS service is still unregistered if QEMU GA is already 
installed (so that a fix or an update could be performed) but then it is 
registered again (if the GA is not being uninstalled) thus finishing the 
repair/upgrade correctly. Additionally, downgrading is now prevented. If a user 
would like to downgrade a version, he/she must uninstall the newer version 
first.

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 5e994f94121cdb9c48939cb489e2da646c229a48
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Mon Aug 3 20:54:23 2015 +0300

      qemu-ga: Created a separate component for each installed file in the MSI

      This is done to follow the recommendations given here: 
https://msdn.microsoft.com/en-us/library/aa368269%28VS.85%29.aspx

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 8b17ccccb23bcd7554d327f46bf4e07ae6da60c0
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Mon Aug 3 20:54:22 2015 +0300

      qemu-ga: Minor cosmetic changes to the WXS file

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 1d394fb78771f4ca307c6020ff3b041905350f70
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Mon Aug 3 20:54:21 2015 +0300

      qemu-ga: Fixed GUID capitalization

      For compatibility, all the letters in GUID should be capital.

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 0a18750f296c85a5a446dc04e1c49cd35ad9e7d5
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Wed Jul 29 20:10:51 2015 +0300

      qemu-ga: Two MSI related cosmetic changes

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 9f3917804dfda737650a22c745469809725b3c6e
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Wed Jul 29 20:10:50 2015 +0300

      qemu-ga: Add .msi files to .gitignore

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 090d0bfd948343d522cd20bc634105b5cfe2483b
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Fri Aug 28 12:23:41 2015 +0200

      s390: fix softmmu compilation

      guest_base must be used only in linux-user mode.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-id: 1440757421-9674-1-git-send-email-laurent@xxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6c76ec68f68494d4a31b5d82073ed4d2798b8e13
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 28 11:42:53 2015 +0100

      qemu-doc.texi: Fix capitalization error in OS X build instructions

      Fix a capitalization error in the OS X build instructions;
      this was picked up in review of commit b352153f5f and intended to be
      corrected before I applied it, but I accidentally didn't include it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b352153f5f7eb12b56602fc03ae4361e01201f90
  Author: G 3 <programmingkidx@xxxxxxxxx>
  Date:   Fri Aug 14 13:54:25 2015 -0400

      From: John Arbuckle <programmingkidx@xxxxxxxxx>

      qemu-doc.texi: Add information on compiling source code on Mac OS X

      Add information to the documentation on how to build QEMU
      on Mac OS X.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: fixed a minor capitalization error]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 351053e76d21d0eaa2e0f27c9b69c8ebf65f3650
  Merge: 47c9dfe a17d448
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 27 13:31:55 2015 +0100

      Merge remote-tracking branch 'remotes/weil/tags/pull-tci-20150826' into 
staging

      tci patch queue

      # gpg: Signature made Wed 26 Aug 2015 19:51:07 BST using RSA key ID 
677450AD
      # gpg: Good signature from "Stefan Weil <sw@xxxxxxxxxxx>"
      # gpg:                 aka "Stefan Weil <stefan.weil@xxxxxxxxxxx>"
      # gpg:                 aka "Stefan Weil <stefan.weil@xxxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 4923 6FEA 75C9 5D69 8EC2  B78A E08C 21D5 6774 
50AD

      * remotes/weil/tags/pull-tci-20150826:
        exec-all: Translate TCI return addresses backwards too

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a17d448274575efbfcc1c04ec2641a0afeb74e17
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Aug 17 20:28:18 2015 -0700

      exec-all: Translate TCI return addresses backwards too

      This subtraction of return addresses applies directly to TCI as well as
      host-TCG. This fixes Linux boots for at least Microblaze, CRIS, ARM and
      SH4 when using TCI.

      [sw: Removed indentation for preprocessor statement]
      [sw: The patch also fixes Linux boot for x86_64]

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit 47c9dfee808f9455d732aea7c4390ad0972bbd84
  Merge: 7df9671 eb8934b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 26 17:45:09 2015 +0100

      Merge remote-tracking branch 
'remotes/kraxel/tags/pull-cve-2015-5225-20150826-1' into staging

      vnc: fix memory corruption (CVE-2015-5225)

      # gpg: Signature made Wed 26 Aug 2015 17:37:21 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-cve-2015-5225-20150826-1:
        vnc: fix memory corruption (CVE-2015-5225)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit eb8934b0418b3b1d125edddc4fc334a54334a49b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Aug 17 19:56:53 2015 +0200

      vnc: fix memory corruption (CVE-2015-5225)

      The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
      memory corruption issues" can become negative.  Result is (possibly
      exploitable) memory corruption.  Reason for that is it uses the stride
      instead of bytes per scanline to apply limits.

      For the server surface is is actually fine.  vnc creates that itself,
      there is never any padding and thus scanline length always equals stride.

      For the guest surface scanline length and stride are typically identical
      too, but it doesn't has to be that way.  So add and use a new variable
      (guest_ll) for the guest scanline length.  Also rename min_stride to
      line_bytes to make more clear what it actually is.  Finally sprinkle
      in an assert() to make sure we never use a negative _cmp_bytes again.

      Reported-by: è??ç¥?è?³(åº?ç?¹) <zuozhi.fzz@xxxxxxxxxxxxxxx>
      Reviewed-by: P J P <ppandit@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 7df9671989c1cfa693764f9ae6349324b2ada02a
  Merge: 34a4450 cea66e9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 16:24:06 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150825-1' into staging

      target-arm queue:
       * add missing EL2/EL3 TLBI operations
       * add missing EL2/EL3 ATS operations
       * add missing EL2/EL3 registers
       * update Xilinx MAINTAINERS info
       * Xilinx: connect the four OCM banks

      # gpg: Signature made Tue 25 Aug 2015 16:22:43 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150825-1:
        target-arm: Implement AArch64 TLBI operations on IPAs
        target-arm: Implement missing EL3 TLB invalidate operations
        target-arm: Implement missing EL2 TLBI operations
        target-arm: Restrict AArch64 TLB flushes to the MMU indexes they must 
touch
        target-arm: Move TLBI ALLE1/ALLE1IS definitions into numeric order
        cputlb: Add functions for flushing TLB for a single MMU index
        target-arm: Implement AArch32 ATS1H* operations
        target-arm: Enable the AArch32 ATS12NSO ops
        target-arm: Add CP_ACCESS_TRAP_UNCATEGORIZED_EL2, 3
        target-arm: Wire up AArch64 EL2 and EL3 address translation ops
        target-arm: there is no TTBR1 for 32-bit EL2 stage 1 translations
        target-arm: Implement missing ACTLR registers
        target-arm: Implement missing AFSR registers
        target-arm: Implement missing AMAIR registers
        target-arm: Add missing MAIR_EL3 and TPIDR_EL3 registers
        MAINTAINERS: Add ZynqMP to MAINTAINERS file
        MAINTAINERS: Update Xilinx Maintainership
        xlnx-zynqmp: Connect the four OCM banks

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cea66e91212164e02ad1d245c2371f7e8eb59e7f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:10 2015 +0100

      target-arm: Implement AArch64 TLBI operations on IPAs

      Implement the AArch64 TLBI operations which take an intermediate
      physical address and invalidate stage 2 translations.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 43efaa33faa2bdaed789b9ddaa76b30880e57554
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:10 2015 +0100

      target-arm: Implement missing EL3 TLB invalidate operations

      Implement the remaining stage 1 TLB invalidate operations
      visible from EL3.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2bfb9d75d37ceab6ef1674f54fca06c74f6978e7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:09 2015 +0100

      target-arm: Implement missing EL2 TLBI operations

      Implement the missing TLBI operations that exist only
      if EL2 is implemented.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit fd3ed969227f54f08f87d9eb6de2d4e48e99279b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:09 2015 +0100

      target-arm: Restrict AArch64 TLB flushes to the MMU indexes they must 
touch

      Now we have the ability to flush the TLB only for specific MMU indexes,
      update the AArch64 TLB maintenance instruction implementations to only
      flush the parts of the TLB they need to, rather than doing full flushes.

      We take the opportunity to remove some duplicate functions (the per-asid
      tlb ops work like the non-per-asid ones because we don't support
      flushing a TLB only by ASID) and to bring the function names in line
      with the architectural TLBI operation names.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 83ddf975777cc23337b7ef92e83b1b9c949396f3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:09 2015 +0100

      target-arm: Move TLBI ALLE1/ALLE1IS definitions into numeric order

      Move the two regdefs for TLBI ALLE1 and TLBI ALLE1IS down so that the
      whole set of AArch64 TLBI regdefs is arranged in numeric order.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit d7a74a9d4a68e27b3a8ceda17bb95cb0a23d8e4d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:09 2015 +0100

      cputlb: Add functions for flushing TLB for a single MMU index

      Guest CPU TLB maintenance operations may be sufficiently
      specialized to only need to flush TLB entries corresponding
      to a particular MMU index. Implement cputlb functions for
      this, to avoid the inefficiency of flushing TLB entries
      which we don't need to.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 14db7fe09a2c8d561ff37f98b328409906a560d7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: Implement AArch32 ATS1H* operations

      Implement the AArch32 ATS1H* operations which perform
      Hyp mode stage 1 translations.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 87562e4f4a2bdd028eef3549ce9cb4e7c83cb0bf
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: Enable the AArch32 ATS12NSO ops

      Apply the correct conditions in the ats_access() function for
      the ATS12NSO* address translation operations:
       * succeed at EL2 or EL3
       * normal UNDEF trap from NS EL1
       * trap to EL3 from S EL1 (only possible if EL3 is AArch64)

      (This change means they're now available in our EL3-supporting
      CPUs when they would previously always UNDEF.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit e76157264da20b85698b09fa5eb8e02e515e232c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: Add CP_ACCESS_TRAP_UNCATEGORIZED_EL2, 3

      Some coprocessor register access functions need to be able
      to report "trap to EL3 with an 'uncategorized' syndrome";
      add the necessary CPAccessResult enum and handling for it.

      I don't currently know of any registers that need to trap
      to EL2 with the 'uncategorized' syndrome, but adding the
      _EL2 enum as well is trivial and fills in what would
      otherwise be an odd gap in the handling.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2a47df953202e1f226aa045ea974427c4540a167
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: Wire up AArch64 EL2 and EL3 address translation ops

      Wire up the AArch64 EL2 and EL3 address translation operations
      (AT S12E1*, AT S12E0*, AT S1E2*, AT S1E3*), and correct some
      errors in the ats_write64() function in previously unused code
      that would have done the wrong kind of lookup for accesses from
      EL3 when SCR.NS==0.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit d0a2cbceb2aa20d64d53e1c20c7d26a78ade8382
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: there is no TTBR1 for 32-bit EL2 stage 1 translations

      For EL2 stage 1 translations, there is no TTBR1. We were already
      handling this for 64-bit EL2; add the code to take the 'no TTBR1'
      code path for 64-bit EL2 as well.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 834a6c6920316d39aaf0e68ac936c0a3ad164815
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      target-arm: Implement missing ACTLR registers

      We already implemented ACTLR_EL1; add the missing ACTLR_EL2 and
      ACTLR_EL3, for consistency.

      Since we don't currently have any CPUs that need the EL2/EL3
      versions to reset to non-zero values, implement as RAZ/WI.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1438281398-18746-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 37cd6c2478196623ca28526627ca8c69afe0d654
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      target-arm: Implement missing AFSR registers

      The AFSR registers are implementation dependent auxiliary fault
      status registers. We already implemented a RAZ/WI AFSR0_EL1 and
      AFSR_EL1; add the missing AFSR{0,1}_EL{2,3} for consistency.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1438281398-18746-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2179ef958c81480b841ffa0aab5e265688ffd2b0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      target-arm: Implement missing AMAIR registers

      The AMAIR registers are for providing auxiliary implementation
      defined memory attributes. We already implemented a RAZ/WI
      AMAIR_EL1; add the EL2 and EL3 versions for consistency.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1438281398-18746-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4cfb8ad896a6f85953038bd913ce3d82d347013d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      target-arm: Add missing MAIR_EL3 and TPIDR_EL3 registers

      Add the AArch64 registers MAIR_EL3 and TPIDR_EL3, which are the only
      two which we had implemented the 32-bit Secure equivalents of but
      not the 64-bit Secure versions.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1438281398-18746-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 137805f5d8504933faa4fe129cdab88f2695a8c2
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      MAINTAINERS: Add ZynqMP to MAINTAINERS file

      Add the Xilinx ZynqMP SoC and EP108 machine to the maintainers
      file.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
fed078103a0b02cfb3adadbe8e80e4420d554505.1436486024.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b46ba6145c4c9b79641efdcc9f1aa92fdbf779c
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:06 2015 +0100

      MAINTAINERS: Update Xilinx Maintainership

      Peter C is leaving Xilinx, so update the maintainer list
      to point to Alistair and Edgar from Xilinx and Peter's
      personal email address.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
54b4c070452bac05aa3a9c1d75899bc097fef831.1436486024.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6675d719154969456e841a7e1729c0dc14113a44
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:06 2015 +0100

      xlnx-zynqmp: Connect the four OCM banks

      The Xilinx EP108 has four separate OCM banks which are located
      adjacent to each other. This patch adds the four banks to
      the ZynqMP SoC.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
afa6ba31163a5d541a0bef4b0dc11f2597e0c495.1436813543.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 34a4450434f1a5daee06fca223afcbb9c8f1ee24
  Merge: a30878e b76f21a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 13:34:57 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150824' into 
staging

      queued tcg patches

      # gpg: Signature made Mon 24 Aug 2015 19:37:15 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150824:
        linux-user: remove useless macros GUEST_BASE and RESERVED_VA
        linux-user: remove --enable-guest-base/--disable-guest-base
        tcg/aarch64: Use softmmu fast path for unaligned accesses
        tcg/s390: Use softmmu fast path for unaligned accesses
        tcg/ppc: Improve unaligned load/store handling on 64-bit backend
        tcg/i386: use softmmu fast path for unaligned accesses
        tcg: Remove tcg_gen_trunc_i64_i32
        tcg: Split trunc_shr_i32 opcode into extr[lh]_i64_i32
        tcg: update README about size changing ops
        tcg/optimize: add optimizations for ext_i32_i64 and extu_i32_i64 ops
        tcg: implement real ext_i32_i64 and extu_i32_i64 ops
        tcg: don't abuse TCG type in tcg_gen_trunc_shr_i64_i32
        tcg: rename trunc_shr_i32 into trunc_shr_i64_i32
        tcg/optimize: allow constant to have copies
        tcg/optimize: track const/copy status separately
        tcg/optimize: add temp_is_const and temp_is_copy functions
        tcg/optimize: optimize temps tracking
        tcg/optimize: fix constant signedness

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b76f21a70748b735d6ac84fec4bb9bdaafa339b1
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Mon Aug 24 14:53:54 2015 +0200

      linux-user: remove useless macros GUEST_BASE and RESERVED_VA

      As we have removed CONFIG_USE_GUEST_BASE, we always use a guest base
      and the macros GUEST_BASE and RESERVED_VA become useless: replace
      them by their values.

      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-Id: <1440420834-8388-1-git-send-email-laurent@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4cbea5986981998cda07b13794c7e3ff7bc42e80
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Mon Aug 24 01:42:07 2015 +0200

      linux-user: remove --enable-guest-base/--disable-guest-base

      All tcg host architectures now support the guest base and as
      there is no real performance lost, it can be always enabled.

      Anyway, guest base use can be disabled lively by setting guest
      base to 0.

      CONFIG_USE_GUEST_BASE is defined as (USE_GUEST_BASE && USER_ONLY),
      it should have to be replaced by CONFIG_USER_ONLY in non CONFIG_USER_ONLY
      parts, but as some other parts are using !CONFIG_SOFTMMU I have chosen to
      use !CONFIG_SOFTMMU instead.

      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-Id: <1440373328-9788-2-git-send-email-laurent@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9ee14902bf107e37fb2c8119fa7bca424396237c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 17 12:18:05 2015 -0700

      tcg/aarch64: Use softmmu fast path for unaligned accesses

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a5e39810b9088b5d20fac8e0293f281e1c8b608f
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 23 13:32:35 2015 -0700

      tcg/s390: Use softmmu fast path for unaligned accesses

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 68d45bb61c5bbfb3999486f78cf026c1e79eb301
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 15:19:38 2015 +1000

      tcg/ppc: Improve unaligned load/store handling on 64-bit backend

      Currently, we get to the slow path for any unaligned access in the
      backend, because we effectively preserve the bottom address bits
      below the alignment requirement when comparing with the TLB entry,
      so any non-0 bit there will cause the compare to fail.

      For the same number of instructions, we can instead add the access
      size - 1 to the address and stick to clearing all the bottom bits.

      That means that normal unaligned accesses will not fallback (the HW
      will handle them fine). Only when crossing a page boundary well we
      end up having a mismatch because we'll end up pointing to the next
      page which cannot possibly be in that same TLB entry.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Message-Id: <1437455978.5809.2.camel@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8cc580f6a0d8c0e2f590c1472cf5cd8e51761760
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jul 9 20:39:57 2015 +0200

      tcg/i386: use softmmu fast path for unaligned accesses

      Softmmu unaligned load/stores currently goes through through the slow
      path for two reasons:
        - to support unaligned access on host with strict alignement
        - to correctly handle accesses crossing pages

      x86 is only concerned by the second reason. Unaligned accesses are
      avoided by compilers, but are not uncommon. We therefore would like
      to see them going through the fast path, if they don't cross pages.

      For that we can use the fact that two adjacent TLB entries can't contain
      the same page. Therefore accessing the TLB entry corresponding to the
      first byte, but comparing its content to page address of the last byte
      ensures that we don't cross pages. We can do this check without adding
      more instructions in the TLB code (but increasing its length by one
      byte) by using the LEA instruction to combine the existing move with the
      size addition.

      On an x86-64 host, this gives a 3% boot time improvement for a powerpc
      guest and 4% for an x86-64 guest.

      [rth: Tidied calculation of the offset mask]

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1436467197-2183-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ecc7b3aa71f5fdcf9ee87e74ca811d988282641d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Jul 24 11:49:53 2015 -0700

      tcg: Remove tcg_gen_trunc_i64_i32

      Replacing it with tcg_gen_extrl_i64_i32.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 609ad70562793937257c89d07bf7c1370b9fc9aa
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Jul 24 07:16:00 2015 -0700

      tcg: Split trunc_shr_i32 opcode into extr[lh]_i64_i32

      Rather than allow arbitrary shift+trunc, only concern ourselves
      with low and high parts.  This is all that was being used anyway.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 870ad1547ac53bc79c21d86cf453b3b20cc660a2
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg: update README about size changing ops

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8bcb5c8f34f9215d4f88f388c7ff14c9bd5cecd3
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg/optimize: add optimizations for ext_i32_i64 and extu_i32_i64 ops

      They behave the same as ext32s_i64 and ext32u_i64 from the constant
      folding and zero propagation point of view, except that they can't
      be replaced by a mov, so we don't compute the affected value.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4f2331e5b67af8172419eb1c8db510b497b30a7b
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg: implement real ext_i32_i64 and extu_i32_i64 ops

      Implement real ext_i32_i64 and extu_i32_i64 ops. They ensure that a
      32-bit value is always converted to a 64-bit value and not propagated
      through the register allocator or the optimizer.

      Cc: Andrzej Zaborowski <balrogg@xxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Blue Swirl <blauwirbel@xxxxxxxxx>
      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Acked-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6acd2558fdb7dd9de6b10697914bdc1d75d624e5
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg: don't abuse TCG type in tcg_gen_trunc_shr_i64_i32

      The tcg_gen_trunc_shr_i64_i32 function takes a 64-bit argument and
      returns a 32-bit value. Directly call tcg_gen_op3 with the correct
      types instead of calling tcg_gen_op3i_i32 and abusing the TCG types.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0632e555fc4d281d69cb08d98d500d96185b041f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg: rename trunc_shr_i32 into trunc_shr_i64_i32

      The op is sometimes named trunc_shr_i32 and sometimes trunc_shr_i64_i32,
      and the name in the README doesn't match the name offered to the
      frontends.

      Always use the long name to make it clear it is a size changing op.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 299f80130401153af1a6ddb3cc011781bcd47600
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:44 2015 +0200

      tcg/optimize: allow constant to have copies

      Now that copies and constants are tracked separately, we can allow
      constant to have copies, deferring the choice to use a register or a
      constant to the register allocation pass. This prevent this kind of
      regular constant reloading:

      -OUT: [size=338]
      +OUT: [size=298]
         mov    -0x4(%r14),%ebp
         test   %ebp,%ebp
         jne    0x7ffbe9cb0ed6
         mov    $0x40002219f8,%rbp
         mov    %rbp,(%r14)
      -  mov    $0x40002219f8,%rbp
         mov    $0x4000221a20,%rbx
         mov    %rbp,(%rbx)
         mov    $0x4000000000,%rbp
         mov    %rbp,(%r14)
      -  mov    $0x4000000000,%rbp
         mov    $0x4000221d38,%rbx
         mov    %rbp,(%rbx)
         mov    $0x40002221a8,%rbp
         mov    %rbp,(%r14)
      -  mov    $0x40002221a8,%rbp
         mov    $0x4000221d40,%rbx
         mov    %rbp,(%rbx)
         mov    $0x4000019170,%rbp
         mov    %rbp,(%r14)
      -  mov    $0x4000019170,%rbp
         mov    $0x4000221d48,%rbx
         mov    %rbp,(%rbx)
         mov    $0x40000049ee,%rbp
         mov    %rbp,0x80(%r14)
         mov    %r14,%rdi
         callq  0x7ffbe99924d0
         mov    $0x4000001680,%rbp
         mov    %rbp,0x30(%r14)
         mov    0x10(%r14),%rbp
         mov    $0x4000001680,%rbp
         mov    %rbp,0x30(%r14)
         mov    0x10(%r14),%rbp
         shl    $0x20,%rbp
         mov    (%r14),%rbx
         mov    %ebx,%ebx
         mov    %rbx,(%r14)
         or     %rbx,%rbp
         mov    %rbp,0x10(%r14)
         mov    %rbp,0x90(%r14)
         mov    0x60(%r14),%rbx
         mov    %rbx,0x38(%r14)
         mov    0x28(%r14),%rbx
         mov    $0x4000220e60,%r12
         mov    %rbx,(%r12)
         mov    $0x40002219c8,%rbx
         mov    %rbp,(%rbx)
         mov    0x20(%r14),%rbp
         sub    $0x8,%rbp
         mov    $0x4000004a16,%rbx
         mov    %rbx,0x0(%rbp)
         mov    %rbp,0x20(%r14)
         mov    $0x19,%ebp
         mov    %ebp,0xa8(%r14)
         mov    $0x4000015110,%rbp
         mov    %rbp,0x80(%r14)
         xor    %eax,%eax
         jmpq   0x7ffbebcae426
         lea    -0x5f6d72a(%rip),%rax        # 0x7ffbe3d437b3
         jmpq   0x7ffbebcae426

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b41059dd9deec367a4ccd296659f0bc5de2dc705
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:44 2015 +0200

      tcg/optimize: track const/copy status separately

      Instead of using an enum which could be either a copy or a const, track
      them separately. This will be used in the next patch.

      Constants are tracked through a bool. Copies are tracked by initializing
      temp's next_copy and prev_copy to itself, allowing to simplify the code
      a bit.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit d9c769c60948815ee03b2684b1c1c68ee4375149
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:44 2015 +0200

      tcg/optimize: add temp_is_const and temp_is_copy functions

      Add two accessor functions temp_is_const and temp_is_copy, to make the
      code more readable and make code change easier.

      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 1208d7dd5fddc1fbd98de800d17429b4e5578848
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:44 2015 +0200

      tcg/optimize: optimize temps tracking

      The tcg_temp_info structure uses 24 bytes per temp. Now that we emulate
      vector registers on most guests, it's not uncommon to have more than 100
      used temps. This means we have initialize more than 2kB at least twice
      per TB, often more when there is a few goto_tb.

      Instead used a TCGTempSet bit array to track which temps are in used in
      the current basic block. This means there are only around 16 bytes to
      initialize.

      This improves the boot time of a MIPS guest on an x86-64 host by around
      7% and moves out tcg_optimize from the the top of the profiler list.

      [rth: Handle TCG_CALL_DUMMY_ARG]

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 29f3ff8d6cbc28f79933aeaa25805408d0984a8f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 10 18:03:31 2015 +0200

      tcg/optimize: fix constant signedness

      By convention, on a 64-bit host TCG internally stores 32-bit constants
      as sign-extended. This is not the case in the optimizer when a 32-bit
      constant is folded.

      This doesn't seem to have more consequences than suboptimal code
      generation. For instance the x86 backend assumes sign-extended constants,
      and in some rare cases uses a 32-bit unsigned immediate 0xffffffff
      instead of a 8-bit signed immediate 0xff for the constant -1. This is
      with a ppc guest:

      before
      ------

       ---- 0x9f29cc
       movi_i32 tmp1,$0xffffffff
       movi_i32 tmp2,$0x0
       add2_i32 tmp0,CA,CA,tmp2,r6,tmp2
       add2_i32 tmp0,CA,tmp0,CA,tmp1,tmp2
       mov_i32 r10,tmp0

      0x7fd8c7dfe90c:  xor    %ebp,%ebp
      0x7fd8c7dfe90e:  mov    %ebp,%r11d
      0x7fd8c7dfe911:  mov    0x18(%r14),%r9d
      0x7fd8c7dfe915:  add    %r9d,%r10d
      0x7fd8c7dfe918:  adc    %ebp,%r11d
      0x7fd8c7dfe91b:  add    $0xffffffff,%r10d
      0x7fd8c7dfe922:  adc    %ebp,%r11d
      0x7fd8c7dfe925:  mov    %r11d,0x134(%r14)
      0x7fd8c7dfe92c:  mov    %r10d,0x28(%r14)

      after
      -----

       ---- 0x9f29cc
       movi_i32 tmp1,$0xffffffffffffffff
       movi_i32 tmp2,$0x0
       add2_i32 tmp0,CA,CA,tmp2,r6,tmp2
       add2_i32 tmp0,CA,tmp0,CA,tmp1,tmp2
       mov_i32 r10,tmp0

      0x7f37010d490c:  xor    %ebp,%ebp
      0x7f37010d490e:  mov    %ebp,%r11d
      0x7f37010d4911:  mov    0x18(%r14),%r9d
      0x7f37010d4915:  add    %r9d,%r10d
      0x7f37010d4918:  adc    %ebp,%r11d
      0x7f37010d491b:  add    $0xffffffffffffffff,%r10d
      0x7f37010d491f:  adc    %ebp,%r11d
      0x7f37010d4922:  mov    %r11d,0x134(%r14)
      0x7f37010d4929:  mov    %r10d,0x28(%r14)

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1436544211-2769-2-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a30878e708c2149ce07d709a8b62edd944628449
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 16:10:52 2015 +0100

      configure: Don't permit SDL or GTK on OSX

      The cocoa GUI frontend assumes it is the only GUI (it redefines
      main() so it always gets control before the rest of QEMU), so
      it does not play well with other UIs like SDL or GTK. (Mostly
      people building QEMU on OSX don't have the necessary dependencies
      available for configure to build those other front ends, so
      mostly this problem goes unnoticed.)

      Make configure automatically disable the SDL and GTK front ends
      if the cocoa front end is enabled. (We were sort of attempting
      to do this for SDL before, but not in a way that worked very well.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 1439565052-3457-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 20fbcfdd58ea47607a5755979d43f8c48ac93f08
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:20 2015 +0100

      apic_internal.h: Include cpu.h directly

      apic_internal.h relies on cpu.h having been included (for the
      X86CPU type); include it directly rather than relying on it
      being pulled in via one of the other includes like timer.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 49caffe0cc95a9d0dc344e3328be8197f3536cf8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:20 2015 +0100

      qemu-common.h: Move muldiv64() to host-utils.h

      Move the muldiv64() function from qemu-common.h to host-utils.h.
      This puts it together with all the other arithmetic functions
      where we provide a version with __int128_t and a fallback
      without, and allows headers which need muldiv64() to avoid
      including qemu-common.h.

      We don't include host-utils from qemu-common.h, to avoid dragging
      more things into qemu-common.h than it already has; in practice
      everywhere that needs muldiv64() can get it via qemu/timer.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 03557b9abaee78e9d1ef5cd236d32a7b3e75e6f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:20 2015 +0100

      osdep.h: Add header comment

      Add a header comment to osdep.h, explaining what the header is for
      and some rules to avoid circular-include difficulties.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit bfe7e449f14313f646da621288ca2fd12223414f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      osdep.h: Move some OS header includes and fixups from qemu-common.h

      qemu-common.h has some system header includes and fixups for
      things that might be missing. This is really an OS dependency
      and belongs in osdep.h, so move it across.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 1aad8104f3b69206da1f868639e1f69c26f6d482
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      qemu-common.h: Move Win32 fixups into os-win32.h

      qemu-common.h includes some fixups for things the Win32
      headers don't define or define weirdly. These really
      belong in os-win32.h, so move them there.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 24134c4e9126bf505b612e901c63a102fc471083
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      compiler.h: Use glue() in QEMU_BUILD_BUG_ON define

      Rather than rolling custom concatenate-strings macros for the
      QEMU_BUILD_BUG_ON macro to use, use the glue() macro we already
      have (since it's now available to us in this header).

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 4912086865083a008f4fb73173fd0ddf2206c4d9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      osdep.h: Move some compiler-specific things to compiler.h

      osdep.h has a few things which are really compiler specific;
      move them to compiler.h, and include compiler.h from osdep.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 71baf787d8fa2a5d186f22d8154069fd212be37f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      osdep.h: Remove qemu_printf

      qemu_printf is an ancient remnant which has been a simple #define to
      printf for over a decade, and is used in only a few places. Expand
      it out in those places and remove the #define.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 38e20cac669083e2e10a2a9a9602cb99ec19299e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      qapi/qmp-event.c: Don't manually include os-win32.h/os-posix.h

      qmp-event.c already includes qemu-common.h, so manually including
      os-win32.h/os-posix.h is unnecessary (and potentially fragile,
      since it's duplicating the #ifdef logic that chooses which of the
      two we need). Remove the unnecessary include logic.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 4c4a29cb681ec0374616e07c69714b909641e929
  Merge: 5452b6f 6c05d3d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 00:25:52 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-axp-201508018' into 
staging

      Alpha shadow register optimization

      # gpg: Signature made Tue 18 Aug 2015 19:09:41 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-axp-201508018:
        target-alpha: Inline hw_ret
        target-alpha: Inline call_pal
        target-alpha: Use separate TCGv temporaries for the shadow registers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6c05d3ded7b51154e67c35e270c48784b7046883
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 16 12:55:12 2014 -0700

      target-alpha: Inline hw_ret

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2f458b7c311f8d79028b04930f8c820b326fbcdd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 16 12:35:59 2014 -0700

      target-alpha: Inline call_pal

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 591243846f7d0dc59f482a89e241a6ce02d25fae
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 16 12:16:38 2014 -0700

      target-alpha: Use separate TCGv temporaries for the shadow registers

      This avoids having to manually swap them around when swapping to and
      from PALmode.  We simply encode the shadow registers into the translation.

      The VMStateDescription version changes, because the meaning of "shadow"
      changes in the save file when in PALmode.  It would be possible to fix
      this, but I don't think it's worth the effort.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 112e4518f0d38fc3c52e55c7d7e77b66a295ec2b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Aug 5 11:04:11 2015 -0700

      target-alpha: Special case cmpbge with zero

      Knowing the comparator is zero leads to a simpler operation.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5452b6f61ae943aff5c13cdd65fb476efff636d3
  Merge: 6b324b3 9504c54
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 18 17:06:41 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * SCSI fixes from Stefan and Fam
      * vhost-scsi fix from Igor and Lu Lina
      * a build system fix from Daniel
      * two more multi-arch-related patches from Peter C.
      * TCG patches from myself and Sergey Fedorov
      * RCU improvement from Wen Congyang
      * a few more simple cleanups

      # gpg: Signature made Fri 14 Aug 2015 22:41:52 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        disas: Defeature print_target_address
        hw: fix mask for ColdFire UART command register
        scsi-generic: identify AIO callbacks more clearly
        scsi-disk: identify AIO callbacks more clearly
        scsi: create restart bottom half in the right AioContext
        configure: only add CONFIG_RDMA to config-host.h once
        qemu-nbd: remove unnecessary qemu_notify_event()
        vhost-scsi: Clarify vhost_virtqueue_mask argument
        exec: use macro ROUND_UP for alignment
        rcu: Allow calling rcu_(un)register_thread() during synchronize_rcu()
        exec: drop cpu_can_do_io, just read cpu->can_do_io
        cpu_defs: Simplify CPUTLB padding logic
        cpu-exec: Do not invalidate original TB in cpu_exec_nocache()
        vhost/scsi: call vhost_dev_cleanup() at unrealize() time
        virtio-scsi-test: Add test case for tail unaligned WRITE SAME
        scsi-disk: Fix assertion failure on WRITE SAME
        tests: virtio-scsi: clear unit attention after reset
        scsi-disk: fix cmd.mode field typo
        virtio-scsi: use virtqueue_map_sg() when loading requests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5f2a80adc6fd2b2e4e0579a6613a9913e3cc9a05
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Aug 5 10:33:12 2015 -0700

      target-alpha: Rewrite helper_cmpbge using bit tests

      Not quite as good as using a proper host vector compare,
      but certainly better than a loop.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9504c5445cb709415aea509954a922983925c2d3
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Jul 5 13:50:32 2015 -0700

      disas: Defeature print_target_address

      It does not work in multi-arch as it requires the CPU specific
      TARGET_VIRT_ADDR_SPACE_BITS global define. Just use the generic
      version that does no masking. Targets should be responsible for
      passing in a sane virtual address.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<1436129432-16617-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 491ffc1f7ce857b88e9d310ce901ce033e45b75d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 24 13:55:51 2015 +0200

      hw: fix mask for ColdFire UART command register

      The "miscellaneous commands" part of the register is 3 bits wide.
      Spotted by Coverity and confirmed in the datasheet, downloadable from
      http://cache.freescale.com/files/32bit/doc/ref_manual/MCF5307BUM.pdf
      (figure 14-6).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fa0d653b06cec7b3188a733dc7394e030948018e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Jul 19 19:15:26 2015 +0200

      scsi-generic: identify AIO callbacks more clearly

      Functions that are not callbacks should assert that aiocb is NULL and
      have a SCSIGenericReq argument.

      AIO callbacks should assert that aiocb is not NULL.  They also have an
      opaque argument.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5fd2b563a7624959ae7f000202785a30279021f8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Jul 19 19:15:26 2015 +0200

      scsi-disk: identify AIO callbacks more clearly

      Functions that are not callbacks should assert that aiocb is NULL and
      have a non-opaque argument (usually a pointer to SCSIDiskReq).

      AIO callbacks should assert that aiocb is not NULL and take care of
      calling block_acct done.  They also have an opaque argument.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d223c10453f1a7909349fd3e52a6047295d0e94f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jul 22 16:38:17 2015 +0200

      scsi: create restart bottom half in the right AioContext

      This matches commit 4407c1c (virtio-blk: Schedule BH in the right context,
      2014-06-17), which did the same thing for virtio-blk.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 416471916542f30c49f2ed2187d634e9ad26d57d
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Jul 31 13:23:23 2015 +0100

      configure: only add CONFIG_RDMA to config-host.h once

      For unknown reasons (probably a git rebase merge mistake)

        commit 2da776db4846eadcb808598a5d3484d149773c05
        Author: Michael R. Hines <mrhines@xxxxxxxxxx>
        Date:   Mon Jul 22 10:01:54 2013 -0400

          rdma: core logic

      Adds CONFIG_RDMA to config-host.h twice, as can be seen
      in the generated file:

       $ grep CONFIG_RDMA config-host.h
       #define CONFIG_RDMA 1
       #define CONFIG_RDMA 1

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1438345403-32467-1-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 06832648e1dbd268d7b719b9a49df476af689c6d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 27 13:52:55 2015 +0200

      qemu-nbd: remove unnecessary qemu_notify_event()

      This was needed when qemu-nbd was using qemu_set_fd_handler2.  It is
      not needed anymore now that nbd_update_server_fd_handler is called
      whenever nbd_can_accept() can change from false to true.
      nbd_update_server_fd_handler will call qemu_set_fd_handler(),
      which will call qemu_notify_event().

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fe2d1a81d96e8ffe74974bd4b3ebc608f1f6a25d
  Author: Lu Lina <lina.lulina@xxxxxxxxxx>
  Date:   Mon Jul 27 14:25:59 2015 +0800

      vhost-scsi: Clarify vhost_virtqueue_mask argument

      vhost_virtqueue_mask takes an "absolute" virtqueue index, while the
      code looks like it's passing an index that is relative to
      s->dev.vq_index.  In reality, s->dev.vq_index is always zero, so
      this patch does not make any difference, but the code is clearer.

      Signed-off-by: Lu Lina <lina.lulina@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1437978359-17960-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9284f31994919c001b54af57fc7d1bbb0d19b6fd
  Author: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
  Date:   Fri Jul 24 11:12:03 2015 +0800

      exec: use macro ROUND_UP for alignment

      Use ROUND_UP instead.

      Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
      Message-Id: <1437707523-4910-1-git-send-email-chenhanxiao@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c097a60b100c10d79d8bd5c91ce804e865d7e70b
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Mon Jul 27 10:24:18 2015 +0800

      rcu: Allow calling rcu_(un)register_thread() during synchronize_rcu()

      If rcu_(un)register_thread() is called together with synchronize_rcu(),
      it will wait for the synchronize_rcu() to finish. But when 
synchronize_rcu()
      waits for some events, we can modify the list registry.
      We also use the lock rcu_gp_lock to assume that synchronize_rcu() isn't
      executed in more than one thread at the same time. Add a new mutex lock
      rcu_sync_lock to assume it and rename rcu_gp_lock to rcu_registry_lock.
      Release rcu_registry_lock when synchronize_rcu() waits for some events.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-Id: <55B59652.4090503@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 414b15c909c88e4cf5f10e80d033b3aa90bcc9e1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 24 14:16:26 2015 +0200

      exec: drop cpu_can_do_io, just read cpu->can_do_io

      After commit 626cf8f (icount: set can_do_io outside TB execution,
      2014-12-08), can_do_io is set to 1 if not executing code.  It is
      no longer necessary to make this assumption in cpu_can_do_io.

      It is also possible to remove the use_icount test, simply by
      never setting cpu->can_do_io to 0 unless use_icount is true.

      With these changes cpu_can_do_io boils down to a read of
      cpu->can_do_io.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6b324b3e5906fd9a9ce7f4f24decd1f1c7afde97
  Merge: 074a992 8887f84
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:06:44 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Fri 14 Aug 2015 16:01:19 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        tests: test rx recovery from cont
        tests: introduce basic pci test for virtio-net
        net/vmxnet3: Fix incorrect debug message

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 074a9925e1cfd659d5376dcaccd1436d3840e611
  Merge: 8e0adf6 e424aff
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 16:52:34 2015 +0100

      Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into 
staging

      # gpg: Signature made Fri 14 Aug 2015 14:54:27 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 
3057

      * remotes/cody/tags/block-pull-request:
        mirror: Fix coroutine reentrance
        block/mirror: limit qiov to IOV_MAX elements

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8e0adf64140ab93aba79be2f0227a47eda78e464
  Merge: be1f13a 92e11a1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 15:51:24 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Fri 14 Aug 2015 15:41:14 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        throttle: add throttle_max_is_missing_limit() test
        throttle: refuse bps_max/iops_max without bps/iops

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e424aff5f307227b1c2512bbb8ece891bb895cef
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Aug 13 10:41:50 2015 +0200

      mirror: Fix coroutine reentrance

      This fixes a regression introduced by commit dcfb3beb ("mirror: Do zero
      write on target if sectors not allocated"), which was reported to cause
      aborts with the message "Co-routine re-entered recursively".

      The cause for this bug is the following code in mirror_iteration_done():

          if (s->common.busy) {
              qemu_coroutine_enter(s->common.co, NULL);
          }

      This has always been ugly because - unlike most places that reenter - it
      doesn't have a specific yield that it pairs with, but is more
      uncontrolled.  What we really mean here is "reenter the coroutine if
      it's in one of the four explicit yields in mirror.c".

      This used to be equivalent with s->common.busy because neither
      mirror_run() nor mirror_iteration() call any function that could yield.
      However since commit dcfb3beb this doesn't hold true any more:
      bdrv_get_block_status_above() can yield.

      So what happens is that bdrv_get_block_status_above() wants to take a
      lock that is already held, so it adds itself to the queue of waiting
      coroutines and yields. Instead of being woken up by the unlock function,
      however, it gets woken up by mirror_iteration_done(), which is obviously
      wrong.

      In most cases the code actually happens to cope fairly well with such
      cases, but in this specific case, the unlock must already have scheduled
      the coroutine for wakeup when mirror_iteration_done() reentered it. And
      then the coroutine happened to process the scheduled restarts and tried
      to reenter itself recursively.

      This patch fixes the problem by pairing the reenter in
      mirror_iteration_done() with specific yields instead of abusing
      s->common.busy.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 1439455310-11263-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit d90dedfcd5b9faad105bf28b718c9477d8467e77
  Merge: be1f13a cae98cb
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Aug 14 09:41:30 2015 -0400

      Merge branch 'block-next' into HEAD

  commit be1f13ac9d9fc21908975460652a72f5f0c018c5
  Merge: 5c314a2 c855701
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 17:47:44 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150813' into 
staging

      MIPS patches 2015-08-13

      Changes:
      * mips32r5-generic CPU updated and renamed to P5600
      * improvements in LWL/LDL, logging and fulong2e

      # gpg: Signature made Thu 13 Aug 2015 17:10:59 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150813:
        target-mips: Use CPU_LOG_INT for logging related to interrupts
        hw/pci-host/bonito: Avoid buffer overrun for bad LDMA/COP accesses
        target-mips: simplify LWL/LDL mask generation
        target-mips: update mips32r5-generic into P5600

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c85570163bdf1ba29cb52a63f22ff1c48f1b9398
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 3 11:49:12 2015 -0700

      target-mips: Use CPU_LOG_INT for logging related to interrupts

      There are now no unconditional uses of qemu_log in the subdirectory.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 58d479786b11a7e982419c1e0905b8490ef9a787
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 30 16:33:42 2015 +0100

      hw/pci-host/bonito: Avoid buffer overrun for bad LDMA/COP accesses

      The LDMA and COP memory regions represent four 32 bit registers
      each, but the memory regions themselves are 0x100 bytes large.
      Add guards to the read and write accessors so that bogus accesses
      beyond the four defined registers don't just run off the end of
      the bonldma and boncop structs and into whatever lies beyond.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Acked-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit eb02cc3f89013612cb05df23b5441741e902bbd2
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jul 15 17:05:09 2015 +0200

      target-mips: simplify LWL/LDL mask generation

      The LWL/LDL instructions mask the GPR with a mask depending on the
      address alignement. It is currently computed by doing:

          mask = 0x7fffffffffffffffull >> (t1 ^ 63)

      It's simpler to generate it by doing:

          mask = ~(-1 << t1)

      It uses one TCG instruction less, and it avoids a 32/64-bit constant
      loading which can take a few instructions on RISC hosts.

      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit aff2bc6dc6d839caf6df0900437cc2cc9e180605
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Fri Jul 10 12:10:52 2015 +0100

      target-mips: update mips32r5-generic into P5600

      As full specification of P5600 is available, mips32r5-generic should
      be renamed to P5600 and corrected as its intention.
      Correct PRid and detail of configuration.
      Features which are not currently supported are described as FIXME.

      Fix Config.MM bit location

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: correct cache line sizes and LLAddr shift]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 5c314a2eb713f560d753cb194d194fd462cff719
  Merge: 425591e d31e5ae
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 15:07:34 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio,pc,acpi fixes, cleanups

      Mostly cleanups, notably Eduardo's compat code rework,
      and smbios rearrangement for use by ARM.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 13 Aug 2015 12:59:16 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (24 commits)
        MAINTAINERS: list smbios maintainers
        smbios: move smbios code into a common folder
        smbios: remove dependency on x86 e820 tables
        smbios: extract x86 smbios building code into a function
        acpi: avoid potential uninitialized access to cpu_hp_io_base
        virtio-net: remove useless codes
        pci: allow 0 address for PCI IO/MEM regions
        pc: Remove redundant arguments from pc_memory_init()
        pc: Remove redundant arguments from pc_cmos_init()
        pc: Remove redundant arguments from *load_linux()
        pc: Use PCMachineState as pc_guest_info_init() argument
        pc: Move {above,below}_4g_mem_size variables to PCMachineState
        pc: Use PCMachineState for pc_memory_init() argument
        pc: Use PCMachineState for pc_cmos_init() argument
        pc: Eliminate pc_default_machine_options()
        pc: Eliminate pc_common_machine_options()
        pc: Move PCMachineClass, PCMachineState to qemu/typedefs.h
        pc: Rename pc_machine variables to pcms
        pc: Use error_abort when registering properties
        target-i386: Remove x86_cpu_compat_set_features()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d31e5ae7f2c16de2caf752b7f7f903569fea894d
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Aug 12 12:17:36 2015 +0300

      MAINTAINERS: list smbios maintainers

      Now that smbios has its own directory, list its
      maintainers. Same people as ACPI so just reuse that
      entry.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 60d8f328b878ead45a5e5e347935097e3426bbd9
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Tue Aug 11 22:08:20 2015 -0400

      smbios: move smbios code into a common folder

      To share smbios among different architectures, this patch moves SMBIOS
      code (smbios.c and smbios.h) from x86 specific folders into new
      hw/smbios directories. As a result, CONFIG_SMBIOS=y is defined in
      x86 default config files.

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 89cc4a2760be800b5924dd705b1369bc29783c9f
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Tue Aug 11 22:08:19 2015 -0400

      smbios: remove dependency on x86 e820 tables

      Current smbios builds type 19 table from e820, which is x86 specific.
      This patch removes smbios' dependency on e820 by passing an array
      of memory area to smbios_get_tables().

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5fd0a9d410dc876ce134359c489d1d639ea32889
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Tue Aug 11 22:08:18 2015 -0400

      smbios: extract x86 smbios building code into a function

      This patch extracts out the procedure of buidling x86 SMBIOS tables
      into a dedicated function.

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 94aaca6457e52bb9c8a53af3c89bfeec40afadfc
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Jul 31 11:14:35 2015 +0100

      acpi: avoid potential uninitialized access to cpu_hp_io_base

      When building QEMU with Mingw64 toolchain I see a warning

       CC    x86_64-softmmu/hw/i386/acpi-build.o
        hw/i386/acpi-build.c: In function 'acpi_build':
        hw/i386/acpi-build.c:1138:9: warning: 'pm.cpu_hp_io_base' may be used 
uninitialized in this function [-Wmaybe-uninitialized]
                 aml_append(crs,
                 ^
        hw/i386/acpi-build.c:1666:16: note: 'pm.cpu_hp_io_base' was declared 
here
             AcpiPmInfo pm;
                        ^

      In acpi_get_pm_info() some of the fields are pre-initialized
      to 0, but this one was missed.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit bd89dd98b2b835bbff43f02f2e7c823eb0c61331
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Aug 3 13:20:38 2015 +0800

      virtio-net: remove useless codes

      After commit 40bad8f3deba15e2074ff34cfe923c12916b1cc5("virtio-net: fix
      used len for tx"), async_tx.len was no longer used afterwards. So
      remove useless codes with it.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e402463073ae51d00dc6cf98556e2f5c4b008a31
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Fri Jul 24 10:35:13 2015 +0200

      pci: allow 0 address for PCI IO/MEM regions

      Some kernels program a 0 address for io regions. PCI 3.0 spec
      section 6.2.5.1 doesn't seem to disallow this.

      based on patch by Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

      Add pci_allow_0_addr in MachineClass to conditionally
      allow addr 0 for pseries, as this can break other architectures.

      This patch allows to hotplug PCI card in pseries machine, as the first
      added card BAR0 is always set to 0 address.

      This as a temporary hack, waiting to fix PCI memory priorities for more
      machine types...

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c8d163bc9e037ec32b2250b2d7950b1d1bc3fd61
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:55 2015 -0300

      pc: Remove redundant arguments from pc_memory_init()

      Remove arguments that can be found in PCMachineState.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 880768546eabea369068f30f22e5d26aa4c6970b
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:54 2015 -0300

      pc: Remove redundant arguments from pc_cmos_init()

      Remove arguments that can be found in PCMachineState.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit df1f79fdbb98f948f0f9d77a5a48a643026ef31d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:53 2015 -0300

      pc: Remove redundant arguments from *load_linux()

      Remove arguments that can be found in PCMachineState.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b9cfc918ddcbbb5d3b8c1a47675b927cc25eb632
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:52 2015 -0300

      pc: Use PCMachineState as pc_guest_info_init() argument

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c0aa4e1ecbcad29bb9f1d654f930300b975c3ba8
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:51 2015 -0300

      pc: Move {above,below}_4g_mem_size variables to PCMachineState

      This will make the info readily available for the other initialization
      functions, and will allow us to simplify their argument list.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 62b160c02ca46f0b5a06cc4416c47708c7ffd76b
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:50 2015 -0300

      pc: Use PCMachineState for pc_memory_init() argument

      pc_memory_init() already expects a PCMachineState object, there's no
      point in upcasting it to MachineState before calling the function.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 23d3040704e8e2a10f3e21e2c6594b3a8c7b20db
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:49 2015 -0300

      pc: Use PCMachineState for pc_cmos_init() argument

      pc_cmos_init() already expects a PCMachineState object, there's no point
      in upcasting it to MachineState before calling the function.

      While doing it, reorder the arguments so PCMachineState is the first
      function argument.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4458fb3a7993249f466662b18ccae75f1a313200
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:48 2015 -0300

      pc: Eliminate pc_default_machine_options()

      The only PC machines that didn't call pc_default_machine_options() were
      isaps and xenfv. Both were already overwriting max_cpus, and only isapc
      was not overwriting hot_add_cpu.

      After making isapc set hot_add_cpu to NULL, we can move the
      pc_default_machine_options() code the PC common class_init.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 41742767bfa8127954b6f57b39b590adcde3ac6c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:47 2015 -0300

      pc: Eliminate pc_common_machine_options()

      All TYPE_PC_MACHINE subclasses call pc_common_machine_options().
      TYPE_PC_MACHINE can simply initialize the common options on class_init
      directly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8170dfa077761ed979b45f608cf706253a764f0d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:46 2015 -0300

      pc: Move PCMachineClass, PCMachineState to qemu/typedefs.h

      They will be used inside hw/xen/xen.h, which doesn't include
      hw/i386/pc.h.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ec68007a29bff36dab96ae3ea731c85b4b66fdca
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:45 2015 -0300

      pc: Rename pc_machine variables to pcms

      Make the code use the same variable name everywhere. "pcms" is already
      being used in existing code and it's shorter.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit dda65c7c4b9b4925bdd056c66d4e1ef5cf4a8fb8
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:44 2015 -0300

      pc: Use error_abort when registering properties

      No errors should happen when registering the properties, but we
      shouldn't silently ignore them if they happen.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e8963e5cecd4bb47ec3a7221ae591f278de6b5d0
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:43 2015 -0300

      target-i386: Remove x86_cpu_compat_set_features()

      The function is not used by PC code anymore and can be removed.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 27add3814157f5506672e85ff918d1b379ae8ac0
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:42 2015 -0300

      pc: Use PC_COMPAT_* for CPUID feature compatibility

      Now we can use compat_props to keep CPUID feature compatibility, using
      the boolean QOM properties for CPUID feature flags.

      This simplifies the compatibility code, and reduces duplication between
      pc_piix.c and pc_q35.c.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e33d22fab3ad64bedc1c9addb0a0fa437995c12a
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:15:31 2015 -0300

      piix: Document coreboot-specific RAM size config register

      The existing i440fx initialization code sets a PCI config register that
      isn't documented anywhere in the Intel 440FX datasheet. Register 0x57 is
      DRAMC (DRAM Control) and has nothing to do with the RAM size.

      This was implemented in commit ec5f92ce6ac8ec09056be77e03c941be188648fa
      because old coreboot code tried to read registers 0x5a-0x5f,0x56,0x57 to
      get the RAM size from QEMU, but I couldn't find out why coreboot did
      that. I assume it was a mistake, and the original code was supposed to
      be reading the DRB[0-7] registers (offsets 0x60-0x67).

      Document that coreboot-specific register offset in a macro and a
      comment, for future reference.

      Cc: Ed Swierk <eswierk@xxxxxxxxxxxxxxxxxx>
      Cc: Richard Smith <smithbone@xxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 27fa7479801ac23609110535a997b2e3ed6eb867
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Sun Aug 9 12:39:59 2015 +0300

      make: load only required dependency files.

      The old rules.mak loads dependency .d files using include directive
      with file glob pattern "*.d". This breaks the build when build tree has
      left-over *.d files from another build.

      This patch fixes this by
        - loading precise list of .d files made from *.o and *.mo.
        - specifying explicit list of required dependency info files for
           *.hex autogenerated sources.

      Note that Makefile still includes some .d in root directory by including
      "*.d".

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 998b7b1db4f61ee2784d8e9050c3dda15abd4425
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Sun Aug 9 12:39:53 2015 +0300

      make: fix where dependency *.d are stored.

      In rules like "bar/%.o: %.c" there is a difference between $(*D) and
      $(@D). $(*D) expands to '.', while $(@D) expands to 'bar'.  It is
      cleaner to generate *.d in the same directory where appropriate *.o
      resides. This allows precise including of dependency info from .d files.

      As a hack, we also touch two sources for generated *.hex files.  Without
      this hack, anyone doing "git pull; make" will not get *.hex rebuilt
      correctly since the dependency file would be missing.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 425591e3effb0bdd4dec2a5b0d092009ee1a8f32
  Merge: ca0e5d8 f7a6785
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 12:04:24 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150813' into staging

      target-arm queue:
       * i.MX code cleanup/refactorings
       * i.MX UART fix to work with uninitialized chardev
       * minor GIC code refactorings
       * implement the ARM Secure physical timer
       * implement the ARM Hypervisor timer

      # gpg: Signature made Thu 13 Aug 2015 11:40:56 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150813: (27 commits)
        i.MX: Fix UART driver to work with unitialized "chardev" device
        hw/cpu/a15mpcore: Wire up hyp and secure physical timer interrupts
        hw/arm/virt: Wire up secure timer interrupt
        target-arm: Add AArch32 banked register access to secure physical timer
        target-arm: Add the AArch64 view of the Secure physical timer
        target-arm: Add debug check for mismatched cpreg resets
        Introduce gic_class_name() instead of repeating condition
        hw/arm/gic: Kill code duplication
        Merge memory_region_init_reservation() into memory_region_init_io()
        i.MX: Fix Coding style for GPT emulator
        i.MX: Split GPT emulator in a header file and a source file
        i.MX: Fix Coding style for EPIT emulator
        i.MX: Split EPIT emulator in a header file and a source file
        i.MX: Fix Coding style for CCM emulator
        i.MX: Split CCM emulator in a header file and a source file
        i.MX: Fix Coding style for AVIC emulator.
        i.MX: Split AVIC emulator in a header file and a source file
        i.MX:Fix Coding style for UART emulator.
        i.MX: Move serial initialization to init/realize of DeviceClass.
        i.MX: Split UART emulator in a header file and a source file
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f7a6785e12d834d05200b0595070db453344b25d
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      i.MX: Fix UART driver to work with unitialized "chardev" device

      The "chardev" property initialization might have failed (for example 
because
      there are not enough chardevs provided by QEMU).

      The serial device emulator needs to be able to work with an uninitialized
      (NULL) chardev device pointer.

      This patch adds some missing tests on the chr pointer value before
      using it.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1438342461-18967-1-git-send-email-jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5dfaa75b4d96fe88858a98d947b97e697e2811e6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      hw/cpu/a15mpcore: Wire up hyp and secure physical timer interrupts

      Since we now support both the hypervisor and the secure physical timer, 
wire
      their interrupt lines up in the a15mpcore wrapper object.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1437047249-2357-5-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit a007b1f85813ef6450ad3e761e46c189e3f40e04
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      hw/arm/virt: Wire up secure timer interrupt

      Wire up the secure timer interrupt. Since we've defined
      that the plain old physical timer is the NS timer, we can
      drop the now-out-of-date comment about QEMU not having TZ.

      Use a data-driven loop to wire up the timer interrupts, since
      we now have four of them and the code is the same for each.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1437047249-2357-4-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 9ff9dd3c875956523bb4c19ca712e5d05aab3c65
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      target-arm: Add AArch32 banked register access to secure physical timer

      If EL3 is AArch32, then the secure physical timer is accessed via
      banking of the registers used for the non-secure physical timer.
      Implement this banking.

      Note that the access controls for the AArch32 banked registers
      remain the same as the physical-timer checks; they are not the
      same as the controls on the AArch64 secure timer registers.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1437047249-2357-3-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit b4d3978c2fdf944e428a46d2850dbd950b6fbe78
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      target-arm: Add the AArch64 view of the Secure physical timer

      On CPUs with EL3, there are two physical timers, one for Secure and one
      for Non-secure. Implement this extra timer and the AArch64 registers
      which access it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437047249-2357-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 49a661910c1374858602a3002b67115893673c25
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      target-arm: Add debug check for mismatched cpreg resets

      It's easy to accidentally define two cpregs which both try
      to reset the same underlying state field (for instance a
      clash between an AArch64 EL3 definition and an AArch32
      banked register definition). if the two definitions disagree
      about the reset value then the result is dependent on which
      one happened to be reached last in the hashtable enumeration.

      Add a consistency check to detect and assert in these cases:
      after reset, we run a second pass where we check that the
      reset operation doesn't change the value of the register.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436797559-20835-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit e6fbcbc4e57322a8de1307556e68a4cd6d0d8c8b
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      Introduce gic_class_name() instead of repeating condition

      This small inline returns correct GIC class name depending on whether we
      use KVM acceleration or not. Avoids duplicating the condition everywhere.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
4f26901be9b844b563673ce3ad08eeedbb7a7132.1438758065.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7926c210ab0c44fc3612461a50f487d16be98dca
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      hw/arm/gic: Kill code duplication

      Extracted duplicated initialization code from SW-emulated and KVM GIC
      implementations and put into gic_init_irqs_and_mmio()

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-id: 
8ea5b2781ef39cb5989420987fc73c70e377687d.1438758065.git.p.fedin@xxxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6d6d2abf2c2e52c0f404d0a31a963e945b0cc7ad
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      Merge memory_region_init_reservation() into memory_region_init_io()

      Just specifying ops = NULL in some cases can be more convenient than 
having
      two functions.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
78a379ab1b6b30ab497db7971ad336dad1dbee76.1438758065.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 68b85290c7e23cfa159e1a5058d959814c6fa289
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      i.MX: Fix Coding style for GPT emulator

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
cc7d1589e774e87c346b75a6c25e07957f436ced.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d647b26dc68a71db89a0c431841f1532ef7502e9
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Split GPT emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
e32fba56b9dae3cc7c83726550514b2d0c890ae0.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 565328fcc35f34242b29182313e4d7cf525d9b1c
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Fix Coding style for EPIT emulator

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
d8d70683c6a48ac318c1635595619cfb0eb31681.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 951cd00e924ed06a72f4c2831f4cf7be9e6b90ef
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Split EPIT emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
948927cab0c85da9a753c5f6d5501323d5604c8e.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c14875b2e1b70b470492a000e0bc0b19978d34a2
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Fix Coding style for CCM emulator

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
ff0b6720b1c55204e663f07be47c0203f6871084.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 282e74c83fd8af08d14fb1220a960e34b60e505f
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Split CCM emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
b1d6f990229b2608bbaba24f4ff359571c0b07da.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dbeedce78eea56ac4d482722291d6a7ebfd414d2
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Fix Coding style for AVIC emulator.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
01e1d9026220992405819f25640ebd5bb843fc93.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f250c6a7510e0069fdc7fd1fb76700db4daa9ddd
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      i.MX: Split AVIC emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
06829257e845d693be05c7d491134313c1615d1a.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fa2650a37e58877d889a726a47aadbf4578ef87e
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      i.MX:Fix Coding style for UART emulator.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
23ab872b7cd30b1399384fb26a2ebb75e9761d7b.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f6c64000f966d17ef1bead1e066f039d0be64d74
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      i.MX: Move serial initialization to init/realize of DeviceClass.

      Move constructor to DeviceClass methods
       * imx_serial_init
       * imx_serial_realize

      imx32_serial_properties is renamed to imx_serial_properties.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
6854bd75e2b5af312e04e760587e249dbaff807f.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cd0bda20874d65b5ac4ab6e69d3eec4f095a924b
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      i.MX: Split UART emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a51ef50fa222a614169056d5389a6d3ed6a63b04.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a5c6a584a74c9c66a07a2ce019bbdd3bcf4e4909
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      hw/arm/virt: Connect the Hypervisor timer

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436791864-4582-8-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0e3e858f6a88b3c3befe9c98227aec846c01d9a1
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      hw/arm/virt: Replace magic IRQ constants with macros

      Replace magic constants with macros from
      hw/arm/virt.h and hw/intc/arm_gic_common.h.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436791864-4582-7-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b0e66d95e4f587b5818d2760668301ee0871ba5e
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      target-arm: Add the Hypervisor timer

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1436791864-4582-6-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0e3eca4c26d6aa4f082db8e63fd81a16df061f3c
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      target-arm: Pass timeridx as argument to various timer functions

      Prepare for adding the Hypervisor timer, no functional change.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1436791864-4582-5-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d57b9ee84f6b2786f025712609edb259d0de086d
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      target-arm: Rename and move gt_cnt_reset

      Rename gt_cnt_reset to gt_timer_reset as the function really
      resets the timers and not the counters. Move the registration
      from counter regs to timer regs.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1436791864-4582-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0b6440afb807a80c6d64dcc987bcfed87e1ace17
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      target-arm: Add CNTHCTL_EL2

      Adds control for trapping selected timer and counter accesses to EL2.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436791864-4582-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit edac4d8a168b9c0c4a765bbc5507e46fa5557b78
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:17 2015 +0100

      target-arm: Add CNTVOFF_EL2

      Adds support for the virtual timer offset controlled by EL2.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436791864-4582-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca0e5d8b0d065a95d0f9042f71b2ace45b015596
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 11 23:15:55 2015 +0100

      Open 2.5 development tree

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5c79ae3615d5dafdf1bb09b7a356a3a005714e3d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 11 15:30:34 2015 +0100

      Update version for v2.4.0 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b4a4b8d0e0767c85946fd8fc404643bf5766351a
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Jul 5 14:08:53 2015 -0700

      cpu_defs: Simplify CPUTLB padding logic

      There was a complicated subtractive arithmetic for determining the
      padding on the CPUTLBEntry structure. Simplify this with a union.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<1436130533-18565-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 02d57ea115b7669f588371c86484a2e8ebc369be
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Jun 30 12:35:09 2015 +0300

      cpu-exec: Do not invalidate original TB in cpu_exec_nocache()

      Instead of invalidating an original TB in cpu_exec_nocache()
      prematurely, just save a link to it in the temporary generated TB. If
      cpu_io_recompile() is raised subsequently from the temporary TB,
      invalidate the original one as well. That allows reusing the original TB
      each time cpu_exec_nocache() is called to handle expired instruction
      counter in icount mode.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-Id: <1435656909-29116-1-git-send-email-serge.fdrv@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit cae98cb87d269c33d23b2bccd79bb8d99a60d811
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 1 15:45:50 2015 +0100

      block/mirror: limit qiov to IOV_MAX elements

      If mirror has more free buffers than IOV_MAX, preadv(2)/pwritev(2)
      EINVAL failures may be encountered.

      It is possible to trigger this by setting granularity to a low value
      like 8192.

      This patch stops appending chunks once IOV_MAX is reached.

      The spurious EINVAL failure can be reproduced with a qcow2 image file
      and the following QMP invocation:

        qmp.command('drive-mirror', device='virtio0', target='/tmp/r7.s1',
                    granularity=8192, sync='full', mode='absolute-paths',
                    format='raw')

      While the guest is running dd if=/dev/zero of=/var/tmp/foo oflag=direct
      bs=4k.

      Cc: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1435761950-26714-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 2d697366a14ce95da2e9a59ea9872d3034eb49e4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 5 17:02:58 2015 +0100

      Update version for v2.4.0-rc4 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0175409df42c20257171df87657dd705558aa94d
  Merge: e94867e 74aae7b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 5 16:02:00 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio fix for 2.4

      Fixes migration in virtio 1 mode.
      We still have a known bug with memory hotplug, it doesn't
      look like we can fix that in time for 2.4.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Wed 05 Aug 2015 15:57:39 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        virtio: fix 1.0 virtqueue migration

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e94867ed5f241008d0f53142b2704a075f9ed505
  Author: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Aug 4 16:48:25 2015 +0200

      block: don't register quorum driver if SHA256 support is unavailable

      Commit 488981a4 [block: convert quorum blockdrv to use crypto APIs]
      broke qemu-iotest 041 on hosts with GnuTLS < 2.10.0. It converted a
      compile-time check to a run-time check at device open time. The result
      is that we now advertise a feature (the quorum block driver) that will
      never work (on those hosts). There's no way (short of parsing
      human-readable error messages) for qemu-iotests or any other API
      consumer to recognise that the quorum block driver isn't _actually_
      available and shouldn't be used or tested.

      Move the run-time check to bdrv_quorum_init() to avoid registering the
      quorum block driver if we know it cannot work. This way API consumers
      can recognise it's unavailable.

      Fixes: 488981a4af396551a3178d032cc2b41d9553ada2
      Signed-off-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1438699705-21761-1-git-send-email-silbe@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 74aae7b22b8a67cf31937b2f4bdefe2881e799e9
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Wed Aug 5 17:50:07 2015 +0800

      virtio: fix 1.0 virtqueue migration

      1.0 does not requires physically-contiguous pages layout for a
      virtqueue. So we could not infer avail and used from desc. This means
      we need to migrate vring.avail and vring.used when host support virtio
      1.0. This fixes malfunction of virtio 1.0 device after migration.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 92e11a17612108b1729bde4ce61aad0cc1ce5889
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Aug 4 11:22:13 2015 +0100

      throttle: add throttle_max_is_missing_limit() test

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1438683733-21111-3-git-send-email-stefanha@xxxxxxxxxx

  commit ee2bdc33c913b7d765baa5aa338c29fb30a05c9a
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Aug 4 11:22:12 2015 +0100

      throttle: refuse bps_max/iops_max without bps/iops

      The bps_max/iops_max values are meaningless without corresponding
      bps/iops values.  Reported an error if bps_max/iops_max is given without
      bps/iops.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1438683733-21111-2-git-send-email-stefanha@xxxxxxxxxx

  commit 2be4f242b50a84bf360df02480b173bfed161107
  Merge: 426d0e7 27751aa
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 4 16:51:24 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-08-04

      # gpg: Signature made Tue 04 Aug 2015 16:49:42 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: fix IvyBridge xlevel in PC_COMPAT_2_3

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 27751aabd1e0359d84314bc230beccdef2168d1f
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Tue Aug 4 16:17:21 2015 +0200

      target-i386: fix IvyBridge xlevel in PC_COMPAT_2_3

      Previous patch changed xlevel and missed the compatibility code.

      Fixes: 3046bb5debc8 ("target-i386: emulate CPUID level of real hardware")
      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 426d0e7b7e031a1592292b3eb275483b341a2f28
  Merge: 260425a b7f26e5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 4 12:57:06 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150804' into 
staging

      MIPS patches 2015-08-04

      Changes:
      * fix semihosting for microMIPS R6
      * fix an abort when booting mips64 kernel with --enable-tcg-debug

      # gpg: Signature made Tue 04 Aug 2015 12:32:17 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150804:
        target-mips: Copy restrictions from ext/ins to dext/dins
        target-mips: fix semihosting for microMIPS R6

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b7f26e523914b982a1c1bfa8295f77ff9787c33c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 3 12:35:53 2015 -0700

      target-mips: Copy restrictions from ext/ins to dext/dins

      The checks in dins is required to avoid triggering an assertion
      in tcg_gen_deposit_tl.  The check in dext is just for completeness.
      Fold the other D cases in via fallthru.

      In this case the errant dins appears to be data, not code, as
      translation failed to stop after a break insn.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 060ebfef1a09b58fb219b3769b72efb407515bf1
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Mon Aug 3 13:01:19 2015 +0100

      target-mips: fix semihosting for microMIPS R6

      In semihosting mode the SDBBP 1 instructions should trigger UHI syscall,
      but in QEMU this does not happen for recently added microMIPS R6.
      Consequently bare metal microMIPS R6 programs supporting UHI will not run.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 8887f84c54f6e74124544d1700a205e5b6821b3d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Jul 17 15:25:54 2015 +0800

      tests: test rx recovery from cont

      Rx should be recovered after cont.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1437117954-16342-2-git-send-email-jasowang@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2af40254bf0cb49c50656eb8be172e111c9c70c6
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Jul 17 15:25:53 2015 +0800

      tests: introduce basic pci test for virtio-net

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1437117954-16342-1-git-send-email-jasowang@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b9f7c377df4f04e9119cb0e917438dd37ef34029
  Author: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 28 21:44:50 2015 +0300

      net/vmxnet3: Fix incorrect debug message

      From: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>

      In commit 80da311d81,
         "net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets"
      a debug message was introduced in vmxnet3_rx_need_csum_calculate() for
      an unlikely input condition.

      The message accidentally printed 'len' variable instead of 'pkt_len'.
      Fix, providing the correct argument.

      Signed-off-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Message-id: 
1438109090-18957-1-git-send-email-shmulik.ladkani@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 260425ab405ea76c44dd59744d05176d4f579a52
  Merge: e95edef 6cd3878
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 18:52:55 2015 +0100

      Merge remote-tracking branch 'remotes/sstabellini/tags/cve-2015-5166-tag' 
into staging

      cve-2015-5166

      # gpg: Signature made Mon 03 Aug 2015 15:27:44 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/cve-2015-5166-tag:
        Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e95edefbd0559e1d0aa09549641b5d9af1f96fac
  Merge: f60c871 8c6dc68
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 17:33:35 2015 +0100

      Merge remote-tracking branch 
'remotes/sstabellini/tags/xen-migration-2.4-tag' into staging

      xen-migration-2.4

      # gpg: Signature made Mon 03 Aug 2015 17:18:36 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-migration-2.4-tag:
        migration: Fix regression for xenfv and pc,accel=xen machine.
        migration: Fix global state with Xen.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8c6dc68f4cff9eef870497a19a5373dde9dbdcc2
  Author: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  Date:   Mon Aug 3 15:29:21 2015 +0100

      migration: Fix regression for xenfv and pc,accel=xen machine.

      This fix migration from the same QEMU version and from previous QEMU
      version.

      >From the global state section, we don't need runstate with Xen. Right 
now,
      the way the Xen toolstack knows when QEMU is ready is when QEMU reach
      "running" runstate.

      The configuration section and the section footers are not going to be
      present in previous version of QEMU with xenfv machine, so we skip them.

      The Xen toolstack libxenlight does not specify a particular version of the
      'pc' machine, so migration from older version of QEMU used by Xen to newer
      one would break due to missing "configuration" section and section 
footers.

      Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit c69adea462a97c02001b2dd1edd2a0692d27f5a2
  Author: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  Date:   Mon Aug 3 15:29:19 2015 +0100

      migration: Fix global state with Xen.

      When doing migration via the QMP command xen_save_devices_state, the
      current runstate is not store into the global state section. Also the
      current runstate is not the one we want on the receiver side.

      During migration, the Xen toolstack paused QEMU before save the devices
      state. Also, the toolstack expect QEMU to autostart when the migration is
      finished.
      So this patch store "running" as it's current runstate.

      Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit f60c87154ac722c528fd5582f7137914a93c5eec
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Fri Jul 24 16:47:37 2015 +0200

      configure: Drop vnc-ws feature from help text

      Commit 8e9b0d2 (ui: convert VNC websockets to use crypto APIs) dropped
      the --enable-vnc-ws option but forgot to update the help text. Fix this.

      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1437749257-3313-1-git-send-email-afaerber@xxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6cd387833d05e8ad31829d97e474dc420625aed9
  Author: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
  Date:   Mon Aug 3 13:56:57 2015 +0000

      Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)

      pci_piix3_xen_ide_unplug should completely unhook the unplugged
      IDEDevice from the corresponding BlockBackend, otherwise the next call
      to release_drive will try to detach the drive again.

      Suggested-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef
  Merge: bd80b59 8357946
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 13:09:10 2015 +0100

      Merge remote-tracking branch 
'remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request' into 
staging

      Pull request

      # gpg: Signature made Mon Aug  3 13:08:25 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request:
        rtl8139: check TCP Data Offset field (CVE-2015-5165)
        rtl8139: skip offload on short TCP header (CVE-2015-5165)
        rtl8139: check IP Total Length field (CVE-2015-5165)
        rtl8139: check IP Header Length field (CVE-2015-5165)
        rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
        rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
        rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8357946b15f0a31f73dd691b7da95f29318ed310
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:39:29 2015 +0100

      rtl8139: check TCP Data Offset field (CVE-2015-5165)

      The TCP Data Offset field contains the length of the header.  Make sure
      it is valid and does not exceed the IP data length.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4240be45632db7831129f124bcf53c1223825b0f
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:36:15 2015 +0100

      rtl8139: skip offload on short TCP header (CVE-2015-5165)

      TCP Large Segment Offload accesses the TCP header in the packet.  If the
      packet is too short we must not attempt to access header fields:

        tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
        int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c6296ea88df040054ccd781f3945fe103f8c7c17
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:34:40 2015 +0100

      rtl8139: check IP Total Length field (CVE-2015-5165)

      The IP Total Length field includes the IP header and data.  Make sure it
      is valid and does not exceed the Ethernet payload size.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 03247d43c577dfea8181cd40177ad5ba77c8db76
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:32:32 2015 +0100

      rtl8139: check IP Header Length field (CVE-2015-5165)

      The IP Header Length field was only checked in the IP checksum case, but
      is used in other cases too.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e1c120a9c54872f8a538ff9129d928de4e865cbd
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 14:30:37 2015 +0100

      rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)

      Transmit offload features access Ethernet and IP headers the packet.  If
      the packet is too short we must not attempt to access header fields:

        int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
        ...
        eth_payload_data = saved_buffer + ETH_HLEN;
        ...
        ip = (ip_header*)eth_payload_data;
        if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d6812d60e7932de3cd0f602c0ee63dd3d09f1847
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:17:28 2015 +0100

      rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)

      The previous patch stopped using the ip pointer as an indicator that the
      IP header is present.  When we reach the if (ip) {...} statement we know
      ip is always non-NULL.

      Remove the if statement to reduce nesting.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 39b8e7dcaf04cbdb926b478f825b160d852752b5
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:13:32 2015 +0100

      rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

      Transmit offload needs to parse packet headers.  If header fields have
      unexpected values the offload processing is skipped.

      The code currently uses nested ifs because there is relatively little
      input validation.  The next patches will add missing input validation
      and a goto label is more appropriate to avoid deep if statement nesting.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit bd80b5963f58c601f31d3186b89887bf8e182fb5
  Merge: ff90f84 c99d696
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 11:44:07 2015 +0100

      Merge remote-tracking branch 
'remotes/aurel/tags/pull-tcg-mips-s390-20150803' into staging

      TCG MIPS and S390 fixes for 2.4.

      # gpg: Signature made Mon Aug  3 09:09:59 2015 BST using RSA key ID 
1DDD8C9B
      # gpg: Good signature from "Aurelien Jarno <aurelien@xxxxxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurelien@xxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurel32@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 
8C9B

      * remotes/aurel/tags/pull-tcg-mips-s390-20150803:
        tcg/mips: fix add2
        tcg/s390x: Mask TCGMemOp appropriately for indexing
        tcg/mips: Mask TCGMemOp appropriately for indexing
        tcg/mips: fix TLB loading for BE host with 32-bit guests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff90f84e74d7c8641a493585ba9ea8d6e0d19855
  Merge: cb48f67 91ced51
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 10:44:23 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri Jul 31 23:24:06 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        ahci: fix ICC mask definition
        macio: re-add TRIM support

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c99d69694af4ed15b33e3f7c2e3ef6972c14358d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 31 16:38:25 2015 +0200

      tcg/mips: fix add2

      The add2 code in the tcg_out_addsub2 function doesn't take into account
      the case where rl == al == bl. In that case we can't compute the carry
      after the addition. As it corresponds to a multiplication by 2, the
      carry bit is the bit 31.

      While this is a corner case, this prevents x86-64 guests to boot on a
      MIPS host.

      Cc: qemu-stable@xxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 3c8691f568f49bf623dcb2850464d4156d95e61b
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jul 30 22:13:26 2015 +0200

      tcg/s390x: Mask TCGMemOp appropriately for indexing

      Commit 2b7ec66f fixed TCGMemOp masking following the MO_AMASK addition,
      but two cases were forgotten in the TCG S390 backend.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 4214a8cb7c15ec43d4b2a43ebf248b273a0f4d45
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jul 30 22:11:51 2015 +0200

      tcg/mips: Mask TCGMemOp appropriately for indexing

      Commit 2b7ec66f fixed TCGMemOp masking following the MO_AMASK addition,
      but two cases were forgotten in the TCG MIPS backend.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit e72c4fb81db52be881c9356f1c60e0a7817d2d32
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jul 30 23:39:34 2015 +0200

      tcg/mips: fix TLB loading for BE host with 32-bit guests

      For 32-bit guest, we load a 32-bit address from the TLB, so there is no
      need to compensate for the low or high part. This fixes 32-bit guests on
      big-endian hosts.

      Cc: qemu-stable@xxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 91ced514461e1a533bfb9e2eea32bd7df678b1cd
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Jul 21 14:02:01 2015 -0400

      ahci: fix ICC mask definition

      There are likely others that could be updated, but we'll
      go with a light touch for 2.4 for now.

      Without the Unsigned specifier, this shifts bits into the
      signed bit, which makes clang unhappy and could cause
      unwanted behavior.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1437501721-24495-1-git-send-email-jsnow@xxxxxxxxxx

  commit 0e826a061a3e8e8485488a7da02cc139fc07d620
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jul 29 21:27:48 2015 +0200

      macio: re-add TRIM support

      Commit bd4214fc dropped TRIM support by mistake. Given it is still
      advertised to the host when using a drive with discard=on, this cause
      the IDE bus to hang when the host issues a TRIM command.

      This patch fixes that by re-adding the TRIM code, ported to the new
      new DMA implementation.

      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-id: 1438198068-32428-1-git-send-email-aurelien@xxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit af103c9310b7ab56a2552965d9d1274b0024f27b
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Thu Jul 30 15:29:59 2015 +0200

      vhost/scsi: call vhost_dev_cleanup() at unrealize() time

      vhost-scsi calls vhost_dev_init() at realize() time
      but forgets to call it's counterpart vhost_dev_cleanup()
      at unrealize() time.

      Calling it should fix leaking of memory table and
      mem_sections table in vhost device. And also unregister
      vhost's memory listerner to prevent access from
      memory core to freed memory.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-Id: <1438262999-287627-1-git-send-email-imammedo@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 975b66555cb56af453c6852e7e821e2451700527
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 29 16:45:12 2015 +0800

      virtio-scsi-test: Add test case for tail unaligned WRITE SAME

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1438159512-3871-3-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a56537a12757a8cdee24ad8c83e5af7a9833ea70
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 29 16:45:11 2015 +0800

      scsi-disk: Fix assertion failure on WRITE SAME

      The last portion of an unaligned WRITE SAME command could fail the
      assertion in bdrv_aligned_pwritev:

          assert(!qiov || bytes == qiov->size);

      Because we updated data->iov.iov_len right above this if block, but
      data->qiov still has the old size.

      Reinitialize the qiov to make them equal and keep block layer happy.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1438159512-3871-2-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4bb7b0daf8ea34bcc582642d35a2e4902f7841db
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 30 14:16:13 2015 +0100

      tests: virtio-scsi: clear unit attention after reset

      The unit attention after reset (power on) prevents normal commands from
      running.  The unaligned WRITE SAME test never executed its command!

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1438262173-11546-4-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c85a7a0057ca454607a40cde991d495e0deec34d
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 30 14:16:12 2015 +0100

      scsi-disk: fix cmd.mode field typo

      The cmd.xfer field is the data length.  The cmd.mode field is the data
      transfer direction.

      scsi_handle_rw_error() was using the wrong error policy for read
      requests.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1438262173-11546-3-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1cc933453bf2baae1feb7c8e757bdfd0ef639002
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 30 14:16:11 2015 +0100

      virtio-scsi: use virtqueue_map_sg() when loading requests

      The VirtQueueElement struct is serialized during migration but the
      in_sg[]/out_sg[] iovec arrays are not usable on the destination host
      because the pointers are meaningless.

      Use virtqueue_map_sg() to refresh in_sg[]/out_sg[] to valid pointers
      based on in_addr[]/out_addr[] hwaddrs.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1438262173-11546-2-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit cb48f67ad8c7b33c617d4f8144a27706e69fd688
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Jul 29 11:40:52 2015 -0700

      bsd-user: Fix operand to cpu_x86_exec

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438195252-21968-1-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7008d580acad326148a725bd20695882ba10247a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 29 18:50:11 2015 +0100

      Update version for v2.4.0-rc3 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 46739a2d7ace71b43cacf73ea71c10429db0d5e8
  Merge: b83d017 ca96ac4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 29 17:08:38 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      Pull request

      These fixes make dataplane work again after the notify_me optimization was
      added.  They also solve QEMUBH memory leaks and fix a bug in dataplane's
      cleanup code.

      # gpg: Signature made Wed Jul 29 14:50:26 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        AioContext: force event loop iteration using BH
        AioContext: avoid leaking BHs on cleanup
        virtio-blk-dataplane: delete bottom half before the AioContext is freed

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca96ac44dcd290566090b2435bc828fded356ad9
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Jul 28 18:34:09 2015 +0200

      AioContext: force event loop iteration using BH

      The notify_me optimization introduced in commit eabc97797310
      ("AioContext: fix broken ctx->dispatching optimization") skips
      event_notifier_set() calls when the event loop thread is not blocked in
      ppoll(2).

      This optimization causes a deadlock if two aio_context_acquire() calls
      race.  notify_me = 0 during the race so the winning thread can enter
      ppoll(2) unaware that the other thread is waiting its turn to acquire
      the AioContext.

      This patch forces ppoll(2) to return by scheduling a BH instead of
      calling aio_notify().

      The following deadlock with virtio-blk dataplane is fixed:

        qemu ... -object iothread,id=iothread0 \
                 -drive if=none,id=drive0,file=test.img,... \
                 -device virtio-blk-pci,iothread=iothread0,drive=drive0

      This command-line results in a hang early on without this patch.

      Thanks to Paolo Bonzini <pbonzini@xxxxxxxxxx> for investigating this bug
      with me.

      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1438101249-25166-4-git-send-email-pbonzini@xxxxxxxxxx
      Message-Id: <1438014819-18125-3-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a076972a4d36381d610a854f0c336507650a1d34
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Jul 28 18:34:08 2015 +0200

      AioContext: avoid leaking BHs on cleanup

      BHs are freed during aio_bh_poll().  This leads to memory leaks if there
      is no aio_bh_poll() between qemu_bh_delete() and aio_ctx_finalize().

      Suggested-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1438101249-25166-3-git-send-email-pbonzini@xxxxxxxxxx
      Message-Id: <1438014819-18125-2-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fed105e2756dde98efa5e80baca02ae516dd1e51
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 28 18:34:07 2015 +0200

      virtio-blk-dataplane: delete bottom half before the AioContext is freed

      Other uses of aio_bh_new are safe as long as all scheduled bottom
      halves are run before an iothread is destroyed, which bdrv_drain will
      ensure:

      - archipelago_finish_aiocb: BH deletes itself

      - inject_error: BH deletes itself

      - blkverify_aio_bh: BH deletes itself

      - abort_aio_request: BH deletes itself

      - curl_aio_readv: BH deletes itself

      - gluster_finish_aiocb: BH deletes itself

      - bdrv_aio_rw_vector: BH deletes itself

      - bdrv_co_maybe_schedule_bh: BH deletes itself

      - iscsi_schedule_bh, iscsi_co_generic_cb: BH deletes itself

      - laio_attach_aio_context: deleted in laio_detach_aio_context,
      called through bdrv_detach_aio_context before deleting the iothread

      - nfs_co_generic_cb: BH deletes itself

      - null_aio_common: BH deletes itself

      - qed_aio_complete: BH deletes itself

      - rbd_finish_aiocb: BH deletes itself

      - dma_blk_cb: BH deletes itself

      - virtio_blk_dma_restart_cb: BH deletes itself

      - qemu_bh_new: main loop AioContext is never destroyed

      - test-aio.c: bh_delete_cb deletes itself, otherwise deleted in
      the same function that calls aio_bh_new

      Reported-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1438101249-25166-2-git-send-email-pbonzini@xxxxxxxxxx
      Message-Id: <1438086628-13000-1-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b83d017d88b2c4710c7a4614ecf9f845e4db80ba
  Merge: 170f209 7bba83b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 19:02:04 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      Pull request

      These two .can_receive() are now reviewed.  The net subsystem queue for 
2.4 is now empty.

      # gpg: Signature made Tue Jul 28 13:26:03 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        xen: Drop net_rx_ok
        hw/net: handle flow control in mcf_fec driver receiver

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 170f209d7848dc2f14b3f3dccc34a49558680d4d
  Merge: 8b89b3a c147b51
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 17:09:56 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio fixes for 2.4

      Mostly virtio 1 spec compliance fixes.
      We are unlikely to make it perfectly compliant in
      the first release, but it seems worth it to try.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jul 27 21:55:48 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        virtio: minor cleanup
        acpi: fix pvpanic device is not shown in ui
        virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device
        virtio-blk: fail get_features when both scsi and 1.0 were set
        virtio: get_features() can fail
        virtio-pci: fix memory MR cleanup for modern
        virtio: set any_layout in virtio core
        virtio-9p: fix any_layout
        virtio-serial: fix ANY_LAYOUT
        virtio: hide legacy features from modern guests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8b89b3a8df0a7d1ddbc9744f66a495986af667ca
  Merge: 5e868d2 52579c6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 15:25:24 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150728' into 
staging

      MIPS patches 2015-07-28

      Changes:
      * net/dp8393x fixes
      * Vectored Interrupts bug fix
      * fix for a bug in machine.c which was provoking a warning on FreeBSD

      # gpg: Signature made Tue Jul 28 10:47:19 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150728:
        net/dp8393x: do not use memory_region_init_rom_device with NULL
        net/dp8393x: remove check of runt packets
        net/dp8393x: disable user creation
        target-mips: fix offset calculation for Interrupts
        target-mips: fix passing incompatible pointer type in machine.c

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5e868d2e5e4aff76bdef787e44bc2d1eca18901f
  Merge: 9f8c5b6 52c91da
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 14:19:16 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * crypto fixes
      * megasas SIGSEGV fix
      * memory refcount change to fix virtio hot-unplug

      # gpg: Signature made Tue Jul 28 08:29:07 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        memory: do not add a reference to the owner of aliased regions
        megasas: Add write function to handle write access to PCI BAR 3
        crypto: extend unit tests to cover decryption too
        crypto: fix built-in AES decrypt function

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9f8c5b69c2b9ca8b9c3e569b0f41bd60a0b9e9fe
  Merge: 776f878 325e390
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 13:22:57 2015 +0100

      Merge remote-tracking branch 
'remotes/cody/tags/jtc-for-upstream-pull-request' into staging

      # gpg: Signature made Tue Jul 28 05:22:29 2015 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 
3057

      * remotes/cody/tags/jtc-for-upstream-pull-request:
        block/ssh: Avoid segfault if inet_connect doesn't set errno.
        sheepdog: serialize requests to overwrapping area

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7bba83bf80eae9c9e323319ff40d0ca477b0a77a
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue Jul 28 17:52:56 2015 +0800

      xen: Drop net_rx_ok

      Let net_rx_packet() (which checks the same conditions) drops the packet
      if the device is not ready. Drop net_xen_info.can_receive and update the
      return value for the buffer full case.

      We rely on the qemu_flush_queued_packets() in net_event() to wake up
      the peer when the buffer becomes available again.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1438077176-378-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 776f87845137a9b300a4815ba6bf6879310795aa
  Merge: 84a29c7 226d007
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 11:28:44 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-07-27' into staging

      trivial patches for 2015-07-27

      # gpg: Signature made Mon Jul 27 20:50:14 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-07-27:
        gdbstub: Set current CPU on interruptions
        qapi: add missing @
        Fix Cortex-A9 global timer
        gitignore: Ignore shader generated files
        vmstate: remove unused declaration
        make: Clean build messages
        qemu-common.h: Document cutils.c string functions
        device_tree: Fix a typo
        hw/acpi/ich9: clean up stale comment about KVM not supporting SMM
        hw/acpi/ich9: clear smi_en on reset

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff1d2ac949dc94d8a0e71fd46939fb69c2ef075b
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Tue Jul 28 11:02:54 2015 +1000

      hw/net: handle flow control in mcf_fec driver receiver

      The network mcf_fec driver emulated receive side method is not dealing
      with network queue flow control properly.

      Modify the receive side to check if we have enough space in the
      descriptors to store the current packet. If not we process none of it
      and return 0. When the guest frees up some buffers through its descriptors
      we signal the qemu net layer to send more packets.

      [Fixed coding style: 4-space indent and curly braces on if statement.
      --Stefan]

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Message-id: 1438045374-10358-1-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 52579c681cb12bf64de793e85edc50d990f4d42f
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Sun Jul 26 22:32:55 2015 +0200

      net/dp8393x: do not use memory_region_init_rom_device with NULL

      Replace memory_region_init_rom_device() with memory_region_init_ram() and
      memory_region_set_readonly().
      This fixes a guest-triggerable QEMU crash when guest tries to write to 
PROM.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: shorten subject length]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 30dfa9a46cd845db3f43f5c11b129f4a50941b02
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Fri Jul 24 20:42:23 2015 +0200

      net/dp8393x: remove check of runt packets

      Ethernet requires that messages are at least 64 bytes on the wire. This
      limitation does not exist on emulation (no wire message), so remove the
      check. Netcard is now able to receive small network packets.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f6351288b65130deb8102b17143f5d84f817a02a
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Fri Jul 24 20:42:21 2015 +0200

      net/dp8393x: disable user creation

      Netcard needs an address space to write data to, which can't be specified
      on command line.
      This fixes a crash when user starts QEMU with "-device dp8393x"

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 84a29c7efd02baa97b0d60d1e59e8357f7a5e0f1
  Merge: f8787f8 77c102c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 09:11:48 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches for 2.4.0-rc3

      # gpg: Signature made Mon Jul 27 16:19:17 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        block: qemu-iotests - add check for multiplication overflow in vpc
        block: vpc - prevent overflow if max_table_entries >= 0x40000000

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit da52a4dfcc4864fd2260ec4eab331f75b1f0240b
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Fri Jul 10 12:10:02 2015 +0100

      target-mips: fix offset calculation for Interrupts

      Correct computation of vector offsets for EXCP_EXT_INTERRUPT.
      For instance, if Cause.IV is 0 the vector offset should be 0x180.

      Simplify the finding vector number logic for the Vectored Interrupts.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: cosmetic changes]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 8bcbb834a015432bfb4d09a883c21f017eadd978
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Wed Jul 22 14:59:23 2015 +0100

      target-mips: fix passing incompatible pointer type in machine.c

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 325e3904210c779a13fbbc9ee156056d045d7eee
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Wed Jul 22 14:27:47 2015 +0100

      block/ssh: Avoid segfault if inet_connect doesn't set errno.

      On some (but not all) systems:

        $ qemu-img create -f qcow2 overlay -b ssh://xen/
        Segmentation fault

      It turns out this happens when inet_connect returns -1 in the
      following code, but errno == 0.

        s->sock = inet_connect(s->hostport, errp);
        if (s->sock < 0) {
            ret = -errno;
            goto err;
        }

      In the test case above, no host called "xen" exists, so getaddrinfo fails.

      On Fedora 22, getaddrinfo happens to set errno = ENOENT (although it
      is *not* documented to do that), so it doesn't segfault.

      On RHEL 7, errno is not set by the failing getaddrinfo, so ret =
      -errno = 0, so the caller doesn't know there was an error and
      continues with a half-initialized BDRVSSHState struct, and everything
      goes south from there, eventually resulting in a segfault.

      Fix this by setting ret to -EIO (same as block/nbd.c and
      block/sheepdog.c).  The real error is saved in the Error** errp
      struct, so it is printed correctly:

        $ ./qemu-img create -f qcow2 overlay -b ssh://xen/
        qemu-img: overlay: address resolution failed for xen:22: No address 
associated with hostname

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reported-by: Jun Li
      BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1147343
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 6a55c82cece217ab99ed95a412fa7ddf5d5f257b
  Author: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
  Date:   Sat Jul 18 01:44:24 2015 +0900

      sheepdog: serialize requests to overwrapping area

      Current sheepdog driver only serializes create requests in oid
      unit. This mechanism isn't enough for handling requests to
      overwrapping area spanning multiple oids, so it can result bugs like
      below:
      https://bugs.launchpad.net/sheepdog-project/+bug/1456421

      This patch adds a new serialization mechanism for the problem. The
      difference from the old one is:
      1. serialize entire aiocb if their targetting areas overwrap
      2. serialize all requests (read, write, and discard), not only creates

      This patch also removes the old mechanism because the new one can be
      an alternative.

      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Teruaki Ishizaki <ishizaki.teruaki@xxxxxxxxxxxxx>
      Cc: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Signed-off-by: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
      Tested-by: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 52c91dac6bd891656f297dab76da51fc8bc61309
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 27 16:29:56 2015 +0200

      memory: do not add a reference to the owner of aliased regions

      Very often the owner of the aliased region is the same as the owner of 
the alias
      region itself.  When this happens, the reference count can never go back 
to 0 and
      the owner is leaked.  This is for example breaking hot-unplug of 
virtio-pci
      devices (the device cannot be plugged back again with the same id).

      Another common use for alias is to transform the system I/O address space
      into an MMIO regions; in this case the aliased region never dies, so there
      is no problem.  Otherwise the owner is always the same for aliasing
      and aliased region.

      I checked all calls to memory_region_init_alias introduced after commit
      dfde4e6 (memory: add ref/unref calls, 2013-05-06) and they do not need the
      reference in order to keep the owner of the aliased region alive.

      Reported-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 55875fc4ca45a35e36134663ade946d86fe7bfcd
  Author: Salva Peiró <speirofr@xxxxxxxxx>
  Date:   Mon Jul 27 10:51:52 2015 +0200

      megasas: Add write function to handle write access to PCI BAR 3

      This patch fixes a QEMU SEGFAULT when a write operation is performed on
      the memory region of the PCI BAR 3 (base address space).
      When a writeb(0xe0000000) is performed the .write function is invoked to
      handle the write access, however, since the .write is not initialised,
      the call to 0, causes QEMU to SEGFAULT.

      Signed-off-by: Salva Peiró <speirofr@xxxxxxxxx>
      Acked-by: Hannes Reinecke <hare@xxxxxxxx>
      Message-Id: <1437987112-24744-1-git-send-email-speirofr@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c147b5153e733a14fc65d2098e7036754c185ad1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jul 27 18:39:37 2015 +0300

      virtio: minor cleanup

      There's no need for blk to set ANY_LAYOUT, it's
      done by virtio core as necessary.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8ef3ea253b5aaaa00f3b9999f3ff19e74cfa26f8
  Author: Gal Hammer <ghammer@xxxxxxxxxx>
  Date:   Sun Jul 26 11:00:51 2015 +0300

      acpi: fix pvpanic device is not shown in ui

      Commit 2332333c added a _STA method that hides the device. The fact
      that the device is not shown in the gui make it harder to install its
      Windows' device.

      https://bugzilla.redhat.com/show_bug.cgi?id=1238141

      Signed-off-by: Gal Hammer <ghammer@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 226d007dbd75ec8d0f12d0f9e1ce66caf55d49e4
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Fri Jul 24 18:52:31 2015 +0200

      gdbstub: Set current CPU on interruptions

      gdb expects that the thread ID for c and g-class operations is set to
      the CPU we provide when reporting VM stop conditions. If the stub is
      still tuned to a different CPU, the wrong information is delivered to
      the gdb frontend.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 801db5ecdac7575a1b0250243eea1767da553e50
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jul 3 11:51:01 2015 +0200

      qapi: add missing @

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 786f9ce20382704249883d7052f6869011d44281
  Author: Johannes Schlatow <schlatow@xxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 17:45:41 2015 +0200

      Fix Cortex-A9 global timer

      The auto increment bit of the timer control register was wrongly
      defined.

      See Cortex-A9 MPcore Technical Reference Manual, Section 4.4.2.

      Signed-off-by: Johannes Schlatow <schlatow@xxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7e71e111e0544ec35af40c3dc29f21697c8f17bf
  Author: Michal Privoznik <mprivozn@xxxxxxxxxx>
  Date:   Tue Jun 23 14:30:20 2015 +0200

      gitignore: Ignore shader generated files

      As of d98bc0b65 there are two files that are automatically generated:
      ui/shader/texture-blit-frag.h and /ui/shader/texture-blit-vert.h. None
      of them is wanted to be tracked by git. Put them into the ignore file
      then.

      Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7155f2ca9d66f5598fd8d071e71d6758019a6e48
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Jun 23 18:41:27 2015 +0200

      vmstate: remove unused declaration

      Since 38e0735e, register_device_unmigratable() has been removed

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f6288b9c88bae7d76d8bfe17e672976d79079296
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Jul 18 16:54:32 2015 +0200

      make: Clean build messages

      We want to have uniform build messages, so fix some messages
      which did not follow the standard pattern.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ab6036630865eff8bb12dd51dfa6921b4607fc81
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Jul 19 21:34:22 2015 +0100

      qemu-common.h: Document cutils.c string functions

      Add documentation comments for various utility string functions
      which we have implemented in util/cutils.c:
       pstrcpy()
       strpadcpy()
       pstrcat()
       strstart()
       stristart()
       qemu_strnlen()
       qemu_strsep()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit cc47a16bcbbc2d1f79511799ca3625c6522f5838
  Author: Kamalesh Babulal <kamalesh@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 24 13:48:13 2015 +0530

      device_tree: Fix a typo

      Fix spelling of 'allocting' -> 'allocating'.

      Signed-off-by: Kamalesh Babulal <kamalesh@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f3c30aeaa7888aee96a1fa28f259fb8312d47ab2
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jul 24 20:16:01 2015 +0200

      hw/acpi/ich9: clean up stale comment about KVM not supporting SMM

      Commit fba72476c6 ("ich9: add smm_enabled field and arguments") detached
      SMM availability from kvm_enabled(). However, the comment in pm_reset()
      was not updated; let's do it now.

      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Igor Mammedov <imammedo@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: qemu-trivial@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit be66680e8320d612f1c96096a217e642e458f47b
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jul 24 20:16:00 2015 +0200

      hw/acpi/ich9: clear smi_en on reset

      Otherwise on reboot firmware might think (due to APMC_EN remaining set
      from the previous boot) that SMI support is absent.

      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Igor Mammedov <imammedo@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: qemu-trivial@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f8787f8723eaca1be99e3b1873e54de163fffa93
  Merge: edec47c bbeb823
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 27 19:37:09 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150727' into 
staging

      Fix buglets for 2.4

      # gpg: Signature made Mon Jul 27 15:26:48 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150727:
        tcg: mark temps as mem_coherent = 0 for mov with a constant
        tcg: correctly mark dead inputs for mov with a constant

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit edec47cfef96209987cb7922286cb384916aae02
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Jul 24 13:42:55 2015 +0200

      main-loop: fix qemu_notify_event for aio_notify optimization

      aio_notify can be optimized away, and in fact almost always will.  
However,
      qemu_notify_event is used in places where this is incorrect---most 
notably,
      when handling SIGTERM.  When aio_notify is optimized away, it is possible 
that
      QEMU enters a blocking ppoll immediately afterwards and stays there, 
without
      reaching main_loop_should_exit().

      Fix this by using a bottom half.  The bottom half can be optimized too, 
but
      scheduling it is enough for the ppoll not to block.  The hang is thus 
avoided.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1437738175-23624-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 77c102c26ead946fe7589d4bddcdfa5cb431ebfe
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Jul 24 10:26:52 2015 -0400

      block: qemu-iotests - add check for multiplication overflow in vpc

      This checks that VPC is able to successfully fail (without segfault)
      on an image file with a max_table_entries that exceeds 0x40000000.

      This table entry is within the valid range for VPC (although too large
      for this sample image).

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b15deac79530d818092cb49a8021bcce83d71b5b
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Jul 24 10:26:51 2015 -0400

      block: vpc - prevent overflow if max_table_entries >= 0x40000000

      When we allocate the pagetable based on max_table_entries, we multiply
      the max table entry value by 4 to accomodate a table of 32-bit integers.
      However, max_table_entries is a uint32_t, and the VPC driver accepts
      ranges for that entry over 0x40000000.  So during this allocation:

      s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);

      The size arg overflows, allocating significantly less memory than
      expected.

      Since qemu_try_blockalign() size argument is size_t, cast the
      multiplication correctly to prevent overflow.

      The value of "max_table_entries * 4" is used elsewhere in the code as
      well, so store the correct value for use in all those cases.

      We also check the Max Tables Entries value, to make sure that it is <
      SIZE_MAX / 4, so we know the pagetable size will fit in size_t.

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3737129917c918767cdb8acd8ca6b342c45fa154
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 18:28:08 2015 +0100

      configure: Work around broken static pkg-config info for Ubuntu gnutls

      Unfortunately Ubuntu's pkg-config information for gnutls is broken
      for the static linking case, and outputs --libs options which the
      compiler does not recognize. Work around this problem by testing
      that the --cflags/--libs output will at least allow compilation
      before enabling gnutls support.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1437758888-22486-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit c9b11f971cfa1fd3eed716f62f4b835553b75490
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Jul 27 17:49:21 2015 +0800

      virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device

      Chapter 6.3 of spec said

      "
      Transitional devices MUST offer, and if offered by the device
      transitional drivers MUST accept the following:

      VIRTIO_F_ANY_LAYOUT (27)
      "

      So this patch only clear VIRTIO_F_LAYOUT for legacy device.

      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit efb8206ca7f19f5a6ece1f2851a73a29de309b1e
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Jul 27 17:49:20 2015 +0800

      virtio-blk: fail get_features when both scsi and 1.0 were set

      SCSI passthrough was no longer supported in virtio 1.0, so this patch
      fail the get_features() when both 1.0 and scsi is set. And also only
      advertise VIRTIO_BLK_F_SCSI for legacy virtio-blk device.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9d5b731dd2d64deb3bc798ef4e3c08603d54ae02
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Jul 27 17:49:19 2015 +0800

      virtio: get_features() can fail

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 27462695cde2a2208b1ff8074c2e917b8203590b
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jul 27 11:06:17 2015 +0300

      virtio-pci: fix memory MR cleanup for modern

      Each memory_region_add_subregion must be paired with
      memory_region_del_subregion.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bbeb82395eaca0e3c38b433b2d2a5bad4a5fbd81
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:55:58 2015 +0200

      tcg: mark temps as mem_coherent = 0 for mov with a constant

      When a constant has to be loaded in a mov op, we fail to set
      mem_coherent = 0. This patch fixes that.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1437994568-7825-3-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7df69deadf2f25c19b3ac121404ee31f71dce845
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:55:57 2015 +0200

      tcg: correctly mark dead inputs for mov with a constant

      When tcg_reg_alloc_mov propagate a constant, we failed to correctly mark
      a temp as dead if the liveness analysis hints so. This fixes the
      following assert when configure with --enable-debug-tcg:

        qemu-x86_64: tcg/tcg.c:1827: tcg_reg_alloc_bb_end: Assertion 
`ts->val_type == TEMP_VAL_DEAD' failed.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Reported-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1437994568-7825-2-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 122e7dab8ac549c8c5a9e1e13aa2464190e888de
  Merge: e40db4c f9f7492
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 27 14:53:42 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      Pull request

      Here are NIC fixes from Fam Zheng that prevent rx hangs (caused by NIC 
models
      where .can_receive() stops rx but qemu_flush_queued_packets() isn't 
called).

      # gpg: Signature made Mon Jul 27 14:51:48 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        axienet: Flush queued packets when rx is done
        dp8393x: Flush packets when link comes up
        stellaris_enet: Flush queued packets when read done
        mipsnet: Flush queued packets when receiving is enabled
        milkymist-minimac2: Flush queued packets when link comes up
        mcf_fec: Drop mcf_fec_can_receive
        etsec: Flush queue when rx buffer is consumed
        etsec: Move etsec_can_receive into etsec_receive
        usbnet: Drop usbnet_can_receive
        eepro100: Drop nic_can_receive
        pcnet: Drop pcnet_can_receive
        xgmac: Drop packets with eth_can_rx is false.
        hw/net: fix mcf_fec driver receiver
        hw/net: add simple phy support to mcf_fec driver
        hw/net: add ANLPAR bit definitions to generic mii
        hw/net: create common collection of MII definitions

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f9f7492ea4a9dda538fedeec31399fb940533a16
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:13 2015 +0800

      axienet: Flush queued packets when rx is done

      eth_can_rx checks s->rxsize and returns false if it is non-zero. Because
      of the .can_receive semantics change, this will make the incoming queue
      disabled by peer, until it is explicitly flushed. So we should flush it
      when s->rxsize is becoming zero.

      Squash eth_can_rx semantics into etx_rx and drop .can_receive()
      callback, also add flush when rx buffer becomes available again after a
      packet gets queued.

      The other conditions, "!axienet_rx_resetting(s) &&
      axienet_rx_enabled(s)" are OK because enet_write already calls
      qemu_flush_queued_packets when the register bits are changed.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1436955553-22791-13-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4594f93a732f1f5936c3a5225481586e24bffa9e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:12 2015 +0800

      dp8393x: Flush packets when link comes up

      .can_receive callback changes semantics that once return 0, backend will
      try sending again until explicitly flushed, change the device to meet
      that.

      dp8393x_can_receive checks SONIC_CR_RXEN bit in SONIC_CR register and
      SONIC_ISR_RBE bit in SONIC_ISR register, try flushing the queue when
      either bit is being updated.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-12-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1ef4a6069f8b4c09c3383cd4b8e27b6ff25b2d41
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:11 2015 +0800

      stellaris_enet: Flush queued packets when read done

      If s->np reaches 31, the queue will be disabled by peer when it sees
      stellaris_enet_can_receive() returns false, until we explicitly flushes
      it which notifies the peer. Do this when guest is done reading all
      existing data.

      Move the semantics to stellaris_enet_receive, by returning 0 when the
      buffer is full, so that new packets will be queued.  In
      stellaris_enet_read, flush and restart the queue when guest has done
      reading.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-11-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1dd58ae0583c3d3fb15fa1d563d6b497558d3ad0
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:10 2015 +0800

      mipsnet: Flush queued packets when receiving is enabled

      Drop .can_receive and move the semantics to mipsnet_receive, by
      returning 0.

      After 0 is returned, we must flush the queue explicitly to restart it:
      Call qemu_flush_queued_packets when s->busy or s->rx_count is being
      updated.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-10-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3b7031e9609baf710823aa7880fd9802b39c4563
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:09 2015 +0800

      milkymist-minimac2: Flush queued packets when link comes up

      Drop .can_receive and move the semantics into minimac2_rx, by returning
      0.

      That is once minimac2_rx returns 0, incoming packets will be queued
      until the queue is explicitly flushed. We do this when s->regs[R_STATE0]
      or s->regs[R_STATE1] is changed in minimac2_write.

      Also drop the unused trace point.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1436955553-22791-9-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e813f0d8813944061fa9bde861cf6899379843e6
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:08 2015 +0800

      mcf_fec: Drop mcf_fec_can_receive

      The semantics of .can_receive requires us to flush the queue explicitly
      when s->rx_enabled becomes true after it returns 0, but the packet being
      queued is not meaningful since the guest hasn't activated the card.
      Let's just drop the packet in this case.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-8-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 575bafd1f387c5f06b59cf2515f6bb1eff9d119d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:07 2015 +0800

      etsec: Flush queue when rx buffer is consumed

      The BH will be scheduled when etsec->rx_buffer_len is becoming 0, which
      is the condition of queuing.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1436955553-22791-7-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b6cb6610c27c5b0773a340499f19c3477bf45aeb
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:06 2015 +0800

      etsec: Move etsec_can_receive into etsec_receive

      When etsec_reset returns 0, peer would queue the packet as if
      .can_receive returns false. Drop etsec_can_receive and let etsec_receive
      carry the semantics.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-6-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 913440249ea2e697177e9d43167ac325a8dfe907
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:05 2015 +0800

      usbnet: Drop usbnet_can_receive

      usbnet_receive already drops packet if rndis_state is not
      RNDIS_DATA_INITIALIZED, and queues packet if in buffer is not available.
      The only difference is s->dev.config but that is similar to rndis_state.

      Drop usbnet_can_receive and move these checks to usbnet_receive, so that
      we don't need to explicitly flush the queue when s->dev.config changes
      value.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-5-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 363db4b249244f31d3c47fbd5a8b128c95ba8fe7
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:04 2015 +0800

      eepro100: Drop nic_can_receive

      nic_receive already checks the conditions and drop packets if false.
      Due to the new semantics since 6e99c63 ("net/socket: Drop
      net_socket_can_send"), having .can_receive returning 0 requires us to
      explicitly flush the queued packets when the conditions are becoming
      true, but queuing the packets when guest driver is not ready doesn't
      make much sense.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b0ba0b9b6b402d738f11f27eea6c94d97bf84cbf
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:03 2015 +0800

      pcnet: Drop pcnet_can_receive

      pcnet_receive already checks the conditions and drop packets if false.
      Due to the new semantics since 6e99c63 ("net/socket: Drop
      net_socket_can_send"), having .can_receive returning 0 requires us to
      explicitly flush the queued packets when the conditions are becoming
      true, but queuing the packets when guest driver is not ready doesn't
      make much sense.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 8c8c460c5f38f878675631a66286a6e87bb4d111
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:02 2015 +0800

      xgmac: Drop packets with eth_can_rx is false.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 491a1f494ed4c0d1a8593dd04b645f8e63c4cfae
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 26 15:27:16 2015 +1000

      hw/net: fix mcf_fec driver receiver

      The network mcf_fec driver emulated receive side method is returning a
      result of 0 causing the network layer to disable receive for this emulated
      device. This results in the guest only ever receiving one packet.

      Fix the recieve side processing to return the number of bytes that we
      passed back through to the guest.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435296436-12152-5-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 299f7bec5a109db7563e1286cedf1f4d84e69e6d
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 26 15:27:15 2015 +1000

      hw/net: add simple phy support to mcf_fec driver

      The Linux fec driver needs at least basic phy support to probe and work.
      The current qemu mcf_fec emulation has no support for the reading or
      writing of the MDIO lines to access an attached phy.

      This code adds a very simple set of register results for a fixed phy
      setup - very similar to that used on an m5208evb board. This is enough
      to probe and identify an emulated attached phy.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435296436-12152-4-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3634869b27b6b2ff538bcc5bf8dfd1235ede7034
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 26 15:27:14 2015 +1000

      hw/net: add ANLPAR bit definitions to generic mii

      Add a base set of bit definitions for the standard MII phy 
"Auto-Negotiation
      Link Partner Ability Register" (ANLPAR).

      The original definitions moved into mii.h from the allwinner_emac driver
      did not define these.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435296436-12152-3-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3e230569bf16aa36562967cd76b742c6824481b1
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 26 15:27:13 2015 +1000

      hw/net: create common collection of MII definitions

      Create a common set of definitions of address and register values for
      ethernet MII phys. A few of the current ethernet drivers have at least
      a partial set of these definitions. Others just use hard coded raw
      constant numbers.

      This initial set is copied directly from the allwinner_emac code.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435296436-12152-2-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e40db4c6d391419c0039fe274c74df32a6ca1a28
  Merge: f793d97 cb72cba
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 27 13:10:00 2015 +0100

      Merge remote-tracking branch 
'remotes/jnsnow/tags/cve-2015-5154-pull-request' into staging

      # gpg: Signature made Mon Jul 27 13:01:10 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/cve-2015-5154-pull-request:
        ide: Clear DRQ after handling all expected accesses
        ide/atapi: Fix START STOP UNIT command completion
        ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 019c2ab8623daee210df8b1085a33b1e83c9ee11
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Jul 21 09:55:02 2015 +0100

      crypto: extend unit tests to cover decryption too

      The current unit test only verifies the encryption API,
      resulting in us missing a recently introduced bug in the
      decryption API from commit d3462e3. It was fortunately
      later discovered & fixed by commit bd09594, thanks to the
      QEMU I/O tests for qcow2 encryption, but we should really
      detect this directly in the crypto unit tests. Also remove
      an accidental debug message and simplify some asserts.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1437468902-23230-1-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6775e2c4298618828de9bb3c5584d4de20120e46
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Jul 24 13:23:54 2015 +0100

      crypto: fix built-in AES decrypt function

      The qcrypto_cipher_decrypt_aes method was using the wrong
      key material, and passing the wrong mode. This caused it
      to incorrectly decrypt ciphertext.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1437740634-6261-1-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 09999a5f7fc8e3636feda4358a79a25a09467594
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 22 12:32:25 2015 +0300

      virtio: set any_layout in virtio core

      Exceptions:
          - virtio-blk
          - compat machine types

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cd4bfbb20d957a480032e2626ef1188b62c74d00
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jul 23 20:57:53 2015 +0300

      virtio-9p: fix any_layout

      virtio pci allows any device to have a modern interface,
      this in turn requires ANY_LAYOUT support.
      Fix up ANY_LAYOUT for virtio-9p.

      Reported-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 7882080388be5088e72c425b02223c02e6cb4295
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jul 23 17:52:02 2015 +0300

      virtio-serial: fix ANY_LAYOUT

      Don't assume a specific layout for control messages.
      Required by virtio 1.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 5f456073aa9ba54e421aa82dd38e4d40d0a0af85
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 22 13:09:25 2015 +0300

      virtio: hide legacy features from modern guests

      NOTIFY_ON_EMPTY, ANY_LAYOUT and BAD are only valid on the legacy
      interface.

      Hide them from modern guests.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cb72cba83021fa42719e73a5249c12096a4d1cfc
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Sun Jul 26 23:42:53 2015 -0400

      ide: Clear DRQ after handling all expected accesses

      This is additional hardening against an end_transfer_func that fails to
      clear the DRQ status bit. The bit must be unset as soon as the PIO
      transfer has completed, so it's better to do this in a central place
      instead of duplicating the code in all commands (and forgetting it in
      some).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>

  commit 03441c3a4a42beb25460dd11592539030337d0f8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Sun Jul 26 23:42:53 2015 -0400

      ide/atapi: Fix START STOP UNIT command completion

      The command must be completed on all code paths. START STOP UNIT with
      pwrcnd set should succeed without doing anything.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>

  commit d2ff85854512574e7209f295e87b0835d5b032c6
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Sun Jul 26 23:42:53 2015 -0400

      ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

      If the end_transfer_func of a command is called because enough data has
      been read or written for the current PIO transfer, and it fails to
      correctly call the command completion functions, the DRQ bit in the
      status register and s->end_transfer_func may remain set. This allows the
      guest to access further bytes in s->io_buffer beyond s->data_end, and
      eventually overflowing the io_buffer.

      One case where this currently happens is emulation of the ATAPI command
      START STOP UNIT.

      This patch fixes the problem by adding explicit array bounds checks
      before accessing the buffer instead of relying on end_transfer_func to
      function correctly.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>

  commit f793d97e454a56d17e404004867985622ca1a63b
  Merge: 30fdfae 178846b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:07:10 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * qemu-char fixes
      * SCSI fixes (including CVE-2015-5158)
      * RCU fixes
      * Framebuffer logic to set DIRTY_MEMORY_VGA
      * Fix compiler warning for --disable-vnc
      * qemu-doc fixes
      * x86 TCG pasto fix

      # gpg: Signature made Fri Jul 24 12:57:52 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        target-i386/FPU: a misprint in helper_fistll_ST0
        qemu-doc: fix typos
        framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the 
framebuffer
        memory: count number of active VGA logging clients
        vl: Fix compiler warning for builds without VNC
        scsi: Handle no media case for scsi_get_configuration
        rcu: actually register threads that have RCU read-side critical sections
        scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
        vnc: fix memory leak
        qemu-char: Fix missed data on unix socket
        qemu-char: handle EINTR for TCP character devices
        exec.c: Use atomic_rcu_read() to access dispatch in 
memory_region_section_get_iotlb()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 178846bdd93994c1acafe4423f99ead8bb24cf38
  Author: Dmitry Poletaev <poletaev-qemu@xxxxxxxxx>
  Date:   Wed Jul 8 12:48:40 2015 +0300

      target-i386/FPU: a misprint in helper_fistll_ST0

      There is a cut-and-paste mistake in the patch
      https://lists.gnu.org/archive/html/qemu-devel/2014-11/msg01657.html .
      It cause errors in guest work.  Here is the bugfix.

      Signed-off-by: Dmitry Poletaev <poletaev-qemu@xxxxxxxxx>
      Reported-by: Kirill Batuzov <batuzovk@xxxxxxxxx>
      Message-Id: <2692911436348920@xxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d274e07c6df4cc8207b01892ff6f81118ea6083c
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Fri Jul 3 17:50:57 2015 +0800

      qemu-doc: fix typos

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1435917057-9396-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c1076c3e13a86140cc2ba29866512df8460cc7c2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 13 12:00:29 2015 +0200

      framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer

      The MemoryRegionSection contains enough information to access the
      RAM region underlying the framebuffer, and can be cached inside the
      display device.

      By doing this, the new framebuffer_update_memory_section function can
      enable dirty memory logging on the relevant RAM region.  The function
      must be called whenever the stride or base of the framebuffer changes;
      a simple way to cover these cases is to call it on every full frame
      invalidation, which is a rare case.

      framebuffer_update_display now works entirely on a MemoryRegionSection,
      without going through cpu_physical_memory_map/unmap.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit deb809edb85334c8e90530e1071b98f4da25ebaa
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 14 13:56:53 2015 +0200

      memory: count number of active VGA logging clients

      For a board that has multiple framebuffer devices, both of them
      might want to use DIRTY_MEMORY_VGA on the same memory region.
      The lack of reference counting in memory_region_set_log makes
      this very awkward to implement.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fb4309695905de889d318caec8eb13d3b2c118d5
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Wed Jul 22 19:53:30 2015 +0200

      vl: Fix compiler warning for builds without VNC

      This regression was caused by commit 70b94331.

        CC    vl.o
      vl.c: In function â??select_displayâ??:
      vl.c:2064:12: error: unused variable â??errâ?? [-Werror=unused-variable]
           Error *err = NULL;
                  ^

      Reported-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Message-Id: <1437587610-26433-1-git-send-email-sw@xxxxxxxxxxx>
      Reviewed-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7d99f4c1b5d12de7644a5bd8c3d46bff05c9ca7c
  Author: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jul 15 14:52:32 2015 -0400

      scsi: Handle no media case for scsi_get_configuration

      Currently, scsi_get_configuration always returns a current
      profile (DVD or CD), even when there is actually no media present.
      By comparison, ide/atapi uses a default profile of 0 (MMC_PROFILE_NONE)
      for this case and checks for tray_open, so let's do the same for scsi.

      This fixes a problem I'm seeing with Fedora 22 guests where systemd
      cdrom_id fails to unmount after a QEMU-initiated eject against a
      scsi cdrom device because it believes the media is still present
      (but unreadable).

      Signed-off-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Message-Id: 
<1436986352-10695-1-git-send-email-mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ab28bd23125fb4a0411c3a3f01c4edacbc261486
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 9 08:55:38 2015 +0200

      rcu: actually register threads that have RCU read-side critical sections

      Otherwise, grace periods are detected too early!

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c170aad8b057223b1139d72e5ce7acceafab4fa9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 08:59:39 2015 +0200

      scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

      This is a guest-triggerable buffer overflow present in QEMU 2.2.0
      and newer.  scsi_cdb_length returns -1 as an error value, but the
      caller does not check it.

      Luckily, the massive overflow means that QEMU will just SIGSEGV,
      making the impact much smaller.

      Reported-by: Zhu Donghai (��海) <donghai.zdh@xxxxxxxxxxxxxxx>
      Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 60928458e5eea3c77a7eb0a4194927872f463947
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed Jul 22 17:08:53 2015 +0800

      vnc: fix memory leak

      If vnc's password is configured, it will leak memory
      which cipher variable pointed on every vnc connection.

      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1437556133-11268-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 30fdfae49d53cfc678859095e49ac60b79562d6f
  Merge: f75b709 9615212
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 11:11:30 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150723' into 
staging

      Last minute fixes for 2.4.

      # gpg: Signature made Fri Jul 24 04:42:31 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150723:
        tcg/optimize: fix tcg_opt_gen_movi
        tcg/aarch64: use 32-bit offset for 32-bit softmmu emulation
        tcg/aarch64: use 32-bit offset for 32-bit user-mode emulation
        tcg/aarch64: add ext argument to tcg_out_insn_3310
        tcg/i386: Extend addresses for 32-bit guests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f75b709853d2b2b0f2a8e149229aa1c7c1ee1c60
  Merge: 12e21eb 759b484
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 09:17:44 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-fixes-20150723.0' into staging

      VFIO fixes for v2.4.0-rc3
      - Fix Realtek NIC quirk (Alex Williamson)
      - Restore bootindex functionality (Alex Williamson)

      # gpg: Signature made Thu Jul 23 19:51:23 2015 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-fixes-20150723.0:
        vfio/pci: Fix bootindex
        vfio/pci: Fix RTL8168 NIC quirks

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 961521261a3d600b0695b2e6d2b0f490076f7e90
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 10 18:03:30 2015 +0200

      tcg/optimize: fix tcg_opt_gen_movi

      Due to a copy&paste, the new op value is tested against mov_i32 instead
      of movi_i32. The test is therefore always false. Fix that.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1436544211-2769-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 80adb8fcad4778376a11d394a9e01516819e2327
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 23 18:04:52 2015 -0400

      tcg/aarch64: use 32-bit offset for 32-bit softmmu emulation

      Similar to the same fix for user-mode, except this instance
      occurs on the softmmu path.  Again, the tlb addend must be
      the base register, while the guest address is the index.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ffc6372851d8631a9f9fa56ec613b3244dc635b9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jul 15 17:27:01 2015 +0200

      tcg/aarch64: use 32-bit offset for 32-bit user-mode emulation

      Thanks to the previous patch, it is now easy for tcg_out_qemu_ld and
      tcg_out_qemu_st to use a 32-bit zero extended offset.  However, the
      guest base register x28 must be the base and addr_reg must be the
      index.

      Reported-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1436974021-28978-3-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6c0f0c0f124718650a8d682ba275044fc02f6fe2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jul 15 17:27:00 2015 +0200

      tcg/aarch64: add ext argument to tcg_out_insn_3310

      The new argument lets you pick uxtw or uxtx mode for the offset
      register.  For now, all callers pass TCG_TYPE_I64 so that uxtx
      is generated.  The bits for uxtx are removed from I3312_TO_I3310.

      Reported-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1436974021-28978-2-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ee8ba9e4d8458b8bba5455a7ae704620c4f2ef4b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 16 22:25:49 2015 +0100

      tcg/i386: Extend addresses for 32-bit guests

      Removing the ??? comment explaining why it (mostly) worked.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1437081950-7206-2-git-send-email-rth@xxxxxxxxxxx>

  commit 12e21eb088a51161c78ee39ed54ac56ebcff4243
  Merge: b69b305 6b26996
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 23 12:54:53 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-07-22

      # gpg: Signature made Wed Jul 22 19:11:04 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/numa-pull-request:
        hostmem: Fix qemu_opt_get_bool() crash in host_memory_backend_init()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4bf1cb03fbc43b0055af60d4ff093d6894aa4338
  Author: Nils Carlson <pyssling@xxxxxxxxxxx>
  Date:   Sun Jul 19 20:39:56 2015 +0000

      qemu-char: Fix missed data on unix socket

      Commit 812c1057 introduced HUP detection on unix and tcp sockets prior
      to a read in tcp_chr_read. This unfortunately broke CloudStack 4.2
      which relied on the old behaviour where data on a socket was readable
      even if a HUP was present.

      A working solution is to properly check the return values from recv,
      handling a closed socket once there is no more data to read.

      Also enable polling for G_IO_NVAL to ensure the callback is called
      for all possible events as these should now be possible to handle
      with the improved error detection.

      Signed-off-by: Nils Carlson <pyssling@xxxxxxxxxxx>
      Message-Id: <1437338396-22336-1-git-send-email-pyssling@xxxxxxxxxxx>
      [Do not handle EINTR; use socket_error(). - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9172f428afc1461b1d9b33ebca3a679b9adf7c3a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 09:25:54 2015 +0200

      qemu-char: handle EINTR for TCP character devices

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0b8e2c1002afddc8ef3d52fa6fc29e4768429f98
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 20 12:27:16 2015 +0100

      exec.c: Use atomic_rcu_read() to access dispatch in 
memory_region_section_get_iotlb()

      When accessing the dispatch pointer in an AddressSpace within an RCU
      critical section we should always use atomic_rcu_read(). Fix an
      access within memory_region_section_get_iotlb() which was incorrectly
      doing a direct pointer access.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1437391637-31576-1-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 759b484c5d7f92bd01f98797c07e8543ee187888
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Jul 22 14:56:01 2015 -0600

      vfio/pci: Fix bootindex

      bootindex was incorrectly changed to a device Property during the
      platform code split, resulting in it no longer working.  Remove it.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx # v2.3+

  commit 69970fcef937bddd7f745efe39501c7716fdfe56
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Jul 22 14:56:01 2015 -0600

      vfio/pci: Fix RTL8168 NIC quirks

      The RTL8168 quirk correctly describes using bit 31 as a signal to
      mark a latch/completion, but the code mistakenly uses bit 28.  This
      causes the Realtek driver to spin on this register for quite a while,
      20k cycles on Windows 7 v7.092 driver.  Then it gets frustrated and
      tries to set the bit itself and spins for another 20k cycles.  For
      some this still results in a working driver, for others not.  About
      the only thing the code really does in its current form is protect
      the guest from sneaking in writes to the real hardware MSI-X table.
      The fix is obviously to use bit 31 as we document that we should.

      The other problem doesn't seem to affect current drivers as nobody
      seems to use these window registers for writes to the MSI-X table, but
      we need to use the stored data when a write is triggered, not the
      value of the current write, which only provides the offset.

      Note that only the Windows drivers from Realtek seem to use these
      registers, the Microsoft drivers provided with Windows 8.1 do not
      access them, nor do Linux in-kernel drivers.

      Link: https://bugs.launchpad.net/qemu/+bug/1384892
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx # v2.1+

  commit 6b2699672d5b56f8c2902fb9db9879e8cafb2afe
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Jul 16 17:29:12 2015 -0300

      hostmem: Fix qemu_opt_get_bool() crash in host_memory_backend_init()

      This fixes the following crash, introduced by commit
      49d2e648e8087d154d8bf8b91f27c8e05e79d5a6:

        $ gdb --args qemu-system-x86_64 -machine pc,mem-merge=off -object 
memory-backend-ram,id=ram-node0,size=1024
        [...]
        Program received signal SIGABRT, Aborted.
        (gdb) bt
        #0  0x00007ffff253b8c7 in raise () at /lib64/libc.so.6
        #1  0x00007ffff253d52a in abort () at /lib64/libc.so.6
        #2  0x00007ffff253446d in __assert_fail_base () at /lib64/libc.so.6
        #3  0x00007ffff2534522 in  () at /lib64/libc.so.6
        #4  0x00005555558bb80a in qemu_opt_get_bool_helper 
(opts=0x55555621b650, name=name@entry=0x5555558ec922 "mem-merge", 
defval=defval@entry=true, del=del@entry=false) at qemu/util/qemu-option.c:388
        #5  0x00005555558bbb5a in qemu_opt_get_bool (opts=<optimized out>, 
name=name@entry=0x5555558ec922 "mem-merge", defval=defval@entry=true) at 
qemu/util/qemu-option.c:398
        #6  0x0000555555720a24 in host_memory_backend_init (obj=0x5555562ac970) 
at qemu/backends/hostmem.c:226

      Instead of using qemu_opt_get_bool(), that didn't work with
      qemu_machine_opts for a long time, we can use the corresponding
      MachineState fields.

      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit b69b30532e0a80e25449244c01b0cbed000c99a3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 22 18:17:19 2015 +0100

      Update version for v2.4.0-rc2 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3edf6b3f1e68104dba692337fdcecdba39e73c59
  Merge: dc94bd9 a52b2cb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 22 16:22:49 2015 +0100

      Merge remote-tracking branch 'remotes/elmarco/tags/for-upstream' into 
staging

      qxl: build fix for 2.4

      # gpg: Signature made Wed Jul 22 15:55:00 2015 BST using DSA key ID 
F43F0992
      # gpg: Good signature from "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxxx>"
      # gpg:                 aka "Marc-Andre Lureau 
<marcandre.lureau@xxxxxxxxx>"
      # gpg:                 aka "Marc-Andre Lureau 
<marc-andre.lureau@xxxxxxxxx>"
      # gpg:                 aka "Marc-André Lureau 
<marc-andre.lureau@xxxxxxxxx>"
      # gpg:                 aka "Marc-André Lureau (elmarco) 
<marcandre.lureau@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 7346 2483 9404 4E20 ABFF  7D48 D864 9487 F43F 
0992

      * remotes/elmarco/tags/for-upstream:
        qxl: Fix new function name for spice-server library

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a52b2cbf218d52f9e357961acb271a98a2bdff71
  Author: Frediano Ziglio <fziglio@xxxxxxxxxx>
  Date:   Mon Jul 20 09:43:23 2015 +0100

      qxl: Fix new function name for spice-server library

      The new spice-server function to limit the number of monitors (0.12.6)
      changed while development from spice_qxl_set_monitors_config_limit to
      spice_qxl_max_monitors (accepted upstream).
      By mistake I post patch with former name.
      This patch fix the function name.

      Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
      Acked-by: Christophe Fergeau <cfergeau@xxxxxxxxxx>
      Acked-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit dc94bd9166af5236a56bd5bb06845911915a925c
  Merge: b9c4630 05e514b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 22 12:52:34 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Wed Jul 22 12:43:35 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        AioContext: optimize clearing the EventNotifier
        AioContext: fix broken placement of event_notifier_test_and_clear
        AioContext: fix broken ctx->dispatching optimization
        aio-win32: reorganize polling loop
        tests: remove irrelevant assertions from test-aio
        qemu-timer: initialize "timers_done_ev" to set
        mirror: Speed up bitmap initial scanning

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 05e514b1d4d5bd4209e2c8bbc76ff05c85a235f3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:53 2015 +0200

      AioContext: optimize clearing the EventNotifier

      It is pretty rare for aio_notify to actually set the EventNotifier.  It
      can happen with worker threads such as thread-pool.c's, but otherwise it
      should never be set thanks to the ctx->notify_me optimization.  The
      previous patch, unfortunately, added an unconditional call to
      event_notifier_test_and_clear; now add a userspace fast path that
      avoids the call.

      Note that it is not possible to do the same with event_notifier_set;
      it would break, as proved (again) by the included formal model.

      This patch survived over 3000 reboots on aarch64 KVM.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-7-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 21a03d17f2edb1e63f7137d97ba355cc6f19d79f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:52 2015 +0200

      AioContext: fix broken placement of event_notifier_test_and_clear

      event_notifier_test_and_clear must be called before processing events.
      Otherwise, an aio_poll could "eat" the notification before the main
      I/O thread invokes ppoll().  The main I/O thread then never wakes up.
      This is an example of what could happen:

         i/o thread       vcpu thread                     worker thread
         ---------------------------------------------------------------------
         lock_iothread
         notify_me = 1
         ...
         unlock_iothread
                                                           bh->scheduled = 1
                                                           event_notifier_set
                          lock_iothread
                          notify_me = 3
                          ppoll
                          notify_me = 1
                          aio_dispatch
                           aio_bh_poll
                            thread_pool_completion_bh
                                                           bh->scheduled = 1
                                                           event_notifier_set
                           node->io_read(node->opaque)
                            event_notifier_test_and_clear
         ppoll
         *** hang ***

      "Tracing" with qemu_clock_get_ns shows pretty much the same behavior as
      in the previous bug, so there are no new tricks here---just stare more
      at the code until it is apparent.

      One could also use a formal model, of course.  The included one shows
      this with three processes: notifier corresponds to a QEMU thread pool
      worker, temporary_waiter to a VCPU thread that invokes aio_poll(),
      waiter to the main I/O thread.  I would be happy to say that the
      formal model found the bug for me, but actually I wrote it after the
      fact.

      This patch is a bit of a big hammer.  The next one optimizes it,
      with help (this time for real rather than a posteriori :)) from
      another, similar formal model.

      Reported-by: Richard W. M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-6-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit eabc977973103527bbb8fed69c91cfaa6691f8ab
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:51 2015 +0200

      AioContext: fix broken ctx->dispatching optimization

      This patch rewrites the ctx->dispatching optimization, which was the cause
      of some mysterious hangs that could be reproduced on aarch64 KVM only.
      The hangs were indirectly caused by aio_poll() and in particular by
      flash memory updates's call to blk_write(), which invokes aio_poll().
      Fun stuff: they had an extremely short race window, so much that
      adding all kind of tracing to either the kernel or QEMU made it
      go away (a single printf made it half as reproducible).

      On the plus side, the failure mode (a hang until the next keypress)
      made it very easy to examine the state of the process with a debugger.
      And there was a very nice reproducer from Laszlo, which failed pretty
      often (more than half of the time) on any version of QEMU with a non-debug
      kernel; it also failed fast, while still in the firmware.  So, it could
      have been worse.

      For some unknown reason they happened only with virtio-scsi, but
      that's not important.  It's more interesting that they disappeared with
      io=native, making thread-pool.c a likely suspect for where the bug arose.
      thread-pool.c is also one of the few places which use bottom halves
      across threads, by the way.

      I hope that no other similar bugs exist, but just in case :) I am
      going to describe how the successful debugging went...  Since the
      likely culprit was the ctx->dispatching optimization, which mostly
      affects bottom halves, the first observation was that there are two
      qemu_bh_schedule() invocations in the thread pool: the one in the aio
      worker and the one in thread_pool_completion_bh.  The latter always
      causes the optimization to trigger, the former may or may not.  In
      order to restrict the possibilities, I introduced new functions
      qemu_bh_schedule_slow() and qemu_bh_schedule_fast():

           /* qemu_bh_schedule_slow: */
           ctx = bh->ctx;
           bh->idle = 0;
           if (atomic_xchg(&bh->scheduled, 1) == 0) {
               event_notifier_set(&ctx->notifier);
           }

           /* qemu_bh_schedule_fast: */
           ctx = bh->ctx;
           bh->idle = 0;
           assert(ctx->dispatching);
           atomic_xchg(&bh->scheduled, 1);

      Notice how the atomic_xchg is still in qemu_bh_schedule_slow().  This
      was already debated a few months ago, so I assumed it to be correct.
      In retrospect this was a very good idea, as you'll see later.

      Changing thread_pool_completion_bh() to qemu_bh_schedule_fast() didn't
      trigger the assertion (as expected).  Changing the worker's invocation
      to qemu_bh_schedule_slow() didn't hide the bug (another assumption
      which luckily held).  This already limited heavily the amount of
      interaction between the threads, hinting that the problematic events
      must have triggered around thread_pool_completion_bh().

      As mentioned early, invoking a debugger to examine the state of a
      hung process was pretty easy; the iothread was always waiting on a
      poll(..., -1) system call.  Infinite timeouts are much rarer on x86,
      and this could be the reason why the bug was never observed there.
      With the buggy sequence more or less resolved to an interaction between
      thread_pool_completion_bh() and poll(..., -1), my "tracing" strategy was
      to just add a few qemu_clock_get_ns(QEMU_CLOCK_REALTIME) calls, hoping
      that the ordering of aio_ctx_prepare(), aio_ctx_dispatch, poll() and
      qemu_bh_schedule_fast() would provide some hint.  The output was:

          (gdb) p last_prepare
          $3 = 103885451
          (gdb) p last_dispatch
          $4 = 103876492
          (gdb) p last_poll
          $5 = 115909333
          (gdb) p last_schedule
          $6 = 115925212

      Notice how the last call to qemu_poll_ns() came after aio_ctx_dispatch().
      This makes little sense unless there is an aio_poll() call involved,
      and indeed with a slightly different instrumentation you can see that
      there is one:

          (gdb) p last_prepare
          $3 = 107569679
          (gdb) p last_dispatch
          $4 = 107561600
          (gdb) p last_aio_poll
          $5 = 110671400
          (gdb) p last_schedule
          $6 = 110698917

      So the scenario becomes clearer:

         iothread                   VCPU thread
      --------------------------------------------------------------------------
         aio_ctx_prepare
         aio_ctx_check
         qemu_poll_ns(timeout=-1)
                                    aio_poll
                                      aio_dispatch
                                        thread_pool_completion_bh
                                          qemu_bh_schedule()

      At this point bh->scheduled = 1 and the iothread has not been woken up.
      The solution must be close, but this alone should not be a problem,
      because the bottom half is only rescheduled to account for rare situations
      (see commit 3c80ca1, thread-pool: avoid deadlock in nested aio_poll()
      calls, 2014-07-15).

      Introducing a third thread---a thread pool worker thread, which
      also does qemu_bh_schedule()---does bring out the problematic case.
      The third thread must be awakened *after* the callback is complete and
      thread_pool_completion_bh has redone the whole loop, explaining the
      short race window.  And then this is what happens:

                                                            thread pool worker
      --------------------------------------------------------------------------
                                                            <I/O completes>
                                                            qemu_bh_schedule()

      Tada, bh->scheduled is already 1, so qemu_bh_schedule() does nothing
      and the iothread is never woken up.  This is where the bh->scheduled
      optimization comes into play---it is correct, but removing it would
      have masked the bug.

      So, what is the bug?

      Well, the question asked by the ctx->dispatching optimization ("is any
      active aio_poll dispatching?") was wrong.  The right question to ask
      instead is "is any active aio_poll *not* dispatching", i.e. in the prepare
      or poll phases?  In that case, the aio_poll is sleeping or might go to
      sleep anytime soon, and the EventNotifier must be invoked to wake
      it up.

      In any other case (including if there is *no* active aio_poll at all!)
      we can just wait for the next prepare phase to pick up the event (e.g. a
      bottom half); the prepare phase will avoid the blocking and service the
      bottom half.

      Expressing the invariant with a logic formula, the broken one looked like:

         !(exists(thread): in_dispatching(thread)) => !optimize

      or equivalently:

         !(exists(thread):
                in_aio_poll(thread) && in_dispatching(thread)) => !optimize

      In the correct one, the negation is in a slightly different place:

         (exists(thread):
               in_aio_poll(thread) && !in_dispatching(thread)) => !optimize

      or equivalently:

         (exists(thread): in_prepare_or_poll(thread)) => !optimize

      Even if the difference boils down to moving an exclamation mark :)
      the implementation is quite different.  However, I think the new
      one is simpler to understand.

      In the old implementation, the "exists" was implemented with a boolean
      value.  This didn't really support well the case of multiple concurrent
      event loops, but I thought that this was okay: aio_poll holds the
      AioContext lock so there cannot be concurrent aio_poll invocations, and
      I was just considering nested event loops.  However, aio_poll _could_
      indeed be concurrent with the GSource.  This is why I came up with the
      wrong invariant.

      In the new implementation, "exists" is computed simply by counting how 
many
      threads are in the prepare or poll phases.  There are some interesting
      points to consider, but the gist of the idea remains:

      1) AioContext can be used through GSource as well; as mentioned in the
      patch, bit 0 of the counter is reserved for the GSource.

      2) the counter need not be updated for a non-blocking aio_poll, because
      it won't sleep forever anyway.  This is just a matter of checking
      the "blocking" variable.  This requires some changes to the win32
      implementation, but is otherwise not too complicated.

      3) as mentioned above, the new implementation will not call aio_notify
      when there is *no* active aio_poll at all.  The tests have to be
      adjusted for this change.  The calls to aio_notify in async.c are fine;
      they only want to kick aio_poll out of a blocking wait, but need not
      do anything if aio_poll is not running.

      4) nested aio_poll: these just work with the new implementation; when
      a nested event loop is invoked, the outer event loop is never in the
      prepare or poll phases.  The outer event loop thus has already decremented
      the counter.

      Reported-by: Richard W. M. Jones <rjones@xxxxxxxxxx>
      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-5-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6493c975af75be5b8d9ade954239bdf5492b7911
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:50 2015 +0200

      aio-win32: reorganize polling loop

      Preparatory bugfixes and tweaks to the loop before the next patch:

      - disable dispatch optimization during aio_prepare.  This fixes a bug.

      - do not modify "blocking" until after the first WaitForMultipleObjects
      call.  This is needed in the next patch.

      - change the loop to do...while.  This makes it obvious that the loop
      is always entered at least once.  In the next patch this is important
      because the first iteration undoes the ctx->notify_me increment that
      happened before entering the loop.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-4-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 12d69ac03b45156356b240424623719f15d8143e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:49 2015 +0200

      tests: remove irrelevant assertions from test-aio

      In these tests, the purpose of the initial calls to aio_poll and
      g_main_context_iteration is simply to put the AioContext in a
      known state; the return value of the function does not really
      matter.  The next patch will change those return values; change
      the assertions to a while loop which expresses the intention
      better.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-3-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e4efd8a488d0a68b0af34d8ee245463df7c8bdf4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:48 2015 +0200

      qemu-timer: initialize "timers_done_ev" to set

      The normal value for the event is to be set.  If we do not do
      this, pause_all_vcpus (through qemu_clock_enable) hangs unless
      timerlist_run_timers has been run at least once for the timerlist.
      This can happen with the following patches, that make aio_notify do
      nothing most of the time.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-2-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 999006975840f8cdf2038a587d852a6cbfe58e3b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jul 9 11:47:58 2015 +0800

      mirror: Speed up bitmap initial scanning

      Limiting to sectors_per_chunk for each bdrv_is_allocated_above is slow,
      because the underlying protocol driver would issue much more queries
      than necessary. We should coalesce the query.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: <1436413678-7114-4-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b9c46307996856d03ddc1527468ff5401ac03a79
  Merge: 774ee47 5f8343d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 21 20:56:20 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-07-21-tag' into staging

      tag for qga-pull-2015-07-21

      Small fix to correct schema versioning annotations for recently-added
      GuestDiskBusType enum values. Not the end of the world, but ideally
      this inconsistency would be corrected prior to 2.4 release.

      # gpg: Signature made Tue Jul 21 20:43:24 2015 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 
B584

      * remotes/mdroth/tags/qga-pull-2015-07-21-tag:
        qga: fixed versions for guest bus types in qapi-schema

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5f8343d0670e91adadb7898304c8ed4355af05a2
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Tue Jul 21 15:25:08 2015 +0300

      qga: fixed versions for guest bus types in qapi-schema

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      *added semi-colon to better delineate 2.2 vs. 2.4 versioning
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 774ee4772b6838b78741ea52d4bf26b8922244c5
  Merge: a1bc040 57b7309
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 21 12:21:08 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150721' into staging

      target-arm queue:
       * don't sync CNTVCT with kernel all the time (fixes VM time weirdnesses)
       * fix a warning compiling disas/arm-a64 with -Wextra

      # gpg: Signature made Tue Jul 21 12:15:33 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150721:
        disas/arm-a64: Add missing compiler attribute GCC_FMT_ATTR
        target-arm: kvm: Differentiate registers based on write-back levels

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 57b73090e041ece40cc619a3c43a6fafcb3dd647
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Tue Jul 21 11:18:45 2015 +0100

      disas/arm-a64: Add missing compiler attribute GCC_FMT_ATTR

      Type fprintf_function which fits here was defined with this attribute.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1437208027-14584-1-git-send-email-sw@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b7a6bf402bd064605c287eecadc493ccf2d4897
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jul 21 11:18:45 2015 +0100

      target-arm: kvm: Differentiate registers based on write-back levels

      Some registers like the CNTVCT register should only be written to the
      kernel as part of machine initialization or on vmload operations, but
      never during runtime, as this can potentially make time go backwards or
      create inconsistent time observations between VCPUs.

      Introduce a list of registers that should not be written back at runtime
      and check this list on syncing the register state to the KVM state.

      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1437046488-10773-1-git-send-email-christoffer.dall@xxxxxxxxxx
      [PMM: tweaked a few comments, added the new argument to the stub
       write_list_to_kvmstate() in target-arm/kvm-stub.c]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a1bc040dabc12039944e22d9529f20d6132400dd
  Merge: bd03a38 47c7199
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 21 10:04:32 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Mon Jul 20 19:27:04 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        tests: Fix broken targets check-report-qtest-*
        ahci: Force ICC bits in PxCMD to zero
        qtest/ide: add another short PRDT test flavor

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 47c719964a8240c99d4b7a2b4695ae026c619b83
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Mon Jul 20 12:21:18 2015 -0400

      tests: Fix broken targets check-report-qtest-*

      They need QTEST_QEMU_IMG. Without it, the tests raise an assertion:

      $ make -C bin check-report-qtest-i386.xml
      make: Entering directory 'bin'
      GTESTER check-report-qtest-i386.xml
      blkdebug: Suspended request 'A'
      blkdebug: Resuming request 'A'
      ahci-test: tests/libqos/libqos.c:162:
       mkimg: Assertion `qemu_img_path' failed.
      main-loop: WARNING: I/O thread spun for 1000 iterations

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1437231284-17455-1-git-send-email-sw@xxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit bd03a38fdf85fb1d4f0c9f59bbc154b516f66360
  Merge: 13566fe 625de44
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 20 18:26:53 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Mon Jul 20 18:25:14 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net: Flush queued packets when guest resumes
        lan9118: Drop lan9118_can_receive
        etraxfs_eth: Drop eth_can_receive
        musicpal: Drop eth_can_receive
        net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets
        net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data'
        socket: pass correct size in net_socket_send()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 625de449fc5597f2e1aff9cb586e249e198f03c9
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue Jul 7 09:21:07 2015 +0800

      net: Flush queued packets when guest resumes

      Since commit 6e99c63 "net/socket: Drop net_socket_can_send" and friends,
      net queues need to be explicitly flushed after qemu_can_send_packet()
      returns false, because the netdev side will disable the polling of fd.

      This fixes the case of "cont" after "stop" (or migration).

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1436232067-29144-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b49b8c572f885ea2b16fc744e8837e974df34401
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 15:10:47 2015 +0800

      lan9118: Drop lan9118_can_receive

      True is the default.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1435734647-8371-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit da69028261abd12dbf974754e69d017f6e8710b5
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 15:10:46 2015 +0800

      etraxfs_eth: Drop eth_can_receive

      True is the default.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1435734647-8371-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f63eab8becf92b18c18b6c31950f99f764848902
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 15:10:45 2015 +0800

      musicpal: Drop eth_can_receive

      True is the default.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1435734647-8371-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 80da311d81c389860bc387fbe6677c71f7a3c596
  Author: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 14 11:55:16 2015 +0300

      net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets

      Convert partially summed packets to be fully checksummed.

      In case csum offloaded packet, vmxnet3 implementation always passes an
      RxCompDesc with the "Checksum calculated and found correct" notification
      to the OS. This emulates the observed ESXi behavior.

      Therefore, if packet has the NEEDS_CSUM bit set, we must calculate and
      place a fully computed checksum into the tcp/udp header. Otherwise, the
      OS driver will receive a checksum-correct indication but with the actual
      tcp/udp checksum field having just the pseudo header csum value.

      If host OS performs forwarding, it will forward an incorrectly
      checksummed packet.

      Signed-off-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Message-id: 
1436864116-19154-3-git-send-email-shmulik.ladkani@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fcf0cdc362dd96cb8d2935b892d3dd9ab73ad393
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 14 11:55:15 2015 +0300

      net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data'

      Separate RX packet protocol parsing out of 'vmxnet_rx_pkt_attach_data'.

      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Message-id: 
1436864116-19154-2-git-send-email-shmulik.ladkani@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 091f1f52963d7093ea578e4a05e67bc015b21192
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Tue Jul 7 17:00:56 2015 +0800

      socket: pass correct size in net_socket_send()

      We should pass the size of packet instead of the remaining to
      qemu_send_packet_async().

      Fixes: 6e99c631f116221d169ea53953d91b8aa74d297a
             ("net/socket: Drop net_socket_can_send")

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1436259656-24263-1-git-send-email-jasowang@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 09b61db7c140c5a71bfde36614c5a1f4f0d382a6
  Author: Stefan Fritsch <sf@xxxxxxxxxxx>
  Date:   Mon Jul 20 12:21:18 2015 -0400

      ahci: Force ICC bits in PxCMD to zero

      The AHCI spec requires that the HBA sets the ICC bits to zero after the
      ICC change is done. Since we don't do any ICC change, force the bits to
      zero all the time.

      This fixes delays with some OSs (e.g. OpenBSD) waiting for the ICC bits
      to change to 0.

      Signed-off-by: Stefan Fritsch <sf@xxxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: E1ZFpg7-00027N-HW@xxxxxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 58732810230719765a6618004be8f0070c9f3d31
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Jul 20 12:21:18 2015 -0400

      qtest/ide: add another short PRDT test flavor

      The existing short PRDT test case does not transfer any data because the
      first PRD is less than 1 sector.

      This patch adds another short PRDT test case where the first sector can
      be read but the PRDT is still smaller than the requested number of
      sectors.  This exercises a different code path in ide_dma_cb().

      Cc: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1435770571-9906-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 13566fe3e584e7b14a6f45246976b91677dc2a77
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 8 15:10:09 2015 +0100

      timer: rename NSEC_PER_SEC due to Mac OS X header clash

      Commit e0cf11f31c24cfb17f44ed46c254d84c78e7f6e9 ("timer: Use a single
      definition of NSEC_PER_SEC for the whole codebase") renamed
      NANOSECONDS_PER_SECOND to NSEC_PER_SEC.

      On Mac OS X there is a <dispatch/time.h> system header which also
      defines NSEC_PER_SEC.  This causes compiler warnings.

      Let's use the old name instead.  It's longer but it doesn't clash.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1436364609-7929-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dcc8a3ab632d0f11a1bf3b08381cf0f93e616b9f
  Merge: f73ca73 bd09594
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 20 16:01:31 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches for 2.4.0-rc2

      # gpg: Signature made Mon Jul 20 15:48:56 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        crypto: Fix aes_decrypt_wrapper()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f73ca7363440240b7ee5ee7f7ddb1c64751efb54
  Merge: 7135847 f9d6dbf
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 20 13:25:28 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, vhost, pc fixes for 2.4

      The only notable thing here is vhost-user multiqueue
      revert. We'll work on making it stable in 2.5,
      reverting now means we won't have to maintain
      bug for bug compability forever.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jul 20 12:24:00 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        virtio-net: remove virtio queues if the guest doesn't support multiqueue
        virtio-net: Flush incoming queues when DRIVER_OK is being set
        pci_add_capability: remove duplicate comments
        virtio-net: unbreak any layout
        Revert "vhost-user: add multi queue support"
        ich9: fix skipped vmstate_memhp_state subsection

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bd09594603f1498e7623f0030988b62e2052f7da
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Jul 17 19:44:10 2015 +0200

      crypto: Fix aes_decrypt_wrapper()

      Commit d3462e3 broke qcow2's encryption functionality by using encrypt
      instead of decrypt in the wrapper function it introduces. This was found
      by qemu-iotests case 134.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit f9d6dbf0bf6e91b8ed896369ab1b7e91e5a1a4df
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Wed Jul 15 17:20:59 2015 +0800

      virtio-net: remove virtio queues if the guest doesn't support multiqueue

      commit da51a335 adds all queues in .realize(). But if the
      guest doesn't support multiqueue, we forget to remove them. And
      we cannot handle the ctrl vq corretly. The guest will hang.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 38705bb57bf1cd9e3f837cf11bcdee3876786c07
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 11:02:27 2015 +0800

      virtio-net: Flush incoming queues when DRIVER_OK is being set

      This patch fixes network hang after "stop" then "cont", while network
      packets keep arriving.

      Tested both manually (tap, host pinging guest) and with Jason's qtest
      series (plus his "[PATCH 2.4] socket: pass correct size in
      net_socket_send()" fix).

      As virtio_net_set_status is called when guest driver is setting status
      byte and when vm state is changing, it is a good opportunity to flush
      queued packets.

      This is necessary because during vm stop the backend (e.g. tap) would
      stop rx processing after .can_receive returns false, until the queue is
      explicitly flushed or purged.

      The other interesting condition in .can_receive, virtio_queue_ready(),
      is handled by virtio_net_handle_rx() when guest kicks; the 3rd condition
      is invalid queue index which doesn't need flushing.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9a2a66238e3bf2b681d6321c4667a2d589c8ebed
  Author: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
  Date:   Tue Jul 14 16:16:11 2015 +0800

      pci_add_capability: remove duplicate comments

      Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit feb93f361739071778ca2d23df3876db399548f7
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Jul 17 15:19:18 2015 +0800

      virtio-net: unbreak any layout

      Commit 032a74a1c0fcdd5fd1c69e56126b4c857ee36611
      ("virtio-net: byteswap virtio-net header") breaks any layout by
      requiring out_sg[0].iov_len >= n->guest_hdr_len. Fixing this by
      copying header to temporary buffer if swap is needed, and then use
      this buffer as part of out_sg.

      Fixes 032a74a1c0fcdd5fd1c69e56126b4c857ee36611
      ("virtio-net: byteswap virtio-net header")
      Cc: qemu-stable@xxxxxxxxxx
      Cc: clg@xxxxxxxxxx
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d345ed2da3279b015605823397235b8c5ca5251f
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 15 13:47:31 2015 +0300

      Revert "vhost-user: add multi queue support"

      This reverts commit 830d70db692e374b55555f4407f96a1ceefdcc97.

      The interface isn't fully backwards-compatible, which is bad.
      Let's redo this properly after 2.4.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 75d663611e81c748522d9cdcb5230bd02db86d05
  Author: Paulo Alcantara <pcacjr@xxxxxxxxx>
  Date:   Mon Jul 13 17:45:42 2015 -0300

      ich9: fix skipped vmstate_memhp_state subsection

      By declaring another .subsections array for vmstate_tco_io_state made
      vmstate_memhp_state not registered anymore. There must be only one
      .subsections array for all subsections.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Reported-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Paulo Alcantara <pcacjr@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 71358470eec668f5dc53def25e585ce250cea9bf
  Merge: 5b5e8cd 621a20e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 17 15:22:45 2015 +0100

      Merge remote-tracking branch 'remotes/amit-virtio-rng/tags/vrng-2.4' into 
staging

      Fire timer only when required.  Brings down wakeups by a big number.

      # gpg: Signature made Fri Jul 17 14:41:40 2015 BST using RSA key ID 
854083B6
      # gpg: Good signature from "Amit Shah <amit@xxxxxxxxxxxx>"
      # gpg:                 aka "Amit Shah <amit@xxxxxxxxxx>"
      # gpg:                 aka "Amit Shah <amitshah@xxxxxxx>"

      * remotes/amit-virtio-rng/tags/vrng-2.4:
        virtio-rng: trigger timer only when guest requests for entropy

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 621a20e08155179b1902c428361e80f41429f50d
  Author: Pankaj Gupta <pagupta@xxxxxxxxxx>
  Date:   Wed Jul 15 17:46:47 2015 +0530

      virtio-rng: trigger timer only when guest requests for entropy

      This patch triggers timer only when guest requests for
      entropy. As soon as first request from guest for entropy
      comes we set the timer. Timer bumps up the quota value
      when it gets triggered.

      Signed-off-by: Pankaj Gupta <pagupta@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Message-Id: <1436962608-9961-2-git-send-email-pagupta@xxxxxxxxxx>

      [Re-worded patch subject, removed extra whitespace -- Amit]

      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 5b5e8cdd7da7a2214dd062afff5b866234aab228
  Merge: fd1a9ef 92fdfa4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 17 12:39:12 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20150717-1' 
into staging

      usb: fixes for 2.4 (ccid, xhci and usb-host)

      # gpg: Signature made Fri Jul 17 12:21:42 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-usb-20150717-1:
        Revert "xhci: set timer to retry xfers"
        usb-ccid: add missing wakeup calls
        usb-ccid: fix 61b4887b41b270bc837ead57bc502d904af023bb
        Re-attach usb device to kernel while usb_host_open fails

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 92fdfa4bef9c92addcc009dd3e0131172b4fdc78
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 17 10:12:55 2015 +0200

      Revert "xhci: set timer to retry xfers"

      This reverts commit 4e8cfbe1143d8384387595b500212d7a7f11aeae.

      We should not poll via timer, and with ccid being fixed
      to properly notify us about pending transfers we don't have to.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 86d7e214c224f939c897cfa3b6d597f7af4b5bba
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jul 16 16:33:07 2015 +0200

      usb-ccid: add missing wakeup calls

      Properly notify the host adapter that we have
      data pending, so it doesn't has to poll us.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit cfda2cef3d0320d7a133600ffdb6e33547aaba8f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 17 11:34:11 2015 +0200

      usb-ccid: fix 61b4887b41b270bc837ead57bc502d904af023bb

      QOMification dropped the parent device lookup, fix it.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit fd1a9ef9c2493b5bc98e8e041333a57b635c5d71
  Merge: b4329bf 562f937
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 17 10:52:12 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150717-1' 
into staging

      input: fixes for 2.4

      # gpg: Signature made Fri Jul 17 07:45:17 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150717-1:
        hid: clarify hid_keyboard_process_keycode
        virtio-input: move sys/ioctl.h include
        virtio-input: fix segfault in virtio_input_hid_properties

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 562f93754b95fd6dc65ad9a2aa15a90b2da7e8a4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 14 11:18:06 2015 +0200

      hid: clarify hid_keyboard_process_keycode

      Coverity thinks the fallthroughs are smelly.  They are correct, but
      everything else in this function is like "wut?".

      Refer explicitly to bits 8 and 9 of hs->kbd.modifiers instead of
      shifting right first and using (1 << 7).  Document what the scancode
      is when hid_code is 0xe0.  And add plenty of comments.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b4329bf41c86bac8b56cadb097081960cc4839a0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 16 20:32:20 2015 +0100

      Update version for v2.4.0-rc1 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b92304ee814f0fe8109c8946dfb4dd4b63e89871
  Merge: 67ff64e d3462e3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 16 19:18:15 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * MIPS-KVM fixes.
      * Coverity fixes.
      * Nettle function prototype fixes.
      * Memory API refcount fix.

      # gpg: Signature made Thu Jul 16 19:01:27 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        crypto: avoid undefined behavior in nettle calls
        crypto: fix build with nettle >= 3.0.0
        memory: fix refcount leak in memory_region_present
        RDMA: Fix error exits
        arm/xlnx-zynqmp: fix memory leak
        ppc/spapr_drc: fix memory leak
        mips/kvm: Sign extend registers written to KVM
        mips/kvm: Fix Big endian 32-bit register access

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d3462e378f40ba6838b6c42584c30769ca633e6f
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Fri Jul 10 19:18:01 2015 +0200

      crypto: avoid undefined behavior in nettle calls

      Calling a function pointer that was cast from an incompatible function
      results in undefined behavior.  'void *' isn't compatible with 'struct
      XXX *', so we can't cast to nettle_cipher_func, but have to provide a
      wrapper.  (Conversion from 'void *' to 'struct XXX *' might require
      computation, which won't be done if we drop argument's true type, and
      pointers can have different sizes so passing arguments on stack would
      bug.)

      Having two different prototypes based on nettle version doesn't make
      this solution any nicer.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Message-Id: <1437062641-12684-3-git-send-email-rkrcmar@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit becaeb726ae7da4212a788773ebdfe87b4833f5c
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Fri Jul 10 19:18:00 2015 +0200

      crypto: fix build with nettle >= 3.0.0

      In nettle 3, cbc_encrypt() accepts 'nettle_cipher_func' instead of
      'nettle_crypt_func' and these two differ in 'const' qualifier of the
      first argument.  The build fails with:

        In file included from crypto/cipher.c:71:0:
        ./crypto/cipher-nettle.c: In function â??qcrypto_cipher_encryptâ??:
        ./crypto/cipher-nettle.c:154:38: error: passing argument 2 of
        â??nettle_cbc_encryptâ?? from incompatible pointer type
                 cbc_encrypt(ctx->ctx_encrypt, ctx->alg_encrypt,
                                                     ^
        In file included from ./crypto/cipher-nettle.c:24:0,
                         from crypto/cipher.c:71:
        /usr/include/nettle/cbc.h:48:1: note: expected
        â??void (*)(const void *, size_t, uint8_t *, const uint8_t *)
        but argument is of type
        â??void (*)(      void *, size_t, uint8_t *, const uint8_t *)

      To allow both versions, we switch to the new definition and #if typedef
      it for old versions.

      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Message-Id: <1436548682-9315-2-git-send-email-rkrcmar@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c6742b14fe7352059cd4954a356a8105757af31b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 14 13:45:34 2015 +0200

      memory: fix refcount leak in memory_region_present

      memory_region_present() leaks a reference to a MemoryRegion in the
      case "mr == container".  While fixing it, avoid reference counting
      altogether for memory_region_present(), by using RCU only.

      The return value could in principle be already invalid immediately
      after memory_region_present returns, but presumably the caller knows
      that and it's using memory_region_present to probe for devices that
      are unpluggable, or something like that.  The RCU critical section
      is needed anyway, because it protects as->current_map.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 24b41d66c8ad8f77839fca777b92e365dad0cf5c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri Jul 10 20:08:52 2015 +0100

      RDMA: Fix error exits

      The error checks I added used 'break' after the error, but I'm
      in a switch inside the while loop, so they need to be 'goto out'.

      Spotted by coverity; entries 1311368 and 1311369

      Fixes: afcddefd

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1436555332-19076-1-git-send-email-dgilbert@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5348c62cab309b68ecd13a33c9f21e8d6071af72
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Fri Jul 10 08:51:29 2015 +0800

      arm/xlnx-zynqmp: fix memory leak

      fix CID 1311372.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1436489490-236-4-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 586d2142a9f1aa5a1dceb0941e7b3f0953974a8b
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Fri Jul 10 08:51:28 2015 +0800

      ppc/spapr_drc: fix memory leak

      fix CID 1311373.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1436489490-236-3-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 02dae26ac4ceb1e82c432cfca4d9b65ae82343c6
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Apr 24 11:26:53 2015 +0100

      mips/kvm: Sign extend registers written to KVM

      In case we're running on a 64-bit host, be sure to sign extend the
      general purpose registers and hi/lo/pc before writing them to KVM, so as
      to take advantage of MIPS32/MIPS64 compatibility.

      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: kvm@xxxxxxxxxxxxxxx
      Cc: qemu-stable@xxxxxxxxxx
      Message-Id: <1429871214-23514-3-git-send-email-james.hogan@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f8b3e48b2d269551cd40f94770dc20da2f402325
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Apr 24 11:26:52 2015 +0100

      mips/kvm: Fix Big endian 32-bit register access

      Fix access to 32-bit registers on big endian targets. The pointer passed
      to the kernel must be for the actual 32-bit value, not a temporary
      64-bit value, otherwise on big endian systems the kernel will only
      interpret the upper half.

      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: kvm@xxxxxxxxxxxxxxx
      Cc: qemu-stable@xxxxxxxxxx
      Message-Id: <1429871214-23514-2-git-send-email-james.hogan@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 67ff64e08245a5b8de98d9b2acefb840a1fae340
  Merge: 2d5ee9e 567161f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 16 16:55:00 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150716-1' 
into staging

      qxl: allow to specify head limit to qxl driver

      # gpg: Signature made Thu Jul 16 16:31:40 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150716-1:
        qxl: allow to specify head limit to qxl driver

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6110ce59af199194ef63cb31ec722487df3f42fe
  Author: Lin Ma <lma@xxxxxxxx>
  Date:   Wed Jun 24 13:40:11 2015 +0800

      Re-attach usb device to kernel while usb_host_open fails

      Signed-off-by: Lin Ma <lma@xxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e2f6bac3010419426b636d2b307f66deecd60813
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jul 14 13:44:12 2015 +0200

      virtio-input: move sys/ioctl.h include

      Drop from include/standard-headers/linux/input.h
      Add to hw/input/virtio-input-host.c instead.

      That allows to build virtio-input (except pass-through) on windows.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2a19b229f6c2f7288bb8c2498bffb01d67810dee
  Author: Lin Ma <lma@xxxxxxxx>
  Date:   Tue Jul 14 19:27:30 2015 +0800

      virtio-input: fix segfault in virtio_input_hid_properties

      commit 5cce173 introduced virtio-input segfault, This patch fixes it.

      Signed-off-by: Lin Ma <lma@xxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 567161fdd47aeb6987e700702f6bbfef04ae0236
  Author: Frediano Ziglio <fziglio@xxxxxxxxxx>
  Date:   Mon Jul 6 07:56:38 2015 +0100

      qxl: allow to specify head limit to qxl driver

      This patch allow to limit number of heads using qxl driver. By default
      qxl driver is not limited on any kind on head use so can decide to use
      as much heads.

      libvirt has this as a video card parameter (actually set to 1 but not
      used). This parameter will allow to limit setting a use can do (which
      could be confusing).

      Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2d5ee9e7a7dd495d233cf9613a865f63f88e3375
  Merge: 3749c11 908680c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 16 10:40:22 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150716' into 
staging

      MIPS patches 2015-07-16

      Changes:
      * bug fixes

      # gpg: Signature made Thu Jul 16 09:04:56 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150716:
        target-mips: fix page fault address for LWL/LWR/LDL/LDR
        linux-user: Fix MIPS N64 trap and break instruction bug
        target-mips: fix resource leak reported by Coverity
        target-mips: fix logically dead code reported by Coverity
        target-mips: correct DERET instruction
        target-mips: fix ASID synchronisation for MIPS MT
        disas/mips: fix disassembling R6 instructions
        target-mips: fix to clear MSACSR.Cause
        target-mips: fix MIPS64R6-generic configuration

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3749c11a720689694101dcf2ebc43217a02f960f
  Merge: be0df8c 3046bb5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 22:05:13 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-07-15

      Two bug fixes:
      * Memory leak due to extra g_strdup() when registering X86CPU alias 
properties
      * Fix CPUID levels so that W10 insider can run as guest OS

      # gpg: Signature made Wed Jul 15 21:26:59 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: emulate CPUID level of real hardware
        target-i386: Don't strdup() alias property name

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit be0df8cd1eb8e182a9b61a2b4d1c57824cffadc4
  Merge: 7692401 672558d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 21:06:54 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-07-15

      # gpg: Signature made Wed Jul 15 21:01:37 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/numa-pull-request:
        numa: Fix memory leak in numa_set_mem_node_id()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3046bb5debc8153a542acb1df93b2a1a85527a15
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Thu Jul 9 21:07:39 2015 +0200

      target-i386: emulate CPUID level of real hardware

      W10 insider has a bug where it ignores CPUID level and interprets
      CPUID.(EAX=07H, ECX=0H) incorrectly, because CPUID in fact returned
      CPUID.(EAX=04H, ECX=0H);  this resulted in execution of unsupported
      instructions.

      While it's a Windows bug, there is no reason to emulate incorrect level.

      I used http://instlatx64.atw.hu/ as a source of CPUID and checked that
      it matches Penryn Xeon X5472, Westmere Xeon W3520, SandyBridge i5-2540M,
      and Haswell i5-4670T.

      kvm64 and qemu64 were bumped to 0xD to allow all available features for
      them (and to avoid the same Windows bug).

      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit d461a44ca4b164549fe19b14d2cdf0524f778ce1
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Jul 9 12:24:43 2015 -0300

      target-i386: Don't strdup() alias property name

      Now object_property_add_alias() calls g_strdup() on the target property
      name, so we don't need to call g_strdup() ourselves.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 672558d2ea8dd782d1d2adc6e16af3bc34029a36
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 9 20:57:36 2015 +0530

      numa: Fix memory leak in numa_set_mem_node_id()

      Fix a memory leak in numa_set_mem_node_id().

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxx>
      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 7692401a0826803522cfde533bdcc149932ddc6a
  Merge: 711dc6f 76e2aef
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 17:28:59 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150715' into staging

      target arm queue:
       * handle broken AArch64 kernels which assume DTB won't cross a 2MB 
boundary
       * correct broken SCTLR_EL3 reset value

      # gpg: Signature made Wed Jul 15 17:24:24 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150715:
        hw/arm/boot: Increase fdt alignment
        target-arm: Fix broken SCTLR_EL3 reset

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 76e2aef392629f2b2a468f5158d5c397cc5beed2
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Jul 15 17:16:26 2015 +0100

      hw/arm/boot: Increase fdt alignment

      The Linux kernel on aarch64 creates a page table entry at early bootup
      that spans the 2MB range on memory spanning the fdt start address:

        [ ALIGN_DOWN(fdt, 2MB) ... ALIGN_DOWN(fdt, 2MB) + 2MB ]

      This means that when our current 4k alignment happens to fall at the end
      of the aligned region, Linux tries to access memory that is not mapped.

      The easy fix is to instead increase the alignment to 2MB, making Linux's
      logic always succeed.

      We leave the existing 4k alignment for 32bit kernels to not cause any
      regressions due to space constraints.

      Reported-by: Andreas Schwab <schwab@xxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e46e1a74ef482f1ef773e750df9654ef4442ca29
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 17:16:26 2015 +0100

      target-arm: Fix broken SCTLR_EL3 reset

      The SCTLR_EL3 cpreg definition was implicitly resetting the
      register state to 0, which is both wrong and clashes with
      the reset done via the SCTLR definition (since sctlr[3]
      is unioned with sctlr_s). This went unnoticed until recently,
      when an unrelated change (commit a903c449b41f105aa) happened to
      perturb the order of enumeration through the cpregs hashtable for
      reset such that the erroneous reset happened after the correct one
      rather than before it. Fix this by marking SCTLR_EL3 as an alias,
      so its reset is left up to the AArch32 view.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 711dc6f36b74fe65a6e5a1847f1152717d887f8a
  Merge: f5dec79 796a060
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 14:23:58 2015 +0100

      Merge remote-tracking branch 
'remotes/cody/tags/jtc-for-upstream-pull-request' into staging

      # gpg: Signature made Wed Jul 15 03:25:16 2015 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 
3057

      * remotes/cody/tags/jtc-for-upstream-pull-request:
        block/curl: Don't lose original error when a connection fails.
        mirror: correct buf_size
        block: keep bitmap if incremental backup job is cancelled
        blockdev: no need to drain in qmp_block_commit
        block/mirror: Sleep periodically during bitmap scanning

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 908680c6441ac468f4871d513f42be396ea0d264
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Tue Jul 14 17:45:16 2015 +0200

      target-mips: fix page fault address for LWL/LWR/LDL/LDR

      When a LWL, LWR, LDL or LDR instruction triggers a page fault, QEMU
      currently reports the aligned address in CP0 BadVAddr, while the Windows
      NT kernel expects the unaligned address.

      This patch adds a byte access with the unaligned address at the
      beginning of the LWL/LWR/LDL/LDR instructions to possibly trigger a page
      fault and fill the QEMU TLB.

      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reported-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Tested-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f01a361bfcce4bd0c439b0e051ef2a1e56727a44
  Author: Andrew Bennett <andrew.bennett@xxxxxxxxxx>
  Date:   Mon Jun 29 10:20:07 2015 +0000

      linux-user: Fix MIPS N64 trap and break instruction bug

      For the MIPS N64 ABI when QEMU reads the break/trap instruction so that
      it can inspect the break/trap code it reads 8 rather than 4 bytes
      which means it finds the code field from the instruction after the
      break/trap instruction.  This then causes the break/trap handling
      code to fail because it does not understand the code number.

      The fix forces QEMU to always read 4 bytes of instruction data rather
      than deciding how much to read based on the ABI.

      Signed-off-by: Andrew Bennett <andrew.bennett@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 26e7e982b267e71d40cd20e9e234fedef6770a90
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Jul 14 11:08:15 2015 +0100

      target-mips: fix resource leak reported by Coverity

      UHI assert and link operations call lock_user_string() twice to obtain two
      strings pointed by gpr[4] and gpr[5]. If the second lock_user_string()
      fails, then the first one won't get freed. Fix this by introducing another
      macro responsible for obtaining two strings and handling allocation
      failure.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 47ada0ad3431b39863918dc80386634693d317b5
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Jul 14 11:08:14 2015 +0100

      target-mips: fix logically dead code reported by Coverity

      Make use of CMPOP in floating-point compare instructions.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit fe87c2b36ae9c1c9a5279f3891f3bce1b573baa0
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Jul 14 11:08:13 2015 +0100

      target-mips: correct DERET instruction

      Fix Debug Mode flag clearing, and when DERET is placed between LL and SC
      do not make SC fail.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 6a973e6b6584221bed89a01e755b88e58b496652
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jul 1 15:59:13 2015 +0200

      target-mips: fix ASID synchronisation for MIPS MT

      When syncing the task ASID with EntryHi, correctly or the value instead
      of assigning it.

      Reported-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 6b9c26fb5eed2345398daca4eef601da2f3d7867
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Tue Jun 30 16:33:15 2015 +0100

      disas/mips: fix disassembling R6 instructions

      In the Release 6 of the MIPS Architecture, LL, SC, LLD, SCD, PREF
      and CACHE instructions have 9 bits offsets.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit d4f4f0d5d9e74c19614479592c8bc865d92773d0
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Tue Jun 30 15:44:28 2015 +0100

      target-mips: fix to clear MSACSR.Cause

      MSACSR.Cause bits are needed to be cleared before a vector floating-point
      instructions.
      FEXDO.df, FEXUPL.df and FEXUPR.df were missed out.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 4dc89b782095d7a0b919fafd7b1322b3cb1279f1
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Jun 29 10:11:23 2015 +0100

      target-mips: fix MIPS64R6-generic configuration

      Fix core configuration for MIPS64R6-generic to make it as close as
      I6400.
      I6400 core has 48-bit of Virtual Address available (SEGBITS).
      MIPS SIMD Architecture is available.
      Rearrange order of bits to match the specification.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f5dec79ee88034b2da52463145a2056500db9ff2
  Merge: 661725d 560d027
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 12:22:31 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150715-1' into staging

      migration/next for 20150715

      # gpg: Signature made Wed Jul 15 11:23:33 2015 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150715-1:
        migration: We also want to store the global state for savevm
        migration: reduce the count of strlen call
        migration: Register global state section before loadvm
        migration: Write documetation for events capabilites
        migration: Trace event and migration event are different things
        migration: Only change state after migration has finished

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 560d027b54067ffa4e79c6f7c0a499abb0d749a3
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 15 09:53:46 2015 +0200

      migration: We also want to store the global state for savevm

      Commit df4b1024526cae3479da3492d6371fd4a7324a03 introduced global_state
      section.  But it only filled the state while doing migration.  While
      doing a savevm, we stored an empty string as state.  So when we did a
      loadvm, it complained that state was invalid.

      Fedora 21, 4.1.1, qemu 2.4.0-rc0
      > ../../configure --target-list="x86_64-softmmu"

      068 2s ... - output mismatch (see 068.out.bad)
      --- /home/bos/jhuston/src/qemu/tests/qemu-iotests/068.out 2015-07-08
      17:56:18.588164979 -0400
      +++ 068.out.bad   2015-07-09 17:39:58.636651317 -0400
      @@ -6,6 +6,8 @@
       QEMU X.Y.Z monitor - type 'help' for more information
       (qemu) savevm 0
       (qemu) quit
      +qemu-system-x86_64: Unknown savevm section or instance 'globalstate' 0
      +qemu-system-x86_64: Error -22 while loading VM state
       QEMU X.Y.Z monitor - type 'help' for more information
       (qemu) quit
       *** done
      Failures: 068
      Failed 1 of 1 tests

      Actually, there were two problems here:
      - we registered global_state too late for load_vm (fixed on another
        patch on the list)
      - we didn't store a valid state for savevm (fixed by this patch).

      Reported-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Tested-by:  Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 9f5f380b54d6ad80cf35d93c8cd71c8d7a1b52b7
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Jul 13 17:34:10 2015 +0800

      migration: reduce the count of strlen call

      'strlen' is called three times in 'save_page_header', it's
      inefficient.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 48212d87d6655b029231d830a77983c21552fe49
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri Jul 10 14:51:58 2015 +0200

      migration: Register global state section before loadvm

      Otherwise, it is not found

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 72e72e1a71e5e67a11204606a5c09f6cc3089a53
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 8 14:13:10 2015 +0200

      migration: Write documetation for events capabilites

      Reported-by: Jiri Denemark <jdenemar@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4ba4bc5e9bfab457a96ac56dc470730a330aded8
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 8 13:58:27 2015 +0200

      migration: Trace event and migration event are different things

      We can want the trace event even without migration events enabled.

      Reported-by:  Wen Congyang <ghostwcy@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 172c4356f38fbf91675256447a3bedd08220214f
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 8 13:56:26 2015 +0200

      migration: Only change state after migration has finished

      On previous change, we changed state at post load time if it was not
      running, special casing the "running" change.  Now, we change any states
      at the end of the migration.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 796a060bc0fab40953997976a2e30d9d6235bc7b
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Wed Jul 8 14:37:48 2015 +0100

      block/curl: Don't lose original error when a connection fails.

      Currently if qemu is connected to a curl source (eg. web server), and
      the web server fails / times out / dies, you always see a bogus EIO
      "Input/output error".

      For example, choose a large file located on any local webserver which
      you control:

        $ qemu-img convert -p http://example.com/large.iso /tmp/test

      Once it starts copying the file, stop the webserver and you will see
      qemu-img fail with:

        qemu-img: error while reading sector 61440: Input/output error

      This patch does two things: Firstly print the actual error from curl
      so it doesn't get lost.  Secondly, change EIO to EPROTO.  EPROTO is a
      POSIX.1 compatible errno which more accurately reflects that there was
      a protocol error, rather than some kind of hardware failure.

      After this patch is applied, the error changes to:

        $ qemu-img convert -p http://example.com/large.iso /tmp/test
        qemu-img: curl: transfer closed with 469989 bytes remaining to read
        qemu-img: error while reading sector 16384: Protocol error

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 48ac0a4df84662f23da25262443e1810b70c2228
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri May 15 15:51:36 2015 +0800

      mirror: correct buf_size

      If bus_size is less than 0, the command fails.
      If buf_size is 0, use DEFAULT_MIRROR_BUF_SIZE.
      If buf_size % granularity is not 0, mirror_free_init() will
      do dangerous things.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 5555A588.3080907@xxxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 17d9716d7b5381c4b6566bb1a06267d2bfcd1821
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Jun 15 16:02:14 2015 +0100

      block: keep bitmap if incremental backup job is cancelled

      Reclaim the dirty bitmap if an incremental backup block job is
      cancelled.  The ret variable may be 0 when the job is cancelled so it's
      not enough to check ret < 0.

      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1434380534-7680-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 299bf097375f9d148cda579ad85477304e38856b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 28 16:21:43 2015 +0200

      blockdev: no need to drain in qmp_block_commit

      Draining is not necessary, I/O can happen as soon as the
      commit coroutine yields.  Draining can be necessary before
      reopening the file for read/write, or while modifying the
      backing file chain, but that is done separately in
      bdrv_reopen_multiple or bdrv_close; this particular
      bdrv_drain_all does nothing for that.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1432822903-25821-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 4c0cbd6fec7db182a6deb52d5a8a8e7b0c5cbe64
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 11:11:13 2015 +0800

      block/mirror: Sleep periodically during bitmap scanning

      Before, we only yield after initializing dirty bitmap, where the QMP
      command would return. That may take very long, and guest IO will be
      blocked.

      Add sleep points like the later mirror iterations.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1431486673-19280-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 661725da09f47eb92d356fac10a4cf3b7ad1f61d
  Merge: f394798 2af9170
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 14 18:50:16 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150714' into 
staging

      s390x fixes for 2.4:
      - virtio migration regression
      - missing diag288 watchdog resets

      # gpg: Signature made Tue Jul 14 18:17:54 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150714:
        s390/virtio-ccw: Fix migration
        watchdog/diag288: correctly register for system reset requests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2af9170c8c269c4fba73e5271453ca15a57f5844
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Tue Jul 7 13:47:23 2015 +0200

      s390/virtio-ccw: Fix migration

      commit 213941d73b ("virtio-ccw: migrate ->revision") broke
      migration:
      2015-07-07T11:22:55.570968Z qemu-system-s390x: VQ 39 address 0x0 
inconsistent with Host index 0x100
      2015-07-07T11:22:55.571008Z qemu-system-s390x: error while loading state 
for instance 0x0 of

      If thinint support is active, the config_load function returns early.
      Make sure to load the revision all the time.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Fixes: 213941d73b ("virtio-ccw: migrate ->revision")
      Message-Id: <1436269643-66303-1-git-send-email-borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 0c7322cfd3fd382c0096c2a9f00775818a878e13
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 08:21:10 2015 +0200

      watchdog/diag288: correctly register for system reset requests

      The diag288 watchdog is no sysbus device, therefore it doesn't get
      triggered on resets automatically using dc->reset.

      Let's register the reset handler manually, so we get correctly notified
      again when a system reset was requested. Also reset the watchdog on
      subsystem resets that don't trigger a full system reset.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>

  commit f3947986d9bbbae1087c4c33880d3f8dbf1f1384
  Merge: 0030ff4 e34d8f2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 14 16:51:44 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches for 2.4.0-rc1

      # gpg: Signature made Tue Jul 14 16:15:35 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        rbd: fix ceph settings precedence
        rbd: make qemu's cache setting override any ceph setting
        MAINTAINERS: update email address
        rbd: remove unused constants and fields
        block: Fix backing file child when modifying graph
        block: Reorder cleanups in bdrv_close()
        block: Introduce bdrv_unref_child()
        block: Introduce bdrv_open_child()
        block: Move bdrv_attach_child() calls up the call chain
        nvme: properly report volatile write caches
        nvme: implement the Flush command

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e34d8f297d51b7ffa5dce72df1e45fa94cff989c
  Author: Josh Durgin <jdurgin@xxxxxxxxxx>
  Date:   Wed Jun 10 20:28:46 2015 -0700

      rbd: fix ceph settings precedence

      Apply the ceph settings from a config file before any ceph settings
      from the command line. Since the ceph config file location may be
      specified on the command line, parse it once to read the config file,
      and do a second pass to apply the rest of the command line ceph
      options.

      Signed-off-by: Josh Durgin <jdurgin@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 99a3c89d5d538dc6c360e35dffb797cfe06e9cda
  Author: Josh Durgin <jdurgin@xxxxxxxxxx>
  Date:   Wed Jun 10 20:28:45 2015 -0700

      rbd: make qemu's cache setting override any ceph setting

      To be safe, when cache=none is used ceph settings should not be able
      to override it to turn on caching. This was previously possible with
      rbd_cache=true in the rbd device configuration or a ceph configuration
      file. Similarly, rbd settings could have turned off caching when qemu
      requested it, although this would just be a performance problem.

      Fix this by changing rbd's cache setting to match qemu after all other
      ceph settings have been applied.

      Signed-off-by: Josh Durgin <jdurgin@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5a8ac6d9d70e1a078d04ad75a5c055b00a041d70
  Author: Josh Durgin <jdurgin@xxxxxxxxxx>
  Date:   Wed Jun 10 20:28:44 2015 -0700

      MAINTAINERS: update email address

      The old one still works for now, but will not work indefinitely.

      Signed-off-by: Josh Durgin <jdurgin@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3dbf00e058e450173c6f892bb572df871eb4ea58
  Author: Josh Durgin <jdurgin@xxxxxxxxxx>
  Date:   Wed Jun 10 20:28:43 2015 -0700

      rbd: remove unused constants and fields

      RBDAIOCB.status was only used for cancel, which was removed in
      7691e24dbebb46658e89b3f950fda6ec78bbb823.

      RBDAIOCB.sector_num was never used.

      RADOSCB.done and rcbid were never used.

      RBD_FD* are obsolete since the pipe was removed in
      e04fb07fd1676e9facd7f3f878c1bbe03bccd26b.

      Signed-off-by: Josh Durgin <jdurgin@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 80a1e130917e0745625129553c943743eb663727
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jun 17 15:52:09 2015 +0200

      block: Fix backing file child when modifying graph

      This patch moves bdrv_attach_child() from the individual places that add
      a backing file to a BDS to bdrv_set_backing_hd(), which is called by all
      of them. It also adds bdrv_detach_child() there.

      For normal operation (starting with one backing file chain and not
      changing it until the topmost image is closed) and live snapshots, this
      constitutes no change in behaviour.

      For all other cases, this is a fix for the bug that the old backing file
      was still referenced as a child, and the new one wasn't referenced.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 9a7dedbc43c7c400663d2876a8ccb6d942a1429a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 10:58:20 2015 +0200

      block: Reorder cleanups in bdrv_close()

      Block drivers may still want to access their child nodes in their
      .bdrv_close handler. If they unref and/or detach a child by themselves,
      this should not result in a double free.

      There is additional code for backing files, which are just a special
      case of child nodes. The same applies for them.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 33a604075c51e5528eed970eeaeefe609ea2337d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 13:51:04 2015 +0200

      block: Introduce bdrv_unref_child()

      This is the counterpart for bdrv_open_child(). It decreases the
      reference count of the child BDS and removes it from the list of
      children of the given parent BDS.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit b4b059f628173dd1d722ee8a9c592a80aec1fc2f
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 13:24:19 2015 +0200

      block: Introduce bdrv_open_child()

      It is the same as bdrv_open_image(), except that it doesn't only return
      success or failure, but the newly created BdrvChild object for the new
      child node.

      As the BdrvChild object already contains a BlockDriverState pointer (and
      this is supposed to become the only pointer so that bdrv_append() and
      friends can just change a single pointer in BdrvChild), the pbs
      parameter is removed for bdrv_open_child().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit df5817926790f6e84d1936eab523556f96fa577a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 11:53:47 2015 +0200

      block: Move bdrv_attach_child() calls up the call chain

      Let the callers of bdrv_open_inherit() call bdrv_attach_child(). It
      needs to be called in all cases where bdrv_open_inherit() succeeds (i.e.
      returns 0) and a child_role is given.

      bdrv_attach_child() is moved upwards to avoid a forward declaration.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 30349fd038ffb26528fad21abe1e264031364449
  Author: Christoph Hellwig <hch@xxxxxx>
  Date:   Thu Jun 11 12:01:39 2015 +0200

      nvme: properly report volatile write caches

      Implement support in Identify and Get/Set Features to properly report
      and allow to change the Volatile Write Cache status reported by the
      virtual NVMe device.

      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8b9d74e0eebb2106b767d66355d38086be72ad2b
  Author: Christoph Hellwig <hch@xxxxxx>
  Date:   Thu Jun 11 12:01:38 2015 +0200

      nvme: implement the Flush command

      Implement a real flush instead of faking it.  This is especially important
      as Qemu assume Write back cashing by default and thus requires a working
      cache flush operation for data integrity.

      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0030ff40472b9ebf0e0595afbc8d7e428218c5d7
  Merge: f3a1b50 a169513
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 14 14:52:45 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20150714-1' 
into staging

      vnc: fix vnc client authentication

      # gpg: Signature made Tue Jul 14 14:38:48 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vnc-20150714-1:
        vnc: fix vnc client authentication

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a16951375f7669b7faf27f72ca753e25325c5179
  Author: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
  Date:   Tue Jul 14 14:51:40 2015 +0200

      vnc: fix vnc client authentication

      Commit 800567a61 updated the code to the generic crypto API
      and mixed up encrypt and decrypt functions in
      procotol_client_auth_vnc.
      (Used to be: deskey(key, EN0) which encrypts, and was
      changed to qcrypto_cipher_decrypt in 800567a61.)
      Changed it to qcrypto_cipher_encrypt now.

      Signed-off-by: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f3a1b5068cea303a55e2a21a97e66d057eaae638
  Merge: 6e3c0c6 4421c6a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 13 13:35:51 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc,virtio: fixes for 2.4

      pc and virtio changes, bugfixes only.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jul 13 13:03:38 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        pc: fix reuse of pc-i440fx-2.4 in pc-i440fx-2.3
        Revert "virtio-net: enable virtio 1.0"
        virtio-pci: don't crash on illegal length
        qdev: fix 64 bit properties

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4421c6a38a37d558b8e6f82d2d54aee30350f57f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Jun 23 14:00:51 2015 -0300

      pc: fix reuse of pc-i440fx-2.4 in pc-i440fx-2.3

      commit fddd179ab962f6f78a8493742e1068d6a620e059,
          "pc: Convert *_MACHINE_OPTIONS macros into functions"
      broke the chaining of *_machine_options() functions on
      pc-i440fx-2.3, at:

        -#define PC_I440FX_2_3_MACHINE_OPTIONS \
        -    PC_I440FX_2_4_MACHINE_OPTIONS, \
        -    .alias = NULL, \
        -    .is_default = 0
        +static void pc_i440fx_2_3_machine_options(QEMUMachine *m)
        +{
        +    pc_i440fx_machine_options(m);
        +    m->alias = NULL;
        +    m->is_default = 0;
        +}

      I have replaced PC_I440FX_2_4_MACHINE_OPTIONS with a
      pc_i440fx_machine_options() call, instead of calling
      pc_i440fx_2_4_machine_options(). This broke the setting of 
default_machine_opts
      and default_display on pc-i440fx-{2.0,2,1,2.2,2.3}.

      Fix this by making pc_i440fx_2_3_machine_options() reuse
      pc_i440fx_2_4_machine_options().

      Reported-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 06c4670ff6d4acdc5a24e3d25748ee4a489d5869
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Jul 13 13:46:50 2015 +0800

      Revert "virtio-net: enable virtio 1.0"

      This reverts commit df91055db5c9cee93d70ca8c08d72119a240b987.

      This is because:
      - vhost support virtio 1.0 now
      - transport code (e.g virtio-pci) set this feature when modern is
        enabled, setting this unconditionally will break disable-modern=on.

      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2a6391232fa58f32469fb61d55343eff32a91083
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jul 13 10:32:50 2015 +0300

      virtio-pci: don't crash on illegal length

      Some guests seem to access cfg with an illegal length value.
      It's worth fixing them but debugging is easier if
      qemu does not crash.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8aedc369c6ae4fb4c4c6920f703b000015df3d8d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jul 9 13:01:14 2015 +0200

      qdev: fix 64 bit properties

      64 bit props used 32 bit callbacks in two places, leading to broken
      feature bits on virtio (example: got 0x31000000000006d4 which is
      obviously bogus). Fix this.

      Fixes: fdba6d96 ("qdev: add 64bit properties")
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6e3c0c6edbdddb8dd676bec1ac51b5faffc19a77
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Fri Jul 10 21:22:39 2015 +0200

      tci: Fix regression with INDEX_op_qemu_st_i32, INDEX_op_qemu_st_i64

      Commit 59227d5d45bb3c31dc2118011691c35b3c00879c did not update the
      code in tcg/tci/tcg-target.c for those two cases.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Message-id: 1436556159-3002-1-git-send-email-sw@xxxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6169b60285fe1ff730d840a49527e721bfb30899
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 9 17:56:56 2015 +0100

      Update version for v2.4.0-rc0 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 16c1321bd78ad79a7252b714184ee2a0b5944c56
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 9 17:46:24 2015 +0100

      tci: Fix compile failure by including qemu-common.h

      Compilation of TCI was accidentally broken by the recent disassembler
      changes:

        CC    x86_64-softmmu/arch_init.o
      In file included from target-i386/cpu-qom.h:23:0,
                       from target-i386/cpu.h:986,
                       from include/qemu-common.h:122,
                       from include/disas/bfd.h:12,
                       from disas/tci.c:20:
      include/qom/cpu.h:178:43: error: unknown type name â??disassemble_infoâ??
           void (*disas_set_info)(CPUState *cpu, disassemble_info *info);
                                                 ^
      include/qom/cpu.h:179:1: error:
      no semicolon at end of struct or union [-Werror]
       } CPUClass;
       ^
      cc1: all warnings being treated as errors

      The underlying cause of this is an include loop:
       bfd.h -> qemu-common.h -> target-arm/cpu.h ->  target-arm/cpu-qom.h
        -> qom/cpu.h -> bfd.h

      which means that if bfd.h is included first then qom/cpu.h doesn't
      get the definition of the disassemble_info type that it wanted.
      The easiest fix for this is to include qemu-common.h from tci.c
      before including disas/bfd.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a9dc4cf94c182f03c0061483891f53d1d21e5e68
  Merge: 0326248 4f4f697
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 9 16:22:37 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      Fixes for two bad bugs.  For 2.4-rc0.

      # gpg: Signature made Thu Jul  9 15:54:19 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        crypto: fix builtin qcrypto_cipher_free
        migration: fix RCU deadlock

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4f4f6976d80614e2d81cea4385885876f24bb257
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 9 16:52:48 2015 +0200

      crypto: fix builtin qcrypto_cipher_free

      This was dereferencing a pointer before checking if it was NULL.

      Reported-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reported-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 032624868df264d395ee9900331f08bad1431022
  Merge: 5a2db89 6b625fd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 9 15:00:37 2015 +0100

      Merge remote-tracking branch 'remotes/afaerber/tags/qom-cpu-for-peter' 
into staging

      QOM CPUState and X86CPU

      * Further QOM'ification of CPU initialization
      * Propagation of CPUState arguments and elimination of ENV_GET_CPU() usage
      * cpu_set_pc() abstraction
      * CPUClass::disas_set_info() hook

      # gpg: Signature made Thu Jul  9 14:23:12 2015 BST using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-cpu-for-peter: (22 commits)
        disas: cris: QOMify target specific disas setup
        disas: cris: Fix 0 buffer length case
        disas: microblaze: QOMify target specific disas setup
        disas: arm: QOMify target specific disas setup
        disas: arm-a64: Make printfer and stream variable
        disas: QOMify target specific setup
        disas: Add print_insn to disassemble info
        microblaze: boot: Use cpu_set_pc()
        hw/arm/boot: Use cpu_set_pc()
        gdbstub: Use cpu_set_pc() helper
        cpu: Add wrapper for the set_pc() hook
        cpu-exec: Purge all uses of ENV_GET_CPU()
        cpu: Change cpu_exec_init() arg to cpu, not env
        cpu: Change tcg_cpu_exec() arg to cpu, not env
        gdbstub: Change gdbserver_fork() to accept cpu instead of env
        translate-all: Change tb_flush() env argument to cpu
        target-ppc: Move cpu_exec_init() call to realize function
        cpu: Convert cpu_index into a bitmap
        cpu: Add Error argument to cpu_exec_init()
        cpu: Reorder cpu->as, cpu->thread_id, cpu->memory_dispatch init
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6b625fde5eb8d1c969969392f1c92b58beed2183
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:38 2015 -0700

      disas: cris: QOMify target specific disas setup

      Move the target_disas() cris specifics to the QOM disas_set_info() hook
      and delete the cris specific code in disas.c.

      This also now adds support for monitor_disas() to cris.

      E.g.
      (qemu) xp 0x40004000
      0000000040004000: 0x1e6f25f0

      And before this patch:
      (qemu) xp/i 0x40004000
      0x40004000: Asm output not supported on this arch

      After:
      (qemu) xp/i 0x40004000
      0x40004000:  di
      (qemu) xp/i 0x40004002
      0x40004002:  move.d 0xb003c004,$r1

      Note: second example is 6-byte misaligned instruction!

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 51d373cf5f5a39fa315342d12ec910fe59d87090
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:37 2015 -0700

      disas: cris: Fix 0 buffer length case

      Cris has the complication of variable length instructions and has
      a check in place to clamp memory reads in case the disas request
      doesn't have enough bytes for the instruction being disas'd. This
      breaks down in the case where disassembling for the monitor where
      the buffer length is defaulted to 0.

      The buffer length should never be zero for a regular target_disas,
      so we can safely assume the 0 case is for the monitor in which case
      consider the buffer length to be the max for cris instructions.

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit efc6674be845e40d443b62e80eb9ea9a9adfee3c
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:36 2015 -0700

      disas: microblaze: QOMify target specific disas setup

      Move the target_disas() MB specifics to the QOM disas_set_info hook
      and delete the MB specific code in disas.c.

      This also now adds support for monitor_disas() to Microblaze.

      E.g.
      (qemu) xp 0x90000000
      0000000090000000: 0x94208001

      And before this patch:
      (qemu) xp/i 0x90000000
      0x90000000: Asm output not supported on this arch

      After:
      (qemu) xp/i 0x90000000
      0x90000000:  mfs    r1, rmsr

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 484406200e51eac023b346fdf987f86af1f6fe75
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:35 2015 -0700

      disas: arm: QOMify target specific disas setup

      Move the target_disas() ARM specifics to the QOM disas_set_info hook
      and delete the ARM specific code in disas.c.

      This has the extra advantage of the more fully featured target_disas()
      implementation now applying to monitor_disas().

      Currently, target_disas() has multi-endian, thumb and AArch64
      support whereas the existing monitor_disas() support only has vanilla
      AA32 support.

      E.G. Running an AA64 linux kernel the following -d in_asm disas happens
      (taget_disas()):

      IN:
      0x0000000040000000:  580000c0      ldr x0, pc+24 (addr 0x40000018)
      0x0000000040000004:  aa1f03e1      mov x1, xzr

      However before this patch, disasing the same from the monitor:

      (qemu) xp/i 0x40000000
      0x0000000040000000:  580000c0      stmdapl  r0, {r6, r7}

      After this patch:
      (qemu) xp/i 0x40000000
      0x0000000040000000:  580000c0      ldr x0, pc+24 (addr 0x40000018)

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit fb200d5f003118f63205f34bbe553efcf3a66a81
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:34 2015 -0700

      disas: arm-a64: Make printfer and stream variable

      In a normal disassembly flow, the printf() and stream being used varies
      from disas job to job. In particular it varies if mixing monitor_disas
      and target_disas.

      Make both the printf() function and target stream settable in the
      QEMUDisassmbler class.

      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Tested-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 37b9de463bff4fc786bb5f0778829e68d2c97bd0
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:33 2015 -0700

      disas: QOMify target specific setup

      Add a QOM function hook for target-specific disassembly setup. This
      allows removal of the #ifdeffery currently implementing target specific
      disas setup from disas.c.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 2de295c544dda8680a82fe465c92d236d49c4d4f
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:32 2015 -0700

      disas: Add print_insn to disassemble info

      Add the print_insn pointer to the disassemble info structure. This is
      to prepare for QOMification support, where a QOM CPU hook function will
      be responsible for setting the print_insn() function. Add this function
      to the existing struct to consolidate such that only the one struct
      needs to be passed to the new QOM API.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 691b9572e337f2d74b4b527c3dc76f542c6a5734
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:19:23 2015 -0700

      microblaze: boot: Use cpu_set_pc()

      Use cpu_set_pc() for setting program counters when bootloading. This
      removes an instance of system level code having to reach into the CPU
      env.

      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      [AF: Avoid duplicated CPU() casts through local variable]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4df81c6ed1eddcbbb920a977e76f599e05b39b77
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:19:22 2015 -0700

      hw/arm/boot: Use cpu_set_pc()

      Use cpu_set_pc() across the board for setting program counters. This
      removes instances of system level code having to reach into the CPU
      env.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      [AF: Avoid repeated casts with local variables]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4a2b24edb73f98fa58fd8965db5b312617de7a02
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:19:21 2015 -0700

      gdbstub: Use cpu_set_pc() helper

      Use the cpu_set_pc() helper which will take care of CPUClass retrieval
      for us.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 2991b8904730d663f12ad42e35798ecc22fe151c
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:19:20 2015 -0700

      cpu: Add wrapper for the set_pc() hook

      Add a wrapper around the CPUClass::set_pc() hook.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit ea3e9847408131abc840240bd61e892d28459452
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Jun 18 10:24:55 2015 -0700

      cpu-exec: Purge all uses of ENV_GET_CPU()

      Remove un-needed usages of ENV_GET_CPU() by converting the APIs to use
      CPUState pointers and retrieving the env_ptr as minimally needed.

      Scripted conversion for target-* change:

      for I in target-*/cpu.h; do
          sed -i \
          's/\(^int cpu_[^_]*_exec(\)[^ ][^ ]* \*s);$/\1CPUState *cpu);/' \
          $I;
      done

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4bad9e392e788a218967167a38ce2ae7a32a6231
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 19:31:18 2015 -0700

      cpu: Change cpu_exec_init() arg to cpu, not env

      The callers (most of them in target-foo/cpu.c) to this function all
      have the cpu pointer handy. Just pass it to avoid an ENV_GET_CPU() from
      core code (in exec.c).

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: "Edgar E. Iglesias" <edgar.iglesias@xxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Michael Walle <michael@xxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Cc: Jia Liu <proljc@xxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Blue Swirl <blauwirbel@xxxxxxxxx>
      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Cc: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Guan Xuetao <gxt@xxxxxxxxxxxxxxx>
      Cc: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 3d57f7893c90d911d786cb2c622b0926fc808b57
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 19:31:17 2015 -0700

      cpu: Change tcg_cpu_exec() arg to cpu, not env

      The sole caller of this function navigates the cpu->env_ptr only for
      this function to take it back the cpu pointer straight away. Pass in
      cpu pointer instead and grab the env pointer locally in the function.
      Removes a core code usage of ENV_GET_CPU().

      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit f7ec7f7b269813603b1d64bb9833f9e711f0115c
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 19:31:16 2015 -0700

      gdbstub: Change gdbserver_fork() to accept cpu instead of env

      All callsites to this function navigate the cpu->env_ptr only for the
      function to take the env ptr back to the original cpu ptr. Change the
      function to just pass in the CPU pointer instead. Removes a core code
      usage of ENV_GET_CPU() (in gdbstub.c).

      Cc: Riku Voipio <riku.voipio@xxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit bbd77c180d7ff1b04a7661bb878939b2e1d23798
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 19:31:15 2015 -0700

      translate-all: Change tb_flush() env argument to cpu

      All of the core-code usages of this API have the cpu pointer handy so
      pass it in. There are only 3 architecture specific usages (2 of which
      are commented out) which can just use ENV_GET_CPU() locally to get the
      cpu pointer. The reduces core code usage of the CPU env, which brings
      us closer to common-obj'ing these core files.

      Cc: Riku Voipio <riku.voipio@xxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Acked-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 6dd0f8342ddfbd8db3e3de1a17686cedbc14e9f1
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 19:31:14 2015 -0700

      target-ppc: Move cpu_exec_init() call to realize function

      Move cpu_exec_init() call from instance_init to realize. This allows
      any failures from cpu_exec_init() to be handled appropriately.
      Also add corresponding cpu_exec_exit() call from unrealize.

      cpu_dt_id assignment from instance_init is no longer needed since
      correct assignment for cpu_dt_id is already present in realizefn.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      [AF: Keep calling cpu_exec_init() for CONFIG_USER_ONLY]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b7bca7333411bd19c449147e8202ae6b0e4a8e09
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 19:31:13 2015 -0700

      cpu: Convert cpu_index into a bitmap

      Currently CPUState::cpu_index is monotonically increasing and a newly
      created CPU always gets the next higher index. The next available
      index is calculated by counting the existing number of CPUs. This is
      fine as long as we only add CPUs, but there are architectures which
      are starting to support CPU removal, too. For an architecture like PowerPC
      which derives its CPU identifier (device tree ID) from cpu_index, the
      existing logic of generating cpu_index values causes problems.

      With the currently proposed method of handling vCPU removal by parking
      the vCPU fd in QEMU
      (Ref: http://lists.gnu.org/archive/html/qemu-devel/2015-02/msg02604.html),
      generating cpu_index this way will not work for PowerPC.

      This patch changes the way cpu_index is handed out by maintaining
      a bit map of the CPUs that tracks both addition and removal of CPUs.

      The CPU bitmap allocation logic is part of cpu_exec_init(), which is
      called by instance_init routines of various CPU targets. Newly added
      cpu_exec_exit() API handles the deallocation part and this routine is
      called from generic CPU instance_finalize.

      Note: This new CPU enumeration is for !CONFIG_USER_ONLY only.
      CONFIG_USER_ONLY continues to have the old enumeration logic.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      [AF: max_cpus -> MAX_CPUMASK_BITS]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 5a790cc4b942e651fec7edc597c19b637fad5a76
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 19:31:12 2015 -0700

      cpu: Add Error argument to cpu_exec_init()

      Add an Error argument to cpu_exec_init() to let users collect the
      error. This is in preparation to change the CPU enumeration logic
      in cpu_exec_init(). With the new enumeration logic, cpu_exec_init()
      can fail if cpu_index values corresponding to max_cpus have already
      been handed out.

      Since all current callers of cpu_exec_init() are from instance_init,
      use error_abort Error argument to abort in case of an error.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 291135b5da228e58900c120e12354cc0a23608e3
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Apr 27 17:00:33 2015 -0300

      cpu: Reorder cpu->as, cpu->thread_id, cpu->memory_dispatch init

      Instead of initializing cpu->as, cpu->thread_id, and reloading memory
      map while holding cpu_list_lock(), do it earlier, before locking the CPU
      list and initializing cpu_index.

      This allows the code handling cpu_index and global CPU list to be
      isolated from the rest.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 7c39163e389e6e6e16965606fb5a26abcdb6ad73
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Apr 27 17:00:32 2015 -0300

      cpu: Initialize breakpoint/watchpoint lists in cpu_common_initfn()

      One small step in the simplification of cpu_exec_init().

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 199fc85acd0571902eeefef6ea861b8ba4c8201f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Apr 27 17:00:31 2015 -0300

      cpu: No need to zero-initialize CPUState::numa_node

      QOM objects are already zero-filled when instantiated, there's no need
      to explicitly set numa_node to 0.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 5a2db89615c8efabbeca74fe5e0f14f312d3bbe3
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Thu Jul 9 10:17:15 2015 +0100

      mips/kvm: Sync with newer MIPS KVM headers

      The KVM_REG_MIPS_COUNT_* definitions are now included in
      linux-headers/asm-mips/kvm.h since commit b061808d39fa ("linux-headers:
      update linux headers to kvm/next"), therefore the duplicate definitions
      in target-mips/kvm.c can now be dropped (the definitions were tweaked
      slightly in commit 7a52ce8a1607 ("linux-headers: update") which
      triggered the following build warnings turned errors):

      target-mips/kvm.c:232:0: error: "KVM_REG_MIPS_COUNT_CTL" redefined 
[-Werror]
      linux-headers/asm/kvm.h:129:0: note: this is the location of the previous 
definition
      target-mips/kvm.c:236:0: error: "KVM_REG_MIPS_COUNT_RESUME" redefined 
[-Werror]
      linux-headers/asm/kvm.h:141:0: note: this is the location of the previous 
definition
      target-mips/kvm.c:239:0: error: "KVM_REG_MIPS_COUNT_HZ" redefined 
[-Werror]
      linux-headers/asm/kvm.h:147:0: note: this is the location of the previous 
definition

      Also update the MIPS_C0_{32,64} macros to utilise definitions more
      recently added to the asm-mips/kvm.h header.

      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Message-id: 1436433435-24898-3-git-send-email-james.hogan@xxxxxxxxxx
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: kvm@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a8f13961fdcff3a5969b9884368e875aa068f1c9
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Thu Jul 9 10:17:14 2015 +0100

      tcg/mips: Fix build error from merged memop+mmu_idx parameter

      Commit 3972ef6f830d ("tcg: Push merged memop+mmu_idx parameter to
      softmmu routines") caused the following build errors when building TCG
      for MIPS:

      In file included from tcg/tcg.c:258:0:
      tcg/mips/tcg-target.c In function â??tcg_out_qemu_ld_slow_pathâ??:
      tcg/mips/tcg-target.c:1015:22: error: â??lbâ?? undeclared (first use in 
this function)
      tcg/mips/tcg-target.c In function â??tcg_out_qemu_st_slow_pathâ??:
      tcg/mips/tcg-target.c:1058:22: error: â??lbâ?? undeclared (first use in 
this function)

      It looks like lb was meant to refer to the TCGLabelQemuLdst *l
      parameter, so fix both references to lb to refer to just l.

      Fixes: 3972ef6f830d ("tcg: Push merged memop+mmu_idx parameter to softmmu 
routines")
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Message-id: 1436433435-24898-2-git-send-email-james.hogan@xxxxxxxxxx
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d09a6fde1590ca3a45b608b6873a680f208dfeb5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 9 08:47:58 2015 +0200

      migration: fix RCU deadlock

      migration_end calls synchronize_rcu() within a critical section.
      That causes a deadlock; move the call after rcu_read_unlock().

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit acf7b7fdf31fa76b53803790917c8acf23a2badb
  Merge: c8e8428 2828a30
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 8 20:46:35 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      Bugfixes and Daniel Berrange's crypto library.

      # gpg: Signature made Wed Jul  8 12:12:29 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        ossaudio: fix memory leak
        ui: convert VNC to use generic cipher API
        block: convert qcow/qcow2 to use generic cipher API
        ui: convert VNC websockets to use crypto APIs
        block: convert quorum blockdrv to use crypto APIs
        crypto: add a nettle cipher implementation
        crypto: add a gcrypt cipher implementation
        crypto: introduce generic cipher API & built-in implementation
        crypto: move built-in D3DES implementation into crypto/
        crypto: move built-in AES implementation into crypto/
        crypto: introduce new module for computing hash digests
        vl: move rom_load_all after machine init done

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c8e84287da7dd6a46c0bb0e53190e79ba4eedf24
  Merge: d09952e 702c8c8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 8 19:44:28 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Wed Jul  8 19:08:28 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        ahci: Fix CD-ROM signature
        libqos/ahci: fix ahci_write_fis for ncq on ppc64

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 702c8c8be2f3317c81fff83f82d8a5f1d50d41b8
  Author: Hannes Reinecke <hare@xxxxxxx>
  Date:   Mon Jul 6 17:49:51 2015 -0400

      ahci: Fix CD-ROM signature

      The CD-ROM signature is 0xeb140101, not 0xeb140000.
      Without this change OVMF/Duet runs into a timeout trying
      to detect a SATA cdrom.

      Signed-off-by: Hannes Reinecke <hare@xxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1436219392-31915-2-git-send-email-jsnow@xxxxxxxxxx

  commit 9ab9993f71b7eac6788deae2fbb7ec659ceb4a1e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Jul 6 15:17:09 2015 -0400

      libqos/ahci: fix ahci_write_fis for ncq on ppc64

      Don't try to correct the endianness of NCQ commands, which do not
      use any fields wider than a single byte.

      This corrects the /x86_64/ahci/io/ncq/simple test (and others)
      for ppc64 BE hosts.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Tested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1436210229-4118-2-git-send-email-jsnow@xxxxxxxxxx

  commit d09952ee8caeea928695d5a3dc3ec50d8afb98c6
  Author: Paul Durrant <paul.durrant@xxxxxxxxxx>
  Date:   Tue Jul 7 14:32:38 2015 +0100

      Fix the compatibility typedef of ioservid_t to match the Xen headers

      There is a mismatch between the definition of ioservid_t in
      xen_common.h and the definition in the Xen public headers. This patch
      corrects the definition in xen_common.h.

      Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
      Tested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1436275958-25174-1-git-send-email-paul.durrant@xxxxxxxxxx
      Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c8232b39bb18a91cde39b8e0b60e731a4ce782b1
  Merge: 62a3864 c4fc82b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 8 13:36:19 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc,virtio,pci: fixes and updates

      Most notably, this includes the TCO support for ICH: the last feature for 
2.4
      as we are entering the hard freeze.

      Bugfixes only from now on.

      virtio pci also gained cfg access capability - arguably a bugfix
      since virtio spec makes it mandatory, but it's a big patch.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Wed Jul  8 10:40:07 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        tco-test: fix up config accesses and re-enable
        virtio fix cfg endian-ness for BE targets
        virtio-pci: implement cfg capability
        virtio: define virtio_pci_cfg_cap in header.
        pcie: Set the "link active" in the link status register
        pci_regs.h: import from linux
        virtio_net: reuse constants from linux
        hw/i386/pc: don't carry FDC from pc_basic_device_init() to 
pc_cmos_init()
        hw/i386/pc: reflect any FDC @ ioport 0x3f0 in the CMOS
        hw/i386/pc: factor out pc_cmos_init_floppy()
        ich9: implement strap SPKR pin logic
        tests: add testcase for TCO watchdog emulation
        ich9: add TCO interface emulation
        acpi: split out ICH ACPI support
        Revert "dataplane: allow virtio-1 devices"
        dataplane: fix cross-endian issues

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 62a3864eb09414d3cee94a2a592ecd414200912f
  Merge: 59dc0a1 c54e1eb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 8 12:35:14 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-07-06-v3-tag' into staging

      tag for qga-pull-2015-07-06-v3

      v3:
        - fix missing <windows.h> in configure test program.

      v2:
        - added configure check for guest-get-fs-info to avoid breakage on older
          MinGWs
        - removed extraneous include of ws2ipdef.h in w32
          guest-network-get-interfaces. ws2tcpip.h already provides those
          definitions, and older MinGWs don't have it.
        - rebased on latest master

      # gpg: Signature made Wed Jul  8 03:01:18 2015 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 
B584

      * remotes/mdroth/tags/qga-pull-2015-07-06-v3-tag:
        qga: added GuestPCIAddress information
        qga: added bus type and disk location path
        configure: add configure check for ntdddisk.h
        qga: added mountpoint and filesystem type for single volume
        qga: added empty qmp_quest_get_fsinfo functionality.
        qga: fail early for invalid time
        qga: win32 qmp_guest_network_get_interfaces implementation
        qga: add win32 library iphlpapi
        Revert "guest agent: remove g_strcmp0 usage"
        qga/qmp_guest_fstrim: Return per path fstrim result
        qga/commands-posix: Fix bug in guest-fstrim

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2828a307232ffceeddec9feb6a87ac660b68b693
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Jun 23 09:01:10 2015 +0800

      ossaudio: fix memory leak

      Variable "conf" going out of scope leaks the storage
      it points to in line 856.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1435021270-7768-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 800567a613510c77a55decac4d25fea154d1ee22
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:38 2015 +0100

      ui: convert VNC to use generic cipher API

      Switch the VNC server over to use the generic cipher API, this
      allows it to use the pluggable DES implementations, instead of
      being hardcoded to use QEMU's built-in impl.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-11-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f6fa64f6d22b0ed53fb3be5883cd9719d17cb4f0
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:37 2015 +0100

      block: convert qcow/qcow2 to use generic cipher API

      Switch the qcow/qcow2 block driver over to use the generic cipher
      API, this allows it to use the pluggable AES implementations,
      instead of being hardcoded to use QEMU's built-in impl.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-10-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8e9b0d24fb986d4241ae3b77752eca5dab4cb486
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:36 2015 +0100

      ui: convert VNC websockets to use crypto APIs

      Remove the direct use of gnutls for hash processing in the
      websockets code, in favour of using the crypto APIs. This
      allows the websockets code to be built unconditionally
      removing countless conditional checks from the VNC code.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-9-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 488981a4af396551a3178d032cc2b41d9553ada2
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:35 2015 +0100

      block: convert quorum blockdrv to use crypto APIs

      Get rid of direct use of gnutls APIs in quorum blockdrv in
      favour of using the crypto APIs. This avoids the need to
      do conditional compilation of the quorum driver. It can
      simply report an error at file open file instead if the
      required hash algorithm isn't supported by QEMU.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-8-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ed754746fea55df726f4de3dadb5bea0b6aa7409
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:34 2015 +0100

      crypto: add a nettle cipher implementation

      If we are linking to gnutls already and gnutls is built against
      nettle, then we should use nettle as a cipher backend in
      preference to our built-in backend.

      This will be used when linking against some GNUTLS 2.x versions
      and all GNUTLS 3.x versions.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-7-git-send-email-berrange@xxxxxxxxxx>
      [Change "#elif" to "#elif defined". - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 62893b67cd82bbd48b013c1cec25f0d863612c80
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:33 2015 +0100

      crypto: add a gcrypt cipher implementation

      If we are linking to gnutls already and gnutls is built against
      gcrypt, then we should use gcrypt as a cipher backend in
      preference to our built-in backend.

      This will be used when linking against GNUTLS 1.x and many
      GNUTLS 2.x versions.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-6-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ca38a4cc9e36647437b837b346a41981fb8880cd
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:32 2015 +0100

      crypto: introduce generic cipher API & built-in implementation

      Introduce a generic cipher API and an implementation of it that
      supports only the built-in AES and DES-RFB algorithms.

      The test suite checks the supported algorithms + modes to
      validate that every backend implementation is actually correctly
      complying with the specs.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-5-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c4fc82bf1ad088a84ccedf779f6aa928e4fadb5f
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 8 10:06:15 2015 +0300

      tco-test: fix up config accesses and re-enable

      The mistake that made the test fail was that it tried to
      use a BAR address as an offset for config accesses to LPC.

      Config accesses don't need a BAR, and LPC does not have one. Don't
      attempt to map it.

      With this change applied, TCO test passes, so re-enable it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1e40356ce5f6ccfa0bb57104a533c62952c560ce
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Sun Jul 5 15:08:09 2015 +0200

      virtio fix cfg endian-ness for BE targets

      address_space_rw assumes data is in target format
      and byte-swaps it if target is BE and device is LE.
      Use fixed-endian LE APIs instead.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ada434cd0b44ce984318621e4bb79e067360d737
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jul 2 14:59:49 2015 +0200

      virtio-pci: implement cfg capability

      spec says we must, so let's do it!

      Note: the implementation is incorrect for BE targets.
      Will fix with a patch on top, not a big deal now as
      the only user is seabios, used on x86 only.

      Tested-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c36f24a2045d7a002b767ce023acfd9be63df692
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jul 2 12:52:44 2015 +0200

      virtio: define virtio_pci_cfg_cap in header.

      Update virtio pci header from linux-next virtio maintainer tree.
      We already have VIRTIO_PCI_CAP_PCI_CFG, let's define the structure
      that goes with it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b2101eae63ea57b571cee4a9075a4287d24ba4a4
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Sun Jul 5 09:26:03 2015 +1000

      pcie: Set the "link active" in the link status register

      Some firmwares can test that and assume the device hasn't come
      up if that bit isn't set

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 412a82457ef54821362ba27804e24a92fce09761
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 1 11:42:18 2015 +0200

      pci_regs.h: import from linux

      It seems to make sense to import pci_regs.h from linux:
      why maintain our own?
      As a first step, move the header to standard-headers,
      and add it to the update script.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f56fc2d319b18d5e510988374929188867a5f930
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 1 11:36:57 2015 +0200

      virtio_net: reuse constants from linux

      VIRTIO_NET_F_CTRL_GUEST_OFFLOADS now appears in the
      linux header, let's reuse it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 220a8846429ac954932e16010efb07af0aba4529
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 25 15:35:07 2015 +0200

      hw/i386/pc: don't carry FDC from pc_basic_device_init() to pc_cmos_init()

      Thanks to the last patch, pc_cmos_init() doesn't need the (optional)
      board-default FDC any longer as an input parameter. Update
      pc_basic_device_init() not to hand it back to pc_init1() / pc_q35_init(),
      and update the latter not to carry the FDC to pc_cmos_init(). This
      simplifies the code.

      pc_init1() | pc_q35_init()
        pc_basic_device_init()
        pc_cmos_init()

      Cc: Jan Tomko <jtomko@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b86f46132cd86b03f9e4a1cf6295f8b416e16afa
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 25 15:35:06 2015 +0200

      hw/i386/pc: reflect any FDC @ ioport 0x3f0 in the CMOS

      With the pc-q35-2.4 machine type, if the user creates an ISA FDC manually:

        -device isa-fdc,driveA=drive-fdc0-0-0 \
        -drive file=...,if=none,id=drive-fdc0-0-0,format=raw

      then the board-default FDC will be skipped, and only the explicitly
      requested FDC will exist. qtree-wise, this is correct; however such an FDC
      is currently not registered in the CMOS, because that code is only reached
      for the board-default FDC.

      The pc_cmos_init_late() one-shot reset handler -- one-shot because the
      CMOS is not reprogrammed during warm reset -- should search for any ISA
      FDC devices, created implicitly (by board code) or explicitly, and set the
      CMOS accordingly to the ISA FDC(s) with iobase=0x3f0:

      - if there is no such FDC, report both drives absent,
      - if there is exactly one such FDC, report its drives in the CMOS,
      - if there are more than one such FDCs, then pick one (it is not specified
        which one), and print a warning about the ambiguity.

      Cc: Jan Tomko <jtomko@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reported-by: Jan Tomko <jtomko@xxxxxxxxxx>
      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7444ca4ee2382170774ae201c473270d65620d75
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 25 15:35:05 2015 +0200

      hw/i386/pc: factor out pc_cmos_init_floppy()

      Extract the pc_cmos_init_floppy() function from pc_cmos_init(). The
      function sets two RTC registers: floppy drive types (0x10), overwriting
      the earlier value in there), and REG_EQUIPMENT_BYTE (0x14), setting bits
      in the prior value.

      Cc: Jan Tomko <jtomko@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5add35bec1e249bb5345a47008c8f298d4760be4
  Author: Paulo Alcantara <pcacjr@xxxxxxxxx>
  Date:   Sun Jun 28 14:58:58 2015 -0300

      ich9: implement strap SPKR pin logic

      If the signal is sampled high, this indicates that the system is
      strapped to the "No Reboot" mode (ICH9 will disable the TCO Timer system
      reboot feature). The status of this strap is readable via the NO_REBOOT
      bit (CC: offset 0x3410:bit 5).

      The NO_REBOOT bit is set when SPKR pin on ICH9 is sampled high. This bit
      may be set or cleared by software if the strap is sampled low but may
      not override the strap when it indicates "No Reboot".

      This patch implements the logic where hardware has ability to set SPKR
      pin through a property named "noreboot" and it's sampled high by
      default.

      Signed-off-by: Paulo Alcantara <pcacjr@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 45dcdb9da632b5a5e7639707e12b1b17029c5a1e
  Author: Paulo Alcantara <pcacjr@xxxxxxxxx>
  Date:   Sun Jun 28 14:58:57 2015 -0300

      tests: add testcase for TCO watchdog emulation

      This patch adds a testcase that covers the following:
        1) TCO default values
        2) first and second TCO timeout
        3) watch and validate ticks counter through TCO_RLD register
        4) maximum supported TCO timeout (0x3ff)
        5) watchdog actions (pause/reset/shutdown/none) upon second TCO
           timeout
        6) set and get of TCO control and status bits

      MST: The test does not pass yet, so it's disabled by default.

      Signed-off-by: Paulo Alcantara <pcacjr@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c54e1eb4928d4e6762c7100d1d1ef5f08ddf922b
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 7 19:12:18 2015 -0500

      qga: added GuestPCIAddress information

      PCIAddress inforfation is obtained via SetupApi, which provides the
      information about address, bus, etc. We look throught entire device tree
      in the system and try to find device object for given volume. For this PDO
      SetupDiGetDeviceRegistryProperty is called, which reads PCI configuration
      for a given devicei if it is possible.

      This is the most convinient way for a userspace service. The lookup is
      performed for every volume available. However, this information is
      not mandatory for vss-provider.

      In order to use SetupApi we need to notify linker about it. We do not need
      to install additional libs, so we do not make separate configuration
      option to use libsetupapi.su

      SetupApi gives as the same information as kernel driver
      with IRP_MN_QUERY_INTERFACE.
      https://support.microsoft.com/en-us/kb/253232

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * stub out get_pci_info if !CONFIG_QGA_NTDDSCSI
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit a3ef3b2272d8349c932f8c440bcaa31d8518b1c0
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Tue Jun 30 13:25:22 2015 +0300

      qga: added bus type and disk location path

      According to Microsoft disk location path can be obtained via
      IOCTL_SCSI_GET_ADDRESS. Unfortunately this ioctl can not be used for all
      devices. There are certain bus types which could be obtained with this
      API. Please, refer to the following link for more details
      https://technet.microsoft.com/en-us/library/ee851589(v=ws.10).aspx

      Bus type could be obtained using IOCTL_STORAGE_QUERY_PROPERTY. Enum
      STORAGE_BUS_TYPE describes all buses supported by OS.

      Windows defines more bus types than Linux. Thus some values have been 
added
      to GuestDiskBusType.

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * fixed warning in CreateFile due to use of NULL instead of 0
      * only provide disk info when CONFIG_QGA_NTDDSCSI=y
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 50cbebb9a339f43cda2005785010361497151882
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 7 18:10:09 2015 -0500

      configure: add configure check for ntdddisk.h

      This header file provides w32 ioctl definitions for working with disk
      devices. Older versions of mingw do not expose this in a useable way,
      so add a configure check and report it via CONFIG_QGA_NTDDSCSI.

      Subsequent patches will use this macro to stub out functionality that
      relies on this in cases where it's not available.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit d2b3f390d4e4b5d9dd74ae703d365a7b75a234ea
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Tue Jun 30 13:25:21 2015 +0300

      qga: added mountpoint and filesystem type for single volume

      We should use GetVolumeXXX api to work with volumes. This will help us to
      resolve the situation with volumes without drive letter, i.e. when the
      volume is mounted as a folder. Such volume is called mounted folder.
      This volume is a regular mounted volume from all other points of view.
      The information about non mounted volume is reported as System Reserved.
      This volume is not mounted and thus it is not writable.

      GuestDiskAddressList API is not used because operations are performed with
      volumes but no with disks. This means that spanned disk will
      be counted and handled as a single volume. It is worth mentioning
      that the information about every disk in the volume can be queried
      via IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS.

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit ef0a03f23061b9994fe5b2c3a208bc9fcba0099d
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Tue Jun 30 13:25:20 2015 +0300

      qga: added empty qmp_quest_get_fsinfo functionality.

      We need qmp_quest_get_fsinfo togather with vss-provider, which works with
      volumes. The call to this function is implemented via
      FindFirst/NextVolumes. Moreover, volumes in Windows OS are filesystem 
unit,
      so it will be more effective to work with them rather with devices.

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 00d2f3707a63881a0cec8d00cbd467f9b2d8af41
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Sun Jul 5 16:28:58 2015 +0200

      qga: fail early for invalid time

      It's possible to set system time with dates after 2070, however, it's
      not possible to set the RTC. It has limitation to up to year
      2070 (1970+100). In order to keep both clock in sync and before the
      kernel complains on invalid values, bail out early.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit d6c5528b0ce91667714b8c7dabaf4fbf8a898a9c
  Author: Kirk Allan <kallan@xxxxxxxx>
  Date:   Tue Jun 2 11:41:07 2015 -0600

      qga: win32 qmp_guest_network_get_interfaces implementation

      By default, IPv4 prefixes will be derived by matching the address
      to those returned by GetAdaptersInfo.  IPv6 prefixes can not be
      matched this way due to the unpredictable order of entries.

      In Windows Vista/2008 guests and newer, both IPv4 and IPv6 prefixes
      can be retrieved from OnLinkPrefixLength.  Setting --extra-cflags
      in the build configuration to "-D_WIN32_WINNT=0x600"
      or greater makes OnLinkPrefixLength available.  Setting --extra-cflags
      is not required and if not set, the default approach to get the prefix
      will be taken.

      Signed-off-by: Kirk Allan <kallan@xxxxxxxx>
      * drop ws2ipdef.h, it's missing on old mingw, and ws2tcpip.h already
        includes it automatically on new builds
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 601e5a0618ef3238e18fc38ece55ea4260910d5f
  Author: Kirk Allan <kallan@xxxxxxxx>
  Date:   Tue Jun 2 11:41:06 2015 -0600

      qga: add win32 library iphlpapi

      Add the iphlpapi library to use APIs such as GetAdaptersInfo and
      GetAdaptersAddresses.

      Signed-off-by: Kirk Allan <kallan@xxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f300414cfe9bb9e7b86411a670b68c1aa8edbd35
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed May 27 19:53:49 2015 +0200

      Revert "guest agent: remove g_strcmp0 usage"

      Since we now require GLib 2.22+ (commit f40685c), we don't have to
      work around lack of g_strcmp0() anymore.

      This reverts commit 8f4774789947bc4bc4c8d026a289fe980d3d2ee1.

      Conflicts:
        qemu-ga.c

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit e82855d9aa4580620773b1b145ecab6ca1f2578c
  Author: Justin Ossevoort <justin@xxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 08:58:45 2015 +0200

      qga/qmp_guest_fstrim: Return per path fstrim result

      The current guest-fstrim support only returns an error if some
      mountpoint was unable to be trimmed, skipping any possible additional
      mountpoints. The result of the TRIM operation itself is also discarded.

      This change returns a per mountpoint result of the TRIM operation. If an
      error occurs on some mountpoints that error is returned and the
      guest-fstrim continue with any additional mountpoints.

      The returned values for errors, minimum and trimmed are dependant on the
      filesystem, storage stacks and kernel version.

      Signed-off-by: Justin Ossevoort <justin@xxxxxxxxxxxxxxxxx>
      * s/type/struct/ in schema type definitions
      * moved version annotation for new guest-fstrim return field to
        the field itself rather than applying to the entire command
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 73a652a1b08445e8d91e50cdbb2da50e571c61b3
  Author: Justin Ossevoort <justin@xxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 08:58:44 2015 +0200

      qga/commands-posix: Fix bug in guest-fstrim

      The FITRIM ioctl updates the fstrim_range structure it receives. This
      way the caller can determine how many bytes were trimmed. The
      guest-fstrim logic reuses the same fstrim_range for each filesystem,
      effectively limiting each filesystem to trim at most as much as the
      previous was able to trim.

      If a previous filesystem would have trimmed 0 bytes, than the next
      filesystem would report an error 'Invalid argument' because a FITRIM
      request with length 0 is not valid.

      This change resets the fstrim_range structure for each filesystem.

      Signed-off-by: Justin Ossevoort <justin@xxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 59dc0a1e9b4ccd9d8d7366fdc31acd5c1fbb240a
  Merge: 7ce0f7d cd3b29b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 23:16:42 2015 +0100

      Merge remote-tracking branch 
'remotes/agraf/tags/signed-s390-for-upstream' into staging

      Patch queue for s390 - 2015-07-07

      A few last minute fixes for 2.4. All of them are s390 TCG bug fixes.

      # gpg: Signature made Tue Jul  7 16:52:22 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-s390-for-upstream:
        tcg/s390: fix branch target change during code retranslation
        target-s390x: fix CONVERT TO BINARY (CVD, CVDY)
        target-s390x: fix EXECUTE instruction executing TRT
        target-s390x: fix MOVE LONG instruction

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7ce0f7dc87e50ebf58ac756ff6be17ec97d3ba4e
  Merge: 1a63203 6319b1d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 21:16:06 2015 +0100

      Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' 
into staging

      Patch queue for ppc - 2015-07-07

      A few last minute PPC changes for 2.4:

        - spapr: Update SLOF
        - spapr: Fix a few bugs
        - spapr: Preparation for hotplug
        - spapr: Minor code cleanups
        - linux-user: Add mftb handling
        - kvm: Enable hugepage support with memory-backend-file
        - mac99: Remove nonexistent interrupt pin (Mac OS 9 fix)

      # gpg: Signature made Tue Jul  7 16:48:41 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-ppc-for-upstream: (30 commits)
        sPAPR: Clear stale MSIx table during EEH reset
        sPAPR: Reenable EEH functionality on reboot
        sPAPR: Don't enable EEH on emulated PCI devices
        spapr-vty: Use TYPE_ definition instead of hardcoding
        spapr_vty: lookup should only return valid VTY objects
        spapr_pci: drop redundant args in spapr_[populate, create]_pci_child_dt
        spapr_pci: populate ibm,loc-code
        spapr_pci: enumerate and add PCI device tree
        xics_kvm: Don't enable KVM_CAP_IRQ_XICS if already enabled
        ppc: Update cpu_model in MachineState
        spapr: Consolidate cpu init code into a routine
        spapr: Reorganize CPU dt generation code
        cpus: Add a macro to walk CPUs in reverse
        spapr: Support ibm, lrdr-capacity device tree property
        spapr: Consider max_cpus during xics initialization
        Revert "hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 
(g_hash_table_iter_*)"
        spapr_iommu: translate sPAPRTCEAccess to IOMMUAccessFlags
        spapr_iommu: drop erroneous check in h_put_tce_indirect()
        spapr_pci: set device node unit address as hex
        spapr_pci: encode class code including Prog IF register
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1a632032d1ea09a09dc424ac2b10a4a11cd52ab9
  Merge: 30c6672 06ef227
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 20:12:55 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-07-07

      Patch "target-i386: emulate CPUID level of real hardware" was removed 
after the
      2015-07-03 pull request.

      # gpg: Signature made Tue Jul  7 15:46:23 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: avoid overflow in the tsc-frequency property
        i386: Introduce ARAT CPU feature

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 30c6672aa4b4bc9bdba3a7e46c49bba191660143
  Merge: 9861b71 9703116
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 19:12:45 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      Pull request

      v2:
       * Drop block/nfs patch since it exposes an unfinished QAPI interface 
[kwolf]

      # gpg: Signature made Tue Jul  7 14:29:47 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        blockjob: add block_job_release function
        block/raw-posix: Don't think /dev/fd/<NN> is a floppy drive.
        block: Use bdrv_drain to replace uncessary bdrv_drain_all
        block: Initialize local_err in bdrv_append_temp_snapshot
        block: update bdrv_drain_all()/bdrv_drain() comments
        qcow2: remove unnecessary check

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9861b71fd63f04175fddd1e93a417bae4a7808d7
  Merge: f2562fb dd63169
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 17:19:59 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150707' into staging

      migration/next for 20150707

      # gpg: Signature made Tue Jul  7 13:56:30 2015 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150707: (28 commits)
        migration: extend migration_bitmap
        migration: protect migration_bitmap
        check_section_footers: Check the correct section_id
        migration: Add migration events on target side
        migration: Make events a capability
        migration: create migration event
        migration: No need to call trace_migrate_set_state()
        migration: Use always helper to set state
        migration: ensure we start in NONE state
        migration: Use cmpxchg correctly
        migration: Add configuration section
        vmstate: Create optional sections
        global_state: Make section optional
        migration: create new section to store global state
        runstate: migration allows more transitions now
        runstate: Add runstate store
        Fix older machine type compatibility on power with section footers
        Fail more cleanly in mismatched RAM cases
        Sanity check RDMA remote data
        Sort destination RAMBlocks to be the same as the source
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cd3b29b745b0ff393b2d37317837bc726b8dacc8
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Tue Jun 16 07:11:41 2015 +0200

      tcg/s390: fix branch target change during code retranslation

      Make sure to not modify the branch target. This ensure that the
      branch target is not corrupted during partial retranslation.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Tested-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 92f2b4e71e988ad2751c71717e9fe3387753442a
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 25 21:16:58 2015 +0200

      target-s390x: fix CONVERT TO BINARY (CVD, CVDY)

      current_number being shift left by more than 32 bits, we can't use a
      simple int. Similarly use an int64_t type for the input binary value,
      to not get the -2^31 case wrong. Finally don't initialize shift to 4,
      it's already done in the for loop.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c9c19b493286db7358f9ee26401b927bbbd21604
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jun 21 18:51:08 2015 +0200

      target-s390x: fix EXECUTE instruction executing TRT

      A break is missing in the EXECUTE instruction, when executing the
      TRANSLATE AND TEST instruction.

      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-By: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit b5edcddda31b464e73cc0a79e88457e603c3b247
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Tue Jun 16 22:57:47 2015 +0200

      target-s390x: fix MOVE LONG instruction

      The MOVE LONG instruction should pad the destination operand with the
      byte from bit positions 32-39 of the source length (r2 + 1), not with
      the same byte in the source address.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 6319b1dad04e66f450fb3ac6c31d2bf3940068b8
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:28 2015 +1000

      sPAPR: Clear stale MSIx table during EEH reset

      The PCI device MSIx table is cleaned out in hardware after EEH PE
      reset. However, we still hold the stale MSIx entries in QEMU, which
      should be cleared accordingly. Otherwise, we will run into another
      (recursive) EEH error and the PCI devices contained in the PE have
      to be offlined exceptionally.

      The patch introduces function spapr_phb_vfio_eeh_pre_reset(), which
      is called by sPAPR when asserting hot or fundamental reset, to clear
      stale MSIx table for VFIO PCI devices before EEH PE reset so that
      MSIx table could be restored properly after EEH PE reset.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit aef87d1b879416909a4ac73e6fe2cea4a5630f40
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:27 2015 +1000

      sPAPR: Reenable EEH functionality on reboot

      When rebooting the guest, some PEs might be in frozen state. The
      contained PCI devices won't work properly if their frozen states
      aren't cleared in time. One case running into this situation would
      be maximal EEH error times encountered in the guest.

      The patch reenables the EEH functinality on PEs on PHB's reset
      callback, which will clear their frozen states if needed.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7cb180079e245024cf92ca218ca58858b679a7d6
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:26 2015 +1000

      sPAPR: Don't enable EEH on emulated PCI devices

      There might have emulated PCI devices, together with VFIO PCI
      devices under one PHB. The EEH capability shouldn't enabled
      on emulated PCI devices.

      The patch returns error when enabling EEH capability on emulated
      PCI devices by RTAS call "ibm,set-eeh-option".

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit e275934d2dd44e38e0c6d53f9c22383d2ba57c17
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:25 2015 +1000

      spapr-vty: Use TYPE_ definition instead of hardcoding

      There's a call to object_dynamic_cast() in spapr_vty which uses the type
      name "spapr-vty" directly, instead of the usual idiom of using the 
#defined
      TYPE_VIO_SPAPR_VTY_DEVICE.  Fix it.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 0f888bfaddfc5f55b0d82cde2e1164658a672375
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:24 2015 +1000

      spapr_vty: lookup should only return valid VTY objects

      If a guest passes the reg property of a valid VIO object that is not a VTY
      to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast
      assertion and aborts.

      PAPR+ says "Hypervisor checks the termno parameter for validity against 
the
      Vterm IOA unit addresses assigned to the partition, else return 
H_Parameter."

      This patch adds a type check to ensure vty_lookup() either returns a 
pointer
      to a valid VTY object or NULL.  H_GET_TERM_CHAR and H_PUT_TERM_CHAR will
      now return H_PARAMETER to the guest instead of crashing.

      The patch has no effect on the reg == 0 hack used to implement the RTAS 
call
      display-character.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit e634b89c6ed2309814de7a89bd7c5ced96f59291
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:23 2015 +1000

      spapr_pci: drop redundant args in spapr_[populate, create]_pci_child_dt

      * phb_index is not being used and if required can be obtained from sphb
      * use helper to get drc_index in spapr_populate_pci_child_dt()
      * Check if drc_index is zero

      Suggested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 16b0ea1d852873cf17630133d86df6a68e23f38c
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:22 2015 +1000

      spapr_pci: populate ibm,loc-code

      Each hardware instance has a platform unique location code.  The OF
      device tree that describes a part of a hardware entity must include
      the â??ibm,loc-codeâ?? property with a value that represents the location
      code for that hardware entity.

      Populate ibm,loc-code.

      1) PCI passthru devices need to identify with its own ibm,loc-code
         available on the host. In failure cases use:
         vfio_<name>:<phb-index>:<bus>:<slot>.<fn>

      2) Emulated devices encode as following:
         qemu_<name>:<phb-index>:<bus>:<slot>.<fn>

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1d2d974244c6f1629ca83f1de293eaa557634627
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:21 2015 +1000

      spapr_pci: enumerate and add PCI device tree

      All the PCI enumeration and device node creation was off-loaded to
      SLOF. With PCI hotplug support, code needed to be added to add device
      node. This creates multiple copy of the code one in SLOF and other in
      hotplug code. To unify this, the patch adds the pci device node
      creation in Qemu. For backward compatibility, a flag
      "qemu,phb-enumerated" is added to the phb, suggesting to SLOF to not
      do device node creation.

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      [ Squashed Michael's drc_index changes ]
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a45863bda90daa8ec39e5a312b9734fd4665b016
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:20 2015 +1000

      xics_kvm: Don't enable KVM_CAP_IRQ_XICS if already enabled

      When supporting CPU hot removal by parking the vCPU fd and reusing
      it during hotplug again, there can be cases where we try to reenable
      KVM_CAP_IRQ_XICS CAP for the vCPU for which it was already enabled.
      Introduce a boolean member in ICPState to track this and don't
      reenable the CAP if it was already enabled earlier.

      Re-enabling this CAP should ideally work, but currently it results in
      kernel trying to create and associate ICP with this vCPU and that
      fails since there is already an ICP associated with it. Hence this
      patch is needed to work around this problem in the kernel.

      This change allows CPU hot removal to work for sPAPR.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 19fb2c36e2475a2c68e7287e0e089d858dd7cc50
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:19 2015 +1000

      ppc: Update cpu_model in MachineState

      Keep cpu_model field in MachineState uptodate so that it can be used
      from the CPU hotplug path.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit bab99ea09897fb65255cc4e147d87c077fafcfe6
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:18 2015 +1000

      spapr: Consolidate cpu init code into a routine

      Factor out bits of sPAPR specific CPU initialization code into
      a separate routine so that it can be called from CPU hotplug
      path too.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 0da6f3fef9ae52127c14dfad1fdf1781e33ec5ec
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:17 2015 +1000

      spapr: Reorganize CPU dt generation code

      Reorganize CPU device tree generation code so that it be reused from
      hotplug path. CPU dt entries are now generated from spapr_finalize_fdt()
      instead of spapr_create_fdt_skel().

      Note: This is how the split-up looks like now:

      Boot path
      ---------
      spapr_finalize_fdt
       spapr_populate_cpus_dt_node
        spapr_populate_cpu_dt
         spapr_fixup_cpu_numa_dt
         spapr_fixup_cpu_smt_dt

      ibm,cas path
      ------------
      spapr_h_cas_compose_response
       spapr_fixup_cpu_dt
        spapr_fixup_cpu_numa_dt
        spapr_fixup_cpu_smt_dt

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 8487d1231830917099c801e4f2f0e698e8535063
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:16 2015 +1000

      cpus: Add a macro to walk CPUs in reverse

      Add CPU_FOREACH_REVERSE that walks CPUs in reverse.

      Needed for PowerPC CPU device tree reorganization.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit db4ef288f4a6d285b39dc8ac477092d76971a300
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:15 2015 +1000

      spapr: Support ibm, lrdr-capacity device tree property

      Add support for ibm,lrdr-capacity since this is needed by the guest
      kernel to know about the possible hot-pluggable CPUs and Memory. With
      this, pseries kernels will start reporting correct maxcpus in
      /sys/devices/system/cpu/possible.

      Also define the minimum hotpluggable memory size as 256MB.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      [agraf: Fix compile error on 32bit hosts]
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9e734e3deefd460188ea9bd107b65a528ccb7255
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:14 2015 +1000

      spapr: Consider max_cpus during xics initialization

      Use max_cpus instead of smp_cpus when intializating xics system. Also
      report max_cpus in ibm,interrupt-server-ranges device tree property of
      interrupt controller node.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 708414f03c3bebbd7ba8e4e98fb92602d2af8d0c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Jul 2 16:23:13 2015 +1000

      Revert "hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 
(g_hash_table_iter_*)"

      Since we now require GLib 2.22+ (commit f40685c), we don't have to
      work around lack of g_hash_table_iter_init() & friends anymore.

      This reverts commit f8833a37c0c6b22ddd57b45e48cfb0f97dbd5af4.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 5709af3b9520c6912fc909128ae284512b127600
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:12 2015 +1000

      spapr_iommu: translate sPAPRTCEAccess to IOMMUAccessFlags

      The fact that these enums have matching values is pure coincidence. We
      actually need to translate from the PAPR definition to the QEMU one.

      This patch doesn't fix any bug, it is only code cleanup.

      Suggested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4d9ab7d4ed46c63d047862d11946996005742a09
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:11 2015 +1000

      spapr_iommu: drop erroneous check in h_put_tce_indirect()

      The tce_list variable is not a TCE but the address to a TCE: we shouldn't
      clear permission bits as we do now. And this is dead code anyway since we
      check tce_list is 4K aligned a few lines above.

      This patch doesn't fix any bug, it is only code cleanup.

      Suggested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9b7d9284c3b114112a7759ce0a885df0767fe8d9
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:10 2015 +1000

      spapr_pci: set device node unit address as hex

      Device node names should encode the unit address as hex, while the
      code was encodind it as integers.

      Also, use FDT_NAME_MAX macro for allocating and composing the name.

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4a7c34741584e91aa838a9e45b8ec5cdc65a343b
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:09 2015 +1000

      spapr_pci: encode class code including Prog IF register

      Current code missed the Prog IF register. All Class Code, Subclass,
      and Prog IF registers are needed to identify the accurate device type.

      For example: USB controllers use the PROG IF for denoting: USB
      FullSpeed, HighSpeed or SuperSpeed.

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 72187935b475454792512d44782a33f112b120e6
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:08 2015 +1000

      spapr_pci: encode missing 64-bit memory address space

      The properties reg/assigned-resources need to encode 64-bit memory
      address space as part of phys.hi dword.

        00 if configuration space
        01 if IO region,
        10 if 32-bit MEM region
        11 if 64-bit MEM region

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 183930c0d753e53d22c27d573b1803b04f8d68ac
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:07 2015 +1000

      spapr: Add sPAPRMachineClass

      Currently although we have an sPAPRMachineState descended from 
MachineState
      we don't have an sPAPRMAchineClass descended from MachineClass.  So far it
      hasn't been needed, but several upcoming features are going to want it,
      so this patch creates a stub implementation.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1b71890729953825c57d52ace48a7671c295e899
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:06 2015 +1000

      spapr: Remove obsolete entry_point field from sPAPRMachineState

      The sPAPRMachineState structure includes an entry_point field containing
      the initial PC value for starting the machine, even though this always has
      the value 0x100.

      I think this is a hangover from very early versions which bypassed the
      firmware when using -kernel.  In any case it has no function now, so 
remove
      it.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit fb16499418aa7d71d2a4f2e3d79de444c4d054c0
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:05 2015 +1000

      spapr: Remove obsolete ram_limit field from sPAPRMachineState

      The ram_limit field was imported from sPAPREnvironment where it predates
      the machine's ram size being available generically from machine->ram_size.

      Worse, the existing code was inconsistent about where it got the ram size
      from.  Sometimes it used spapr->ram_limit, sometimes the global 'ram_size'
      and sometimes a local 'ram_size' masking the global.

      This cleans up the code to consistently use machine->ram_size, eliminating
      spapr->ram_limit in the process.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 28e0204254c3f03e77106056a3a5730c4b8a2ac6
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:04 2015 +1000

      spapr: Merge sPAPREnvironment into sPAPRMachineState

      The code for -machine pseries maintains a global sPAPREnvironment 
structure
      which keeps track of general state information about the guest platform.
      This predates the existence of the MachineState structure, but performs
      basically the same function.

      Now that we have the generic MachineState, fold sPAPREnvironment into
      sPAPRMachineState, the pseries specific subclass of MachineState.

      This is mostly a matter of search and replace, although a few places which
      relied on the global spapr variable are changed to find the structure via
      qdev_get_machine().

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 780184aae65d72378737e9cdb8fb61b0121e1e21
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu Jul 2 16:23:03 2015 +1000

      pseries: Update SLOF firmware image to qemu-slof-20150429

      The changelog is:
        > version: update to 20150429
        > pci: Use QEMU created PCI device nodes
        > usb: support 64-bit pci bars
        > pci: Support 64-bit address translation
        > pci: program correct bridge limit registers during probe
        > scsi: handle report-luns failure
        > Fix "key?" Forth word when using USB keyboards
        > Remove bulk.fs package
        > Include make.rules in the library Makefiles

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f303f117fec32c0705f88860e3eadf94135211c9
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:02 2015 +1000

      spapr: ensure we have at least one XICS server

      XICS needs to know the upper value for cpu_index as it is used to compute
      the number of servers:

          smp_cpus * kvmppc_smt_threads() / smp_threads

      When passing -smp cpus=1,threads=9 on a POWER8 host, we end up with:

          1 * 8 / 9 = 0

      ... which leads to an assertion in both emulated:

      Number of servers needs to be greater 0
      Aborted (core dumped)

      ... and in-kernel XICS:

      xics_kvm_realize: Assertion `icp->nr_servers' failed.
      Aborted (core dumped)

      With this patch, we are sure that nr_servers > 0. Passing the same bogus
      -smp option then leads to:

      qemu-system-ppc64: Cannot support more than 8 threads on PPC with KVM

      ... which is a lot more explicit than the XICS errors.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2d103aae876518a91636ad6f4a4d866269c0d953
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 15:46:14 2015 -0500

      target-ppc: fix hugepage support when using memory-backend-file

      Current PPC code relies on -mem-path being used in order for
      hugepage support to be detected. With the introduction of
      MemoryBackendFile we can now handle this via:
        -object memory-file-backend,mem-path=...,id=hugemem0 \
        -numa node,id=mem0,memdev=hugemem0

      Management tools like libvirt treat the 2 approaches as
      interchangeable in some cases, which can lead to user-visible
      regressions even for previously supported guest configurations.

      Fix these by also iterating through any configured memory
      backends that may be backed by hugepages.

      Since the old code assumed hugepages always backed the entirety
      of guest memory, play it safe an pick the minimum across the
      max pages sizes for all backends, even ones that aren't backed
      by hugepages.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 5c464f66f5696724c892339de242fac41f4d57a6
  Author: Cormac O'Brien <i.am.cormac.obrien@xxxxxxxxx>
  Date:   Wed Jun 17 17:04:11 2015 -0500

      macio: remove nonexistent interrupt on pin 1

      The current macio implementation declares an interrupt that doesn't 
appear to
      exist in the hardware or any other emulator implementation. OpenBIOS 
detects
      this interrupt and generates an 'interrupts' property in the macio device 
tree
      entry. Mac OS 9 halts boot when it detects this interrupt, so it has been
      removed to permit further progress in the boot process.

      Signed-off-by: Cormac O'Brien <i.am.cormac.obrien@xxxxxxxxx>
      Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7d6b1daedd00b35e50ce87ea835f662b36a23160
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Tue Jun 30 11:49:54 2015 +0200

      linux-user, ppc: mftbl can be used by user application

      In qemu-linux-user, when calling gethostbyname2(),
      it was hanging in .__res_nmkquery.

      (gdb) bt
      0 in .__res_nmkquery () from /lib64/libresolv.so.2
      1 in .__libc_res_nquery () from /lib64/libresolv.so.2
      2 in .__libc_res_nsearch () from /lib64/libresolv.so.2
      3 in ._nss_dns_gethostbyname3_r () from /lib64/libnss_dns.so.2
      4 in ._nss_dns_gethostbyname2_r () from /lib64/libnss_dns.so.2
      5 in .gethostbyname2_r () from /lib64/libc.so.6
      6 in .gethostbyname2 () from /lib64/libc.so.6

      .__res_nmkquery() is:

      ...
      do { RANDOM_BITS (randombits); } while ((randombits & 0xffff) == 0);
      ...

      <.__res_nmkquery+112>:    mftbl   r11
      <.__res_nmkquery+116>:    clrlwi  r10,r11,16
      <.__res_nmkquery+120>:    cmpwi   cr7,r10,0
      <.__res_nmkquery+124>:    beq     cr7,<.__res_nmkquery+112>

      but as mftbl (Move From Time Base Lower) is not implemented,
      r11 is always 0, so we have an infinite loop.

      This patch fills the Time Base register with cpu_get_real_ticks().

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f2562fbb7ac54d597cfe05f613d30296d1850d1b
  Merge: aeb7218 849729b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 15:48:49 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Tue Jul  7 13:38:13 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        rocker: tests: don't need to specify master/self when setting vlans
        rocker: mark copy-to-cpu pkts as forwarding offloaded
        rocker: return -1 when dropping packet on ingress
        rocker: fix missing break statements
        rocker: fix misplaced break statement
        rocker: don't queue receive pkts when port is disabled
        vmxnet3: Fix incorrect small packet padding
        e1000: flush packets when link comes up
        rocker: fix memory leak

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06ef227e5158cca6710e6c268d6a7f65a5e2811b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 24 14:11:27 2015 +0200

      target-i386: avoid overflow in the tsc-frequency property

      The TSC frequency fits comfortably in an int when expressed in kHz,
      but it may overflow when converted to Hz.  In this case,
      tsc-frequency returns a negative value because x86_cpuid_get_tsc_freq
      does a 32-bit multiplication before assigning to int64_t.

      For simplicity just make tsc_khz a 64-bit value.

      Spotted by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 28b8e4d0bf93ba176b4b7be819d537383c5a9060
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sun Jun 7 11:15:08 2015 +0200

      i386: Introduce ARAT CPU feature

      ARAT signals that the APIC timer does not stop in power saving states.
      As our APICs are emulated, it's fine to expose this feature to guests,
      at least when asking for KVM host features or with CPU types that
      include the flag. The exact model number that introduced the feature is
      not known, but reports can be found that it's at least available since
      Sandy Bridge.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit aeb72188e073d515e1f5a80f6b603692a396477b
  Merge: 1452673 501eea4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 14:44:19 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150707-1' 
into staging

      virtio-gpu property fixes, add testcase

      # gpg: Signature made Tue Jul  7 10:24:16 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20150707-1:
        virtio-gpu: add to display-vga test
        virtio-gpu: use virtio_instance_init_common, fixup properties
        virtio-gpu: update console device property.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 970311646a701eecb103eb28093e8924d2fa6861
  Author: Ting Wang <kathy.wangting@xxxxxxxxxx>
  Date:   Fri Jun 26 17:37:35 2015 +0800

      blockjob: add block_job_release function

      There is job resource leak in function mirror_start_job,
      although bdrv_create_dirty_bitmap is unlikely failed.
      Add block_job_release for each release when needed.

      Signed-off-by: Ting Wang <kathy.wangting@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1435311455-56048-1-git-send-email-kathy.wangting@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 25d9747b6427de8253221d544b45e50888d4cef7
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Wed Jul 1 15:40:14 2015 +0100

      block/raw-posix: Don't think /dev/fd/<NN> is a floppy drive.

      In libguestfs we use /dev/fd/<NN> to pass pre-opened file descriptors
      to qemu-img.  Lately I've discovered that although this works, qemu
      believes that these are floppy disk images.  That in itself isn't much
      of a problem, but now qemu prints a warning about host floppy
      pass-thru being deprecated.

      Extend the existing test so that it ignores /dev/fd/ as well as
      /dev/fdset/

      A simple test of this, if you are using the bash shell, is:

        qemu-img info <( cat /dev/null )

      without this patch:

        $ qemu-img info <( cat /dev/null )
        qemu-img: Host floppy pass-through is deprecated
        Support for it will be removed in a future release.
        qemu-img: Could not open '/dev/fd/63': Could not refresh total sector 
count: Illegal seek

      with this patch:

        $ qemu-img info <( cat /dev/null )
        qemu-img: Could not open '/dev/fd/63': Could not refresh total sector 
count: Illegal seek

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1435761614-31358-1-git-send-email-rjones@xxxxxxxxxx
      Fixes: https://bugs.launchpad.net/qemu/+bug/1470536
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 53ec73e264f481b79b52efcadc9ceb8f8996975c
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 29 18:53:14 2015 +0800

      block: Use bdrv_drain to replace uncessary bdrv_drain_all

      There callers work on a single BlockDriverState subtree, where using
      bdrv_drain() is more accurate.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c2e0dbbfd7265eb9a7170ab195d8f9f8a1cbd1af
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jul 6 12:24:44 2015 +0800

      block: Initialize local_err in bdrv_append_temp_snapshot

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1436156684-16526-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dd63169766abd2b8dc33f4451dac5e778458a47c
  Author: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
  Date:   Thu Jul 2 20:18:06 2015 +0800

      migration: extend migration_bitmap

      Prevously, if we hotplug a device(e.g. device_add e1000) during
      migration is processing in source side, qemu will add a new ram
      block but migration_bitmap is not extended.
      In this case, migration_bitmap will overflow and lead qemu abort
      unexpectedly.

      Signed-off-by: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2ff64038a59e8de2baa485806be0838f49f70b79
  Author: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
  Date:   Thu Jul 2 20:18:05 2015 +0800

      migration: protect migration_bitmap

      Signed-off-by: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 59f39a47411ab6007a592555dc639aa9753f8d23
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jul 2 09:22:03 2015 +0100

      check_section_footers: Check the correct section_id

      The section footers check was incorrectly checking the section_id
      in the SaveStateEntry not the LoadStateEntry.  These can validly be 
different
      if the two QEMU instances have instantiated their devices in a
      different order.  The test only cares that we're finishing the same
      section we started, and hence it's the LoadStateEntry that we care about.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reported-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7cf1fe6d68eb2ad3b77e2a89f097354db5d627e2
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 20 17:15:42 2015 +0200

      migration: Add migration events on target side

      We reuse the migration events from the source side, sending them on the
      appropiate place.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit b05dc72342b27585909d9e99d95d17fd3dfbb269
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Jul 7 14:44:05 2015 +0200

      migration: Make events a capability

      Make check fails with events.  THis is due to the parser/lexer that it
      uses.  Just in case that they are more broken parsers, just only send
      events when there are capabilities.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 598cd2bda0845096d2f06500e45b4d0d399b384a
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 20 12:16:15 2015 +0200

      migration: create migration event

      We have one argument that tells us what event has happened.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f2bb932491185a39922dff0514c4b08c092f3c35
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jun 17 01:38:25 2015 +0200

      migration: No need to call trace_migrate_set_state()

      We now use the helper everywhere, so no need to call this on this two
      places.  See on previous commit that there were a place where we missed
      to mark the trace.  Now all tracing is done in migrate_set_state().

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 7844337d1efb2c47dc3f306d7621e1cafca8ba67
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jun 17 01:36:40 2015 +0200

      migration: Use always helper to set state

      There were three places that were not using the migrate_set_state()
      helper, just fix that.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 656a233440e552230f9d1da016b94a81b86658dc
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 1 09:32:29 2015 +0200

      migration: ensure we start in NONE state

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit a5c17b5f68ff7e37ce6e6e1f5457307fe07629e7
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jun 17 02:06:20 2015 +0200

      migration: Use cmpxchg correctly

      cmpxchg returns the old value

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 61964c23e5ddd5a33f15699e45ce126f879e3e33
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 13 18:17:43 2015 +0200

      migration: Add configuration section

      It needs to be the first one and it is not optional, that is the reason
      why it is opencoded.  For new machine types, it is required that machine
      type name is the same in both sides.

      It is just done right now for pc's.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit df8961522a3d6bc7bb60c2830ef59e7c6c67a928
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 15 09:39:14 2014 +0200

      vmstate: Create optional sections

      To make sections optional, we need to do it at the beggining of the code.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 13d16814d2058f10461e6987c8216950389c1310
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 8 13:58:24 2014 +0200

      global_state: Make section optional

      This section would be sent:

      a- for all new machine types
      b- for old machine types if section state is different form 
{running,paused}
         that were the only giving us troubles.

      So, in new qemus: it is alwasy there.  In old qemus: they are only
      there if it an error has happened, basically stoping on target.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit df4b1024526cae3479da3492d6371fd4a7324a03
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 8 10:58:10 2014 +0200

      migration: create new section to store global state

      This includes a new section that for now just stores the current qemu 
state.

      Right now, there are only one way to control what is the state of the
      target after migration.

      - If you run the target qemu with -S, it would start stopped.
      - If you run the target qemu without -S, it would run just after 
migration finishes.

      The problem here is what happens if we start the target without -S and
      there happens one error during migration that puts current state as
      -EIO.  Migration would ends (notice that the error happend doing block
      IO, network IO, i.e. nothing related with migration), and when
      migration finish, we would just "continue" running on destination,
      probably hanging the guest/corruption data, whatever.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit ca3fc39ea9045188e37b84c4f92ee79c7ed4b1c3
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 8 12:47:08 2014 +0200

      runstate: migration allows more transitions now

      Next commit would allow to move from incoming migration to error 
happening on source.

      Should we add more states to this transition?  Luiz?

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 5e0f1940caf49f56e3bee123aa92e42a3f7fad20
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 8 11:53:22 2014 +0200

      runstate: Add runstate store

      This allows us to store the current state to send it through migration.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit ff14e817f6c5f110b77e22185b256a17a96aa881
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri Jun 12 18:37:52 2015 +0100

      Fix older machine type compatibility on power with section footers

      I forgot to add compatibility for Power when adding section footers.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

      Fixes: 37fb569c0198cba58e3e
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit ef4b722d19cab845eaa0d1f912018b09a9d8288b
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:28 2015 +0100

      Fail more cleanly in mismatched RAM cases

      If the number of RAMBlocks was different on the source from the
      destination, QEMU would hang waiting for a disconnect on the source
      and wouldn't release from that hang until the destination was manually
      killed.

      Mark the stream as being in error, this causes the destination to die
      and the source to carry on.

      (It still gets a whole bunch of warnings on the destination, and I've
      not managed to complete another migration after the 1st one, still
      progress).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit afcddefdbe75d0c20bf6e11b5512ba768ce0700c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:27 2015 +0100

      Sanity check RDMA remote data

      Perform some basic (but probably not complete) sanity checking on
      requests from the RDMA source.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e4d633207c129dc5b7d145240ac4a1997ef3902f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:26 2015 +0100

      Sort destination RAMBlocks to be the same as the source

      Use the order of incoming RAMBlocks from the source to record
      an index number; that then allows us to sort the destination
      local RAMBlock list to match the source.

      Now that the RAMBlocks are known to be in the same order, this
      simplifies the RDMA Registration step which previously tried to
      match RAMBlocks based on offset (which isn't guaranteed to match).

      Looking at the existing compress code, I think it was erroneously
      relying on an assumption of matching ordering, which this fixes.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 760ff4bebc86d08b252809e0da7261c986d022ff
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:25 2015 +0100

      Rework ram block hash

      RDMA uses a hash from block offset->RAM Block; this isn't needed
      on the destination, and it becomes harder to maintain after the next
      patch in the series that sorts the block list.

      Split the hash so that it's only generated on the source.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 03fcab38617ac9bcd6ed28cb1b6a0ecd8fb3bc82
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:24 2015 +0100

      Allow rdma_delete_block to work without the hash

      In the next patch we remove the hash on the destination,
      rdma_delete_block does two things with the hash which can be avoided:
        a) The caller passes the offset and rdma_delete_block looks it up
           in the hash; fixed by getting the caller to pass the block
        b) The hash gets recreated after deletion; fixed by making that
           conditional on the hash being initialised.

      While this function is currently only used during cleanup, Michael
      asked that we keep it general for future dynamic block registration
      work.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 632e3a5cd812d6bbd38fd2f3ffc189ff5ea51926
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:23 2015 +0100

      Rework ram_control_load_hook to hook during block load

      We need the names of RAMBlocks as they're loaded for RDMA,
      reuse a slightly modified ram_control_load_hook:
        a) Pass a 'data' parameter to use for the name in the block-reg
           case
        b) Only some hook types now require the presence of a hook function.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit b12f7777981953b7d939496283014740bdd6de64
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:22 2015 +0100

      Translate offsets to destination address space

      The 'offset' field in RDMACompress and 'current_addr' field
      in RDMARegister are commented as being offsets within a particular
      RAMBlock, however they appear to actually be offsets within the
      ram_addr_t space.

      The code currently assumes that the offsets on the source/destination
      match, this change removes the need for the assumption for these
      structures by translating the addresses into the ram_addr_t space of
      the destination host.

      Note: An alternative would be to change the fields to actually
      take the data they're commented for; this would potentially be
      simpler but would break stream compatibility for those cases
      that currently work.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4fb5364b9096d6110c46604dbf1e19b7e766e757
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:21 2015 +0100

      Store block name in local blocks structure

      In a later patch the block name will be used to match up two views
      of the block list.  Keep a copy of the block name with the local block
      list.

      (At some point it could be argued that it would be best just to let
      migration see the innards of RAMBlock and avoid the need to use
      foreach).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 24ec68ef84fdacd5dddb83f3b341165c4815e6d6
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:20 2015 +0100

      rdma typos

      A couple of typo fixes.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1aca9a5f7d5a1ef9ee0233eac0fccc77ea6f0626
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue Jun 23 17:34:35 2015 +0100

      Only try and read a VMDescription if it should be there

      The VMDescription section maybe after the EOF mark, the current code
      does a 'qemu_get_byte' and either gets the header byte identifying the
      description or an error (which it ignores).  Doing the 'get' upsets
      RDMA which hangs on old machine types without the VMDescription.

      Just avoid reading the VMDescription if we wouldn't send it.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 728470bea15b11ba7b3e3db54f0d9939908e0e65
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Jun 23 15:56:38 2015 +0800

      rdma: fix memory leak

      Variable "r" going out of scope leaks the storage
      it points to in line 3268.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 849729bb796e0ecbb3f370f119682f2821dd1441
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:12 2015 -0700

      rocker: tests: don't need to specify master/self when setting vlans

      4.1 Linux kernel doesn't require specifying "master" or "self" when 
setting
      vlans on a port, so clean these up from the tests that use vlans.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Message-id: 1435746792-41278-6-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d0d2555852c5e684a97dce787d3c2a65b9a6d64c
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:11 2015 -0700

      rocker: mark copy-to-cpu pkts as forwarding offloaded

      For pkts copied to the CPU (to be processed by guest driver), mark the Rx
      descriptor with flag "OFFLOAD_FWD" to indicate device has already 
forwarded
      pkt.  The guest driver will use this indicator to avoid duplicate
      forwarding in the guest OS.

      Examples include bcast/mcast/unknown ucast pkts flooded to bridged ports.
      We want to avoid both the device and the guest bridge driver flooding 
these
      pkts, which would result in duplicates pkts on the wire.  Packet sampling,
      such as sFlow, can also use this technique to mark pkts for the guest OS 
to
      record but otherwise drop.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Message-id: 1435746792-41278-5-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 96497af0afd60e57749316f1bc196b417055c585
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:10 2015 -0700

      rocker: return -1 when dropping packet on ingress

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Message-id: 1435746792-41278-4-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f211fcd75fec96ec9850885622ed028c6f7ebdf4
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:09 2015 -0700

      rocker: fix missing break statements

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1435746792-41278-3-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d1a88c96b7f94c8e12c07518f55fce8873e814d0
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:08 2015 -0700

      rocker: fix misplaced break statement

      Premature break in switch case block.  This particular case (group L2 
rewrite)
      will be used for L2 LAG and L3 ECMP support, neither of which are enabled 
in
      the guest driver at this time, but are under development.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1435746792-41278-2-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 66851f640b73a5a84160ee6ab19ab429f68bbb9f
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Tue Jun 30 19:25:53 2015 -0700

      rocker: don't queue receive pkts when port is disabled

      Commit 6e99c63 ("net/socket: Drop net_socket_can_send") changed the
      semantics around .can_receive for sockets to now require the device to
      flush queued pkts when transitioning to a .can_receive=true state.  Rocker
      device was not flushing the queue on .can_receive=true transition, so the
      receiver was stuck.

      But, turns out we really don't want any queuing at all on the port when 
the
      port is disabled, otherwise when the port transitions to enabled, we'd
      receive and forward stale pkts that really should have been dropped.  So,
      let's remove .can_receive so avoid queuing and drop the pkt in .receive if
      the port is disabled.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435717553-36187-1-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b83b5f2ef9753713c2fb64ff4cae7cb1e080624e
  Author: Brian Kress <kressb@xxxxxxxxx>
  Date:   Tue Jun 23 11:49:25 2015 -0400

      vmxnet3: Fix incorrect small packet padding

      When running ESXi under qemu there is an issue with the ESXi guest
      discarding packets that are too short.  The guest discards any packets
      under the normal minimum length for an ethernet packet (60).  This
      results in odd behaviour where other hosts or VMs on other hosts can
      communicate with the ESXi guest just fine (since there's a physical NIC
      somewhere doing padding), but VMs on the host and the host itself cannot
      because the ARP request packets are too small for the ESXi host to
      accept.

      Someone in the past thought this was worth fixing, and added code to the
      vmxnet3 qemu emulation such that if it is receiving packets smaller than
      60 bytes to pad the packet out to 60. Unfortunately this code is wrong
      (or at least in the wrong place). It does so BEFORE before taking into
      account the vnet_hdr at the front of the packet added by the tap device.
      As a result, it might add padding, but it never adds enough.
      Specifically it adds 10 less (the length of the vnet_hdr) than it needs
      to.

      The following (hopefully "obviously correct") patch simply swaps the
      order of processing the vnet header and the padding.  With this patch an
      ESXi guest is able to communicate with the host or other local VMs.

      Signed-off-by: Brian Kress <kressb@xxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Dmitry Fleytman <dmitry@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5df6a1855b62dc653515d919e48c5b6f00c48f32
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jun 25 10:18:05 2015 +0100

      e1000: flush packets when link comes up

      e1000_can_receive() checks the link up status register bit.  If the bit
      is clear, packets will be queued and the peer may disable receive to
      avoid wasting CPU reading packets that cannot be delivered.  The queue
      must be flushed once the link comes back up again.

      This patch fixes broken e1000 receive with Mac OS X Snow Leopard guests
      and tap networking.  Flushing the queue invokes the async send callback,
      which re-enables tap fd read.

      Reported-by: Jonathan Liu <net147@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435223885-12745-1-git-send-email-stefanha@xxxxxxxxxx

  commit ec50dd4634ae06091e61f42b7ba975f9ed510ad0
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Thu Jun 25 14:24:10 2015 +0800

      rocker: fix memory leak

      Meanwhile, using g_new0 instead of g_malloc0,
      refer to commit 5839e53.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-id: 1435213450-6700-1-git-send-email-arei.gonglei@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 920557971b60e53c2f3f22e5d6c620ab1ed411fd
  Author: Paulo Alcantara <pcacjr@xxxxxxxxx>
  Date:   Sun Jun 28 14:58:56 2015 -0300

      ich9: add TCO interface emulation

      This interface provides some registers within a 32-byte range and can be
      acessed through PCI-to-LPC bridge interface (PMBASE + 0x60).

      It's commonly used as a watchdog timer to detect system lockups through
      SMIs that are generated -- if TCO_EN bit is set -- on every timeout. If
      NO_REBOOT bit is not set in GCS (General Control and Status register),
      the system will be resetted upon second timeout if TCO_RLD register
      wasn't previously written to prevent timeout.

      This patch adds support to TCO watchdog logic and few other features
      like mapping NMIs to SMIs (NMI2SMI_EN bit), system intruder detection,
      etc. are not implemented yet.

      Signed-off-by: Paulo Alcantara <pcacjr@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 71ba2f0af398f616e154137d9fdda25c2da01324
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Jul 7 13:00:56 2015 +0300

      acpi: split out ICH ACPI support

      MIPS doesn't need it, and including it creates problem as we are adding
      dependency on ISA LPC bridge.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9fd72468dfe40532df7c64d35054994058106c42
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:31 2015 +0100

      crypto: move built-in D3DES implementation into crypto/

      To prepare for a generic internal cipher API, move the
      built-in D3DES implementation into the crypto/ directory.

      This is not in fact a normal D3DES implementation, it is
      D3DES with double & triple length modes removed, and the
      key bytes in reversed bit order. IOW it is crippled
      specifically for the "benefit" of RFB, so call the new
      files desrfb.c instead of d3des.c to make it clear that
      it isn't a generally useful impl.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-4-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6f2945cde60545aae7f31ab9d5ef29531efbc94f
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:30 2015 +0100

      crypto: move built-in AES implementation into crypto/

      To prepare for a generic internal cipher API, move the
      built-in AES implementation into the crypto/ directory

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-3-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ddbb0d09661f5fce21b335ba9aea8202d189b98e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:29 2015 +0100

      crypto: introduce new module for computing hash digests

      Introduce a new crypto/ directory that will (eventually) contain
      all the cryptographic related code. This initially defines a
      wrapper for initializing gnutls and for computing hashes with
      gnutls. The former ensures that gnutls is guaranteed to be
      initialized exactly once in QEMU regardless of CLI args. The
      block quorum code currently fails to initialize gnutls so it
      only works by luck, if VNC server TLS is not requested. The
      hash APIs avoids the need to litter the rest of the code with
      preprocessor checks and simplifies callers by allocating the
      correct amount of memory for the requested hash.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-2-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7a63f3cdc44230109c91cdc0ee912c3cc7837141
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 2 17:24:41 2015 +0100

      block: update bdrv_drain_all()/bdrv_drain() comments

      The doc comments for bdrv_drain_all() and bdrv_drain() are outdated:

       * The bdrv_drain() comment is a poor man's bdrv_lock()/bdrv_unlock()
         which Fam Zheng is currently developing.  Unfortunately this warning
         was never really enough because devices keep submitting I/O and op
         blockers don't prevent that.

       * The bdrv_drain_all() comment is still partially correct but reflects
         the nature of the implementation rather than API documentation.

      Do make it clear that bdrv_drain() is only appropriate within an
      AioContext.  For anything spanning AioContexts you need
      bdrv_drain_all().

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435854281-6078-1-git-send-email-stefanha@xxxxxxxxxx

  commit 1bd84ee717bf146c19281cce48a36a2f4d71748d
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Thu Jul 2 11:06:11 2015 +0300

      qcow2: remove unnecessary check

      The value of 'i' is guaranteed to be >= 0

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1435824371-2660-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 501eea4f4187b6c62b6cf348ab0b100d57d8c56b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Apr 28 11:10:12 2014 +0200

      virtio-gpu: add to display-vga test

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b3409a31001e86d48221ea967b1c696c6497f318
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 24 12:22:09 2015 +0200

      virtio-gpu: use virtio_instance_init_common, fixup properties

      Switch over to virtio_instance_init_common.  Drop duplicate properties
      in virtio-gpu-pci and virtio-vga as they are properly aliased now.  Also
      drop the indirection via DEFINE_VIRTIO_GPU_PROPERTIES, we don't need it
      any more as the properties are defined in a single place now.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e18882952e46634ab7f53ef018a5e2e980996d48
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 24 12:19:42 2015 +0200

      virtio-gpu: update console device property.

      Update the device link of the QemuConsole, so it points to the
      virtio-gpu-pci or virtio-vga device instead of virtio-gpu-device.

      This is needed because we want to find the device by id, for
      example for input routing, and the id specified on the command
      line is attached to the pci proxy, not the virtio device.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6b3f7f639ed8861cd034292f9bb85b00c73658a6
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 16 17:07:54 2015 +0100

      vl: move rom_load_all after machine init done

      On ARM, commit ac9d32e39664e060cd1b538ff190980d57ad69e4 postponed the
      memory preparation for boot until the machine init done notifier. This
      has for consequence to insert ROM at machine init done time.

      However the rom_load_all function stayed called before the ROM are
      inserted. As a consequence the rom_load_all function does not do
      everything it is expected to do, on ARM.

      It currently registers the ROM reset notifier but does not iterate through
      the registered ROM list. the isrom field is not set properly. This latter
      is used to report info in the monitor and also to decide whether the
      rom->data can be freed on ROM reset notifier.

      To fix that regression the patch moves the rom_load_all call after
      machine init done. We also take the opportunity to rename the rom_load_all
      function into rom_check_and_resgister_reset() and integrate the
      rom_load_done in it.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reported-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-Id: <1434470874-22573-1-git-send-email-eric.auger@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1452673888f6d7f0454276d049846c9bec659233
  Merge: f6e3035 4330296
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 09:22:40 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150706.0' into staging

      VFIO updates for 2.4-rc0
      - "real" host page size API (Peter Crosthwaite)
      - platform device irqfd support (Eric Auger)
      - spapr container disconnect fix (Alexey Kardashevskiy)
      - quirk for broken Chelsio hardware (Gabriel Laupre)
      - coverity fix (Paolo Bonzini)

      # gpg: Signature made Mon Jul  6 19:23:49 2015 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150706.0:
        vfio/pci : Add pba_offset PCI quirk for Chelsio T5 devices
        vfio: Unregister IOMMU notifiers when container is destroyed
        hw/vfio/platform: add irqfd support
        kvm: some fixes to kvm_resamplefds_allowed
        sysbus: add irq_routing_notifier
        intc: arm_gic_kvm: set the qemu_irq/gsi mapping
        kvm-all.c: add qemu_irq/gsi hash table and utility routines
        kvm: rename kvm_irqchip_[add,remove]_irqfd_notifier with gsi suffix
        vfio: cpu: Use "real" page size API
        cpu-all: complete "real" host page size API
        vfio: fix return type of pread

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

      Conflicts:
        kvm-all.c

  commit f329c74c1e7f08399f0d237f78571eb0ca6a89dd
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Jun 23 15:52:56 2015 +0200

      Revert "dataplane: allow virtio-1 devices"

      This reverts commit f5a5628cf0b65b223fa0c9031714578dfac4cf04.

      This was an old patch that had been already superseded by b0e5d90eb
      ("dataplane: endianness-aware accesses").

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit be1e50a27d5b6845729ae0854f57f3816cf47edb
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 09:32:28 2015 +0200

      dataplane: fix cross-endian issues

      Accesses to vring_avail_event and vring_used_event must honor the queue
      endianness.

      This patch allows cross-endian setups to use dataplane (tested with ppc64
      on ppc64le, and vice-versa).

      Suggested-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f6e3035f75e5c6a73485335765ae070304c7a110
  Merge: 7edd8e4 355023f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 23:37:53 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream-smm' into 
staging

      This series implements KVM support for SMM, and lets you enable/disable
      it through the "smm" property of x86 machine types.

      # gpg: Signature made Mon Jul  6 17:41:05 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream-smm:
        pc: add SMM property
        ich9: add smm_enabled field and arguments
        pc_piix: rename kvm_enabled to smm_enabled
        target-i386: register a separate KVM address space including SMRAM 
regions
        kvm-all: kvm_irqchip_create is not expected to fail
        kvm-all: add support for multiple address spaces
        kvm-all: make KVM's memory listener more generic
        kvm-all: move internal types to kvm_int.h
        kvm-all: remove useless typedef
        kvm-all: put kvm_mem_flags to more work
        target-i386: add support for SMBASE MSR and SMIs
        piix4/ich9: do not raise SMI on ACPI enable/disable commands
        linux-headers: Update to 4.2-rc1

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 43302969966bc3a95470bfc300289a83068ef5d9
  Author: Gabriel Laupre <glaupre@xxxxxxxxxxx>
  Date:   Mon Jul 6 12:15:15 2015 -0600

      vfio/pci : Add pba_offset PCI quirk for Chelsio T5 devices

      Fix pba_offset initialization value for Chelsio T5 Virtual Function
      device. The T5 hardware has a bug in it where it reports a Pending 
Interrupt
      Bit Array Offset of 0x8000 for its SR-IOV Virtual Functions instead
      of the 0x1000 that the hardware actually uses internally. As the hardware
      doesn't return the correct pba_offset value, add a quirk to instead
      return a hardcoded value of 0x1000 when a Chelsio T5 VF device is
      detected.

      This bug has been fixed in the Chelsio's next chip series T6 but there are
      no plans to respin the T5 ASIC for this bug. It is just documented in the
      T5 Errata and left it at that.

      Signed-off-by: Gabriel Laupre <glaupre@xxxxxxxxxxx>
      Reviewed-by: Bandan Das <bsd@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit f8d8a944009b7e836c718a05590ea6b36146978f
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Mon Jul 6 12:15:15 2015 -0600

      vfio: Unregister IOMMU notifiers when container is destroyed

      On systems with guest visible IOMMU, adding a new memory region onto
      PCI bus calls vfio_listener_region_add() for every DMA window. This
      installs a notifier for IOMMU memory regions. The notifier is supposed
      to be removed vfio_listener_region_del(), however in the case of mixed
      PHB (emulated + VFIO devices) when last VFIO device is unplugged and
      container gets destroyed, all existing DMA windows stay alive altogether
      with the notifiers which are on the linked list which head was in
      the destroyed container.

      This unregisters IOMMU memory region notifier when a container is
      destroyed.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit fb5f816499a5184a1336d72db030b8419b523082
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:14 2015 -0600

      hw/vfio/platform: add irqfd support

      This patch aims at optimizing IRQ handling using irqfd framework.

      Instead of handling the eventfds on user-side they are handled on
      kernel side using
      - the KVM irqfd framework,
      - the VFIO driver virqfd framework.

      the virtual IRQ completion is trapped at interrupt controller
      This removes the need for fast/slow path swap.

      Overall this brings significant performance improvements.

      Signed-off-by: Alvise Rigo <a.rigo@xxxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Acked-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 879904e8635b316de18393222f02d46d2d1f7f4e
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:14 2015 -0600

      kvm: some fixes to kvm_resamplefds_allowed

      Commit f41389ae3c54b introduced kvm_resamplefds_enabled() and
      associated kvm_resamplefds_allowed boolean. This patch adds
      non-KVM version for kvm_resamplefds_enabled and also declares
      kvm_resamplefds_allowed in kvm-stub as it is done for fellow
      kvm_irqfds_allowed.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 715ca691daca081108b33306faa6fa102f0df8d8
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:14 2015 -0600

      sysbus: add irq_routing_notifier

      Add a new connect_irq_notifier notifier in the SysBusDeviceClass. This
      notifier, if populated, is called after sysbus_connect_irq.

      This mechanism is used to setup VFIO signaling once VFIO platform
      devices get attached to their platform bus, on a machine init done
      notifier.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 6a1a9cfa1c4a3e5b521d82e6adb94311fc5b9f8b
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:13 2015 -0600

      intc: arm_gic_kvm: set the qemu_irq/gsi mapping

      The arm_gic_kvm now calls kvm_irqchip_set_qemuirq_gsi to build
      the hash table storing qemu_irq/gsi mappings. From that point on
      irqfd can be setup directly from the qemu_irq using
      kvm_irqchip_add_irqfd_notifier.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 197e35249a7360534e1aea0f2268ad0e1aa27121
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:13 2015 -0600

      kvm-all.c: add qemu_irq/gsi hash table and utility routines

      VFIO platform device needs to setup irqfd but it does not know the
      gsi corresponding to the device qemu_irq. This patch proposes to
      store a hash table in kvm_state using the qemu_irq as key and the gsi
      as a value.

      kvm_irqchip_set_qemuirq_gsi allows to insert such a pair. The interrupt
      controller is supposed to use it.

      kvm_irqchip_[add, remove]_irqfd_notifier allows to setup/tear down
      irqfd directly from the qemu_irq.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 1c9b71a7311ed99635a2d007fc8a856879537a05
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:13 2015 -0600

      kvm: rename kvm_irqchip_[add,remove]_irqfd_notifier with gsi suffix

      Anticipating for the introduction of new add/remove functions taking
      a qemu_irq parameter, let's rename existing ones with a gsi suffix.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit f7ceed190d7dcd907afe4b46b23809aaad09a619
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Jul 6 12:15:12 2015 -0600

      vfio: cpu: Use "real" page size API

      This is system level code, and should only depend on the host page
      size, not the target page size.

      Note that HOST_PAGE_SIZE is misleadingly lead and is really aligning
      to both host and target page size. Hence it's replacement with
      REAL_HOST_PAGE_SIZE.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Tested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 4e51361d79289aee2985dfed472f8d87bd53a8df
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Jul 6 12:15:12 2015 -0600

      cpu-all: complete "real" host page size API

      Currently the "host" page size alignment API is really aligning to both
      host and target page sizes. There is the qemu_real_page_size which can
      be used for the actual host page size but it's missing a mask and ALIGN
      macro as provided for qemu_page_size. Complete the API. This allows
      system level code that cares about the host page size to use a
      consistent alignment interface without having to un-needingly align to
      the target page size. This also reduces system level code dependency
      on the cpu specific TARGET_PAGE_SIZE.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Tested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 7d489dcdf5fd71b5052ffd401b869a627e1c751f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:12 2015 -0600

      vfio: fix return type of pread

      size_t is an unsigned type, thus the error case is never reached in
      the below call to pread.  If bytes is negative, it will be seen as
      a very high positive value.

      Spotted by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 355023f2010c4df619d88a0dd7012b4b9c74c12c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:52 2015 +0200

      pc: add SMM property

      The property can take values on, off or auto.  The default is "off"
      for KVM and pre-2.4 machines, otherwise "auto" (which makes it
      available on TCG or on new-enough kernels).

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fba72476c6b7be60ac74c5bcdc06c61242d1fe4f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:51 2015 +0200

      ich9: add smm_enabled field and arguments

      Q35's ACPI device is hard-coding SMM availability to KVM.  Place the
      logic where the board is created instead, so that it will be possible
      to override it.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 61e66c6237a0ca3eac35cf3145ccbb3ab5b6354c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:17 2015 +0200

      pc_piix: rename kvm_enabled to smm_enabled

      We will enable SMM even if KVM is in use.  Rename the field and
      arguments.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6410848bec38089424d54a6a8f10d4cf77182b5d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:16 2015 +0200

      target-i386: register a separate KVM address space including SMRAM regions

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8db4936bb648e15173d687bc162be14fd0d4260c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:15 2015 +0200

      kvm-all: kvm_irqchip_create is not expected to fail

      KVM_CREATE_IRQCHIP should never fail, and so should its userspace
      wrapper kvm_irqchip_create.  The function does not do anything
      if the irqchip capability is not available, as is the case for PPC.

      With this patch, kvm_arch_init can allocate memory and it will not
      be leaked.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 38bfe69180f99d05611a14bab4bb72c95e755b58
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:14 2015 +0200

      kvm-all: add support for multiple address spaces

      Make kvm_memory_listener_register public, and assign a kernel
      address space id to each KVMMemoryListener.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7bbda04c8d13d0a599b31ed1c10dc76a62f9d4dc
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:13 2015 +0200

      kvm-all: make KVM's memory listener more generic

      No semantic change, but s->slots moves into a new struct
      KVMMemoryListener.  KVM's memory listener becomes a member of struct
      KVMState, and becomes of type KVMMemoryListener.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8571ed35cfa50ed6b2aaee484dfa4f58176ebe00
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:45 2015 +0200

      kvm-all: move internal types to kvm_int.h

      i386 code will have to define a different KVMMemoryListener.  Create
      an internal header so that KVMSlot is not exposed outside.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 714f78c587ba628169b8ae6f91866c52fe6a799f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:44 2015 +0200

      kvm-all: remove useless typedef

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d6ff5cbc1231a5aec997abf3a809c7013e60472f
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:43 2015 +0200

      kvm-all: put kvm_mem_flags to more work

      Currently kvm_mem_flags just translates bools to bits, let's
      make it also determine the bools first. This avoids its parameter
      list growing each time we add a flag.

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fc12d72e10828ca6ff75f2ad432b741f07a10cef
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:42 2015 +0200

      target-i386: add support for SMBASE MSR and SMIs

      Apart from the MSR, the smi field of struct kvm_vcpu_events has to be
      translated into the corresponding CPUX86State fields.  Also,
      memory transaction flags depend on SMM state, so pull it from struct
      kvm_run on every exit from KVM to userspace.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit afd6895b45f20eb43b7ff95f7a76cc5af8d36cd7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:41 2015 +0200

      piix4/ich9: do not raise SMI on ACPI enable/disable commands

      These commands are handled entirely by QEMU.  Do not raise an SMI
      when they happen, because Windows (at least 2008r2) expects these
      commands to work and (depending on the value of APMC_EN at
      startup) the firmware might not have installed an SMI handler.

      When this happens (e.g. the kernel supports SMIs, or you are using
      TCG, but you have used "-machine smm=off") RIP is moved to 0x38000
      where there is no code to execute.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 25b8b39b6d7de95d0dd5ae7b66b3ac4b9b83e060
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Mon Jul 6 12:10:57 2015 +1000

      linux-headers: Update to 4.2-rc1

      This updates linux-headers against master 4.2-rc1 (commit
      d770e558e21961ad6cfdf0ff7df0eb5d7d4f0754). This is the result of
      ./scripts/update-linux-headers.sh work.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7edd8e4660beb301d527257f8e04ebec0f841cb0
  Merge: 3fa18bc b242e0e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 14:03:44 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * more of Peter Crosthwaite's multiarch preparation patches
      * unlocked MMIO support in KVM
      * support for compilation with ICC

      # gpg: Signature made Mon Jul  6 13:59:20 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        exec: skip MMIO regions correctly in 
cpu_physical_memory_write_rom_internal
        Stop including qemu-common.h in memory.h
        kvm: Switch to unlocked MMIO
        acpi: mark PMTIMER as unlocked
        kvm: Switch to unlocked PIO
        kvm: First step to push iothread lock out of inner run loop
        memory: let address_space_rw/ld*/st* run outside the BQL
        exec: pull qemu_flush_coalesced_mmio_buffer() into 
address_space_rw/ld*/st*
        memory: Add global-locking property to memory regions
        main-loop: introduce qemu_mutex_iothread_locked
        main-loop: use qemu_mutex_lock_iothread consistently
        Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
        cpu-defs: Move out TB_JMP defines
        include/exec: Move tb hash functions out
        include/exec: Move standard exceptions to cpu-all.h
        cpu-defs: Move CPU_TEMP_BUF_NLONGS to tcg
        memory_mapping: Rework cpu related includes
        cutils: allow compilation with icc
        qemu-common: add VEC_OR macro

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b242e0e0e2969c044a318e56f7988bbd84de1f63
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sat Jul 4 00:24:51 2015 +0200

      exec: skip MMIO regions correctly in 
cpu_physical_memory_write_rom_internal

      Loading the BIOS in the mac99 machine is interesting, because there is a
      PROM in the middle of the BIOS region (from 16K to 32K).  Before memory
      region accesses were clamped, when QEMU was asked to load a BIOS from
      0xfff00000 to 0xffffffff it would put even those 16K from the BIOS file
      into the region.  This is weird because those 16K were not actually
      visible between 0xfff04000 and 0xfff07fff.  However, it worked.

      After clamping was added, this also worked.  In this case, the
      cpu_physical_memory_write_rom_internal function split the write in
      three parts: the first 16K were copied, the PROM area (second 16K) were
      ignored, then the rest was copied.

      Problems then started with commit 965eb2f (exec: do not clamp accesses
      to MMIO regions, 2015-06-17).  Clamping accesses is not done for MMIO
      regions because they can overlap wildly, and MMIO registers can be
      expected to perform full-width accesses based only on their address
      (with no respect for adjacent registers that could decode to completely
      different MemoryRegions).  However, this lack of clamping also applied
      to the PROM area!  cpu_physical_memory_write_rom_internal thus failed
      to copy the third range above, i.e. only copied the first 16K of the BIOS.

      In effect, address_space_translate is expecting _something else_ to do
      the clamping for MMIO regions if the incoming length is large.  This
      "something else" is memory_access_size in the case of address_space_rw,
      so use the same logic in cpu_physical_memory_write_rom_internal.

      Reported-by: Alexander Graf <agraf@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Tested-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Fixes: 965eb2f
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fba0a593b2809ecdda68650952cf3d3332ac1990
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 3 15:18:24 2015 +0100

      Stop including qemu-common.h in memory.h

      Including qemu-common.h from other header files is generally a bad
      idea, because it means it's very easy to end up with a circular
      dependency. For instance, if we wanted to include memory.h from
      qom/cpu.h we'd end up with this loop:
       memory.h -> qemu-common.h -> cpu.h -> cpu-qom.h -> qom/cpu.h -> memory.h

      Remove the include from memory.h. This requires us to fix up a few
      other files which were inadvertently getting declarations indirectly
      through memory.h.

      The biggest change is splitting the fprintf_function typedef out
      into its own header so other headers can get at it without having
      to include qemu-common.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1435933104-15216-1-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3fa18bc9a55e067ba3012ab1d394f5d5a7e51419
  Merge: 261ccf4 1479073
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 12:51:51 2015 +0100

      Merge remote-tracking branch 'remotes/xtensa/tags/20150706-xtensa' into 
staging

      Xtensa fixes:

      - add 64-bit floating point registers;
      - fix gdb register map construction.

      # gpg: Signature made Mon Jul  6 11:27:45 2015 BST using RSA key ID 
F83FA044
      # gpg: Good signature from "Max Filippov 
<max.filippov@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Max Filippov <jcmvbkbc@xxxxxxxxx>"

      * remotes/xtensa/tags/20150706-xtensa:
        target-xtensa: fix gdb register map construction
        target-xtensa: add 64-bit floating point registers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1479073b7e849fa03e5892eea0e0b5dadde1a98a
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Wed Jul 1 13:00:29 2015 +0300

      target-xtensa: fix gdb register map construction

      Due to different gdb overlay organization between windowed/call0
      configurations core import script doesn't always work correctly.
      Simplify the script: always copy complete gdb register map from overlay,
      count registers at core registerstion time. Update existing cores.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit ddd44279fdbc545a9182cb642645af8a4672c267
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Mon Jun 29 10:50:03 2015 +0300

      target-xtensa: add 64-bit floating point registers

      Xtensa ISA got specification for 64-bit floating point registers and
      opcodes, see ISA, 4.3.11 "Floating point coprocessor option".

      Add 64-bit FP registers.

      Although 64-bit floating point is currently not supported by xtensa
      translator, these registers need to be reported to gdb with proper size,
      otherwise it wouldn't find other registers.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit 261ccf426a6df854ba398be92413476919dd67f9
  Merge: f50a164 257621a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 11:04:54 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150706' into staging

      target-arm queue:
       * TLBI ALLEI1IS should operate on all CPUs, not just this one
       * Fix interval interrupt of cadence ttc in decrement mode
       * Implement YIELD insn to yield in ARM and Thumb translators
       * ARM GIC: reset all registers
       * arm_mptimer: fix timer shutdown and mode change
       * arm_mptimer: respect IT bit state

      # gpg: Signature made Mon Jul  6 10:58:27 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150706:
        arm_mptimer: Respect IT bit state
        arm_mptimer: Fix timer shutdown and mode change
        hw/intc/arm_gic_common.c: Reset all registers
        target-arm: Implement YIELD insn to yield in ARM and Thumb translators
        target-arm: Split DISAS_YIELD from DISAS_WFE
        Fix interval interrupt of cadence ttc when timer is in decrement mode
        target-arm: fix write helper for TLBI ALLE1IS

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 257621a9566054472d1d55a819880d0f9da02bda
  Author: Dmitry Osipenko <digetx@xxxxxxxxx>
  Date:   Mon Jul 6 04:27:12 2015 +0300

      arm_mptimer: Respect IT bit state

      The timer should fire the interrupt only if the IT (interrupt enable) bit
      state of the control register is enabled.

      Signed-off-by: Dmitry Osipenko <digetx@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8a52340cbaf60d4dd0a78bbfe12632639fe3da6d
  Author: Dmitry Osipenko <digetx@xxxxxxxxx>
  Date:   Mon Jul 6 01:47:47 2015 +0300

      arm_mptimer: Fix timer shutdown and mode change

      The running timer can't be stopped because timer control code just
      doesn't handle disabling the timer. Fix it by deleting the timer if
      the enable bit is cleared.

      The timer won't start periodic ticking if a ONE-SHOT -> PERIODIC mode
      change happens after a one-shot tick was completed. Fix it by
      re-starting ticking if the timer isn't ticking right now.

      To avoid code churning, these two fixes are squashed in one commit.

      Signed-off-by: Dmitry Osipenko <digetx@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 12dc273e98e4e111880b25c12bf671dc8951b8e6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 29 19:25:45 2015 +0100

      hw/intc/arm_gic_common.c: Reset all registers

      The arm_gic_common reset function was missing reset code for
      several of the GIC's state fields:
       * bpr[]
       * abpr[]
       * priority1[]
       * priority2[]
       * sgi_pending[]
       * irq_target[] (SMP configurations only)

      These probably went unnoticed because most guests will either
      never touch them, or will write to them in the process of
      configuring the GIC before enabling interrupts.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1435602345-32210-1-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit c87e5a61c2b3024116f52f7e68273f864ff7ab82
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 10:05:44 2015 +0100

      target-arm: Implement YIELD insn to yield in ARM and Thumb translators

      Implement the YIELD instruction in the ARM and Thumb translators to
      actually yield control back to the top level loop rather than being
      a simple no-op. (We already do this for A64.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1435672316-3311-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 049e24a191c212d9468db84169197887f2c91586
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 10:05:44 2015 +0100

      target-arm: Split DISAS_YIELD from DISAS_WFE

      Currently we use DISAS_WFE for both WFE and YIELD instructions.
      This is functionally correct because at the moment both of them
      are implemented as "yield this CPU back to the top level loop so
      another CPU has a chance to run". However it's rather confusing
      that YIELD ends up calling HELPER(wfe), and if we ever want to
      implement real behaviour for WFE and SEV it's likely to trip us up.

      Split out the yield codepath to use DISAS_YIELD and a new
      HELPER(yield) function, and have HELPER(wfe) call HELPER(yield).

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1435672316-3311-2-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>

  commit a7ffaf5c96e26820edffa94eeac766fe60bfdd31
  Author: Johannes Schlatow <schlatow@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 10:05:44 2015 +0100

      Fix interval interrupt of cadence ttc when timer is in decrement mode

      The interval interrupt is not set if the timer is in decrement mode.
      This is because x >=0 and x < interval after leaving the while-loop.

      Signed-off-by: Johannes Schlatow <schlatow@xxxxxxxxxxxxxxxx>
      Message-id: 20150630135821.51f3b4fd@johanness-latitude
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2a6332d968297266dbabf9d33f959e3a5efdd0f9
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Jul 6 10:05:43 2015 +0100

      target-arm: fix write helper for TLBI ALLE1IS

      TLBI ALLE1IS is an operation that does invalidate TLB entries on all PEs
      in the same Inner Sharable domain, not just on the current CPU. So we
      must use tlbiall_is_write() here.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1435676538-31345-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f50a1640fb82708a5d528dee1ace42a224b95b15
  Merge: 63a9294 7c649ac
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Jul 5 20:35:47 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Sat Jul  4 07:06:08 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request: (35 commits)
        ahci: fix sdb fis semantics
        qtest/ahci: halted ncq migration test
        ahci: Do not map cmd_fis to generate response
        ahci: ncq migration
        ahci: add get_cmd_header helper
        ahci: add cmd header to ncq transfer state
        qtest/ahci: halted NCQ test
        ahci: correct ncq sector count
        ahci: correct types in NCQTransferState
        ahci: add rwerror=stop support for ncq
        ahci: factor ncq_finish out of ncq_cb
        ahci: refactor process_ncq_command
        ahci: assert is_ncq for process_ncq
        ahci: stash ncq command
        ide: add limit to .prepare_buf()
        qtest/ahci: ncq migration test
        qtest/ahci: simple ncq data test
        libqos/ahci: Force all NCQ commands to be LBA48
        libqos/ahci: set the NCQ tag on command_commit
        libqos/ahci: adjust expected NCQ interrupts
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 63a9294ddc9cf4f2bdcd0179324fedcbb6fae59f
  Merge: 3536064 e75e2a1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Jul 5 19:33:51 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-07-03

      # gpg: Signature made Fri Jul  3 21:49:58 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/numa-pull-request:
        numa: API to lookup NUMA node by address
        numa: Store boot memory address range in node_info
        numa,pc-dimm: Store pc-dimm memory information in numa_info
        pc: Abort if HotplugHandlerClass::plug() fails
        pc,pc-dimm: Factor out reusable parts in pc_dimm_plug to a separate 
routine
        pc,pc-dimm: Extract hotplug related fields in PCMachineState to a 
structure

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7c649ac5b607e2339fb54fc0fc01311ba5eacadd
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: fix sdb fis semantics

      There are two things to fix here:

      The first one is subtle: the PxSACT register in the AHCI HBA has different
      semantics from the field it is shadowing, the ACT field in the
      Set Device Bits FIS.

      In the HBA register, PxSACT acts as a bitfield indicating outstanding
      NCQ commands where a set bit indicates a pending NCQ operation. The FIS
      field however operates as an RWC register update to PxSACT, where a set
      bit indicates a *successfully* completed command.

      Correct the FIS semantics. At the same time, move the "clear finished"
      action to the SDB FIS generation instead of the register read to mimick
      how the other shadow registers work, which always just report the last
      reported value from a FIS, and not the most current values which may
      not have been reported by a FIS yet.

      Lastly and more simply, SATA 3.2 section 13.6.4.2 (and later sections)
      all specify that the Interrupt bit for the SDB FIS should always be set
      to one for NCQ commands. That's currently the only time we generate this
      FIS, so set it on all the time.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-16-git-send-email-jsnow@xxxxxxxxxx

  commit 8146d7dc2756138bd4011e8d882ead929f25f2d0
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      qtest/ahci: halted ncq migration test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-15-git-send-email-jsnow@xxxxxxxxxx

  commit dd6282217d8fee36e3854eab2635bec9cc5d5236
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: Do not map cmd_fis to generate response

      The Register D2H FIS should copy the current values of
      the registers instead of just parroting back the same
      values the guest sent back to it.

      In this case, the SECTOR COUNT variables are actually
      not generally meaningful in terms of standard commands
      (See ATA8-AC3 Section 9.2 Normal Outputs), so it actually
      probably doesn't matter what we put in here.

      Meanwhile, we do need to use the Register update FIS from
      the NCQ pathways (in error cases), so getting rid of
      references to cur_cmd here is a win for AHCI concurrency.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-14-git-send-email-jsnow@xxxxxxxxxx

  commit 684d50132fdd68f4c2cba9e65b50f9b8ef4c5164
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: ncq migration

      Migrate the NCQ queue. This is solely for the benefit of halted commands,
      since anything else should have completed and had any relevant status
      flushed to the HBA registers already.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-13-git-send-email-jsnow@xxxxxxxxxx

  commit ee364416c1b5ed1adc779ca7197451a131666236
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: add get_cmd_header helper

      cur_cmd is an internal bookmark that points to the
      current AHCI Command Header being processed by the
      AHCI state machine. With NCQ needing to occasionally
      rely on some of the same AHCI helpers, we cannot use
      cur_cmd and will need to grab explicit pointers instead.

      In an attempt to begin relying on the cur_cmd pointer
      less, add a helper to let us specifically get the pointer
      to the command header of particular interest.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-12-git-send-email-jsnow@xxxxxxxxxx

  commit c82bd3c893825fc76af3634f5461f5eabd94e9df
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: add cmd header to ncq transfer state

      While the rest of the AHCI device can rely on a single bookmarked
      pointer for the AHCI Command Header currently being processed, NCQ
      is asynchronous and may have many commands in flight simultaneously.

      Add a cmdh pointer to the ncq_tfs object and make the sglist prepare
      function take an AHCICmdHeader pointer so we can be explicit about
      where we'd like to build SGlists from.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-11-git-send-email-jsnow@xxxxxxxxxx

  commit 7f6cf5ee1236d94fc25830a47438e57aa294d9fe
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      qtest/ahci: halted NCQ test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-10-git-send-email-jsnow@xxxxxxxxxx

  commit e08a98357b5811e7933ff077f6da4b85175caf8a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: correct ncq sector count

      uint16_t isn't enough to hold the real sector count, since a value of
      zero implies a full 64K sectors, so we need a uint32_t here.

      We *could* cheat and pretend that this value is 0-based and fit it in
      a uint16_t, but I'd rather waste 2 bytes instead of a future dev's
      10 minutes when they forget to +1/-1 accordingly somewhere.

      See SATA 3.2, section 13.6.4.1 "READ FPDMA QUEUED".

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-9-git-send-email-jsnow@xxxxxxxxxx

  commit 9364384de0e3b8a5bdea67ba49bee9ea7f1b8f26
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: correct types in NCQTransferState

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-8-git-send-email-jsnow@xxxxxxxxxx

  commit 7c03a691077e71a08bbca06568cd97f09537458c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: add rwerror=stop support for ncq

      Handle NCQ failures for cases where we want to halt the VM on IO errors.
      Upon a VM state change, retry the halted NCQ commands.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-7-git-send-email-jsnow@xxxxxxxxxx

  commit 54f3223730736fca1e6e89bb7f99c4f8432fdabb
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: factor ncq_finish out of ncq_cb

      When we add werror=stop or rerror=stop support to NCQ,
      we'll want to take a codepath where we don't actually
      complete the command, so factor that out into a new routine.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-6-git-send-email-jsnow@xxxxxxxxxx

  commit 631ddc22cbb401f2777dc8b117196f0988df4eea
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: refactor process_ncq_command

      Split off execute_ncq_command so that we can call
      it separately later if we desire.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-5-git-send-email-jsnow@xxxxxxxxxx

  commit 922f893e57da24bc80db3e79bea56485d1c111fa
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: assert is_ncq for process_ncq

      We already checked this in the handle_cmd phase, so just
      change this to an assertion and simplify the error logic.

      (Also, fix the switch indent, because checkpatch.pl yelled.)
      ((Sorry for churn.))

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-4-git-send-email-jsnow@xxxxxxxxxx

  commit 4614619ee4ad96d2715dc41f9430fb43335c15d2
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: stash ncq command

      For migration and werror=stop/rerror=stop resume purposes,
      it will be convenient to have the command handy inside of
      ncq_tfs.

      Eventually, we'd like to avoid reading from the FIS entirely
      after the initial read, so this is a byte (hah!) sized step
      in that direction.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-3-git-send-email-jsnow@xxxxxxxxxx

  commit a718978ed58abc1ad92567a9c17525136be02a71
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ide: add limit to .prepare_buf()

      prepare_buf should not always grab as many descriptors
      as it can, sometimes it should self-limit.

      For example, an NCQ transfer of 1 sector with a PRDT that
      describes 4GiB of data should not copy 4GiB of data, it
      should just transfer that first 512 bytes.

      PIO is not affected, because the dma_buf_rw dma helpers
      already have a byte limit built-in to them, but DMA/NCQ
      will exhaust the entire list regardless of requested size.

      AHCI 1.3 specifies in section 6.1.6 Command List Underflow that
      NCQ is not required to detect underflow conditions. Non-NCQ
      pathways signal underflow by writing to the PRDBC field, which
      will already occur by writing the actual transferred byte count
      to the PRDBC, signaling the underflow.

      Our NCQ pathways aren't required to detect underflow, but since our DMA
      backend uses the size of the PRDT to determine the size of the transer,
      if our PRDT is bigger than the transaction (the underflow condition) it
      doesn't cost us anything to detect it and truncate the PRDT.

      This is a recoverable error and is not signaled to the guest, in either
      NCQ or normal DMA cases.

      For BMDMA, the existing pathways should see no guest-visible difference,
      but any bytes described in the overage will no longer be transferred
      before indicating to the guest that there was an underflow.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-2-git-send-email-jsnow@xxxxxxxxxx

  commit 07a1ee7958cc3433706ab0d3a07c42fdd9d98fe6
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      qtest/ahci: ncq migration test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-17-git-send-email-jsnow@xxxxxxxxxx

  commit 26ad004585835e7c126bb94fd5161db1c60169f3
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      qtest/ahci: simple ncq data test

      Test the NCQ pathways for a simple IO RW test.
      Also, test that libqos doesn't explode when
      running NCQ commands :)

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-16-git-send-email-jsnow@xxxxxxxxxx

  commit e38cc93aca5d40a58e65bb0dfa23eaf3290bbf76
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      libqos/ahci: Force all NCQ commands to be LBA48

      NCQ commands are LBA48 by definition.

      See SATA 3.2 13.6.4.1 "READ FPDMA QUEUED", or
          SATA 3.2 13.6.5.1 "WRITE FPDMA QUEUED."

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-15-git-send-email-jsnow@xxxxxxxxxx

  commit a8973ff50a04f96c3ce5c803c8fd3ec16ed8d6c5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      libqos/ahci: set the NCQ tag on command_commit

      NCQ commands have the concept of a "TAG" that they need to set,
      but in the AHCI world, it is mandated that the TAG always match
      the command slot that you executed the NCQ from.

      See AHCI 9.3.1.1.5.2 "Native Queued Commands".

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-14-git-send-email-jsnow@xxxxxxxxxx

  commit 359790c2542a8c4da3d4c8fb626ca2675a417d51
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      libqos/ahci: adjust expected NCQ interrupts

      NCQ commands will expect the SDBS interrupt,
      and in the normative case, do not expect to see
      a D2H Register FIS unless something went wrong.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-13-git-send-email-jsnow@xxxxxxxxxx

  commit 4de484698bdda6c5e093dfbe4368cdb364fdf87f
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      libqos/ahci: edit wait to be ncq aware

      The wait command should check to make sure SACT is clear as well
      as the Command Issue register.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-12-git-send-email-jsnow@xxxxxxxxxx

  commit cb45304108ab733aaf2e4351e77cb6d07ac88fd5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      libqos/ahci: add NCQ frame support

      NCQ frames are generated a little differently than
      their non-NCQ cousins. Add support for them.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-11-git-send-email-jsnow@xxxxxxxxxx

  commit 40d29928caa6db154182f5314f497020f81e640e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      libqos/ahci: fix cmd_sanity for ncq

      NCQ commands should not / do not update the byte count
      in the command header post command, so this field is
      meaningless for NCQ tests.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-10-git-send-email-jsnow@xxxxxxxxxx

  commit 34475239b8f1fff0b715cb20f8b534b9d07a897e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci/qtest: Execute IDENTIFY prior to data commands

      If you try to execute an NCQ command before trying to engage with the
      device by issuing an IDENTIFY command, the error bits that are part of
      the signature will fool the test suite into thinking there was a failure.

      Issue IDENTIFY first on "boot", which will clear the signature out of
      the registers for us.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-9-git-send-email-jsnow@xxxxxxxxxx

  commit 0437d32ae232af37d3b94064a563eb51d4eedd62
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: ncq sector count correction

      This value should not be size-corrected, 0 sectors does not imply
      1 sector(s). This is just debug information, but it's misleading!

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-8-git-send-email-jsnow@xxxxxxxxxx

  commit 5d5f89212f19e3d7d3da1328137ca9e33eead7bf
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: add ncq debug checks

      Most of the time, these bits can be safely ignored. For the purposes
      of debugging however, it's nice to know that they're not being used.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-7-git-send-email-jsnow@xxxxxxxxxx

  commit d56f4d6965ebcf8f3c496845c286e3a66496fdff
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: separate prdtl from opts

      There's no real reason to have it bundled together, and this way
      is a little nicer to follow if you have the AHCI spec pulled up.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-6-git-send-email-jsnow@xxxxxxxxxx

  commit 3bcbe4aa803c1a41e5392ecac7b4fc3c99a42f89
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: check for ncq prdtl overflow

      Don't attempt the NCQ transfer if the PRDT we were given is not big
      enough to perform the entire transfer.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-5-git-send-email-jsnow@xxxxxxxxxx

  commit a55c8231d04e3023bc5c3da9290f01e7d6989a94
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: add ncq_err helper

      Set some appropriate error bits for NCQ for us.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-4-git-send-email-jsnow@xxxxxxxxxx

  commit b6fe41fa6dbdf7b92b76cd4848ef442de18e03d3
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: use shorter variables

      Trivial cleanup that I didn't want to tack-on to anything else.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-3-git-send-email-jsnow@xxxxxxxxxx

  commit 7763ed1506a9ffe74a80332182cc4f229251f998
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: Rename NCQFIS structure fields

      Several fields of the NCQFIS structure are ambiguously named. This patch
      clarifies the intended (if unsupported) usage of the NCQ fields to aid
      in creating more meaningful debug messages through the NCQ codepaths.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-2-git-send-email-jsnow@xxxxxxxxxx

  commit d31a3ebc28bf401cc5cce43f36068697d670c3f9
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:02 2015 -0400

      qtest/ahci: add port_reset test

      Test that we can survive a couple of cycles of running a basic identify
      test, some IO, and resetting the HBA. Ensures that we can bring the HBA
      back to compliant spec during the lifecycle of the VM.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1434470575-21625-5-git-send-email-jsnow@xxxxxxxxxx

  commit 95ea663693fdf4f39976f9aadb004fc77c2058ee
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:02 2015 -0400

      libqos/ahci: fix memory management bugs

      There's a handful of trivial bugs in the libqos/ahci functions,
      squish them together.

      - Zero cached pointers after freeing them
      - The Command List Buffer is an array of 32x 32 byte structures, not
        32x 8 byte pointers -- it's 1MiB, not 256 bytes. Zero it ALL.
      - Free the correct command in ahci_pick_cmd.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1434470575-21625-4-git-send-email-jsnow@xxxxxxxxxx

  commit 0d3e9d1f598e803a02c9bf43ec0b053e873ca79a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:02 2015 -0400

      qtest/ahci: add test_max

      Test that the FIS delivered after a nondata command has appropriately
      updated registers, just as we'd expect a data command to do.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1434470575-21625-3-git-send-email-jsnow@xxxxxxxxxx

  commit e9ebb2f76778d19227476e34c3d7aa6b8975c1b6
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:02 2015 -0400

      ahci: Do not ignore memory access read size

      The only guidance the AHCI specification gives on memory access is:
      "Register accesses shall have a maximum size of 64-bits; 64-bit access
      must not cross an 8-byte alignment boundary."

      I interpret this to mean that aligned or unaligned 1, 2 and 4 byte
      accesses should work, as well as aligned 8 byte accesses.

      In practice, a real Q35/ICH9 responds to 1, 2, 4 and 8 byte reads
      regardless of alignment. Windows 7 can be observed making 1 byte
      reads to the middle of 32 bit registers to fetch error codes.

      Introduce a wrapper to support unaligned accesses to AHCI.
      This wrapper will support aligned 8 byte reads, but will make
      no effort to support unaligned 8 byte reads, which although they
      will work on real hardware, are not guaranteed to work and do
      not appear to be used by either Windows or Linux.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1434470575-21625-2-git-send-email-jsnow@xxxxxxxxxx

  commit e75e2a14d5c13ad38dcf72b69922dee2dafbb0d0
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:27 2015 +0530

      numa: API to lookup NUMA node by address

      Introduce an API numa_get_node(ram_addr_t addr, Error **errp) that
      returns the NUMA node to which the given address belongs to. This
      API works uniformly for both boot time as well as hotplugged memory.

      This API is needed by sPAPR PowerPC to support
      ibm,dynamic-reconfiguration-memory device tree node which is needed for
      memory hotplug.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit abafabd8c982e875d60a10d37f0b91cff1003c55
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:26 2015 +0530

      numa: Store boot memory address range in node_info

      Store memory address range information of boot memory  in address
      range list of numa_info.

      This helps to have a common NUMA node lookup by address function that
      works for both boot-time memory and hotplugged memory.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit fa9ea81d15d459f6c4a39d77ae680af94cebd65e
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:25 2015 +0530

      numa,pc-dimm: Store pc-dimm memory information in numa_info

      Start storing the (start_addr, end_addr) of the pc-dimm memory
      in corresponding numa_info[node] so that this information can be used
      to lookup node by address.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 8e23184b6b2f8426041854b18fb56a3ff197d5a0
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:24 2015 +0530

      pc: Abort if HotplugHandlerClass::plug() fails

      HotplugHandlerClass::plug() shouldn't fail and hence use error_abort
      to abort if it fails.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 43bbb49ef7032a8bfdafbd02d0286512af161089
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:23 2015 +0530

      pc,pc-dimm: Factor out reusable parts in pc_dimm_plug to a separate 
routine

      pc_dimm_plug() has code that will be needed for memory plug handlers
      in other archs too. Extract code from pc_dimm_plug() into a generic
      routine pc_dimm_memory_plug() that resides in pc-dimm.c. Also
      correspondingly refactor re-usable unplug code into 
pc_dimm_memory_unplug().

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit a7d69ff10b085ba6f8236600829532984cdea714
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:22 2015 +0530

      pc,pc-dimm: Extract hotplug related fields in PCMachineState to a 
structure

      Move hotplug_memory_base and hotplug_memory fields of PCMachineState
      into a separate structure so that the same can be made use of from
      other architectures supporing memory hotplug.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 35360642d043c2a5366e8a04a10e5545e7353bd5
  Merge: 5317b0f 496eaca
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 3 12:05:31 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150703-1' 
into staging

      virtio-input: add input routing support, update multiseat docs.

      # gpg: Signature made Fri Jul  3 11:22:33 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150703-1:
        update pci-bridge-seat section in docs/multiseat.txt
        virtio-input: add input routing support

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 496eacaa67653023540e090fb70b7caba429bbc0
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jul 1 10:59:47 2015 +0200

      update pci-bridge-seat section in docs/multiseat.txt

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5cce173323cfe1bb22f7a10f9b73ac7796909cef
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 24 11:59:16 2015 +0200

      virtio-input: add input routing support

      Add display and head properties for input routing to
      virtio-input devices, update multiseat documentation.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5317b0f6d4bb581c5c8f88f31138ee301ad2b7e5
  Merge: 6686ce3 c4d3c0a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 2 15:20:55 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150702-v3' into 
staging

      Several s390x patches including:
      - missing virtio-1 related code for virtio-ccw
      - bugfixes in ipl device, gdb, virtio-ccw
      - bugfix in s390-ccw bios + rebuild
      - introduce versioned machines for s390-ccw-virtio

      # gpg: Signature made Thu Jul  2 15:05:34 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150702-v3:
        s390x/migration: Introduce 2.4 machine
        s390x/gdb: synchronize cpu state after modifying acrs
        s390x/ipl: Fix boot if no bootindex was specified
        virtio-ccw: migrate ->revision
        s390x/virtio-ccw: support virtio-1 set_vq format
        s390x/virtio-ccw: add virtio set-revision call
        s390x/css: Add a callback for when subchannel gets disabled
        s390-ccw.img: update
        s390-ccw.img: Consume service interrupts
        css: mss/mcss-e vs. migration
        virtio-ccw: complete handling of guest-initiated resets

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c4d3c0a2696c09a884b680d15b03325e46656a6c
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Wed Jul 1 11:16:57 2015 +0200

      s390x/migration: Introduce 2.4 machine

      The section footer changes commit f68945d42bab ("Add a protective
      section footer") and commit 37fb569c0198 ("Disable section footers
      on older machine types") broke migration for any non-versioned
      machines.

      This pinpoints a problem of s390-ccw machines: it needs to
      be versioned to be compatible with future changes in common
      code data structures such as section footers.

      Let's introduce a version scheme for s390-ccw-virtio machines.
      We will use the old s390-ccw-virtio name as alias to the latest
      version as all existing libvirt XML for the ccw type were expanded
      by libvirt to that name.

      The only downside of this patch is, that the old alias s390-ccw
      will no longer be available as machines can have only one alias,
      but it should not really matter.

      Cc: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Cc: Juan Quintela <quintela@xxxxxxxxxx>
      Cc: Boris Fiuczynski <fiuczy@xxxxxxxxxxxxxxxxxx>
      Cc: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-Id: <1435742217-62246-1-git-send-email-borntraeger@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 55b1b753dff022dcc95123bed35946b4977d31fa
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 09:10:51 2015 +0200

      s390x/gdb: synchronize cpu state after modifying acrs

      Whenever we touch the access control registers, we have to make sure that
      the values will make it into kvm. Otherwise the change will simply be 
lost.

      When synchronizing qemu and kvm, a normal KVM_PUT_RUNTIME_STATE does not 
take
      care of these registers. Let's simply trigger a KVM_PUT_FULL_STATE sync,
      so the values will directly be written to kvm. The performance overhead 
can
      be ignored and this is much cleaner than manually writing these registers 
to kvm
      via our two supported ways.

      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 6efd2c2a125b4369b8def585b0dac35c849b5eb3
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Thu Jun 18 16:37:39 2015 +0200

      s390x/ipl: Fix boot if no bootindex was specified

      commit fa92e218df1d ("s390x/ipl: avoid sign extension") introduced
      a regression:

      qemu-system-s390x -drive file=image.qcow,format=qcow2
      does not boot, the bios states
      "No virtio-blk device found!"

      adding bootindex=1 does boot.

      The reason is that the uint32_t as return value will not do the right
      thing for the return -1 (default without bootindex).
      The bios itself, will interpret a 64bit -1 as autodetect (but it will
      interpret 32bit -1 as ccw device address ff.ff.ffff)

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx # v2.3.0
      Tested-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 213941d73baf8ba7ec5381c8402fed7925d613d4
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 25 12:20:08 2015 +0200

      virtio-ccw: migrate ->revision

      We need to migrate the revision field as well. No compatibility
      concerns as we already introduced migration of ->config_vector in
      this release.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 0db87e0d1763d3fb4039c2cffb0f3264da88ab30
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Dec 11 14:25:13 2014 +0100

      s390x/virtio-ccw: support virtio-1 set_vq format

      Support the new CCW_CMD_SET_VQ format for virtio-1 devices.

      While we're at it, refactor the code a bit and enforce big endian
      fields (which had always been required, even for legacy).

      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c42767f2bbd18d4ec895395c01c64bbec16b5b84
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Dec 11 14:25:12 2014 +0100

      s390x/virtio-ccw: add virtio set-revision call

      Handle the virtio-ccw revision according to what the guest sets.
      When revision 1 is selected, we have a virtio-1 standard device
      with byteswapping for the virtio rings.

      When a channel gets disabled, we have to revert to the legacy behavior
      in case the next user of the device does not negotiate the revision 1
      anymore (e.g. the boot firmware uses revision 1, but the operating
      system only uses the legacy mode).

      Note that revisions > 0 are still disabled.

      [CH: assure memory accesses are always BE]
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6686ce3f1628f045035d58db8890d20705fd5c34
  Merge: d2966f8 764ba3a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 2 10:44:34 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Thu Jul  2 10:10:39 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        block: remove redundant check before g_slist_find()
        block/nfs: limit maximum readahead size to 1MB
        block/iscsi: restore compatiblity with libiscsi 1.9.0
        iotests: Use event_wait in wait_ready
        qemu-iotests: Add test case for mirror with unmap
        qemu-iotests: Make block job methods common
        block: Remove bdrv_reset_dirty
        block: Fix dirty bitmap in bdrv_co_discard
        mirror: Do zero write on target if sectors not allocated
        qmp: Add optional bool "unmap" to drive-mirror
        block: Add bdrv_get_block_status_above
        timer: Use a single definition of NSEC_PER_SEC for the whole codebase
        timer: Move NANOSECONDS_PER_SECONDS to timer.h
        blockdev: no need to drain+flush in hmp_drive_del
        qapi: Rename 'dirty-bitmap' mode to 'incremental'
        qcow2: Handle EAGAIN returned from update_refcount
        block/iscsi: add support for request timeouts

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 764ba3ae511adddfa750db290ac8375d660ca5b9
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 29 16:12:13 2015 +0300

      block: remove redundant check before g_slist_find()

      An empty GSList is represented by a NULL pointer, therefore it's a
      perfectly valid argument for g_slist_find() and there's no need to
      make any additional check.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1435583533-5758-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 29c838cdc96c4d117f00c75bbcb941e1be9590fb
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Jun 26 13:14:01 2015 +0200

      block/nfs: limit maximum readahead size to 1MB

      a malicious caller could otherwise specify a very
      large value via the URI and force libnfs to allocate
      a large amount of memory for the readahead buffer.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1435317241-25585-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9049736ec70fdc886ac0df521fdd8b2886b2cb63
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Jun 26 12:18:01 2015 +0200

      block/iscsi: restore compatiblity with libiscsi 1.9.0

      RHEL7 and others are stuck with libiscsi 1.9.0 since there
      unfortunately was an ABI breakage after that release.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1435313881-19366-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d7b25297920d18fa2a2cde1ed21fde38a88c935f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:14 2015 +0800

      iotests: Use event_wait in wait_ready

      Only poll the specific type of event we are interested in, to avoid
      stealing events that should be consumed by someone else.

      Suggested-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c615091793f53ff33b8f6c1b1ba711cf7c93e97b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:13 2015 +0800

      qemu-iotests: Add test case for mirror with unmap

      This checks that the discard on mirror source that effectively zeroes
      data is also reflected by the data of target.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 866323f39d5c7bb053f5e5bf753908ad9f5abec7
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:12 2015 +0800

      qemu-iotests: Make block job methods common

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6e82e4bce127654b2dd42ef393587775be792334
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:11 2015 +0800

      block: Remove bdrv_reset_dirty

      Using this function would always be wrong because a dirty bitmap must
      have a specific owner that consumes the dirty bits and calls
      bdrv_reset_dirty_bitmap().

      Remove the unused function to avoid future misuse.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 508249952c0ea7472c62e17bf8132295dab4912d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:10 2015 +0800

      block: Fix dirty bitmap in bdrv_co_discard

      Unsetting dirty globally with discard is not very correct. The discard 
may zero
      out sectors (depending on can_write_zeroes_with_unmap), we should 
replicate
      this change to destination side to make sure that the guest sees the same 
data.

      Calling bdrv_reset_dirty also troubles mirror job because the hbitmap 
iterator
      doesn't expect unsetting of bits after current position.

      So let's do it the opposite way which fixes both problems: set the dirty 
bits
      if we are to discard it.

      Reported-by: wangxiaolong@xxxxxxxxx
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dcfb3beb5130694b76b57de109619fcbf9c7e5b5
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:09 2015 +0800

      mirror: Do zero write on target if sectors not allocated

      If guest discards a source cluster, mirroring with bdrv_aio_readv is 
overkill.
      Some protocols do zero upon discard, where it's best to use
      bdrv_aio_write_zeroes, otherwise, bdrv_aio_discard will be enough.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0fc9f8ea2800b76eaea20a8a3a91fbeeb4bfa81b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:08 2015 +0800

      qmp: Add optional bool "unmap" to drive-mirror

      If specified as "true", it allows discarding on target sectors where 
source is
      not allocated.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ba3f0e2545c365ebe1dbddb0e53058710d41881e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:07 2015 +0800

      block: Add bdrv_get_block_status_above

      Like bdrv_is_allocated_above, this function follows the backing chain 
until seeing
      BDRV_BLOCK_ALLOCATED.  Base is not included.

      Reimplement bdrv_is_allocated on top.

      [Initialized bdrv_co_get_block_status_above() ret to 0 to silence
      mingw64 compiler warning about the unitialized variable.  assert(bs !=
      base) prevents that case but I suppose the program could be compiled
      with -DNDEBUG.
      --Stefan]

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e0cf11f31c24cfb17f44ed46c254d84c78e7f6e9
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Jun 12 16:01:30 2015 +0300

      timer: Use a single definition of NSEC_PER_SEC for the whole codebase

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
c6e55468856ba0b8f95913c4da111cc0ef266541.1434113783.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 471fae3c98d4f44b1957eb09d51ace440c585a20
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Jun 12 16:01:29 2015 +0300

      timer: Move NANOSECONDS_PER_SECONDS to timer.h

      We want to be able to reuse this define by making it common to
      multiple QEMU modules.

      This also makes it an integer since there's no need for it to be a
      float.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
6375912849da2ab561046dd013684535ccecca44.1434113783.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 126b8bbdfe8bc4042f13f230a4b36f90646f47c6
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 28 16:17:09 2015 +0200

      blockdev: no need to drain+flush in hmp_drive_del

      bdrv_close already does that, and in fact hmp_drive_del would need
      another drain after the flush (which bdrv_close does).  So remove
      the duplication.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1432822629-25401-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4b80ab2b7d950d5b22647b364e37eb81c756f061
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Jun 4 20:20:34 2015 -0400

      qapi: Rename 'dirty-bitmap' mode to 'incremental'

      If we wish to make differential backups a feature that's easy to access,
      it might be pertinent to rename the "dirty-bitmap" mode to "incremental"
      to make it clear what /type/ of backup the dirty-bitmap is helping us
      perform.

      This is an API breaking change, but 2.4 has not yet gone live,
      so we have this flexibility.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1433463642-21840-2-git-send-email-jsnow@xxxxxxxxxx
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3e5feb6202149e8a963a33b911216e40d790f1d7
  Author: JindÅ?ich MakoviÄ?ka <makovick@xxxxxxxxx>
  Date:   Wed Jun 24 07:05:25 2015 +0200

      qcow2: Handle EAGAIN returned from update_refcount

      Fixes a crash during image compression

      Signed-off-by: JindÅ?ich MakoviÄ?ka <makovick@xxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5dd7a535b71a0f2f8e7af75c5d694174359ce323
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Jun 16 13:45:07 2015 +0200

      block/iscsi: add support for request timeouts

      libiscsi starting with 1.15 will properly support timeout of iscsi
      commands. The default will remain no timeout, but this can
      be changed via cmdline parameters, e.g.:

      qemu -iscsi timeout=30 -drive file=iscsi://...

      If a timeout occurs a reconnect is scheduled and the timed out command
      will be requeued for processing after a successful reconnect.

      The required API call iscsi_set_timeout is present since libiscsi
      1.10 which was released in October 2013. However, due to some bugs
      in the libiscsi code the use is not recommended before version 1.15.

      Please note that this patch bumps the libiscsi requirement to 1.10
      to have all function and macros defined. The patch fixes also a
      off-by-one error in the NOP timeout calculation which was fixed
      while touching these code parts.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1434455107-19328-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit de7ea885c5394c1fba7443cbf33bd2745d32e6c2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:26 2015 +0200

      kvm: Switch to unlocked MMIO

      Do not take the BQL before dispatching MMIO requests of KVM VCPUs.
      Instead, address_space_rw will do it if necessary. This enables completely
      BQL-free MMIO handling in KVM mode for upcoming devices with fine-grained
      locking.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-10-git-send-email-pbonzini@xxxxxxxxxx>

  commit 7070e085d490c396f9237c8f10bf8b6e69cd0066
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:25 2015 +0200

      acpi: mark PMTIMER as unlocked

      Accessing QEMU_CLOCK_VIRTUAL is thread-safe.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-9-git-send-email-pbonzini@xxxxxxxxxx>

  commit 80b7d2efb63c225797345c152cdd3392b9fe7b72
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Jun 18 18:47:24 2015 +0200

      kvm: Switch to unlocked PIO

      Do not take the BQL before dispatching PIO requests of KVM VCPUs.
      Instead, address_space_rw will do it if necessary. This enables
      completely BQL-free PIO handling in KVM mode for upcoming devices with
      fine-grained locking.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-8-git-send-email-pbonzini@xxxxxxxxxx>

  commit 4b8523ee896750c37b4fa224a40d34703cbdf4c6
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Jun 18 18:47:23 2015 +0200

      kvm: First step to push iothread lock out of inner run loop

      This opens the path to get rid of the iothread lock on vmexits in KVM
      mode. On x86, the in-kernel irqchips has to be used because we otherwise
      need to synchronize APIC and other per-cpu state accesses that could be
      changed concurrently.

      Regarding pre/post-run callbacks, s390x and ARM should be fine without
      specific locking as the callbacks are empty. MIPS and POWER require
      locking for the pre-run callback.

      For the handle_exit callback, it is non-empty in x86, POWER and s390.
      Some POWER cases could do without the locking, but it is left in
      place for now.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-7-git-send-email-pbonzini@xxxxxxxxxx>

  commit 4840f10eff37eebc609fcc933ab985dc66df95c6
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Jun 18 18:47:22 2015 +0200

      memory: let address_space_rw/ld*/st* run outside the BQL

      The MMIO case is further broken up in two cases: if the caller does not
      hold the BQL on invocation, the unlocked one takes or avoids BQL depending
      on the locking strategy of the target memory region and its coalesced
      MMIO handling.  In this case, the caller should not hold _any_ lock
      (a friendly suggestion which is disregarded by virtio-scsi-dataplane).

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1434646046-27150-6-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 125b3806668106667dd2ae049593852859e12b63
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:21 2015 +0200

      exec: pull qemu_flush_coalesced_mmio_buffer() into 
address_space_rw/ld*/st*

      As memory_region_read/write_accessor will now be run also without BQL 
held,
      we need to move coalesced MMIO flushing earlier in the dispatch process.

      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1434646046-27150-5-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 196ea13104f802c508e57180b2a0d2b3418989a3
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Jun 18 18:47:20 2015 +0200

      memory: Add global-locking property to memory regions

      This introduces the memory region property "global_locking". It is true
      by default. By setting it to false, a device model can request BQL-free
      dispatching of region accesses to its r/w handlers. The actual BQL
      break-up will be provided in a separate patch.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-4-git-send-email-pbonzini@xxxxxxxxxx>

  commit afbe70535ff1a8a7a32910cc15ebecc0ba92e7da
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:19 2015 +0200

      main-loop: introduce qemu_mutex_iothread_locked

      This function will be used to avoid recursive locking of the iothread lock
      whenever address_space_rw/ld*/st* are called with the BQL held, which is
      almost always the case.

      Tracking whether the iothread is owned is very cheap (just use a TLS
      variable) but requires some care because now the lock must always be
      taken with qemu_mutex_lock_iothread().  Previously this wasn't the case.
      Outside TCG mode this is not a problem.  In TCG mode, we need to be
      careful and avoid the "prod out of compiled code" step if already
      in a VCPU thread.  This is easily done with a check on current_cpu,
      i.e. qemu_in_vcpu_thread().

      Hopefully, multithreaded TCG will get rid of the whole logic to kick
      VCPUs whenever an I/O event occurs!

      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1434646046-27150-3-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2e7f7a3c86f884a77296a137b7c730a4d580c5c9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:18 2015 +0200

      main-loop: use qemu_mutex_lock_iothread consistently

      The next patch will require the BQL to be always taken with
      qemu_mutex_lock_iothread(), while right now this isn't the case.

      Outside TCG mode this is not a problem.  In TCG mode, we need to be
      careful and avoid the "prod out of compiled code" step if already
      in a VCPU thread.  This is easily done with a check on current_cpu,
      i.e. qemu_in_vcpu_thread().

      Hopefully, multithreaded TCG will get rid of the whole logic to kick
      VCPUs whenever an I/O event occurs!

      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1434646046-27150-2-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bdf026317daa3b9dfa281f29e96fbb6fd48394c8
  Author: 马æ??é?? <kevinnma@xxxxxxxxxxx>
  Date:   Wed Jul 1 15:41:41 2015 +0200

      Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES

      Last month, we experienced several guests crash(6cores-8cores), qemu logs
      display the following messages:

      qemu-system-x86_64: /build/qemu-2.1.2/kvm-all.c:976:
      kvm_irqchip_commit_routes: Assertion `ret == 0' failed.

      After analysis and verification, we can confirm it's irq-balance
      daemon(in guest) leads to the assertion failure. Start a 8 core guest with
      two disks, execute the following scripts will reproduce the BUG quickly:

      irq_affinity.sh
      ========================================================================

      vda_irq_num=25
      vdb_irq_num=27
      while [ 1 ]
      do
          for irq in {1,2,4,8,10,20,40,80}
              do
                  echo $irq > /proc/irq/$vda_irq_num/smp_affinity
                  echo $irq > /proc/irq/$vdb_irq_num/smp_affinity
                  dd if=/dev/vda of=/dev/zero bs=4K count=100 iflag=direct
                  dd if=/dev/vdb of=/dev/zero bs=4K count=100 iflag=direct
              done
      done
      ========================================================================

      QEMU setup static irq route entries in kvm_pc_setup_irq_routing(), PIC and
      IOAPIC share the first 15 GSI numbers, take up 23 GSI numbers, but take up
      38 irq route entries. When change irq smp_affinity in guest, a dynamic 
route
      entry may be setup, the current logic is: if allocate GSI number succeeds,
      a new route entry can be added. The available dynamic GSI numbers is
      1021(KVM_MAX_IRQ_ROUTES-23), but available irq route entries is only
      986(KVM_MAX_IRQ_ROUTES-38), GSI numbers greater than route entries.
      irq-balance's behavior will eventually leads to total irq route entries
      exceed KVM_MAX_IRQ_ROUTES, ioctl(KVM_SET_GSI_ROUTING) fail and
      kvm_irqchip_commit_routes() trigger assertion failure.

      This patch fix the BUG.

      Signed-off-by: Wenshuang Ma <kevinnma@xxxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 62ac4a52e27c706c860403fd1d8535a9a1073a19
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Dec 11 14:25:11 2014 +0100

      s390x/css: Add a callback for when subchannel gets disabled

      We need a possibility to run code when a subchannel gets disabled.
      This patch adds the necessary infrastructure.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6e7cd94462d65405037c993fc4401d6fceed6660
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 25 13:48:58 2015 +0200

      s390-ccw.img: update

      Update for "s390-ccw.img: Consume service interrupts".

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit bdc7fe3638fa7693eed5886b5b2afe0858d875fc
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Fri Jun 19 15:40:45 2015 +0200

      s390-ccw.img: Consume service interrupts

      We have to consume the outstanding service interrupt after each
      service call, otherwise a correct implementation will return
      CC=2 on subsequent service calls.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ec7353a146bb39c3bb3e5ccc50ca585aed97b7cf
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Jun 24 10:57:23 2015 +0200

      css: mss/mcss-e vs. migration

      Our main channel_subsys structure is not a device (yet), but we need
      to setup mss/mcss-e again if the guest had enabled it before. Use
      a hack that should catch most configurations (assuming that the guest
      will have enabled at least one device in higher subchannel sets or
      channel subsystems if it enabled the functionality.)

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fa8b0ca5d1b69975b715a259d3586cadf7a5280f
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Jun 23 15:46:31 2015 +0200

      virtio-ccw: complete handling of guest-initiated resets

      For a guest-initiated reset, we need to not only reset the virtio device,
      but also reset the VirtioCcwDevice into a clean state. This includes
      resetting the indicators, or else a guest will not be able to e.g.
      switch from classic interrupts to adapter interrupts.

      Split off this routine into a new function virtio_ccw_reset_virtio()
      to make the distinction between resetting the virtio-related devices
      and the base subchannel device clear.

      CC: qemu-stable@xxxxxxxxxx
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit d2966f804d70a244f5dde395fc5d22a50ed3e74e
  Merge: 2b464e1 a435612
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 29 17:03:20 2015 +0100

      Merge remote-tracking branch 'remotes/vivier/tags/pull-m68k-20150629' 
into staging

      Trivial m68k cleanup

      # gpg: Signature made Mon Jun 29 16:38:40 2015 BST using DSA key ID 
ABF36C53
      # gpg: Good signature from "Laurent Vivier <laurent@xxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier <Laurent@xxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier <Laurent@xxxxxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@xxxxxxxxxx>"
      # gpg:                 aka "[jpeg image of size 3881]"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 9EC7 B78A C0AC E697 5E4B  BDE3 34A4 F6C9 ABF3 
6C53

      * remotes/vivier/tags/pull-m68k-20150629:
        m68k: remove useless parameter op_size from gen_lea_indexed()
        m68k: remove useless file m68k-qreg.h
        m68k: is_mem is useless

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a435612616202c837d62626dbe3e33a4e9a95772
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Wed Jun 24 02:51:49 2015 +0200

      m68k: remove useless parameter op_size from gen_lea_indexed()

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <huth@xxxxxxxxxxxxx>

  commit bb337ac978b6def085eabf17830d5cc2a1bce6a8
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Wed Jun 24 02:07:24 2015 +0200

      m68k: remove useless file m68k-qreg.h

      Unused since:

          commit e1f3808e03f73e7a7fa966afbed2455dd052202e
          Author: pbrook <pbrook@c046a42c-6fe2-441c-8c8c-71466251a162>
          Date:   Sat May 24 22:29:16 2008 +0000

              Convert m68k target to TCG.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <huth@xxxxxxxxxxxxx>

  commit 805167adcb900fa7b2b114d639c418f5313d0b42
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Wed Jun 24 01:00:22 2015 +0200

      m68k: is_mem is useless

      Remove is_mem as it is never tested anymore since:

          commit bfa50bc2638d877cf2900712b7503be22e8811cb
          Author: aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>
          Date:   Tue Nov 18 20:26:41 2008 +0000

              Remove premature memop TB terminations (Jan Kiszka)

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <huth@xxxxxxxxxxxxx>

  commit 2b464e13f0d30e6c0b8f69ec908fceab30aea986
  Merge: dc1e135 5f37fd8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 29 13:26:43 2015 +0100

      Merge remote-tracking branch 
'remotes/bkoppelmann/tags/pull-tricore-20150629' into staging

      TriCore bugfixes

      # gpg: Signature made Mon Jun 29 13:08:17 2015 BST using RSA key ID 
6B69CA14
      # gpg: Good signature from "Bastian Koppelmann 
<kbastian@xxxxxxxxxxxxxxxxxxxxx>"

      * remotes/bkoppelmann/tags/pull-tricore-20150629:
        target-tricore: fix depositing bits from PCXI into ICR

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5f37fd8e2980818ab71bc4b4e21129e29acd73f7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 24 14:01:10 2015 +0200

      target-tricore: fix depositing bits from PCXI into ICR

      Spotted by Coverity, because (env->PCXI & MASK_PCXI_PCPN) >> 24
      is always zero.  The immediately preceding assignment is also
      wrong though.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Message-Id: <1435147270-1040-1-git-send-email-pbonzini@xxxxxxxxxx>

  commit dc1e1350f8061021df765b396295329797d66933
  Merge: d14b9d7 d46f7c9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 15:57:43 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, pci fixes, enhancements

      Almost exclusively bugfixes, though in this case,
      we are adding functionality to the pxb in order
      to make OVMF work on it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Fri Jun 26 14:43:27 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        Fix glib_subprocess test
        hw/pci-bridge: format special OFW unit address for PXB host
        hw/core: explicit OFW unit address callback for SysBusDeviceClass
        hw/pci-bridge: disable SHPC in PXB
        hw/pci-bridge: introduce "shpc" property
        hw/pci: introduce shpc_present() helper function
        hw/pci-bridge: add macro for "msi" property
        hw/pci-bridge: add macro for "chassis_nr" property
        hw/pci-bridge: expose _test parameter in SHPC_VMSTATE()
        migration: introduce VMSTATE_BUFFER_UNSAFE_INFO_TEST()
        add pci-bridge-seat
        pc: cleanup and convert TMP ACPI device description to AML API
        MAINTAINERS: add ACPI entry
        vhost: correctly pass error to caller in vhost_dev_enable_notifiers()
        balloon: add a feature bit to let Guest OS deflate balloon on oom
        qdev: fix OVERFLOW_BEFORE_WIDEN
        virito-pci: fix OVERRUN problem

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 41da4bd6420afd1209c408974920f63ff9c658e1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat May 30 23:11:46 2015 -0700

      cpu-defs: Move out TB_JMP defines

      These are not Architecture specific in any way so move them out of
      cpu-defs.h. tb-hash.h is an appropriate place as a leading user and
      their strong relationship to TB hashing and caching.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<43ceca65a3fa240efac49aa0bf604ad0442e1710.1433052532.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e1b89321bafea9fb33d87852fc91fee579d17dfe
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat May 30 23:11:45 2015 -0700

      include/exec: Move tb hash functions out

      This is one of very few things in exec-all with a genuine CPU
      architecture dependency. Move these hashing helpers to a new
      header to trim exec-all.h down to a near architecture-agnostic
      header.

      The defs are only used by cpu-exec and translate-all which are both
      arch-obj's so the new tb-hash.h has no core code usage.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<9d048b96f7cfa64a4d9c0b88e0dd2877fac51d41.1433052532.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9e0dc48c9f05505b53cb28f860456a0648e56ddf
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat May 30 23:11:42 2015 -0700

      include/exec: Move standard exceptions to cpu-all.h

      These exception indicies are generic and don't have any reliance on the
      per-arch cpu.h defs. Move them to cpu-all.h so they can be used by core
      code that does not have access to cpu-defs.h.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<dbebd3062c7cd4332240891a3564e73f374ddfcd.1433052532.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6e0b07306d1793e8402dd218d2e38a7377b5fc27
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat May 30 23:11:34 2015 -0700

      cpu-defs: Move CPU_TEMP_BUF_NLONGS to tcg

      The usages of this define are pure TCG and there is no architecture
      specific variation of the value. Localise it to the TCG engine to
      remove another architecture agnostic piece from cpu-defs.h.

      This follows on from a28177820a868eafda8fab007561cc19f41941f4 where
      temp_buf was moved out of the CPU_COMMON obsoleting the need for
      the super early definition.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<498e8e5325c1a1aff79e5bcfc28cb760ef6b214e.1433052532.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 94beb661bd90bcb477eed6d3b07aced988c40163
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Jun 7 14:59:09 2015 -0700

      memory_mapping: Rework cpu related includes

      This makes it more consistent with all other core code files, which
      either just rely on qemu-common.h inclusion or precede cpu.h with
      qemu-common.h.

      cpu-all.h should not be included in addition to cpu.h. Remove it.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: <1433714349-7262-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 27e7755bea57c66097000f7612271ceefcbeb4a4
  Author: Artyom Tarasenko <atar4qemu@xxxxxxxxx>
  Date:   Tue Jun 23 14:30:18 2015 +0200

      cutils: allow compilation with icc

      Use VEC_OR macro for operations on VECTYPE operands

      Signed-off-by: Artyom Tarasenko <atar4qemu@xxxxxxxxx>
      Message-Id: 
<3f62d7a3a265f7dd99e50d016a0333a99a4a082a.1435062067.git.atar4qemu@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 34664507c7f038842f20a2c787915680b1fabba2
  Author: Artyom Tarasenko <atar4qemu@xxxxxxxxx>
  Date:   Tue Jun 23 14:30:17 2015 +0200

      qemu-common: add VEC_OR macro

      Intel C Compiler version 15.0.3.187 Build 20150407 doesn't support
      '|' function for non floating-point simd operands.

      Define VEC_OR macro which uses _mm_or_si128 supported
      both in icc and gcc on x86 platform.

      Signed-off-by: Artyom Tarasenko <atar4qemu@xxxxxxxxx>
      Message-Id: 
<54c804cdb3b3a93e93ef98f085dc57c4092580b7.1435062067.git.atar4qemu@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d14b9d79be8a424ebc66450d565b81eff2296d55
  Merge: ccb0c7e 4e2c0b2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 14:40:47 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150626' into staging

      target-arm queue:
       * Change the virt board's default interface type for block devices to 
virtio
       * Improve some error messages that will now be triggered by some 
incorrect
         but previously worked-by-accident command lines
       * Print ELR if we're doing debug logging of AArch64 exception entry
       * Handle the "completely empty semihosting commandline" correctly for
         softmmu (we already did for linux-user)
       * Add GICv2m description to ACPI tables for virt board
       * Fix some incorrect table revision entries in virt board ACPI tables

      # gpg: Signature made Fri Jun 26 14:29:39 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150626:
        hw/arm/virt: Make block devices default to virtio
        qdev-properties-system: Improve error message for drive assignment 
conflict
        qdev-properties-system: Change set_pointer's parse callback to use Error
        target-arm: A64: Print ELR when taking exceptions
        target-arm: default empty semihosting cmdline
        hw/arm/virt-acpi-build: Add GICv2m description in ACPI MADT table
        hw/arm/virt-acpi-build: Fix table revision and some comments

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4e2c0b2a4ab810c8989e181a010e75aeaa1c55f3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:37 2015 +0100

      hw/arm/virt: Make block devices default to virtio

      Now we have virtio-pci, we can make the virt board's default block
      device type be IF_VIRTIO. This allows users to use simplified
      command lines that don't have to explicitly create virtio-pci-blk
      devices; the -hda &c very short options now also work.

      This means we also need to set no_cdrom to avoid getting a
      default cdrom device -- this is needed because the virtio-blk
      device will fail if it is connected to a block backend with
      no media, which is what the default cdrom device typically is.
      Providing a cdrom with media via -cdrom will succeed, but silently
      create a device with non-removable medium. this is probably
      not really what the user wants, but is the best we can do now.

      Note that this change means that some command lines which used
      to work (by accident) will stop working. Where a drive was connected
      manually to a device but without 'if=none' being specified, we
      used to treat this as an IDE drive, which we would then not autoplug
      because the board doesn't support IDE. Now we will treat it as a
      virtio disk and autoplug it, which means the attempt to use the
      drive manually will fail:
        qemu-system-arm: -drive file=img.qcow2,id=foo: Drive 'foo' is already
        in use because it has been automatically connected to another device
        (did you need 'if=none' in the drive options?)
      The command line will have to be changed to include 'if=none', as the
      error message suggests.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435068107-12594-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 62f7dbde4c75e48921fd1b773865250130c57bd8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      qdev-properties-system: Improve error message for drive assignment 
conflict

      If the user forgot if=none on their drive specification they're likely
      to get an error message because the drive is assigned once automatically
      by QEMU and once by the manual id=/drive= user command line specification.
      Improve the error message produced in this case to explicitly guide the
      user towards if=none.

      We rephrase the "drive conflict but not for an if=something" error as
      well to keep the wording in line.

      The two cases that change are:

      (1) Drive specified as to be auto-connected and also manually connected
      (and the board does handle this if= type):

        qemu-system-x86_64 -nodefaults -display none \
           -drive if=scsi,file=tmp.qcow2,id=foo -device ide-hd,drive=foo

      Previously:
        qemu-system-x86_64: -device ide-hd,drive=foo: Property 'ide-hd.drive'
        can't take value 'foo', it's in use

      Now:
        qemu-system-x86_64: -device ide-hd,drive=foo: Drive 'foo' is already in
        use because it has been automatically connected to another device (did
        you need 'if=none' in the drive options?)

      (2) Drive specified to be manually connected in two different ways:

        qemu-system-x86_64 -nodefaults -display none \
         -drive if=none,file=tmp.qcow2,id=foo -device ide-hd,drive=foo \
         -device ide-hd,drive=foo

      Previously:
        qemu-system-x86_64: -device ide-hd,drive=foo: Property 'ide-hd.drive'
        can't take value 'foo', it's in use

      Now:
        qemu-system-x86_64: -device ide-hd,drive=foo: Drive 'foo' is already in
        use by another device

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435068107-12594-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit f1fb9f0dc087c02b230be4cc96c5c76521f188fa
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      qdev-properties-system: Change set_pointer's parse callback to use Error

      Instead of having set_pointer() call a parse callback which returns
      an error number that we then convert to an Error string with
      error_set_from_qdev_prop_error(), make the parse callback take an
      Error** and set the error itself. This will allow parse routines
      to provide more helpful error messages than the generic ones.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435068107-12594-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit b21ab1fc217b4a2b8f2f85d16bdd8510a7817a34
  Author: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      target-arm: A64: Print ELR when taking exceptions

      When taking an exception print the content of the exception link
      register. This is useful especially for synchronous exceptions because
      in that case this registers holds the address of the instruction that
      generated the exception.

      Signed-off-by: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
      Message-id: 1435036655-16132-1-git-send-email-soren.brinkmann@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f3c2bda216a00676e40301b5843ac3d6c3b2537a
  Author: Liviu Ionescu <ilg@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      target-arm: default empty semihosting cmdline

      If neither explicit semihosting args nor -kernel are used,
      make SYS_GET_CMDLINE return an empty string.

      Signed-off-by: Liviu Ionescu <ilg@xxxxxxxxxx>
      Message-id: AC7B5AFC-06AE-4FAD-9852-B65708E80E09@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca7937365305d144cf0c97b907dac6f70ea152ef
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      hw/arm/virt-acpi-build: Add GICv2m description in ACPI MADT table

      Add GICv2m description in ACPI MADT table, so guest can use MSI when
      booting with ACPI.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Andrew Jones <drjones@xxxxxxxxxx>
      Tested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Message-id: 1434676210-2276-1-git-send-email-shannon.zhao@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d0652b5765859049c96a13372bbe075be44e756b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      hw/arm/virt-acpi-build: Fix table revision and some comments

      The table revision is not the ACPI spec version. Fix the wrong revision
      and also some comments.

      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1433820378-8336-1-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ccb0c7e122db72d3a5da798c6414d4912bba828f
  Merge: 0a4a031 4b3bcd0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 11:32:58 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150626' into 
staging

      MIPS patches 2015-06-26

      Changes:
      * MIPS UHI semihosting support
      * microMIPS32 R6 support

      # gpg: Signature made Fri Jun 26 10:42:33 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150626:
        target-mips: add mips32r6-generic CPU definition
        target-mips: microMIPS32 R6 POOL16{A, C} instructions
        target-mips: microMIPS32 R6 Major instructions
        target-mips: microMIPS32 R6 POOL32{I, C} instructions
        target-mips: microMIPS32 R6 POOL32F instructions
        target-mips: microMIPS32 R6 POOL32A{XF} instructions
        target-mips: microMIPS32 R6 branches and jumps
        target-mips: add microMIPS32 R6 opcode enum
        target-mips: signal RI for removed instructions in microMIPS R6
        target-mips: raise RI exceptions when FIR.PS = 0
        target-mips: rearrange gen_compute_compact_branch
        target-mips: refactor {D}LSA, {D}ALIGN, {D}BITSWAP
        target-mips: remove an unused argument
        target-mips: add microMIPS TLBINV, TLBINVF
        target-mips: fix {RD, WR}PGPR in microMIPS
        target-mips: convert host to MIPS errno values when required
        target-mips: add Unified Hosting Interface (UHI) support
        target-mips: remove identical code in different branch
        hw/mips: Do not clear BEV for MIPS malta kernel load
        include/softmmu-semi.h: Make semihosting support 64-bit clean

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b3bcd016d83cc75f6a495c1db54b6c77f037adc
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:27 2015 +0100

      target-mips: add mips32r6-generic CPU definition

      Define a new CPU definition supporting MIPS32 Release 6 ISA and
      microMIPS32 Release 6 ISA.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ed7ce6c0f9d4370826557ce33d652beb88ccb3e6
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:26 2015 +0100

      target-mips: microMIPS32 R6 POOL16{A, C} instructions

      microMIPS32 Release 6 POOL16A/ POOL16C instructions

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ab39ee452d74855adec91056812b8e1e5166302c
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:25 2015 +0100

      target-mips: microMIPS32 R6 Major instructions

      Add new microMIPS32 Release 6 Major opcode instructions

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 3b4a5489447e7ed17cc504572cf729833853e7ab
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:24 2015 +0100

      target-mips: microMIPS32 R6 POOL32{I, C} instructions

      Add new microMIPS32 Release 6 POOL32I/POOL32C type instructions

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 2a24a7badeb6ad3ba72e7984f299623035d564d6
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:23 2015 +0100

      target-mips: microMIPS32 R6 POOL32F instructions

      Add new microMIPS32 Release 6 POOL32F instructions

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit e03320958305a68f2bc6a32c87d7ed48303438f9
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:22 2015 +0100

      target-mips: microMIPS32 R6 POOL32A{XF} instructions

      Add new microMIPS32 Release 6 pool32a/pool32axf instructions.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 65935f070aa710cf340e96ae7ee36d2c1d5c8d15
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:21 2015 +0100

      target-mips: microMIPS32 R6 branches and jumps

      Add new microMIPS32 Release 6 branch and jump instructions.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 3a1f426828cd8ffeec1a4fa8ca6ca3ed4f800edb
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:20 2015 +0100

      target-mips: add microMIPS32 R6 opcode enum

      Add microMIPS32 Release 6 opcode enum.
      Remove RI checking for pre-R6 reserved opcode.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 9e8f441a7e094c0dc33a1c8f521d9e5bcfc1b4da
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:19 2015 +0100

      target-mips: signal RI for removed instructions in microMIPS R6

      Signal a Reserved Instruction exception for removed instruction encoding
      in microMIPS Release 6.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit e29c962804c4dd3fabd44e703aa87eec555ed910
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:18 2015 +0100

      target-mips: raise RI exceptions when FIR.PS = 0

      64-bit paired-single (PS) floating point data type is optional in the
      pre-Release 6.
      It has to raise RI exception when PS type is not implemented. (FIR.PS = 0)
      (The PS data type is removed in the Release 6.)
      Loongson-2E and Loongson-2F don't have any implementation field in
      FCSR0(FIR) but do support PS data format, therefore for these cores RI 
will
      not be signalled regardless of PS bit.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 6893f07466b045c5faf314ab9e57ef3b4a6f9e49
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:17 2015 +0100

      target-mips: rearrange gen_compute_compact_branch

      The function will be also used for microMIPS Release 6.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 1f1b4c008e250f870719ed38fbd0bcc14322fc01
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:16 2015 +0100

      target-mips: refactor {D}LSA, {D}ALIGN, {D}BITSWAP

      Refactor those instructions in order to reuse them for microMIPS32
      Release 6.
      Rearrange gen_move_low32().

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f60eeb0c5ddd8ceb8ca6b3ba032159027afab67a
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:15 2015 +0100

      target-mips: remove an unused argument

      Remove an unused argument from decode_micromips32_opc()

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit e60ec06357470db5a0f25901ca19b6237e6da927
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:14 2015 +0100

      target-mips: add microMIPS TLBINV, TLBINVF

      Add microMIPS TLBINV, TLBINVF

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 1bf5902de03732d4067c4e90171a1741d6542c45
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:13 2015 +0100

      target-mips: fix {RD, WR}PGPR in microMIPS

      rt, rs were swapped

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 2c44b19c199f4ce2f1721120744d3d6e5d01d274
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 11:08:44 2015 +0100

      target-mips: convert host to MIPS errno values when required

      Convert only errno values which can be returned by system calls in
      mips-semi.c and are not generic to all archs.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 3b3c1694cfd394b73de426edebdbf90c28f664fd
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 11:08:43 2015 +0100

      target-mips: add Unified Hosting Interface (UHI) support

      Add UHI semihosting support for MIPS. QEMU run with "-semihosting" option
      will alter the behaviour of SDBBP 1 instruction -- UHI operation will be
      called instead of generating a debug exception.

      Also tweak Malta's pseudo-bootloader. On CPU reset the $4 register is set
      to -1 if semihosting arguments are passed to indicate that the UHI
      operations should be used to obtain input arguments.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit ff334767728011218c62f7476232d260cb5b28e6
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 11:08:42 2015 +0100

      target-mips: remove identical code in different branch

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit d6ca4277eee98b3c561e21ac105199891d346d79
  Author: Matthew Fortune <matthew.fortune@xxxxxxxxxx>
  Date:   Fri Jun 19 11:08:41 2015 +0100

      hw/mips: Do not clear BEV for MIPS malta kernel load

      The BEV flag controls whether the boot exception vector is still
      in place when starting a kernel.  When cleared the exception vector
      at EBASE (or hard coded address of 0x80000000) is used instead.

      The early stages of the linux kernel would benefit from BEV still
      being set to ensure any faults get handled by the boot rom exception
      handlers.  This is a moot point for system qemu as there aren't really
      any BEV handlers, but there are other good reasons to change this...

      The UHI (semi-hosting interface) defines special behaviours depending
      on whether an application starts in an environment with BEV set or
      cleared. When BEV is set then UHI assumes that a bootloader is
      relatively dumb and has no advanced exception handling logic.
      However, when BEV is cleared then UHI assumes that the bootloader
      has the ability to handle UHI exceptions with its exception handlers
      and will unwind and forward UHI SYSCALL exceptions to the exception
      vector that was installed prior to running the application.

      Signed-off-by: Matthew Fortune <matthew.fortune@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 9f6f7ca1490563d98003149e6de32caf25c670da
  Author: Maciej W. Rozycki <macro@xxxxxxxxxxxxxxxx>
  Date:   Fri Jun 19 11:08:40 2015 +0100

      include/softmmu-semi.h: Make semihosting support 64-bit clean

      Correct addresses passed around in semihosting to use a data type suitable
      for both 32-bit and 64-bit targets.

      Signed-off-by: Maciej W. Rozycki <macro@xxxxxxxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 0a4a0312bf8b029cbd32a97db2cad669cf65ac49
  Merge: 58e8b33 1e81aba
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 25 14:03:55 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Wed Jun 24 16:37:23 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net: simplify net_client_init1()
        net: drop if expression that is always true
        net: raise an error if -net type is invalid
        net: replace net_client_init1() netdev whitelist with blacklist
        net: add missing "netmap" to host_net_devices[]

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 58e8b33518fd2bb6dce0ba7b6347c3df85aea3c6
  Merge: 355df30 1204854
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 25 11:19:46 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Wed Jun 24 16:27:53 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        virito-blk: drop duplicate check
        qemu-iotests: fix 051.out after qdev error message change
        iov: don't touch iov in iov_send_recv()
        raw-posix: Introduce hdev_is_sg()
        raw-posix: Use DPRINTF for DEBUG_FLOPPY
        raw-posix: DPRINTF instead of DEBUG_BLOCK_PRINT
        Fix migration in case of scsi-generic
        block: Use bdrv_is_sg() everywhere
        nvme: Fix memleak in nvme_dma_read_prp
        vvfat: add a label option
        util/hbitmap: Add an API to reset all set bits in hbitmap
        virtio-blk: Use blk_drain() to drain IO requests
        block-backend: Introduce blk_drain()
        throttle: Check current timers before updating any_timer_armed[]
        block: Let bdrv_drain_all() to call aio_poll() for each AioContext

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1e81aba5ac0b908ab859bf8ddf43ece33732d49c
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:52 2015 +0100

      net: simplify net_client_init1()

      Drop the union and move the hubport creation into the !is_netdev case.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1432743412-15943-6-git-send-email-stefanha@xxxxxxxxxx

  commit 4ef0defbad9bc8b195f3392d1b7dcb42cd7ebe11
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:51 2015 +0100

      net: drop if expression that is always true

      Both is_netdev and !is_netdev paths already check that
      net_client_init_func[opts->kind] is non-NULL so there is no need for the
      if statement.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1432743412-15943-5-git-send-email-stefanha@xxxxxxxxxx

  commit d139e9a6cf01b8c31f5904b4ba40521d7224f7de
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:50 2015 +0100

      net: raise an error if -net type is invalid

      When a -net type is used that was not compiled into the binary there
      should be an error message.

      Note the special case for -net none, which is a no-op.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1432743412-15943-4-git-send-email-stefanha@xxxxxxxxxx

  commit 1322629b4f25730aed973d51983e7a3b021fe9c9
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:49 2015 +0100

      net: replace net_client_init1() netdev whitelist with blacklist

      It's cumbersome to keep the whitelist up-to-date.  New netdev backends
      should most likely be allowed so a blacklist makes more sense than a
      whitelist.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1432743412-15943-3-git-send-email-stefanha@xxxxxxxxxx

  commit 027a247bbf703e94258d07e38948946d7b85e91c
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:48 2015 +0100

      net: add missing "netmap" to host_net_devices[]

      Although hmp-commands.hx lists "netmap" as a valid host_net_add type,
      the command rejects it because it's missing from the list.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1432743412-15943-2-git-send-email-stefanha@xxxxxxxxxx

  commit 12048545019cd1d64c8147ea9277648e685fa489
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed Jun 24 17:29:24 2015 +0800

      virito-blk: drop duplicate check

      in_num = req->elem.in_num, and req->elem.in_num is
      checked in line 489, so the check about in_num variable
      is superflous, let's drop it.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435138164-11728-1-git-send-email-arei.gonglei@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a30c4eb2ce7b2c15ab556be3cfe2340c17271ddd
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Jun 23 15:56:09 2015 +0100

      qemu-iotests: fix 051.out after qdev error message change

      Commit f006cf7fa9a63ba8e4ccf57d46231ce594301727 ("qdev-monitor:
      Propagate errors through qdev_device_add()") dropped a meaningless error
      message.  This change in output caused qemu-iotests 051 to fail:

         QEMU_PROG: -device ide-drive,drive=disk: Device initialization failed.
        -QEMU_PROG: -device ide-drive,drive=disk: Device 'ide-drive' could not 
be initialized

      Update 051.out so the test passes again.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435071369-30936-1-git-send-email-stefanha@xxxxxxxxxx

  commit d46f7c9e648d8098ac73b36834ac81237b8c2c2d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Jun 24 10:45:42 2015 +0100

      Fix glib_subprocess test

      A typo means that the tests dependent on glib with subprocess
      support are never run.

      Fixes: 9d41401b90fa10b335d2e739149d36437cfbf622

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 48ea3dedc54dbcb3c738ddef02a336739910ecfd
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:17 2015 +0200

      hw/pci-bridge: format special OFW unit address for PXB host

      We have agreed that OpenFirmware device paths in the "bootorder" fw_cfg
      file should follow the pattern

        /pci@i0cf8,%x/...

      for devices that live behind an extra root bus. The extra root bus in
      question is the %x'th among the extra root buses. (In other words, %x
      gives the position of the affected extra root bus relative to the other
      extra root buses, in bus_nr order.) %x starts at 1, and is formatted in
      hex.

      The portion of the unit address that comes before the comma is dynamically
      taken from the main host bridge, similarly to sysbus_get_fw_dev_path().

      Cc: Kevin O'Connor <kevin@xxxxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0b336b3b98d8983d821ef9b0f159acc7c77cbac7
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:16 2015 +0200

      hw/core: explicit OFW unit address callback for SysBusDeviceClass

      The sysbus_get_fw_dev_path() function formats OpenFirmware device path
      nodes ("driver-name@unit-address") for sysbus devices. The first choice
      for "unit-address" is the base address of the device's first MMIO region.
      The second choice is its first IO port.

      However, if two sysbus devices with the same "driver-name" lack both MMIO
      and PIO resources, then there is no good way to distinguish them based on
      their OFW nodes, because in this case unit-address is omitted completely
      for both devices. An example is TYPE_PXB_HOST ("pxb-host").

      For the sake of such devices, introduce the explicit_ofw_unit_address()
      "virtual member function". With this function, each sysbus device in the
      same SysBusDeviceClass can state its own address.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d10dda2d60c8c225a89a53d53add799b69f6bb46
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:14 2015 +0200

      hw/pci-bridge: disable SHPC in PXB

      OVMF downloads the ACPI linker/loader script from QEMU when the edk2 PCI
      Bus driver globally signals the firmware that PCI enumeration and resource
      allocation have completed. At this point QEMU regenerates the ACPI payload
      in an fw_cfg read callback, and this is when the PXB's _CRS gets
      populated.

      Unfortunately, when this happens, the PCI_COMMAND_MEMORY bit is clear in
      the root bus's command register, *unlike* under SeaBIOS. The consequences
      unfold as follows:

      - When build_crs() fetches dev->io_regions[i].addr, it is all-bits-one,
        because pci_update_mappings() --> pci_bar_address() calculated it as
        PCI_BAR_UNMAPPED, due to the PCI_COMMAND_MEMORY bit being clear.

      - Consequently, the SHPC MMIO BAR (bar 0) of the bridge is not added to
        the _CRS, *despite* having been programmed in PCI config space.

      - Similarly, the SHPC MMIO BAR of the PXB is not removed from the main
        root bus's DWordMemory descriptor.

      - Guest OSes (Linux and Windows alike) notice the pre-programmed SHPC BAR
        within the PXB's config space, and notice that it conflicts with the
        main root bus's memory resource descriptors. Linux reports

        pci 0000:04:00.0: BAR 0: can't assign mem (size 0x100)
        pci 0000:04:00.0: BAR 0: trying firmware assignment [mem
                                 0x88200000-0x882000ff 64bit]
        pci 0000:04:00.0: BAR 0: [mem 0x88200000-0x882000ff 64bit] conflicts
                                 with PCI Bus 0000:00 [mem
                                 0x88200000-0xfebfffff]

        While Windows Server 2012 R2 reports

          https://technet.microsoft.com/en-us/library/cc732199%28v=ws.10%29.aspx

          This device cannot find enough free resources that it can use. If you
          want to use this device, you will need to disable one of the other
          devices on this system. (Code 12)

      This issue was apparently encountered earlier, see the "hack" in:

        https://lists.nongnu.org/archive/html/qemu-devel/2015-01/msg02983.html

      and the current hole-punching logic in build_crs() and build_ssdt() is
      probably supposed to remedy exactly that problem -- however, for OVMF they
      don't work, because at the end of the PCI enumeration and resource
      allocation, which cues the ACPI linker/loader client, the command register
      is clear.

      The "shpc" property of "pci-bridge", introduced in the previous patches,
      allows us to disable the standard hotplug controller cleanly, eliminating
      the SHPC bar and the conflict.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4e5c9bfecf5da13e8e0f790002a55bb1cc0437b1
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:13 2015 +0200

      hw/pci-bridge: introduce "shpc" property

      In the PCI expander bridge, we will want to disable those features of
      pci-bridge that relate to SHPC (standard hotplug controller):

      - SHPC bar and underlying MemoryRegion
      - interrupt (INTx or MSI)
      - effective hotplug callbacks
      - other SHPC hooks (initialization, cleanup, migration etc)

      Introduce a new feature request bit in the PCIBridgeDev.flags field, and
      turn off the above if the bit is explicitly cleared.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 23ab143dcce8d7f758eb6946ebf68d8689018a9c
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:12 2015 +0200

      hw/pci: introduce shpc_present() helper function

      It follows msi_present() in "include/hw/pci/msi.h".

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7a7c6a41c5583b24f6a35b02c7f68c84ebd7e177
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:11 2015 +0200

      hw/pci-bridge: add macro for "msi" property

      This should help catch property name typos at compile time.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3cf0ecb3c4f9bb6a7a58a62c0209509b4c9d13c6
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:10 2015 +0200

      hw/pci-bridge: add macro for "chassis_nr" property

      This should help catch property name typos at compile time.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0034e56209c1333bfca53356ce82663d801a15c5
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:09 2015 +0200

      hw/pci-bridge: expose _test parameter in SHPC_VMSTATE()

      Change the signature of the function-like macro SHPC_VMSTATE(), so that we
      can produce and expect this field conditionally in the migration stream,
      starting with an upcoming patch.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9df0b0e09c48ad543e6d12ee0c17d1857f83d3ca
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:08 2015 +0200

      migration: introduce VMSTATE_BUFFER_UNSAFE_INFO_TEST()

      There is no _TEST() variant of VMSTATE_BUFFER_UNSAFE_INFO() yet, but we'll
      soon need it. Introduce it and rebase the original
      VMSTATE_BUFFER_UNSAFE_INFO() on top.

      The parameter order of the new function-like macro follows that of
      VMSTATE_SINGLE_TEST(): "_test" is introduced between "_state" and
      "_version".

      Cc: Juan Quintela <quintela@xxxxxxxxxx>
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 355df30554445c043a12168e9c5f912742050548
  Merge: 000d604 3de3d69
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 23 18:25:55 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-06-23' into staging

      trivial patches for 2015-06-23

      # gpg: Signature made Tue Jun 23 18:23:45 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-06-23: (21 commits)
        util/qemu-sockets: improve ai_flag hints for ipv6 hosts
        hw/display/tcx.c: Fix memory leak
        hw/display/cg3.c: Fix memory leak
        Makefile: Add "make ctags"
        Makefile: Fix "make cscope TAGS"
        qemu-options: Use @itemx where appropriate
        qemu-options: Improve -global documentation
        throttle: Fix typo in the documentation of block_set_io_throttle
        hw/display/qxl-logger.c: Constify some variable
        configure: rearrange --help and consolidate enable/disable together
        libcacard: pkgconfig: tidy dependent libs
        vt82c686: QOMify
        xen_pt: QOMify
        wdt_i6300esb: QOMify
        piix4: QOMify
        piix: piix3 QOMify
        pci-assign: QOMify
        Print error when failing to load PCI config data
        Grammar: 'as to'->'as for'
        remove libdecnumber/dpd/decimal128Local.h
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3de3d698d942d1116152417f882c897b26b44e41
  Author: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
  Date:   Thu May 21 14:33:29 2015 +0200

      util/qemu-sockets: improve ai_flag hints for ipv6 hosts

      *) Do not use AI_ADDRCONFIG on listening sockets, because this flag
      makes it impossible to explicitly listen on '127.0.0.1' if no global
      ipv4 address is configured additionally, making this a very
      uncomfortable option.
      *) Add AI_V4MAPPED hint for connecting sockets.

      If your system is globally only connected via ipv6 you often still want
      to be able to use '127.0.0.1' and 'localhost' (even if localhost doesn't
      also have an ipv6 entry).
      For example, PVE - unless explicitly asking for insecure mode - uses
      ipv4 loopback addresses with QEMU for live migrations tunneled over SSH.
      These fail to start because AI_ADDRCONFIG makes getaddrinfo refuse to
      work with '127.0.0.1'.

      As for the AI_V4MAPPED flag: glibc uses it by default, and providing
      non-0 flags removes it. I think it makes sense to use it.

      I also want to point out that glibc explicitly sidesteps POSIX standards
      when passing 0 as hints by then assuming both AI_V4MAPPED and
      AI_ADDRCONFIG (the latter being a rather weird choice IMO), while
      according to POSIX.1-2001 it should be assumed 0. (glibc considers its
      choice an improvement.)
      Since either AI_CANONNAME or AI_PASSIVE are passed in our cases, glibc's
      default flags in turn are disabled again unless explicitly added, which
      I do with this patch.

      Signed-off-by: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 8684e85ca911b41d6a82ac5bcc5a0bfaba5eb7da
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 28 19:13:45 2015 +0800

      hw/display/tcx.c: Fix memory leak

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 22b2aeb82c811b227862c21e7a607087efbe5563
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 28 19:13:42 2015 +0800

      hw/display/cg3.c: Fix memory leak

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ae5fdc81a16534ea04fc475f8723e81857c46ad4
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 22 13:35:08 2015 +0800

      Makefile: Add "make ctags"

      This generates ctags file

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit eaa2ddbb76798ec70d12351c0db43a7728d29150
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 22 13:35:07 2015 +0800

      Makefile: Fix "make cscope TAGS"

      Cscope and TAGS files work in source directory rather than the build
      directory, also, don't ask users to run configure first, because they
      may have an out of tree build.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f9cfd6555a3afb142a74a68438c6f4ee4c127e66
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Jun 15 14:35:59 2015 +0200

      qemu-options: Use @itemx where appropriate

      Doesn't appear to make a difference, but let's use it consistently.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ae08fd5a365e650d70acfe1d9027501707041b52
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Jun 15 14:35:58 2015 +0200

      qemu-options: Improve -global documentation

      Recent commit 3751d7c "vl: allow full-blown QemuOpts syntax for
      -global" overloaded its existing argument syntax DRIVER.PROP=VALUE
      with QemuOpts syntax.  Unambigious as long as no DRIVER contains '='.

      Its documentation claims that "the two syntaxes are equivalent."
      Improve it to spell out how exactly the old syntax gets desugared into
      the new one.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6b932c0a5f951f1cfd3c459d8946074b9df8b829
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 15 16:12:52 2015 +0300

      throttle: Fix typo in the documentation of block_set_io_throttle

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a91e21186f81f712af8c02c7eec996ce25fb391f
  Author: Frediano Ziglio <fziglio@xxxxxxxxxx>
  Date:   Thu Jun 11 14:17:56 2015 +0100

      hw/display/qxl-logger.c: Constify some variable

      Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c23f23b970ae8ce75d2254c64cf23d95a757811e
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Wed Jun 17 22:19:26 2015 +0300

      configure: rearrange --help and consolidate enable/disable together

      This is an attempt to rearrange configure --help output a bit
      and consolidate pairs of --enable/disable into its own section.

      After this, help text is easier to sort, manage and read.
      More descriptive text can be added as well, since we now have
      more space.

      While at it, mention en/dis-able-vte.

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1e4db0595777b9b9a5a6a9f49ac3d187dda341f9
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Wed Jun 17 21:02:03 2015 +0300

      libcacard: pkgconfig: tidy dependent libs

      libcacard.pc file lists only one package in Requires
      field, which is nss, while glib-2.0 is also a requiriment.
      Furthermore, for libraries used internally by the library
      (this is the way nss and glib are used by libcacard),
      Requires.private shold be used instead of Requires.

      Fix both issues.

      This does not affect linking of qemu because it links
      with objects from libcacard directly.

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 417349e6e95d9aa4e0fbc01434de30e8d405ab56
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:27 2015 +0800

      vt82c686: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f9b9d292afcb55f23b8863c0388a4b3e42c79747
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:26 2015 +0800

      xen_pt: QOMify

      Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Tested-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 41fc9050fed524d300062fd8fe7aecd5c7adf5ac
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:25 2015 +0800

      wdt_i6300esb: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit acff3e48b7e1ac18e034cc612346bdc38ad96ee1
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:24 2015 +0800

      piix4: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b7c69719d21bea305b7cff6ecde0974edc5ff4b8
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:23 2015 +0800

      piix: piix3 QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1ea6305a834a01bba55309d012ee1fdc46c3eff2
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:22 2015 +0800

      pci-assign: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7c59364d0329d36a7759033962a469ca714f884d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Jun 3 17:58:01 2015 +0100

      Print error when failing to load PCI config data

      When loading migration fails due to a disagreement about
      PCI config data we don't currently get any errors explaining
      that was the cause of the problem or which byte in the config
      data was at fault.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4aab6282f8e1f7652b0470b078a08ab5678fb929
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Jun 3 19:43:56 2015 +0100

      Grammar: 'as to'->'as for'

      Fixup migrate-incoming text as requested by Eric in:

       http://lists.nongnu.org/archive/html/qemu-devel/2015-03/msg03362.html

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit bfa3ab619731653e752c7cf0ab3395ec8e70fe79
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Wed Jun 3 17:37:27 2015 +0300

      remove libdecnumber/dpd/decimal128Local.h

      Commit 72ac97cdfc added two equivalent versions of decimal128Local.h,
      one in libdecnumber/dpd/ and another in include/libdecnumber/dpd/.
      Being identical by the code, the two files however differs in the
      licensing terms.  The one in libdecnumber/dpd/ (which is being
      removed by this patch) is licensed as GPL3.1 (plus gcc runtime
      exception), which, as far as I know, is not compatible with GPL-2.
      This file is not used (it is included from
      include/libdecnumber/dpd/decimal128.h, so version in include/ is
      used).

      More, the version in include/ can also be removed, since none
      of the 3 defines from that file are actually used by the code.
      Even more, one of the defines from there, decimal128SetSign,
      is redefined (to equivalent value) in libdecnumber/dpd/decimal128.c,
      but again, never used.

      What a mess...

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a4969e90b8110d6880d1a7fcb3cab27c316a0d3e
  Author: Alex Bennée <alex.bennee@xxxxxxxxxx>
  Date:   Wed Jun 3 14:22:41 2015 +0100

      configure: append --extra-ldflags to LDFLAGS

      The help text says --extra-ldflags is appended to LDFLAGS so make it so.

      Signed-off-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 000d6042da0d73e5a71318b5fa96e5a084534d12
  Merge: 6966b2a ffffbb3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 23 17:46:20 2015 +0100

      Merge remote-tracking branch 'remotes/sstabellini/tags/xen-220615-3' into 
staging

      xen-220615, more SOB lines

      # gpg: Signature made Tue Jun 23 17:19:08 2015 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-220615-3:
        Revert "xen-hvm: increase maxmem before calling 
xc_domain_populate_physmap"
        xen/pass-through: constify some static data
        xen/pass-through: log errno values rather than function return ones
        xen/pass-through: ROM BAR handling adjustments
        xen/pass-through: fold host PCI command register writes

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ffffbb369f3ed9bca5ff2867143f76d0c6e069c0
  Author: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
  Date:   Mon Jun 22 13:00:42 2015 +0000

      Revert "xen-hvm: increase maxmem before calling 
xc_domain_populate_physmap"

      This reverts commit c1d322e6048796296555dd36fdd102d7fa2f50bf.

      The original commit fixes a bug when assigning a large number of
      devices which require option roms to a guest.  (One known
      configuration that needs extra memory is having more than 4 emulated
      NICs assigned.  Three or fewer NICs seems to work without this
      functionality.)

      However, by unilaterally increasing maxmem, it introduces two
      problems.

      First, now libxl's calculation of the required maxmem during migration
      is broken -- any guest which exercised this functionality will fail on
      migration.  (Guests which have the default number of devices are not
      affected.)

      Secondly, it makes it impossible for a higher-level toolstack or
      administer to predict how much memory a VM will actually use, making
      it much more difficult to effectively use all of the memory on a
      machine.

      Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 74526eb01886ca45774c1e9c736f61536fa2bda1
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Fri Jun 5 13:04:55 2015 +0100

      xen/pass-through: constify some static data

      This is done indirectly by adjusting two typedefs and helps emphasizing
      that the respective tables aren't supposed to be modified at runtime
      (as they may be shared between devices).

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 3782f60d2047cb86567889307ce78baacf518635
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Fri Jun 5 13:04:18 2015 +0100

      xen/pass-through: log errno values rather than function return ones

      Functions setting errno commonly return just -1, which is of no
      particular use in the log file.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 69976894c1d91c4b0c985fa05936cb6b8d01382b
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Mon Jun 8 14:11:51 2015 +0100

      xen/pass-through: ROM BAR handling adjustments

      Expecting the ROM BAR to be written with an all ones value when sizing
      the region is wrong - the low bit has another meaning (enable/disable)
      and bits 1..10 are reserved. The PCI spec also mandates writing all
      ones to just the address portion of the register.

      Use suitable constants also for initializing the ROM BAR register field
      description.

      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

  commit 950fe0aa3f55ad6bb135fc9cde9ebf4df05f62fc
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Fri May 15 13:46:11 2015 +0100

      xen/pass-through: fold host PCI command register writes

      The code introduced to address XSA-126 allows simplification of other
      code in xen_pt_initfn(): All we need to do is update "cmd" suitably,
      as it'll be written back to the host register near the end of the
      function anyway.

      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

  commit eb6c6a604890201e321a6ace32973d10dc033245
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 18 12:17:29 2015 +0200

      add pci-bridge-seat

      Simplifies multiseat configuration, see
      docs/multiseat.txt update for details.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 72d97b3a543a9c2c820bd463ba24751ae4247ac3
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Jun 9 05:31:53 2015 +0200

      pc: cleanup and convert TMP ACPI device description to AML API

      remove some code duplication in acpi-build.c and drop 5
      ASL and binary blobs files with TPM ACPI device description,
      replacing them with 1 small hunk written in AML API.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0e0b3592f6cfc56b3a4cc2c040552b7caaf2329f
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Jun 23 08:09:34 2015 +0200

      MAINTAINERS: add ACPI entry

      Igor agreed to help review ACPI patches, add an entry to MAINTAINERS
      with all ACPI stuff I could think of.
      Note: I listed ARM ACPI files here just to make sure we are Cc'd, no
      plan to maintain ACPI for ARM through my tree :)

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 16617e36b02ebdc83f215d89db9ac00f7d6d6d83
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:13:14 2015 +0800

      vhost: correctly pass error to caller in vhost_dev_enable_notifiers()

      We override the error value r in fail_vq, this will cause the caller
      can't detect the failure which may cause the caller may disable the
      notifiers twice if vhost is failed to start. Fix this by using another
      variable to keep track the return value of set_host_notifier().

      Fixes b0b3db79559e57db340b292621c397e7a6cdbdc5 ("vhost-net: cleanup
      host notifiers at last step")

      Cc: qemu-stable@xxxxxxxxxx
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e3816255bf4b6377bb405331e2ee0dc14d841b80
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Mon Jun 15 13:52:52 2015 +0300

      balloon: add a feature bit to let Guest OS deflate balloon on oom

      Excessive virtio_balloon inflation can cause invocation of OOM-killer,
      when Linux is under severe memory pressure. Various mechanisms are
      responsible for correct virtio_balloon memory management. Nevertheless it
      is often the case that these control tools does not have enough time to
      react on fast changing memory load. As a result OS runs out of memory and
      invokes OOM-killer. The balancing of memory by use of the virtio balloon
      should not cause the termination of processes while there are pages in the
      balloon. Now there is no way for virtio balloon driver to free memory at
      the last moment before some process get killed by OOM-killer.

      This does not provide a security breach as balloon itself is running
      inside Guest OS and is working in the cooperation with the host. Thus
      some improvements from Guest side should be considered as normal.

      To solve the problem, introduce a virtio_balloon callback which is
      expected to be called from the oom notifier call chain in out_of_memory()
      function. If virtio balloon could release some memory, it will make the
      system return and retry the allocation that forced the out of memory
      killer to run.

      This behavior should be enabled if and only if appropriate feature bit
      is set on the device. It is off by default.

      This functionality was recently merged into vanilla Linux.

        commit 5a10b7dbf904bfe01bb9fcc6298f7df09eed77d5
        Author: Raushaniya Maksudova <rmaksudova@xxxxxxxxxxxxx>
        Date:   Mon Nov 10 09:36:29 2014 +1030

      This patch adds respective control bits into QEMU. It introduces
      deflate-on-oom option for balloon device which does the trick.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Raushaniya Maksudova <rmaksudova@xxxxxxxxxxxxx>
      CC: Anthony Liguori <aliguori@xxxxxxxxxx>
      CC: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      Acked-by: James Bottomley <JBottomley@xxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 6b64640dd25846c4de42aa433db56e0ff975993a
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Thu May 21 09:50:10 2015 +0800

      iov: don't touch iov in iov_send_recv()

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-id: 555D39D2.4000705@xxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3307ed7b3fac5ba99eb3b84904b0b7cdc3592a61
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:45:00 2015 +0300

      raw-posix: Introduce hdev_is_sg()

      Until now, an SG device was identified only by checking if its path
      started with "/dev/sg". Then, hdev_open() would set the bs->sg flag
      accordingly. The patch relies on the actual properties of the device
      instead of the specified file path.

      To this end, test for an SG device (e.g. /dev/sg0) by ensuring that
      all of the following holds:

       - The specified file name corresponds to a character device
       - The device supports the SG_GET_VERSION_NUM ioctl
       - The device supports the SG_GET_SCSI_ID ioctl

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Message-id: 1435056300-14924-6-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a93a3982a6645463fa822131d38b17284edd5633
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:44:59 2015 +0300

      raw-posix: Use DPRINTF for DEBUG_FLOPPY

      Get rid of several #ifdef DEBUG_FLOPPY and substitute them with
      DPRINTF.

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435056300-14924-5-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit bcb225550dcc0d6fcef8e97012bae572ba78f73a
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:44:58 2015 +0300

      raw-posix: DPRINTF instead of DEBUG_BLOCK_PRINT

      Building the QEMU tools fails if we #define DEBUG_BLOCK inside
      block/raw-posix.c. Here instead of adding qemu-log.o in block-obj-y
      so that DEBUG_BLOCK_PRINT can be used, we substitute the latter with
      a simple DPRINTF() (that does not cause bit-rot).

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435056300-14924-4-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1b6bc94d5d43ff3e39abadae19f2dbcb0954eb93
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:44:57 2015 +0300

      Fix migration in case of scsi-generic

      During migration, QEMU uses fsync()/fdatasync() on the open file
      descriptor for read-write block devices to flush data just before
      stopping the VM.

      However, fsync() on a scsi-generic device returns -EINVAL which
      causes the migration to fail. This patch skips flushing data in case
      of an SG device, since submitting SCSI commands directly via an SG
      character device (e.g. /dev/sg0) bypasses the page cache completely,
      anyway.

      Note that fsync() not only flushes the page cache but also the disk
      cache. The scsi-generic device never sends flushes, and for
      migration it assumes that the same SCSI device is used by the
      destination host, so it does not issue any SCSI SYNCHRONIZE CACHE
      (10) command.

      Finally, remove the bdrv_is_sg() test from iscsi_co_flush() since
      this is now redundant (we flush the underlying protocol at the end
      of bdrv_co_flush() which, with this patch, we never reach).

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435056300-14924-3-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b192af8acc597a6e8068873434e56e0c7de1b7d3
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:44:56 2015 +0300

      block: Use bdrv_is_sg() everywhere

      Instead of checking bs->sg use bdrv_is_sg() consistently throughout
      the code.

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435056300-14924-2-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 25940fa7e57ffce9d495b4c2aadc39790535856d
  Author: Lu Lina <lina.lulina@xxxxxxxxxx>
  Date:   Fri Jun 19 14:27:34 2015 +0800

      nvme: Fix memleak in nvme_dma_read_prp

      Signed-off-by: Lu Lina <lina.lulina@xxxxxxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Message-id: 1434695254-69808-1-git-send-email-kathy.wangting@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d5941ddae82a35771656d7e35f64f7f8f19c5627
  Author: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
  Date:   Fri Jun 19 11:35:29 2015 +0200

      vvfat: add a label option

      Until now the vvfat volume label was hardcoded to be
      "QEMU VVFAT", now you can pass a file.label=labelname option
      to the -drive to change it.

      The FAT structure defines the volume label to be limited to
      11 bytes and is filled up spaces when shorter than that. The
      trailing spaces however aren't exposed to the user by
      operating systems.

      [Added missing comment '#' characters in block-core.json to fix build
      errors.
      --Stefan]

      Signed-off-by: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
      Message-id: 1434706529-13895-2-git-send-email-w.bumiller@xxxxxxxxxxx
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c6a8c3283f1d53e360073bdb32f87a97e78e2880
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri May 22 09:29:46 2015 +0800

      util/hbitmap: Add an API to reset all set bits in hbitmap

      The function bdrv_clear_dirty_bitmap() is updated to use
      faster hbitmap_reset_all() call.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 555E868A.60506@xxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6e40b3bfc7e82823cf4df5f0bf668f56db41e53a
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 13:37:20 2015 +0300

      virtio-blk: Use blk_drain() to drain IO requests

      Each call of the virtio_blk_reset() function calls blk_drain_all(),
      which works for all existing BlockDriverStates, while draining only
      one is needed.

      This patch replaces blk_drain_all() by blk_drain() in
      virtio_blk_reset(). virtio_blk_data_plane_stop() should be called
      after draining because it restores vblk->complete_request.

      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Message-id: 1434537440-28236-3-git-send-email-yarygin@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 97b0385a346829cf03efe131a26a4b6a4cd0a21f
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 13:37:19 2015 +0300

      block-backend: Introduce blk_drain()

      This patch introduces the blk_drain() function which allows to replace
      blk_drain_all() when only one BlockDriverState needs to be drained.

      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1434537440-28236-2-git-send-email-yarygin@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2f388b93a147258f9dbc83ebe63365edac4aa7a2
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 15 18:41:15 2015 +0300

      throttle: Check current timers before updating any_timer_armed[]

      Calling throttle_group_config() cancels all timers from a particular
      BlockDriverState, so any_timer_armed[] should be updated accordingly.

      However, with the current code it may happen that a timer is armed in
      a different BlockDriverState from the same group, so any_timer_armed[]
      would be set to false in a situation where there is still a timer
      armed.

      The consequence is that we might end up with two timers armed. This
      should not have any noticeable impact however, since all accesses to
      the ThrottleGroup are protected by a lock, and the situation would
      become normal again shortly thereafter as soon as all timers have been
      fired.

      The correct way to solve this is to check that we're actually
      cancelling a timer before updating any_timer_armed[].

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1434382875-3998-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f406c03c093f1451ac0ba7fde31eeb78e5e5e417
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 10 14:38:17 2015 +0300

      block: Let bdrv_drain_all() to call aio_poll() for each AioContext

      After the commit 9b536adc ("block: acquire AioContext in
      bdrv_drain_all()") the aio_poll() function got called for every
      BlockDriverState, in assumption that every device may have its own
      AioContext. If we have thousands of disks attached, there are a lot of
      BlockDriverStates but only a few AioContexts, leading to tons of
      unnecessary aio_poll() calls.

      This patch changes the bdrv_drain_all() function allowing it find shared
      AioContexts and to call aio_poll() only for unique ones.

      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-id: 1433936297-7098-4-git-send-email-yarygin@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6966b2a07190004e18ede33ce50a65009b36f3a6
  Merge: a320697 a5d4d7b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 23 13:32:50 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150623-1' 
into staging

      virtio-input: property fixes, add evdev passthrough

      # gpg: Signature made Tue Jun 23 09:33:29 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150623-1:
        Add MAINTAINERS entry for virtio-input
        virtio-input: evdev passthrough
        virtio-input: move properties, use virtio_instance_init_common

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3206972a9eab65ec8e8f9ae320ad628ba4b58f1
  Merge: 0c8ff72 a0b1a66
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 23 10:38:00 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-06-22' into staging

      Monitor patches

      # gpg: Signature made Mon Jun 22 18:56:18 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-06-22: (24 commits)
        Include monitor/monitor.h exactly where needed
        Include qapi/qmp/qerror.h exactly where needed
        qerror: Move #include out of qerror.h
        qerror: Finally unused, clean up
        qmp: Wean off qerror_report()
        tpm: Avoid qerror_report() outside QMP command handlers
        qerror: Clean up QERR_ macros to expand into a single string
        qerror: Eliminate QERR_DEVICE_NOT_FOUND
        vl: Use error_report() for --display errors
        vl: Avoid qerror_report() outside QMP command handlers
        QemuOpts: Wean off qerror_report_err()
        qdev-monitor: Propagate errors through qdev_device_add()
        qdev-monitor: Propagate errors through set_property()
        qdev-monitor: Convert qbus_find() to Error
        qdev-monitor: Fix check for full bus
        qdev-monitor: Stop error avalanche in qbus_find_recursive()
        disas: Remove uses of CPU env
        monitor: Split mon_get_cpu fn to remove ENV_GET_CPU
        monitor: Fix failure path for "S" argument
        monitor: Point to "help" command on syntax error
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a5d4d7b580f42c47d240a2068c810e4147147f6e
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jun 19 10:25:34 2015 +0200

      Add MAINTAINERS entry for virtio-input

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 006a5edebe656114e0e0a6fb24b8aae6401c1cf4
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 28 09:18:47 2014 +0100

      virtio-input: evdev passthrough

      This allows to assign host input devices to the guest:

      qemu -device virtio-input-host-pci,evdev=/dev/input/event<nr>

      The guest gets exclusive access to the input device, so be careful
      with assigning the keyboard if you have only one connected to your
      machine.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6f2b9a5b24c488d38ace01910c684749ff922e26
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 18 17:45:47 2015 +0200

      virtio-input: move properties, use virtio_instance_init_common

      Move properties from virtio-*-pci to virtio-*-device.
      Also make better use of QOM and attach common properties
      to the abstract parent classes (virtio-input-device and
      virtio-input-pci-device).

      Switch the hid device instance init functions over to use
      virtio_instance_init_common, so we get the properties of the
      virtio device aliased properly to the virtio pci proxy.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1fa795a853255fcc93e5d3e2a92d161a2ed96eb8
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Jun 23 09:53:05 2015 +0800

      qdev: fix OVERFLOW_BEFORE_WIDEN

      Potentially overflowing expression "1 << prop->bitnr" with
      type "int" (32 bits, signed) is evaluated using 32-bit arithmetic,
      and then used in a context that expects an expression of type
      "uint64_t" (64 bits, unsigned).

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3750dabc69d76f0938cc726a64a70e4ae2fe21df
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Jun 23 09:53:04 2015 +0800

      virito-pci: fix OVERRUN problem

      Overrunning array "proxy->guest_features" of 2 4-byte
      elements at element index 2 (byte offset 8) using index
      "proxy->gfselect" (which evaluates to 2). Normally, the
      Linux kernel driver just read/write '0' or '1' as the
      "proxy->gfselect" values, so using '<' instead of '=<' to
      make coverity happy and avoid potential harm.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a0b1a66ea39bca011108734147a72232a4d08c7a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 18:16:21 2015 +0100

      Include monitor/monitor.h exactly where needed

      In particular, don't include it into headers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit cc7a8ea740ec74a144e866a1d24aa6b490e31923
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 17:22:46 2015 +0100

      Include qapi/qmp/qerror.h exactly where needed

      In particular, don't include it into headers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit d49b68364414d649b8e26232f2a600d415611662
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 18:29:20 2015 +0100

      qerror: Move #include out of qerror.h

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 4629ed1e98961bbe678db68ef5f4342ff174a6c3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 14:29:59 2015 +0100

      qerror: Finally unused, clean up

      Remove it except for two things in qerror.h:

      * Two #include to be cleaned up separately to avoid cluttering this
        patch.

      * The QERR_ macros.  Mark as obsolete.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 485febc6d1382a82e4e1640729fffbf0c1392a44
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 17:25:50 2015 +0100

      qmp: Wean off qerror_report()

      The traditional QMP command handler interface

          int qmp_FOO(Monitor *mon, const QDict *params, QObject **ret_data);

      doesn't provide for returning an Error object.  Instead, the handler
      is expected to stash it in the monitor with qerror_report().

      When we rebased QMP on top of QAPI, we didn't change this interface.
      Instead, commit 776574d introduced "middle mode" as a temporary aid
      for converting existing QMP commands to QAPI one by one.  More than
      three years later, we're still using it.

      Middle mode has two effects:

      * Instead of the native input marshallers

            static void qmp_marshal_input_FOO(QDict *, QObject **, Error **)

        it generates input marshallers conforming to the traditional QMP
        command handler interface.

      * It suppresses generation of code to register them with
        qmp_register_command()

        This permits giving them internal linkage.

      As long as we need qmp-commands.hx, we can't use the registry behind
      qmp_register_command(), so the latter has to stay for now.

      The former has to go to get rid of qerror_report().  Changing all QMP
      commands to fit the QAPI mold in one go was impractical back when we
      started, but by now there are just a few stragglers left:
      do_qmp_capabilities(), qmp_qom_set(), qmp_qom_get(), qmp_object_add(),
      qmp_netdev_add(), do_device_add().

      Switch middle mode to generate native input marshallers, and adapt the
      stragglers.  Simplifies both the monitor code and the stragglers.

      Rename do_qmp_capabilities() to qmp_capabilities(), and
      do_device_add() to qmp_device_add, because that's how QMP command
      handlers are named today.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 8b53a19675d2329695179e47aa3797692fb0d9ba
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 12:09:02 2015 +0100

      tpm: Avoid qerror_report() outside QMP command handlers

      qerror_report() is a transitional interface to help with converting
      existing monitor commands to QMP.  It should not be used elsewhere.
      Replace by error_report().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit c6bd8c706a799eb0fece99f468aaa22b818036f3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 11:54:50 2015 +0100

      qerror: Clean up QERR_ macros to expand into a single string

      These macros expand into error class enumeration constant, comma,
      string.  Unclean.  Has been that way since commit 13f59ae.

      The error class is always ERROR_CLASS_GENERIC_ERROR since the previous
      commit.

      Clean up as follows:

      * Prepend every use of a QERR_ macro by ERROR_CLASS_GENERIC_ERROR, and
        delete it from the QERR_ macro.  No change after preprocessing.

      * Rewrite error_set(ERROR_CLASS_GENERIC_ERROR, ...) into
        error_setg(...).  Again, no change after preprocessing.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 75158ebbe259f0bd8bf435e8f4827a43ec89c877
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Mar 16 08:57:47 2015 +0100

      qerror: Eliminate QERR_DEVICE_NOT_FOUND

      Error classes other than ERROR_CLASS_GENERIC_ERROR should not be used
      in new code.  Hiding them in QERR_ macros makes new uses hard to spot.
      Fortunately, there's just one such macro left.  Eliminate it with this
      coccinelle semantic patch:

          @@
          expression EP, E;
          @@
          -error_set(EP, QERR_DEVICE_NOT_FOUND, E)
          +error_set(EP, ERROR_CLASS_DEVICE_NOT_FOUND, "Device '%s' not found", 
E)

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit c6bf0f7ffa90c720377eb6bddd27037041acbc5b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Feb 13 18:23:45 2015 +0100

      vl: Use error_report() for --display errors

      Results in nicer error messages.  Before this patch:

          Invalid GTK option string: gtk,lirum-larum

      After:

          qemu-system-x86_64: -display gtk,lirum-larum: Invalid GTK option 
string

      Of course, the thing ought to use QemuOpts instead of parsing by hand.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 1459407e88632e6d66cd6b71326eaf78e0a80772
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Feb 27 09:47:12 2015 +0100

      vl: Avoid qerror_report() outside QMP command handlers

      qerror_report() is a transitional interface to help with converting
      existing monitor commands to QMP.  It should not be used elsewhere.
      Replace by error_report() in initial startup helpers parse_sandbox()
      and parse_add_fd().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 70b9433109ed99217b812f19800de550e2e0ecd5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Feb 13 12:50:26 2015 +0100

      QemuOpts: Wean off qerror_report_err()

      qerror_report_err() is a transitional interface to help with
      converting existing monitor commands to QMP.  It should not be used
      elsewhere.

      The only remaining user in qemu-option.c is qemu_opts_parse().  Is it
      used in QMP context?  If not, we can simply replace
      qerror_report_err() by error_report_err().

      The uses in qemu-img.c, qemu-io.c, qemu-nbd.c and under tests/ are
      clearly not in QMP context.

      The uses in vl.c aren't either, because the only QMP command handlers
      there are qmp_query_status() and qmp_query_machines(), and they don't
      call it.

      Remaining uses:

      * drive_def(): Command line -drive and such, HMP drive_add and pci_add

      * hmp_chardev_add(): HMP chardev-add

      * monitor_parse_command(): HMP core

      * tmp_config_parse(): Command line -tpmdev

      * net_host_device_add(): HMP host_net_add

      * net_client_parse(): Command line -net and -netdev

      * qemu_global_option(): Command line -global

      * vnc_parse_func(): Command line -display, -vnc, default display, HMP
        change, QMP change.  Bummer.

      * qemu_pci_hot_add_nic(): HMP pci_add

      * usb_net_init(): Command line -usbdevice, HMP usb_add

      Propagate errors through qemu_opts_parse().  Create a convenience
      function qemu_opts_parse_noisily() that passes errors to
      error_report_err().  Switch all non-QMP users outside tests to it.

      That leaves vnc_parse_func().  Propagate errors through it.  Since I'm
      touching it anyway, rename it to vnc_parse().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit f006cf7fa9a63ba8e4ccf57d46231ce594301727
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 12 14:00:41 2015 +0100

      qdev-monitor: Propagate errors through qdev_device_add()

      Also polish an error message while I'm touching the line anyway,

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4caa489d1337c1a72d2e36185e4586ad246b98e1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 12 13:58:02 2015 +0100

      qdev-monitor: Propagate errors through set_property()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>

  commit d282842999b914c38c8be4659012aa619c22af8b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Mar 11 19:16:04 2015 +0100

      qdev-monitor: Convert qbus_find() to Error

      As usual, the conversion breaks printing explanatory messages after
      the error: actual printing of the error gets delayed, so the
      explanations precede rather than follow it.

      Pity.  Disable them for now.  See also commit 7216ae3.

      While there, eliminate QERR_BUS_NOT_FOUND, and clean up unusual
      spelling in the error message.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ed238ba2a0239368dd0cec9bfaf3300a5bd303ce
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Mar 11 18:39:16 2015 +0100

      qdev-monitor: Fix check for full bus

      Property bus has always been too screwed up to be really usable for
      values other than plain bus IDs.  This just fixes a bug that crept in
      in commit 1395af6 "qdev: add a maximum device allowed field for the
      bus."

      It doesn't always fail when it should:

          $ qemu-system-x86_64 -nodefaults -device virtio-serial-pci -device 
virtio-rng-device,bus=pci.0/virtio-serial-pci/virtio-bus

      Happily plugs the virtio-rng-device into the virtio-bus provided by
      virtio-serial-pci, even though its only slot is already occupied by a
      virtio-serial-device.

      And sometimes fails when it shouldn't:

          $ qemu-system-x86_64 -nodefaults -device virtio-serial-pci -device 
virtserialport,bus=virtio-bus/virtio-serial-device

      Yes, the virtio-bus is full, but the virtio-serial-bus provided by
      virtio-serial-device isn't, and that's the one we're trying to use.

      Root cause: we check "bus full" when we resolve the first element of
      the path.  That's the correct one only when it's also the last one.

      Fix by moving the "bus full" check to right before we return a bus.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a5ec494e274ddcad6d487e3872e16964ef57e0de
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Mar 11 17:26:31 2015 +0100

      qdev-monitor: Stop error avalanche in qbus_find_recursive()

      Reproducer:

          $ qemu-system-x86_64 -nodefaults -device virtio-rng-pci -device 
virtio-rng-pci -device virtio-rng-device,bus=virtio-bus
          qemu-system-x86_64: -device virtio-rng-device,bus=virtio-bus: Bus 
'virtio-bus' is full
          qemu-system-x86_64: -device virtio-rng-device,bus=virtio-bus: Bus 
'virtio-bus' is full
          qemu-system-x86_64: -device virtio-rng-device,bus=virtio-bus: Bus 
'virtio-bus' not found

      qbus_find_recursive() reports the "is full" error itself, and leaves
      reporting "not found" to its caller.  The result is confusion.  Write
      it a function contract that permits leaving all error reporting to the
      caller, and implement it.  Update callers to detect and report "is
      full".

      Screwed up when commit 1395af6 added the max_dev limit and the "is
      full" error condition to enforce it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d49190c4208f2c556c3a01962a81f8a85d522bb1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 24 14:20:41 2015 -0700

      disas: Remove uses of CPU env

      disas does not need to access the CPU env for any reason. Change the
      APIs to accept CPU pointers instead. Small change pattern needs to be
      applied to all target translate.c. This brings us closer to making
      disas.o a common-obj and less architecture specific in general.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: "Edgar E. Iglesias" <edgar.iglesias@xxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Michael Walle <michael@xxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Jia Liu <proljc@xxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Cc: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Guan Xuetao <gxt@xxxxxxxxxxxxxxx>
      Cc: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 5bcda5f7349da01aded719b595f32ce2b9d396db
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 24 14:20:40 2015 -0700

      monitor: Split mon_get_cpu fn to remove ENV_GET_CPU

      The monitor currently has one helper, mon_get_cpu() which will return
      an env pointer. The target specific users of this API want an env, but
      all the target agnostic users really just want the cpu pointer. These
      users then need to use the target-specifically defined ENV_GET_CPU to
      navigate back up to the CPU from the ENV. Split the API for the two
      uses cases to remove all need for ENV_GET_CPU.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e549d2aaeba1cfac207c9a9675cc203e6372a22e
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Wed Jun 3 18:38:10 2015 -0400

      monitor: Fix failure path for "S" argument

      Since the "S" argument type is only used with the "?" flag,
      the bug can't bite.

      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit dd41eea77129a4cd8ae5170b02e0fee175af314e
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Wed Jun 3 18:38:09 2015 -0400

      monitor: Point to "help" command on syntax error

      When a command fails due to incorrect syntax or input, suggest using
      the "help" command to get more information about the command.  This
      is only applicable for HMP.

      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ae50212ff717f3d295ebff352eb7d6cc08332b7e
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Wed Jun 3 18:38:08 2015 -0400

      monitor: cleanup parsing of cmd name and cmd arguments

      There's too much going on in monitor_parse_command().
      Split up the arguments parsing bits into a separate function
      monitor_parse_arguments(). Let the original function check for
      command validity and sub-commands if any and return data (*cmd)
      that the newly introduced function can process and return a
      QDict. Also, pass a pointer to the cmdline to track current
      parser location.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 19f2db5c84e563597bd8b3c3190aef591060dec2
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Wed Jun 3 18:38:07 2015 -0400

      monitor: remove debug prints

      The preferred solution is to use tracepoints and there
      is good chance of bitrot with the debug prints not being
      enabled at compile time. Remove them.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 34acbc95229f9f841bde83691a5af949c15e105b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Fri May 15 16:25:00 2015 -0600

      qobject: Use 'bool' inside qdict

      Now that qbool is fixed, let's fix getting and setting a bool
      value to a qdict member to also use C99 bool rather than int.

      I audited all callers to ensure that the changed return type
      will not cause any changed semantics.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fc48ffc39ed1060856475e4320d5896f26c945e8
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Fri May 15 16:24:59 2015 -0600

      qobject: Use 'bool' for qbool

      We require a C99 compiler, so let's use 'bool' instead of 'int'
      when dealing with boolean values.  There are few enough clients
      to fix them all in one pass.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 0c8ff723bd29e5c8b2ca989f857ae5c37ec49c4e
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 19 23:43:26 2015 +1000

      m68k: fix usp processing on interrupt entry and exception exit

      The action to potentially switch sp register is not occurring at the 
correct
      point in the interrupt entry or exception exit sequences.

      For the interrupt entry case the sp on entry is used to create the stack
      exception frame - but this may well be the user stack pointer, since we
      haven't done the switch yet. Re-order the flow to switch the sp regs then
      use the current sp to create the exception frame.

      For the return from exception case the code is unwinding the sp after
      switching sp registers. But it should always unwind the supervisor sp
      first, then carry out any required sp switch.

      Note that these problems don't effect operation unless the user sp bit is
      set in the CACR register. Only a single sp is used in the default power up
      state. Previously Linux only used this single sp mode. But modern versions
      of Linux use the user sp mode now, so we need correct behavior for Linux
      to work.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <laurent@xxxxxxxxx>
      Tested-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-id: 1434721406-25288-4-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2a8327e8a8288e301a2f01bc3ca2d465a3a4ca78
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 19 23:43:25 2015 +1000

      m68k: implement move to/from usp register instruction

      Fill out the code support for the move to/from usp instructions. They are
      being decoded, but there is no code to support there actions. So add it.

      Current versions of Linux running on the ColdFire 5208 use these 
instructions.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <laurent@xxxxxxxxx>
      Tested-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-id: 1434721406-25288-3-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8c52f0cbba76310ad626e54996dbce08c7a8a820
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 19 23:43:24 2015 +1000

      m68k: implement more ColdFire 5208 interrupt controller functionality

      Implement the SIMR and CIMR registers of the 5208 interrupt controller.
      These are used by modern versions of Linux running on ColdFire (not sure
      of the exact version they were introduced, but they have been in for quite
      a while now).

      Without this change when attempting to run a linux-3.5 kernel you will
      see:

        qemu: hardware error: mcf_intc_write: Bad write offset 28

      and execution will stop and dump out.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Tested-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-id: 1434721406-25288-2-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0a3346f5dea0a679322df804e1e78d7c10d12a9f
  Merge: cb4e0f9 daeba96
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 22 12:50:30 2015 +0100

      Merge remote-tracking branch 
'remotes/afaerber/tags/qom-devices-for-peter' into staging

      QOM infrastructure fixes and device conversions

      * Changes to name string ownership for alias properties
      * Improvements around enum properties
      * Cleanups around -object handling
      * New helper functions
      * Cleanups of qdev init helper functions
      * Add path argument to qom-tree script
      * QTest cleanup to use new qtest_add_data_func() consistently

      # gpg: Signature made Fri Jun 19 18:14:38 2015 BST using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-devices-for-peter:
        qdev: Un-deprecate qdev_init_nofail()
        qdev: Deprecated qdev_init() is finally unused, drop
        qom: Don't pass string table to object_get_enum() function
        qom: Add an object_property_add_enum() helper function
        qom: Make enum string tables const-correct
        qom: Add object_new_with_props() / object_new_withpropv() helpers
        qom: Add helper function for getting user objects root
        vl: Create (most) objects before creating chardev backends
        doc: Document user creatable object types in help text
        backends: Fix typename of 'policy' enum property in hostmem obj
        scripts: Add support for path as argument of qom-tree
        tests: Use qtest_add_data_func() consistently
        qdev: Free property names after registering gpio aliases
        qom: strdup() target property name on object_property_add_alias()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cb4e0f9ddf7d45de7e4716cbab661ea568bd0b6c
  Merge: ad7020a e4a511f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 22 11:50:07 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * i8254 security fix
      * Avoid long 100% CPU wait after restarting guests that use the periodic 
timer
      * Fixes for access clamping (WinXP, MIPS)
      * wixl/.msi support for qemu-ga on Windows

      # gpg: Signature made Fri Jun 19 11:30:53 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        exec: clamp accesses against the MemoryRegionSection
        exec: do not clamp accesses to MMIO regions
        mc146818rtc: Reset the periodic timer on load
        qemu-timer: Call clock reset notifiers on forward jumps
        tests: virtio-scsi: Add test for unaligned WRITE SAME
        tests: virtio-scsi: Move start/stop to individual test functions
        libqos: Complete virtio device ID definition list
        libqos: Allow calling guest_free on NULL pointer
        tests: Link libqos virtio object to virtio-scsi-test
        i8254: fix out-of-bounds memory access in pit_ioport_read()
        qemu-ga: Building Windows MSI installation with configure/Makefile
        qemu-ga: Introduce Windows MSI script
        qemu-ga: debug printouts to help troubleshoot installation
        qemu-ga: adding vss-[un]install options
        qemu-log: Open file for logging when specified

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ad7020a7e7b27d468ecc2aacb04ba4eb09017074
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:52 2015 -0700

      target-microblaze: Remove dead code

      This code is already being run in the mb_cpu_realizefn()
      function. As PVR registers are preserved on reset this
      code is not required.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 033af8e9aaba1994c4816cea5828aaddc383a907
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:48 2015 -0700

      s3adsp1800: Remove the hardcoded values from the reset

      Remove the hardcoded values from the machine specific reset
      function, as the same values are already set in the standard
      MicroBlaze reset.

      This also allows the entire reset function to be deleted, as
      PVR registers are now preserved on reset.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit a87310a62d1885b8f6d6b5b30227cbd9792d2c3c
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:45 2015 -0700

      ml605_mmu: Move the hardcoded values to the init function

      Move the hard coded register values to the init function.
      This also allows the entire reset function to be deleted, as
      PVR registers are now preserved on reset.

      The hardcoded PVR0 values can be removed as they are setting
      the endianness and stack protection, which is already done
      or invalid.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 6fad9e986b82c7c7ed7cfa0cc3ee38b3510a5432
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:42 2015 -0700

      target-microblaze: Convert pvr-full to a CPU property

      Originally the pvr-full PVR bits were manually set for each machine. This
      is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 72e38754853443830152a3cfe586db1d9b15e8fe
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:38 2015 -0700

      target-microblaze: Convert version_mask to a CPU property

      Originally the version_mask PVR bits were manually set for each
      machine. This is a hassle and difficult to read, instead set them
      based on the CPU properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit a88bbb006a523deabb90245a283d1914abd34e3e
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:35 2015 -0700

      target-microblaze: Convert endi to a CPU property

      Originally the endi PVR bits were manually set for each machine. This
      is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit a6c3ed24748f06742413e174167b0faa7030c244
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:32 2015 -0700

      target-microblaze: Convert dcache-writeback to a CPU property

      Originally  the dcache-writeback PVR bits were manually set for each 
machine.
      This is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 714461237083c1eadcb9d686f8ce4088737c1d0a
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:29 2015 -0700

      target-microblaze: Convert use-mmu to a CPU property

      Originally the use-mmu PVR bits were manually set for each machine. This
      is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit be67e9ab9740d5a80e5c37bfd35247a4e449bc5a
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:25 2015 -0700

      target-microblaze: Rename the usefpu variable

      Rename the usefpu variable to use_fpu.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit f44c475cb6ded298486a589c4205ab70e485b48c
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:32:35 2015 +1000

      target-microblaze: Disable stack protection by default

      Stack protection is not available when the MMU is enabled.
      As the MMU is enabled by default, disable stack protection
      by default.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 4e5d45ae5756123b3b7000c8b0b3d3a9ea4737da
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:31:58 2015 +1000

      target-microblaze: Convert use-fpu to a CPU property

      Originally the use-fpu PVR bits were manually set for each machine. This
      is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit f27183abaaaf48e9d1f8469c7e99a987444f4410
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:31:20 2015 +1000

      target-microblaze: Tidy up the base-vectors property

      Rename the "xlnx.base-vectors" string to "base-vectors" and
      move the base_vectors variable into the cfg struct.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 9aaaa181949e4a23ca298fb7006e2d8bac842e92
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:30:43 2015 +1000

      target-microblaze: Allow the stack protection to be disabled

      Microblaze stack protection is configurable and isn't always enabled.
      This patch allows the stack protection to be disabled from the
      CPU properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 8bac22423e4c3b70082dd6c1b492ccf21f3b5a0c
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:30:05 2015 +1000

      target-microblaze: Preserve the pvr registers during reset

      Move the Microblaze PVR registers to the end of the CPUMBState
      and preserve them during reset. This is similar to what the
      QEMU ARM model does with some of it's registers.

      This allows the Microblaze PVR registers to only be set once
      at realise instead of constantly at reset.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 53432dc9ea37d3be4c8efc3023c2382e9da5334a
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:29:28 2015 +1000

      target-microblaze: Fix up indentation

      Fix up the incorrect indentation level in the helper_stackprot() function.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit d87636b18f8de901e76bedd9c7f55d3eaed924ee
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 24 20:31:40 2015 -0700

      microblaze: s3adsp: Instantiate CPU using QOM

      Instantiate and realise the CPU directly, rather than using
      cpu_mb_init. Microblazes cpu_model argument is a dummy so remove the
      default cpu_model set logic.

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit daeba9699d41ad79e2f3d34acea9c85c5d67a2ac
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 16:17:23 2015 +0200

      qdev: Un-deprecate qdev_init_nofail()

      It's a perfectly sensible helper function.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 0210afe6690be045cb849b2f16bffabda575a9bf
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 16:17:22 2015 +0200

      qdev: Deprecated qdev_init() is finally unused, drop

      qdev_init() is a wrapper around setting property "realized" to true,
      plus error handling that passes errors to qerror_report_err().
      qerror_report_err() is a transitional interface to help with
      converting existing monitor commands to QMP.  It should not be used
      elsewhere.

      All code has been modernized to avoid qdev_init() and its
      inappropriate error handling.  We can finally drop it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit a3590dacce94519c1747d8bf423744c6bb7d9941
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 27 16:07:56 2015 +0100

      qom: Don't pass string table to object_get_enum() function

      Now that properties can be explicitly registered as an enum
      type, there is no need to pass the string table to the
      object_get_enum() function. The object property registration
      already has a pointer to the string table.

      In changing this method signature, the hostmem backend object
      has to be converted to use the new enum property registration
      code, which simplifies it somewhat.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit a8e3fbedc827f992657f5670212e854f62ec12ad
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:08 2015 +0100

      qom: Add an object_property_add_enum() helper function

      A QOM property can be parsed as enum using the visit_type_enum()
      helper function, but this forces callers to use the more complex
      generic object_property_add() method when registering it. It
      also requires that users of that object have access to the
      string map when they want to read the property value.

      This patch introduces a specialized object_property_add_enum()
      method which simplifies the use of enum properties, so the
      setters/getters directly get passed the int value.

        typedef enum {
           MYDEV_TYPE_FROG,
           MYDEV_TYPE_ALLIGATOR,
           MYDEV_TYPE_PLATYPUS,

           MYDEV_TYPE_LAST
        } MyDevType;

      Then provide a table of enum <-> string mappings

        static const char *const mydevtypemap[MYDEV_TYPE_LAST + 1] = {
           [MYDEV_TYPE_FROG] = "frog",
           [MYDEV_TYPE_ALLIGATOR] = "alligator",
           [MYDEV_TYPE_PLATYPUS] = "platypus",
           [MYDEV_TYPE_LAST] = NULL,
        };

      Assuming an object struct of

         typedef struct {
            Object parent_obj;
            MyDevType devtype;
            ...other fields...
         } MyDev;

      The property can then be registered as follows:

         static int mydev_prop_get_devtype(Object *obj,
                                           Error **errp G_GNUC_UNUSED)
         {
             MyDev *dev = MYDEV(obj);

             return dev->devtype;
         }

         static void mydev_prop_set_devtype(Object *obj,
                                            int value,
                                            Error **errp G_GNUC_UNUSED)
         {
             MyDev *dev = MYDEV(obj);

             dev->devtype = value;
         }

         object_property_add_enum(obj, "devtype",
                                  mydevtypemap, "MyDevType",
                                  mydev_prop_get_devtype,
                                  mydev_prop_set_devtype,
                                  NULL);

      Note there is no need to check the range of 'value' in
      the setter, because the string->enum conversion code will
      have already done that and reported an error as required.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 2e4450ff432daef524cb3557fca68a3b7b5c7823
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:07 2015 +0100

      qom: Make enum string tables const-correct

      The enum string table parameters in various QOM/QAPI methods
      are declared 'const char *strings[]'. This results in const
      warnings if passed a variable that was declared as

         static const char * const strings[] = { .... };

      Add the extra const annotation to the parameters, since
      neither the string elements, nor the array itself should
      ever be modified.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit a31bdae5a76ecc060c1eb8a66be1896072c1e8b2
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:06 2015 +0100

      qom: Add object_new_with_props() / object_new_withpropv() helpers

      It is reasonably common to want to create an object, set a
      number of properties, register it in the hierarchy and then
      mark it as complete (if a user creatable type). This requires
      quite a lot of error prone, verbose, boilerplate code to achieve.

      First a pair of functions object_set_props() / object_set_propv()
      are added which allow for a list of objects to be set in
      one single API call.

      Then object_new_with_props() / object_new_with_propv() constructors
      are added which simplify the sequence of calls to create an
      object, populate properties, register in the object composition
      tree and mark the object complete, into a single method call.

      Usage would be:

         Error *err = NULL;
         Object *obj;
         obj = object_new_with_propv(TYPE_MEMORY_BACKEND_FILE,
                                     object_get_objects_root(),
                                     "hostmem0",
                                     &err,
                                     "share", "yes",
                                     "mem-path", "/dev/shm/somefile",
                                     "prealloc", "yes",
                                     "size", "1048576",
                                     NULL);

      Note all property values are passed in string form and will
      be parsed into their required data types, using normal QOM
      semantics for parsing from string format.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit bc2256c4ae86308a1521c89456b599d441119418
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:05 2015 +0100

      qom: Add helper function for getting user objects root

      Add object_get_objects_root() function which is a convenience for
      obtaining the Object * located at /objects in the object
      composition tree. Convert existing code over to use the new
      API where appropriate.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit f08f9271bfe3f19a5eb3d7a2f48532065304d5c8
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:04 2015 +0100

      vl: Create (most) objects before creating chardev backends

      Some types of object must be created before chardevs, other types of
      object must be created after chardevs. As such there is no option but
      to create objects in two phases.

      This takes the decision to create as many object types as possible
      right away before anyother backends are created, and only delay
      creation of those few which have an explicit dependency on the
      chardevs. Hopefully the set which need delaying will remain small
      over time.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b9174d4f250cacb43b7cd9e07cf9f86818d62afd
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:03 2015 +0100

      doc: Document user creatable object types in help text

      The QEMU help for -object is essentially useless, just giving users
      the generic syntax. Move it down into its own section and introduce
      a nested table where each user creatable object can be documented.
      The existing memory-backend-file, rng-random and rng-egd object
      types are documented.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b1028b4e8683740cd257a9b77577734664e61511
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:02 2015 +0100

      backends: Fix typename of 'policy' enum property in hostmem obj

      The 'policy' property was being registered with a typename of
      'str', but it is in fact an enum of the 'HostMemPolicy' type.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 799810fb2810ec4cb82f12ec9b023e1bfe434d71
  Merge: ffdb140 a59d31a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 19 17:05:15 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150619' into staging

      target-arm queue:
       * support --semihosting-config,arg=value
       * Cortex-R5 support (including implementing them on the Zynq board)
       * Cortex-M4 support (without FPU)
       * enable vfio-calxeda-xgmac
       * don't reset ALIAS sysregs

      # gpg: Signature made Fri Jun 19 14:41:54 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150619:
        semihosting: add --semihosting-config arg sub-argument
        semihosting: create SemihostingConfig structure and semihost.h
        arm: xlnx-zynqmp: Add 2xCortexR5 CPUs
        arm: xlnx-zynqmp: Add boot-cpu property
        arm: xlnx-zynqmp: Preface CPU variables with "apu"
        target-arm: Add support for Cortex-R5
        target-arm: Implement PMSAv7 MPU
        target-arm: Add registers for PMSAv7
        target-arm/helper.c: define MPUIR register
        target-arm: Do not reset sysregs marked as ALIAS
        hw/arm/sysbus-fdt: enable vfio-calxeda-xgmac dynamic instantiation
        target-arm: Add the Cortex-M4 CPU

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a59d31a1ebdce796a469242800db89bf09c94580
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      semihosting: add --semihosting-config arg sub-argument

      Add new "arg" sub-argument to the --semihosting-config allowing the user
      to pass multiple input arguments separately. It is required for example
      by UHI semihosting to construct argc and argv.

      Also, update ARM semihosting to support new option (at the moment it is
      the only target which cares about arguments).

      If the semihosting is enabled and no semihosting args have been specified,
      then fall back to -kernel/-append. The -append string is split on 
whitespace
      before initializing semihosting.argv[1..n]; this is different from what
      QEMU MIPS machines' pseudo-bootloaders do (i.e. argv[1] contains the whole
      -append), but is more intuitive from UHI user's point of view and Linux
      kernel just does not care as it concatenates argv[1..n] into single 
cmdline
      string anyway.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Message-id: 1434643256-16858-3-git-send-email-leon.alrae@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cfe67cef48696e8b901aff38a82056ae64d69c98
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      semihosting: create SemihostingConfig structure and semihost.h

      Remove semihosting_enabled and semihosting_target and replace them with
      SemihostingConfig structure containing equivalent fields. The structure
      is defined in vl.c where it is actually set.

      Also introduce separate header file include/exec/semihost.h allowing to
      access semihosting config related stuff from target specific semihosting
      code.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1434643256-16858-2-git-send-email-leon.alrae@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b58850e79d8df1185bd4999df81fbe6954cd2790
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      arm: xlnx-zynqmp: Add 2xCortexR5 CPUs

      Add the 2xCortexR5 CPUs to zynqmp board. They are powered off on reset
      (this is true of real hardware) by default or selectable as the boot
      processor.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
da34128c73ca13fc4f8c3293e1a33d1e1e345655.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6396a193d36e10ff38f26d4ef785aba97362f29e
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      arm: xlnx-zynqmp: Add boot-cpu property

      Add a string property that specifies the primary boot cpu. All CPUs
      except the one selected will start-powered-off. This allows for elf
      boots on any CPU, which prepares support for booting R5 elfs directly
      on the R5 processors.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
53331c00d80c7ce9c6a83712348773f1b38fae2b.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2e5577bc5563ccf453249e884be9a223deabab5b
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      arm: xlnx-zynqmp: Preface CPU variables with "apu"

      The CPUs currently supported by zynqmp are the APU (application
      processing unit) CPUs. There are other CPUs in Zynqmp so unqualified
      "cpus" in ambiguous. Preface the variables with "APU" accordingly, to
      prepare support adding the RPU (realtime processing unit) processors.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 
ce32287fc365aea898465e981da3546a227e0811.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d6a6b13ea1dfeb25c43a648e94cfe4395906f1da
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      target-arm: Add support for Cortex-R5

      Introduce a CPU model for the Cortex R5 processor. ARMv7 with MPU,
      and both thumb and ARM div instructions.

      Also implement dummy ATCM and BTCM. These CPs are defined for R5 but
      don't have a lot of meaning in QEMU yet. Raz them so the guest can
      proceed if they are read. The TCM registers will return a size of 0,
      indicating no TCM.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 
efe213163e6800578494aba864ac30329de4d396.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f6bda88ff839e2adefe4959b7def420b90703855
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      target-arm: Implement PMSAv7 MPU

      Unified MPU only. Uses ARM architecture major revision to switch
      between PMSAv5 and v7 when ARM_FEATURE_MPU is set. PMSA v6 remains
      unsupported and is asserted against.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
dcb03cda6dd754c5cc6a962fa11f25089811e954.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6cb0b013a1fa421cdfb83257cd33f855cc90649a
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      target-arm: Add registers for PMSAv7

      Define the arm CP registers for PMSAv7 and their accessor functions.
      RGNR serves as a shared index that indexes into arrays storing the
      DRBAR, DRSR and DRACR registers. DRBAR and friends have to be VMSDd
      separately from the CP interface using a new PMSA specific VMSD
      subsection.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
172cf135fbd8f5cea413c00e71cc1c3cac704744.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3281af8114c6b8ead02f08b58e3c36895c1ea047
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      target-arm/helper.c: define MPUIR register

      Define the MPUIR register for MPU supporting ARMv6 and onwards.
      Currently we only support unified MPU.

      The size of the unified MPU is defined via the number of "dregions".
      So just a single config is added to specify this size. (When split MPU
      is implemented we will add an extra iregions config).

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
9f248950b803a08c8b3c978931663182f7e882e7.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b061a82b8afcc45ce09d770d9c0acdf429401054
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      target-arm: Do not reset sysregs marked as ALIAS

      cp_reg_reset() is called from g_hash_table_foreach() which does not
      define a specific ordering of the hash table iteration. Thus doing reset
      for registers marked as ALIAS would give an ambiguous result when
      resetvalue is different for original and alias registers. Exit
      cp_reg_reset() early when passed an alias register. Then clean up alias
      register definitions from needless resetvalue and resetfn.

      In particular, this fixes a bug in the handling of the PMCR register,
      which had different resetvalues for its 32 and 64-bit views.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1434554713-10220-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit decf4f807b4498ca35a87e9de82bc9a4e64cc29a
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      hw/arm/sysbus-fdt: enable vfio-calxeda-xgmac dynamic instantiation

      This patch allows the instantiation of the vfio-calxeda-xgmac device
      from the QEMU command line (-device vfio-calxeda-xgmac,host="<device>").

      A specialized device tree node is created for the guest, containing
      compat, dma-coherent, reg and interrupts properties.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Acked-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1434455898-17895-1-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ba890a9b2509a0087bb7eafddae02ea5ecbb7bb4
  Author: Aurelio C. Remonda <aurelioremonda@xxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      target-arm: Add the Cortex-M4 CPU

      This patch adds the Cortex-M4 CPU. The M4 is basically the same as
      the M3, the main differences being the DSP instructions and an
      optional FPU.  Only no-FPU cortex-M4 is implemented here, cortex-M4F
      is not because the core target-arm code doesn't support the M-profile
      FPU model yet.

      Signed-off-by: Aurelio C. Remonda <aurelioremonda@xxxxxxxxx>
      Message-id: 1434461850-4104-1-git-send-email-aurelioremonda@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ffdb1409a79c9cc91afd9f58df625fdca16bf8b9
  Merge: 89e9429 693a3e0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 19 12:54:08 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-cocoa-20150619-1' into staging

      cocoa queue:
       * Add Machine menu, with entries for pause, resume, reset, power down, 
and
         media change and eject for removable drives

      # gpg: Signature made Fri Jun 19 11:24:11 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-cocoa-20150619-1:
        ui/cocoa.m: Add machine menu items to change and eject removable drive 
media
        ui/cocoa.m: Add Reset and Power Down menu items to Machine menu
        ui/cocoa.m: Add Machine menu with pause and resume menu items

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 89e9429c3cb42400f3a80890e0c20b18aa62a11d
  Merge: 473a494 1e7398a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 19 11:30:57 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, pci fixes, enhancements

      Most notably this includes virtio cross-endian patches.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Fri Jun 19 11:18:05 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        vhost: enable vhost without without MSI-X
        pci: Don't register a specialized 'config_write' if default behavior is 
intended
        hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf()
        vhost_net: re-enable when cross endian
        vhost-net: tell tap backend about the vnet endianness
        tap: fix non-linux build
        tap: add VNET_LE/VNET_BE operations
        vhost: set vring endianness for legacy virtio
        virtio: introduce virtio_legacy_is_cross_endian()
        linux-headers: sync vhost.h
        vhost-user: part of virtio

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e4a511f8cc6f4a46d409fb5c9f72c38ba45f8d83
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 17 10:36:54 2015 +0200

      exec: clamp accesses against the MemoryRegionSection

      Because the clamping was done against the MemoryRegion,
      address_space_rw was effectively broken if a write spanned
      multiple sections that are not linear in underlying memory
      (with the memory not being under an IOMMU).

      This is visible with the MIPS rc4030 IOMMU, which is implemented
      as a series of alias memory regions that point to the actual RAM.

      Tested-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 965eb2fcdfe919ecced6c34803535ad32dc1249c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 17 10:40:27 2015 +0200

      exec: do not clamp accesses to MMIO regions

      It is common for MMIO registers to overlap, for example a 4 byte register
      at 0xcf8 (totally random choice... :)) and a 1 byte register at 0xcf9.
      If these registers are implemented via separate MemoryRegions, it is
      wrong to clamp the accesses as the value written would be truncated.

      Hence for these regions the effects of commit 23820db (exec: Respect
      as_translate_internal length clamp, 2015-03-16, previously applied as
      commit c3c1bb99) must be skipped.

      Tested-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ae46e23964ad45d5bc72374040e87d8f52ac2178
  Author: Paul Donohue <qemu-devel@xxxxxxxxxx>
  Date:   Fri Jun 12 10:10:14 2015 -0400

      mc146818rtc: Reset the periodic timer on load

      When loading a VM from a snapshot or migration, clock changes can cause
      the periodic timer to stall or loop rapidly.

      qemu-timer has a reset notifier mechanism that is used to avoid timer
      stalls or loops if the host clock changes while the VM is running when
      using QEMU_CLOCK_HOST.  However, when loading a snapshot or migration,
      qemu-timer is initialized and fires the reset notifier before
      mc146818rtc is initialized and has registered its reset handler.  In
      addition, this mechanism isn't used when using QEMU_CLOCK_REALTIME,
      which might also change when loading a snapshot or migration.

      To correct that problem, this commit resets the periodic timer after
      loading from a snapshot or migration if the clock has either jumped
      backward or has jumped forward by more than the clock jump limit that
      is used by the reset notifier code in qemu-timer.

      Signed-off-by: Paul Donohue <qemu-git@xxxxxxxxxx>
      Message-Id: <20150612141013.GE2749@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fb1a3a051d89975f26296163066bb0745ecca49d
  Author: Paul Donohue <qemu-devel@xxxxxxxxxx>
  Date:   Fri Jun 12 10:08:45 2015 -0400

      qemu-timer: Call clock reset notifiers on forward jumps

      Commit 691a0c9c introduced a mechanism by which QEMU_CLOCK_HOST can
      notify other parts of the emulator when the host clock has jumped
      backward.  This is used to avoid stalling timers that were scheduled
      based on the host clock.

      However, if the host clock jumps forward, then timers that were
      scheduled based on the host clock may fire rapidly and cause other
      problems.  For example, the mc146818rtc periodic timer will block
      execution of the VM and consume host CPU while firing every interrupt
      for the time period that was skipped by the host clock.

      To correct that problem, this commit fires the reset notification if the
      host clock jumps forward by more than a hard-coded limit.  The limit is
      currently set to a value of 60 seconds, which should be small enough to
      prevent excessive timer loops, but large enough to avoid frequent resets
      in idle VMs.

      Signed-off-by: Paul Donohue <qemu-git@xxxxxxxxxx>
      Message-Id: <20150612140845.GD2749@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 397c767b2de5b918a7b890d02aae83d6dcb2a470
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:20 2015 +0800

      tests: virtio-scsi: Add test for unaligned WRITE SAME

      This is an exercise for virtio-scsi tests using the libqos virtio
      library. A few common routines are added to facilitate future extensions
      of the test set.

      The added test case is a regression test for the bug in d7f4b1999e.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 693a3e01af8082f855094061650311fcaf3e1269
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Jun 19 10:53:27 2015 +0100

      ui/cocoa.m: Add machine menu items to change and eject removable drive 
media

      Adds all removable devices to the Machine menu as a Change and Eject menu
      item pair. ide-cd0 would have a "Change ide-cd0..." and "Eject ide-cd0"
      menu items.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 270746142c3c96549ecd82c6097a6d85a35f27cf
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Jun 19 10:53:27 2015 +0100

      ui/cocoa.m: Add Reset and Power Down menu items to Machine menu

      Add "Reset" and "Power Down" menu items to Machine menu.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1e7398a140f7a6bd9f5a438e7ad0f1ef50990e25
  Author: Pankaj Gupta <pagupta@xxxxxxxxxx>
  Date:   Tue Jun 16 13:48:59 2015 +0530

      vhost: enable vhost without without MSI-X

      We use vhostforce to enable vhost even if Guests don't have MSI-X
      support and we fall back to QEMU virtio-net.

      This gives a very small performance gain, but the disadvantage
      is that guest now controls which virtio code is running
      (qemu or vhost) so our attack surface is doubled.

      This patch will enable vhost unconditionally whenever it's requested.
      For compatibility, enable vhost when vhostforce is set, as well.

      Signed-off-by: Pankaj Gupta <pagupta@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 74de5504fd063019433ec0746105da774ede790d
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 16 11:24:39 2015 +0300

      pci: Don't register a specialized 'config_write' if default behavior is 
intended

      Few devices have their specialized 'config_write' methods which simply
      call 'pci_default_write_config' followed by a 'msix_write_config' or
      'msi_write_config' calls, using exact same arguments.

      This is unnecessary as 'pci_default_write_config' already invokes
      'msi_write_config' and 'msix_write_config'.

      Also, since 'pci_default_write_config' is the default 'config_write'
      handler, we can simply avoid the registration of these specialized
      versions.

      Cc: Leonid Shatz <leonid.shatz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5ba03e2dd785362026917e4cc8a1fd2c64e8e62c
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Wed Jun 17 14:45:03 2015 +0200

      hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf()

      This is done mainly for improving readability, and in preparation for the
      next patch, but Markus pointed out another bonus for the string being
      returned:

      "No arbitrary length limit. Before the patch, it's 39 characters, and the
      code breaks catastrophically when qdev_fw_name() is longer: the second
      snprintf() is called with its first argument pointing beyond path[], and
      its second argument underflowing to a huge size."

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1717388645670336c48aa05d19b0acd07687a821
  Author: Cédric Le Goater <clg@xxxxxxxxxx>
  Date:   Wed Jun 17 15:23:54 2015 +0200

      vhost_net: re-enable when cross endian

      Cross-endianness is now checked by the core vhost code.

      revert 371df9f5e0f1 "vhost-net: disable when cross-endian"

      Signed-off-by: Cédric Le Goater <clg@xxxxxxxxxx>
      [ added commit message, Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx> ]
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5be7d9f1b1452613b95c6ba70b8d7ad3d0797991
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:49 2015 +0200

      vhost-net: tell tap backend about the vnet endianness

      The default behaviour for TAP/MACVTAP is to consider vnet as native 
endian.

      This patch handles the cases when this is not true:
      - virtio 1.0: always little-endian
      - legacy cross-endian

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4ee9b43be9a6e4ae161a1e6322bfef90818589f6
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 18 16:52:23 2015 +0200

      tap: fix non-linux build

      tap_fd_set_vnet_le/tap_fd_set_vnet_be was missing,
      fix it up.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>

  commit 8524f1c79e614552c0165db9cc75a8a6bd8607a5
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Jun 19 10:53:27 2015 +0100

      ui/cocoa.m: Add Machine menu with pause and resume menu items

      Add Machine menu to the Macintosh interface with pause
      and resume menu items. These items can either pause or
      resume execution of the guest operating system.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 6D7AE6AA-0595-4FAD-AACF-9DFAB87248F0@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 473a49460db0a90bfda046b8f3662b49f94098eb
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Jun 18 13:49:28 2015 -0300

      q35: Re-enable FDC on pc-q35-2.3 and older

      commit ea96bc629cbd52be98b2967a4b4f72e91dfc3ee4 doesn't match the patch
      submitted by Laszlo to qemu-devel. We reuse pc_q35_2_4_machine_options()
      inside pc_q35_2_3_machine_options(), so we need to undo the no_floppy
      change in pc_q35_2_3_machine_options().

      (This discrepancy was due to a bad merge.)

      This restores the previous behavior where all the 2.3 and older machines
      had no_floppy=0.

      Reported-by: Ján Tomko <jtomko@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-id: 1434646168-3100-1-git-send-email-ehabkost@xxxxxxxxxx
      Cc: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      [PMM: mention that this was a merge issue, not a review issue]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff5397bc72a1716bb34302dd470343ebee7d6bf2
  Author: Martin Cerveny <M.Cerveny@xxxxxxxxxxxx>
  Date:   Wed May 13 14:14:54 2015 +0200

      scripts: Add support for path as argument of qom-tree

      Add processing of optional argument path as "tree base".

      Signed-off-by: Martin Cerveny <M.Cerveny@xxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 53f77e4562f85ccf82c8831a4448e9aefb538837
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Wed Mar 25 18:40:15 2015 +0100

      tests: Use qtest_add_data_func() consistently

      Replace uses of g_test_add_data_func() for QTest test cases.

      It is still valid to use it for any non-QTest test cases,
      which are not run for multiple target binaries.

      Suggested-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 6bc5cf92c0ab0085ba9a6e0cebcf5a544f416ca7
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Apr 9 16:57:30 2015 -0300

      qdev: Free property names after registering gpio aliases

      Now that object_property_add_alias() strdup()s target_name, we can free
      the property names in qdev_pass_gpios().

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 1590d266d96b3f9b42443d6388dfc38f527ac2d8
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Apr 9 16:57:29 2015 -0300

      qom: strdup() target property name on object_property_add_alias()

      With this, object_property_add_alias() callers can safely free the
      target property name, like what already happens with the 'name' argument
      to all object_property_add*() functions.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 8ffe756da0481233e1bd518b2b16489f51856292
  Merge: 1b58f5a e1d4210
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 18 13:32:39 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-06-18' 
into staging

      QAPI patches

      # gpg: Signature made Thu Jun 18 13:20:00 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-06-18:
        qapi-types: Bury code dead since commit 6b5abc7
        qapi-types: Split generate_fwd_builtin() off generate_fwd_struct()
        qapi-types: Drop unused members parameters
        qapi-types: Don't filter out expressions with 'gen'
        qapi: Catch and reject flat union branch of array type
        tests/qapi-schema: New flat union array branch test case
        qapi: Better separate the different kinds of helpers
        qapi: Move exprs checking from parse_schema() to check_exprs()
        qapi: Fix to reject stray 't', 'f' and 'n'
        qapi: Simplify inclusion cycle detection
        qapi: Fix file name in error messages for included files
        qapi: Improve a couple of confusing variable names
        qapi: Eliminate superfluous QAPISchema attribute input_dir
        qapi: Drop bogus command from docs
        MAINTAINERS: Fix up QAPI and QAPI schema file patterns

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e1d4210c3a50059a3889cedc44a8aa193fa63d7d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 09:45:55 2015 +0200

      qapi-types: Bury code dead since commit 6b5abc7

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c5ecd7e18f912ab5e91f09b0333fb07567885d42
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 09:22:32 2015 +0200

      qapi-types: Split generate_fwd_builtin() off generate_fwd_struct()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ae0a7a109037160465f55f8bab06897f0a904def
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 10:40:17 2015 +0200

      qapi-types: Drop unused members parameters

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 4f3568002393380558705397bda4cd5f224ffe29
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 08:32:51 2015 +0200

      qapi-types: Don't filter out expressions with 'gen'

      Useless, because it can only occur in commands, and we're not dealing
      with commands here.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f9a1427361fe06ac67480d580412dc4ed6f5d03b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 13:07:43 2015 +0200

      qapi: Catch and reject flat union branch of array type

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 75276710ae0a9f802a9774a8d845a2c84f89305a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 13:03:04 2015 +0200

      tests/qapi-schema: New flat union array branch test case

      The new test demonstrates another generator crash.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 00e4b285a31d19dcd88bd46729c9e09bfc9cc7fd
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 10:04:36 2015 +0200

      qapi: Better separate the different kinds of helpers

      Insert comments to separate sections dealing with parsing, semantic
      analysis, code generation, and so forth.

      Move helpers to their proper section.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 4d076d67c2c74662db092ecf4f99600b18209b2e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 08:55:21 2015 +0200

      qapi: Move exprs checking from parse_schema() to check_exprs()

      To have expression semantic analysis in one place rather than two.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e565d934d21e3544b820cd03b88061e71ab644a0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 08:24:58 2015 +0200

      qapi: Fix to reject stray 't', 'f' and 'n'

      Screwed up in commit e53188a.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a1366087270b312d94ff8c4031395a4218f160d4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 16:54:09 2015 +0200

      qapi: Simplify inclusion cycle detection

      We maintain a stack of filenames in include_hist for convenient cycle
      detection.

      As error_path() demonstrates, the same information is readily
      available in the expr_info, so just use that, and drop include_hist.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8608d2525186062099a38971c276752e7a38903a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 18:32:29 2015 +0200

      qapi: Fix file name in error messages for included files

      We print the name as it appears in the include expression.  Tools
      processing error messages want it relative to the working directory.
      Make it so.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 54414047eca5bee7d5ba6e7af5fb251f8635896c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 16:22:45 2015 +0200

      qapi: Improve a couple of confusing variable names

      old name      new name
      ----------------------------
      input_file    fname
      input_relname fname
      input_fname   abs_fname
      include_path  incl_abs_fname
      parent_info   incl_info

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 12c707944927b8aa42752198dcf419a0bafe5d33
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 16:49:13 2015 +0200

      qapi: Eliminate superfluous QAPISchema attribute input_dir

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 836c3b01d2630192d6f5a941ca073bc8d650574b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 14:38:58 2015 +0200

      qapi: Drop bogus command from docs

      Commit 87a560c4 added it in the wrong place.  Commit 59a2c4ce added it
      in the right place, but didn't remove it from the wrong place.  Do
      that now.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 0311c5bde313c9ffcda2a198bd7cc70ae130d973
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 15:15:54 2015 +0200

      MAINTAINERS: Fix up QAPI and QAPI schema file patterns

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1b58f5a7f6fbe811cc486cd5786483bad5d51bbf
  Merge: e207527 a3122b6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 18 11:36:42 2015 +0100

      Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' 
into staging

      Update OpenBIOS images

      # gpg: Signature made Wed Jun 17 20:06:06 2015 BST using RSA key ID 
AE0F321F
      # gpg: Good signature from "Mark Cave-Ayland 
<mark.cave-ayland@xxxxxxxxxxxx>"

      * remotes/mcayland/tags/qemu-openbios-signed:
        Update OpenBIOS images

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e20752775197d3606c50703422d2c5d53ecf54bb
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Wed Jun 17 13:35:00 2015 +0100

      vfio: fix build error on CentOS 5.7

      Include linux/vfio.h after sys/ioctl.h, just like in hw/vfio/common.c.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Acked-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Message-id: 1434544500-22405-1-git-send-email-leon.alrae@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3122b681aee8a41268c610ca3a5e7a066a9091a
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Jun 17 20:02:15 2015 +0100

      Update OpenBIOS images

      Update OpenBIOS images to SVN r1340 built from submodule.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>

  commit c80cd6bb9c20ef518c56319ce44d2971171e677d
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:44 2015 +0200

      tap: add VNET_LE/VNET_BE operations

      The linux tap and macvtap backends can be told to parse vnet headers
      according to little or big endian. This is done through the TUNSETVNETLE
      and TUNSETVNETBE ioctls.

      This patch brings all the plumbing for QEMU to use these APIs.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 04b7a1523d65bb5c78832098cf3108a1aadcaf8a
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:39 2015 +0200

      vhost: set vring endianness for legacy virtio

      Legacy virtio is native endian: if the guest and host endianness differ,
      we have to tell vhost so it can swap bytes where appropriate. This is
      done through a vhost ring ioctl.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 41d283bdab08868a244b9c19dce507fdf15a8990
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:34 2015 +0200

      virtio: introduce virtio_legacy_is_cross_endian()

      This helper will be used by vhost and tap to detect cross-endianness in
      the legacy virtio case.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 332f64073bddc9240cd572f64682a44572b67049
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:29 2015 +0200

      linux-headers: sync vhost.h

      This patch brings the cross-endian vhost API to QEMU.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 06b008d941fd3e9684d38a9b3181a1cf301c78d1
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:19 2015 +0800

      tests: virtio-scsi: Move start/stop to individual test functions

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bea2f0982b335c13448dbde8a409107764fa8b59
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:18 2015 +0800

      libqos: Complete virtio device ID definition list

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 28452758c405e16d9890c44d6031d44233e8cb38
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:17 2015 +0800

      libqos: Allow calling guest_free on NULL pointer

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ebe7d8b166c59b029521f8d95db011e5e0fc649d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:16 2015 +0800

      tests: Link libqos virtio object to virtio-scsi-test

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d4862a87e31a51de9eb260f25c9e99a75efe3235
  Author: Petr Matousek <pmatouse@xxxxxxxxxx>
  Date:   Wed Jun 17 12:46:11 2015 +0200

      i8254: fix out-of-bounds memory access in pit_ioport_read()

      Due converting PIO to the new memory read/write api we no longer provide
      separate I/O region lenghts for read and write operations. As a result,
      reading from PIT Mode/Command register will end with accessing
      pit->channels with invalid index.

      Fix this by ignoring read from the Mode/Command register.

      This is CVE-2015-3214.

      Reported-by: Matt Tait <matttait@xxxxxxxxxx>
      Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9dacf32d2cbd66cbcce7944ebdfd6b2df20e33b8
  Author: Yossi Hindin <yhindin@xxxxxxxxxx>
  Date:   Wed May 6 14:57:40 2015 +0300

      qemu-ga: Building Windows MSI installation with configure/Makefile

      New options were added to enable Windows MSI installation package
      creation:

      Option --enable-guest-agent-msi, like the name suggests, enables building
      Windows MSI package for QEMU guest agent; option --disable-guest-agent-msi
      disables MSI package creation; by default, no MSI package is created

      Signed-off-by: Yossi Hindin <yhindin@xxxxxxxxxx>
      Message-Id: <1430913460-13174-5-git-send-email-yhindin@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 66ae13bb9eb2b16b59698e992bfcea61563b9d78
  Author: Yossi Hindin <yhindin@xxxxxxxxxx>
  Date:   Wed May 6 14:57:39 2015 +0300

      qemu-ga: Introduce Windows MSI script

      The script enables building Windows MSI installation package on Linux 
with wixl tool.

      Signed-off-by: Yossi Hindin <yhindin@xxxxxxxxxx>
      Message-Id: <1430913460-13174-4-git-send-email-yhindin@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c69403fcd4a0cb89f838a212ab71e4a1a3464c95
  Author: Yossi Hindin <yhindin@xxxxxxxxxx>
  Date:   Wed May 6 14:57:38 2015 +0300

      qemu-ga: debug printouts to help troubleshoot installation

      Debug printouts extended, helps installation troubleshooting

      Signed-off-by: Yossi Hindin <yhindin@xxxxxxxxxx>
      Message-Id: <1430913460-13174-3-git-send-email-yhindin@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5e031072e71eebab3d7d2ea4609e84bc928d893e
  Author: Yossi Hindin <yhindin@xxxxxxxxxx>
  Date:   Wed May 6 14:57:37 2015 +0300

      qemu-ga: adding vss-[un]install options

      Existing command line options include '-s install' and '-s uninstall'.
      These options install/uninstall both Windows QEMU GA service
      and optional VSS COM server. The QEMU GA Windows service allows
      always-on serving guest agent's QMP commands and VSS COM server
      enables guest agent integration with Volume Shadow Service.

      This commit introdices new options '-s vss-install' and '-s 
vss-uninstall',
      affecting only GA VSS COM server registration. The new options are useful
      for registering and unregistering the COM server during MSI installation,
      upgrade and uninstallation.

      Signed-off-by: Yossi Hindin <yhindin@xxxxxxxxxx>
      Message-Id: <1430913460-13174-2-git-send-email-yhindin@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 67633bb4f7743be2cb2e70b61e482ab92bf1724e
  Author: Pranith Kumar <bobby.prani@xxxxxxxxx>
  Date:   Wed Jun 10 10:20:24 2015 -0400

      qemu-log: Open file for logging when specified

      qemu-log defaults to stderr when there is no '-D' option mentioned on 
command
      line. When '-D' option is specified, we also need to specify '-d' option 
for it
      to use the specified logfile. When using monitor to enable logging this is
      troublesome since there will be no '-d' option because of which monitor 
dumps
      the logs to stderr.

      Fix this by opening the log file when '-D' is specified on the command 
line.
      Also fix an ancient comment which does not hold true since changing 
location and
      log level has now been streamlined.

      Signed-off-by: Pranith Kumar <bobby.prani@xxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      CC: Markus Armbruster <armbru@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1433946024-18439-1-git-send-email-bobby.prani@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f754c3c9cce3c4789733d9068394be4256dfe6a8
  Merge: a09f4a9 1f68f1d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 17 12:43:26 2015 +0100

      Merge remote-tracking branch 
'remotes/agraf/tags/signed-s390-for-upstream' into staging

      Patch queue for s390 - 2015-06-17

      This is a special one. Two awesome features in one pull request:

        - CCW support for TCG
        - Watchpoint support for TCG

      To celebrate this, we also switch the default machine model from 
s390-virtio
      to s390-ccw and give users a fully working s390x model again!

      # gpg: Signature made Wed Jun 17 11:42:26 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-s390-for-upstream: (26 commits)
        s390x: Switch to s390-ccw machine as default
        target-s390x: PER: add Breaking-Event-Address register
        target-s390x: PER instruction-fetch nullification event support
        target-s390x: PER store-using-real-address event support
        target-s390x: PER storage-alteration event support
        translate-all: fix watchpoints if retranslation not possible
        target-s390x: PER instruction-fetch event support
        target-s390x: PER successful-branching event support
        target-s390x: basic PER event handling
        target-s390x: add get_per_in_range function
        target-s390x: add get_per_atmid function
        target-s390x: add PER related constants
        target-s390x: mvc_fast_memmove: access memory through softmmu
        target-s390x: mvc_fast_memset: access memory through softmmu
        target-s390x: function to adjust the length wrt page boundary
        softmmu: provide tlb_vaddr_to_host function for user mode
        target-s390x: wire up I/O instructions in TCG mode
        target-s390x: wire up DIAG REIPL in TCG mode
        target-s390x: wire up DIAG IPL in TCG mode
        target-s390x: fix s390_cpu_initial_reset
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1f68f1d36c3af09ed31a529ad69c3d09880d10fd
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Tue Jun 16 23:06:33 2015 +0200

      s390x: Switch to s390-ccw machine as default

      We now finally have TCG support for the basic set of instructions 
necessary
      to run the s390-ccw machine. That means in any aspect possible that 
machine
      type is now superior to the legacy s390-virtio machine.

      Switch over to the ccw machine as default. That way people don't get a 
halfway
      broken machine with the s390x target.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 3da0ab35292fe93640cfdd95aa8bedec8f145d2c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:46:03 2015 +0200

      target-s390x: PER: add Breaking-Event-Address register

      This patch adds support for PER Breaking-Event-Address register. Like
      real hardware, it save the current PSW address when the PSW address is
      changed by an instruction. We have to take care of optimizations QEMU
      does, a branch to the next instruction is still a branch.

      This register is copied to low core memory when a program exception
      happens.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 83bb161299c019e25a3add59504f0b69e6257dcd
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:46:02 2015 +0200

      target-s390x: PER instruction-fetch nullification event support

      For the instruction-fetch nullification event, we just reuse the
      existing instruction-fetch code and trigger the exception immediately
      in that case.

      There is no need to save the CPU state in the TCG code as it has been
      saved by the previous instruction before calling the per_check_exception
      helper.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2f54394997bfc808bbfbebb2d8294edd17d63808
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:46:01 2015 +0200

      target-s390x: PER store-using-real-address event support

      This PER event happens each time the STURA or STURG instructions are
      used. As they use helpers, we can just save the event in the PER code
      there, if enabled.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 311918b979c5364c30392c1054ed77d047a83953
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:46:00 2015 +0200

      target-s390x: PER storage-alteration event support

      For the PER storage-alteration event we can use the QEMU watchpoint
      infrastructure. When PER is enabled or PER control register changed we
      enable the corresponding watchpoints. When a watchpoint arises we can
      save the event. Unfortunately the current code does not provide the
      address space used to trigger the watchpoint. For now we assume it comes
      from the default ASC.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 8d302e76755b8157373073d7107e31b0b13f80c1
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:59 2015 +0200

      translate-all: fix watchpoints if retranslation not possible

      The tb_check_watchpoint function currently assumes that all memory
      access is done either directly through the TCG code or through an
      helper which knows its return address. This is obviously wrong as the
      helpers use cpu_ldxx/stxx_data functions to access the memory.

      Instead of aborting in that case, don't try to retranslate the code, but
      assume that the CPU state (and especially the program counter) has been
      saved before calling the helper. Then invalidate the TB based on this
      address.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f0e0d817c22539cd2ce1bcb5487e076f117b04c0
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:58 2015 +0200

      target-s390x: PER instruction-fetch event support

      For the PER instruction-fetch, we can't use the QEMU breakpoint
      infrastructure as it triggers for a single address and not a full
      address range, and as it actually stop before the instruction and
      not before.

      We therefore call an helper with the just fetched instruction address,
      which check if the address is within the PER address range. If it is
      the case, an event is recorded and will be signaled through an
      exception.

      Note that we implement here the PER-3 behaviour, that is an invalid
      opcode is not considered as an instruction fetch. Without PER-3 this
      behavious is undefined.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2c2275eb41c612df4bd115cf71d6e651d105f69c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:57 2015 +0200

      target-s390x: PER successful-branching event support

      For the PER successful-branching event support, we can't rely on any
      QEMU infrastucture. We therefore call an helper in all places where
      a branch can be taken. We have to pay attention to the branch to next
      case, as it's still a taken branch.

      We don't need to care about the cases using goto_tb, as we have disabled
      them in the previous patch.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 777c98c32ce577a9671b9267ff6e2802f69ebafd
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:56 2015 +0200

      target-s390x: basic PER event handling

      This patch add basic support to generate PER exceptions. It adds two
      fields to the cpu structure to record for the PER address and PER
      code & ATMID values. When an exception is triggered and a PER event is
      pending, the two PER values are copied to the lowcore area.

      At the end of an instruction, an helper is checking for a possible
      pending PER event and triggers an exception in that case. For that to
      work with branches, we need to disable TB chaining when PER is
      activated. Fortunately it's already in the TB flags.

      Finally in case of a SERVICE CALL exception, we need to trigger the PER
      exception immediately after.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d453d103831c966e7920f146eb3416e43b588f89
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:55 2015 +0200

      target-s390x: add get_per_in_range function

      This function checks if an address is in between the PER starting
      address and the PER ending address, taking care of a possible
      address range loop.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a8f931a931f8866abdb2f836d0fb6fb7d2606645
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:54 2015 +0200

      target-s390x: add get_per_atmid function

      This function returns the ATMID field that is stored in the
      per_perc_atmid lowcore entry.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit fb01bf4c6b86d9ac00ea87d60f97871ee1488188
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:53 2015 +0200

      target-s390x: add PER related constants

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 6da528d14de29138ca5ac43d6d059889dd24f464
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:52 2015 +0200

      target-s390x: mvc_fast_memmove: access memory through softmmu

      mvc_fast_memmove is bypassing the softmmu functions, getting the
      physical source and destination addresses using the mmu_translate
      function and accessing the corresponding physical memory. This
      prevents watchpoints to work correctly.

      Instead use the tlb_vaddr_to_host function to get the host addresses
      corresponding to the guest source and destination addresses through the
      softmmu code and fallback to the byte level code in case the
      corresponding address are not in the QEMU TLB or being examined through
      a watchpoint. As a bonus it works even for area crossing pages by
      splitting the are into chunks contained in a single page, bringing some
      performances improvements. We can therefore remove the 8-byte
      loads/stores method, as it is now quite unlikely to be used.

      At the same time change the name of the function to fast_memmove as it's
      not specific to mvc and use the same argument order as the C memmove
      function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit fc89efe693278c79273f3bbf6b581e8a749c85b0
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:51 2015 +0200

      target-s390x: mvc_fast_memset: access memory through softmmu

      mvc_fast_memset is bypassing the softmmu functions, getting the
      physical address using the mmu_translate function and accessing the
      corresponding physical memory. This prevents watchpoints to work
      correctly.

      Instead use the tlb_vaddr_to_host function to get the host address
      corresponding to the guest address through the softmmu code and fallback
      to the byte level code in case the corresponding address is not in the
      QEMU TLB or being examined through a watchpoint. As a bonus it works
      even for area crossing pages by splitting the are into chunks contained
      in a single page, bringing some performances improvements.

      At the same time change the name of the function to fast_memset as it's
      not specific to mvc and use the same argument order as the C memset
      function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d7ce6b7a0ba4328a286d09d96395a8fc2fd6943c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:50 2015 +0200

      target-s390x: function to adjust the length wrt page boundary

      This patch adds a function to adjust the length of a transfer so that
      it doesn't cross a page boundary in softmmu mode. It does nothing in
      user mode.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2e83c496261c799b0fe6b8e18ac80cdc0a5c97ce
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:49 2015 +0200

      softmmu: provide tlb_vaddr_to_host function for user mode

      To avoid to many #ifdef in target code, provide a tlb_vaddr_to_host for
      both user and softmmu modes. In the first case the function always
      succeed and just call the g2h function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ad8a4570add09a7635cb8cd1c9327640521ee7a7
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Mon Jun 15 17:57:09 2015 +0200

      target-s390x: wire up I/O instructions in TCG mode

      The code handling the I/O instructions for KVM decodes the instruction
      itself. In TCG mode also pass the full instruction word to the helpers.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2ecacb0b4b6c73af424b7b4389fa55809368a98b
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:08 2015 +0200

      target-s390x: wire up DIAG REIPL in TCG mode

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 8df7eef3059394bd53cdf7609aac9a50a78aa030
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:07 2015 +0200

      target-s390x: wire up DIAG IPL in TCG mode

      DIAG IPL is already implemented for KVM, but not wired from TCG. For
      that change the format of the instruction so that we can get R1 and R3
      numbers in addition to the function code.

      The diag function can change plenty of things, including CC, so we
      should enter with a static CC. Also it doesn't set the value of general
      register 2 to 0 as in the current code. We also need to exit the CPU
      loop after a reset, which means a new PSW.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit cbed0ba78f04ce9e2e718431f64eb4b621288aca
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:06 2015 +0200

      target-s390x: fix s390_cpu_initial_reset

      The s390_cpu_initial_reset function zeroes a big part of the CPU state
      structure, including CPU_COMMON, and thus the QEMU TLB structure. As
      they should not be initialized with zeroes only, we need to call the
      tlb_flush to initialize it correctly.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit cc0d079d4582ee0ed97b5e3e3da4f6cb2b5bd67f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:05 2015 +0200

      target-s390x: initialize I/O interrupt queue

      env->io_index[] should be set to -1 during CPU reset to mark the
      I/O interrupt queue as empty.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7107e5a756317151666d47d1bc1e170293babaff
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:04 2015 +0200

      target-s390x: correctly initialize ext interrupt queue

      env->ext_index should be initialized to -1 to mark the external
      interrupt queue as emtpy. This should not be done in s390_cpu_initfn
      as all the interrupt fields are later reset to 0 by the memset in
      s390_cpu_initial_reset or s390_cpu_full_reset. Move the initialization
      there.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 06e3c077daa08c0a616e9507eb737401883ab645
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:03 2015 +0200

      target-s390x: fix setcc in TCG mode

      In TCG mode we should store the CC value in env->cc_op. However do it
      inconditionnaly because:
      - the tcg_enabled function is not inlined
      - it's probably faster to always store the value, especially given it
        is likely in the same cache line than env->psw.mask.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a499973ff32bc58f2db7b88ad5597ffdbc2becd7
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:02 2015 +0200

      virtio-ccw: disable ioevent bit when ioeventfds are not enabled

      This remove the corresponding error messages in TCG mode, and allow to
      simplify the s390_assign_subch_ioeventfd() function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d49f4ab48ec76e590ad72a2d6c3fba8459d3ded7
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Mon Jun 15 17:57:01 2015 +0200

      s390/ioinst: fix endianness in ioinst_schib_valid

      The ioinst_schib_valid gets a SCHIB in guest endianness, we should
      byteswap the fields we access.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ae52e585bf5e9678a77be033fd4b430a2e78dfed
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:00 2015 +0200

      s390/ioinst: fix IO_INT_WORD_ISC macro

      The I/O-Interruption Subclass field corresponds to bits 2 to 5 (BE
      notation) of the Interruption-Identification Word. The value should
      be shift by 27 instead of 24.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a09f4a9d19c500ea5cbcdc0bd7f0d540cf54f9f5
  Merge: 8c29f8d f3bcd42
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 17 11:12:35 2015 +0100

      Merge remote-tracking branch 
'remotes/kraxel/tags/pull-seabios-1.8.2-20150617-1' into staging

      update seabios to release 1.8.2
      add vgabios for virtio-vga

      # gpg: Signature made Wed Jun 17 08:34:22 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-seabios-1.8.2-20150617-1:
        update seabios and vgabios binaries
        tag our seabios builds
        update seabios submodule to release 1.8.2

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8c29f8d6b9595ac0f9ab1b41f22e91aebab482d7
  Merge: 93f6d1c f8d30a4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 17 10:13:40 2015 +0100

      Merge remote-tracking branch 'remotes/kvaneesh/tags/for-upstream-signed' 
into staging

      VirtFS update:

      * Fix for virtfs-proxy-helper crash
      * Gracefully handle the error condition on input validation in 
virtfs-proxy-helper

      # gpg: Signature made Tue Jun 16 16:21:28 2015 BST using RSA key ID 
04C4E23A
      # gpg: Good signature from "Aneesh Kumar K.V 
<aneesh.kumar@xxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 4846 9DE7 1860 360F A6E9  968C DE41 A4FE 04C4 
E23A

      * remotes/kvaneesh/tags/for-upstream-signed:
        virtfs-proxy-helper: fail gracefully if socket path is too long
        virtfs-proxy-helper: add missing long option terminator

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f3bcd42683dcc48c576281399d6cf6b34da6ba41
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 17 09:28:03 2015 +0200

      update seabios and vgabios binaries

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 7edf2f0ec4edbde50be3b54306adf5b8b16ca68b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 17 09:24:55 2015 +0200

      tag our seabios builds

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 10500ce26069b7c4746e8a2276aa03220a29581c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 17 09:11:47 2015 +0200

      update seabios submodule to release 1.8.2

      git shortlog rel-1.8.1..rel-1.8.2
      =================================

      Gerd Hoffmann (1):
            vga: rework virtio-vga support

      Kevin O'Connor (5):
            vgabios: Add config option for assembler fixups
            vgabios: Emulate "leal" instruction
            build: Support "make VERSION=xyz" to override the default build 
version
            build: CONFIG_VGA_FIXUP_ASM should depend on CONFIG_BUILD_VGABIOS
            vgabios: On bda_save_restore() the saved vbe_mode also has flags in 
it

      Paolo Bonzini (1):
            smm: ignore bits 16,18-31 of SMM revision ID

      Vladimir Serbinenko (1):
            ahci: Ignore max_ports.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f8d30a4f96d6c3a12e692d2e69b8fe4734b916c6
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 30 14:57:16 2015 +0100

      virtfs-proxy-helper: fail gracefully if socket path is too long

      Replace the assertion check with graceful failure when the socket path
      is too long.  Programs should not crash on invalid input.  Print an
      error message and exit properly.

      Cc: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>

  commit bf6667d63ef4c4fbaf91051589a594ec1c235308
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 30 14:57:15 2015 +0100

      virtfs-proxy-helper: add missing long option terminator

      The getopt_long(3) long options array must have a zeroed terminator.

      This patch solves a segmentation fault when an unknown command-line
      option is encountered:

        $ fsdev/virtfs-proxy-helper --help
        Segmentation fault (core dumped)

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>

  commit 93f6d1c16036aaf34055d16f54ea770fb8d6d280
  Merge: 4316536 7a4dfd1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 16 10:35:43 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150615-1' 
into staging

      virtio-gpu: pci support bits and virtio-vga.

      # gpg: Signature made Mon Jun 15 13:55:19 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20150615-1:
        virtio-vga: add vgabios configuration
        virtio-vga: add '-vga virtio' support
        virtio-vga: add virtio gpu device with vga compatibility
        virtio-gpu-pci: add virtio pci support
        virtio-gpu: fix error message

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4316536bf424d2e7f9cfa7d0dd561adb0986cc81
  Merge: 1dfe73b 45c874e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 16 09:07:22 2015 +0100

      Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20150616' 
into staging

      linux-user patches for 2.4 softfreeze
      second spin with ioctl patch refreshed

      # gpg: Signature made Tue Jun 16 08:03:14 2015 BST using RSA key ID 
DE3C9BC0
      # gpg: Good signature from "Riku Voipio <riku.voipio@xxxxxx>"
      # gpg:                 aka "Riku Voipio <riku.voipio@xxxxxxxxxx>"

      * remotes/riku/tags/pull-linux-user-20150616:
        linux-user: ioctl() command type is int
        linux-user: fix the breakpoint inheritance in spawned threads
        linux-user: use __get_user and __put_user in cmsg conversions
        linux-user: Fix length handling in host_to_target_cmsg
        linux-user: Use abi_ulong for TARGET_ELF_PAGESTART
        linux-user: Allocate thunk size dynamically

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 45c874ebbae661238bfa3c0534480ebe2940b112
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Tue Jun 16 00:35:28 2015 +0200

      linux-user: ioctl() command type is int

      When executing a 64bit target chroot on 64bit host,
      the ioctl() command can mismatch.

      It seems the previous commit doesn't solve the problem in
      my case:

          9c6bf9c7 linux-user: Fix ioctl cmd type mismatch on 64-bit targets

      For example, a ppc64 chroot on an x86_64 host:

      bash-4.3# ls
      Unsupported ioctl: cmd=0x80087467
      Unsupported ioctl: cmd=0x802c7415

      The origin of the problem is in syscall.c:do_ioctl().

          static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)

      In this case (ppc64) abi_long is long (on the x86_64), and

          cmd = 0x0000000080087467

      then
          if (ie->target_cmd == cmd)

      target_cmd is int, so target_cmd = 0x80087467
      and to compare an int with a long, the sign is extended to 64bit,
      so the comparison is:

          if (0xffffffff80087467 == 0x0000000080087467)

      which doesn't match whereas it should.

      This patch uses int in the case of the target command type
      instead of abi_long.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 1d085f6cae51b1a0fb92ad03ce8bf038e29c9750
  Author: Thierry Bultel <thierry.bultel@xxxxxxxxxxxxx>
  Date:   Fri Jun 12 11:24:10 2015 +0200

      linux-user: fix the breakpoint inheritance in spawned threads

      When a thread is spawned, cpu_copy re-initializes
      the bp & wp lists of current thread, instead of the ones
      of the new thread.
      The effect is that breakpoints are no longer hit.

      Signed-off-by: Thierry Bultel <thierry.bultel@xxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 876e23cb2e545148a0ee4effda5c63c861855941
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 26 19:46:32 2015 +0100

      linux-user: use __get_user and __put_user in cmsg conversions

      The target payloads in cmsg conversions may not have the alignment
      required by the host. Using the get_user and put_user functions is
      the easiest way to handle this and also do the byte-swapping we
      require.

      (Note that prior to this commit target_to_host_cmsg was incorrectly
      using __put_user() rather than __get_user() for the SCM_CREDENTIALS
      conversion, which meant it wasn't getting the benefit of the
      misalignment handling.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit c2aeb2586bd258ad76fcfe308f883075e73ff1d2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 26 19:46:31 2015 +0100

      linux-user: Fix length handling in host_to_target_cmsg

      The previous code for handling payload length when converting
      cmsg structures from host to target had a number of problems:
       * we required the msg->msg_controllen to declare the buffer
         to have enough space for final trailing padding (we were
         checking against CMSG_SPACE), whereas the kernel does not
         require this, and common userspace code assumes this. (In
         particular, glibc's "try to talk to nscd" code that it will
         run on startup will receive a cmsg with a 4 byte payload and
         only allocate 4 bytes for it, which was causing us to do
         the wrong thing on architectures that need 8-alignment.)
       * we weren't correctly handling the fact that the SO_TIMESTAMP
         payload may be larger for the target than the host
       * we weren't marking the messages with MSG_CTRUNC when we did
         need to truncate a message that wasn't truncated by the host,
         but were instead logging a QEMU message; since truncation is
         always the result of a guest giving us an insufficiently
         sized buffer, we should report it to the guest as the kernel
         does and don't log anything

      Rewrite the parts of the function that deal with length to
      fix these issues, and add a comment in target_to_host_cmsg
      to explain why the overflow logging it does is a QEMU bug,
      not a guest issue.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 1dfe73b94de5a75038a725b17dc7d08a23a977ec
  Merge: b500e4d f264d51
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:43:09 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150615' into staging

      target-arm queue:
       * Handle "extended small page" descriptors correctly
       * Use extended address bits from supersection short descriptors
       * Update interrupt status for all cores in gic_update
       * Fix off-by-one in exynos4210_fimd bit-swap code
       * Remove stray unused 'pending_exception' field
       * Add Cortex-A53 KVM support
       * Fix reset value of REVIDR
       * Add AArch32 MIDR aliases for ARMv8 cores
       * MAINTAINERS update for ARM ACPI code
       * Trust the kernel's value of MPIDR if we're using KVM
       * Various pxa2xx device updates to avoid old APIs
       * Mark pxa2xx copro registers as ARM_CP_IO so -icount works
       * Correctly UNDEF Thumb2 DSP insns on Cortex-M3
       * Initial work towards implementing PMSAv7
       * Fix a reset order bug introduced recently
       * Correct "preferred return address" for cpreg access exceptions
       * Add ACPI SPCR table for the virt board

      # gpg: Signature made Mon Jun 15 18:19:34 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150615: (28 commits)
        hw/arm/virt-acpi-build: Add SPCR table
        ACPI: Add definitions for the SPCR table
        target-arm: Correct "preferred return address" for cpreg access 
exceptions
        hw/arm/boot: fix rom_reset notifier registration order
        arm: helper: rename get_phys_addr_mpu
        arm: Add has-mpu property
        arm: Implement uniprocessor with MP config
        arm: Refactor get_phys_addr FSR return mechanism
        arm: helper: Factor out CP regs common to [pv]msa
        arm: Don't add v7mp registers in MPU systems
        arm: Do not define TLBTR in PMSA systems
        target-arm: Add the THUMB_DSP feature
        hw/sd/pxa2xx_mmci: Stop using old_mmio in MemoryRegionOps
        hw/arm/pxa2xx: Convert pxa2xx-ssp to VMState
        hw/arm/pxa2xx: Add reset method for pxa2xx_ssp
        hw/arm/pxa2xx: Convert pxa2xx-fir to QOM and VMState
        hw/arm/pxa2xx: Mark coprocessor registers as ARM_CP_IO
        target-arm: Use the kernel's idea of MPIDR if we're using KVM
        MAINTAINERS: Add myself as ARM ACPI Subsystem maintainer
        target-arm: add AArch32 MIDR aliases in ARMv8
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f264d51d8ad939d7fb339d61a8cf680ed0cb21a2
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:11 2015 +0100

      hw/arm/virt-acpi-build: Add SPCR table

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Tested-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1433929959-29530-3-git-send-email-drjones@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b8a0d75ef85b8f24c92a6c50817fa9579b4a98d9
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:11 2015 +0100

      ACPI: Add definitions for the SPCR table

      SPCR is the Serial Port Console Redirection Table. See the document
      linked from http://uefi.org/acpi. For serial port types, "Interface
      Type", see the documentation for the Debug Port Table 2 (DBG2).

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Tested-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1433929959-29530-2-git-send-email-drjones@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3977ee5d7a9f2e3664dd8b233f3224694e23b62b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:11 2015 +0100

      target-arm: Correct "preferred return address" for cpreg access exceptions

      The architecture defines that when taking an exception trying to
      access a coprocessor register, the "preferred return address" for
      the exception is the address of the instruction that caused the
      exception. Correct an off-by-4 error which meant we were returning
      the address after the instruction for traps which happened because
      of a failure of a runtime access-check function on an AArch32
      register. (Traps caused by translate-time checkable permissions
      failures had the correct address, as did traps on AArch64 registers.)

      This fixes https://bugs.launchpad.net/qemu/+bug/1463338

      Reported-by: Robert Buhren <robert@xxxxxxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1433861440-30133-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 63a183ed0eac2956574745c84faffa042d99afb8
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:11 2015 +0100

      hw/arm/boot: fix rom_reset notifier registration order

      commit ac9d32e39664e060cd1b538ff190980d57ad69e4 had the consequence to
      register the do_cpu_reset after the rom_reset one. Hence they get
      executed in the wrong order. This commit restores the registration of
      do_cpu_reset in arm_load_kernel.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reported-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Tested-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434111582-9325-1-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 13689d43646482f7305282de1bdd662c0d2b8b77
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: helper: rename get_phys_addr_mpu

      This get_phys_addr is really for pmsav5. Rename it accordingly.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
bf4b019aa87d682a45998105ef8e4d4e97a5e117.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8f325f568fbd0158cd413e7d637573ba90b3eaab
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Add has-mpu property

      For processors that support MPUs, add a property to de-feature it. This
      is similar to the implementation of the EL3 feature.

      The processor definition in init sets ARM_FEATURE_MPU if it can support
      an MPU. post_init exposes the property, defaulting to true. If cleared
      by the instantiator, ARM_FEATURE_MPU is then removed at realize time.

      This is to support R profile processors that may or may-not have an MPU
      configured.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
632918cc48786e868ea18aa6bd12f70597994cad.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a8e81b319d1ae1224cc7059877dcdf04a5aad59d
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Implement uniprocessor with MP config

      Add a boolean for indicating uniprocessors with MP extensions. This
      drives the U bit in MPIDR. Prepares support for Cortex-R5.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a70a80583df265e0174f01fa1fc92b33ea6d1db5.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b7cc4e82f04a1c5b218a657f677a2fdd1e1c2889
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Refactor get_phys_addr FSR return mechanism

      Currently, the return code for get_phys_addr is overloaded for both
      success/fail and FSR value return. This doesn't handle the case where
      there is an error with a 0 FSR. This case exists in PMSAv7.

      So rework get_phys_addr and friends to return a success/failure boolean
      return code and populate the FSR via a caller provided uint32_t
      pointer.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a209e3d8ae00cda55260c970891f520210e26bad.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8e5d75c950a1241f6e1243c37f28cd58f68fedc9
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: helper: Factor out CP regs common to [pv]msa

      V6+ PMSA and VMSA share some common registers that are currently
      in the VMSA definition block. Split them out into a new def that can
      be shared to PMSA.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
284db78a43c63c9bfbb60de539672c361bcb6af8.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5e5cf9e35f25f9f932a6ce25107c11b67b426a43
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Don't add v7mp registers in MPU systems

      These registers are VMSA specific so they should be conditional on
      VMSA (i.e. !MPU).

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
7bb8843e45f2635c6b7a583c5bb5da51ed4442a0.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8085ce63c5967d200f1241b6c0a189371993c5df
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Do not define TLBTR in PMSA systems

      If doing a PMSA (MPU) system do not define the VMSA specific TLBTR CP.
      The def is done separately from VMSA registers group as it is affected
      by both the OMAP/STRONGARM RW errata and the MIDR backgrounding.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
b03fea3840207edf633f5c9189400c3dd6a28d14.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 62b44f059a84d1ac580a653fc4110dfabaef6b83
  Author: Aurelio C. Remonda <aurelioremonda@xxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      target-arm: Add the THUMB_DSP feature

      Create an ARM_FEATURE_THUMB_DSP controlling the Thumb encodings of
      the 85 DSP instructions (these are all Thumb2). This is enabled for
      all non-M-profile CPUs with Thumb2 support, as the instructions are
      mandatory for R and A profiles. On M profile they are optional and
      not present in the Cortex-M3 (though they are in the M4).

      The effect of this commit is that we will now treat the DSP
      encodings as illegal instructions on M3, when previously we
      incorrectly implemented them.

      Signed-off-by: Aurelio C. Remonda <aurelioremonda@xxxxxxxxx>
      Message-id: 1434311355-26554-1-git-send-email-aurelioremonda@xxxxxxxxx
      [PMM: added clz/crc32/crc32c and default case to the early-decode switch;
       minor format/spacing fixups; reworded commit message a bit]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 13e1e476b4bc111d36fffaea025f90d8db52b697
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/sd/pxa2xx_mmci: Stop using old_mmio in MemoryRegionOps

      Update the pxa2xx_mmci device to stop using the old_mmio read
      and write callbacks in its MemoryRegionOps. This actually
      simplifies the code because the separate byte/halfword/word
      access functions were all calling into a single function to
      do the work anyway.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 8e079caf82c3658ee64bca37c91953b38296d427
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/arm/pxa2xx: Convert pxa2xx-ssp to VMState

      The pxa2xx-ssp device is already a QOM device but is still
      using the old-style register_savevm(); convert to VMState.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit ce3203464bee89d2ae958717222981326a37775e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/arm/pxa2xx: Add reset method for pxa2xx_ssp

      The pxa2xx_ssp device was missing a reset method; add one.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter..crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 1fd9f2df241554b68b3a19ad1c94c475c7bb85ea
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/arm/pxa2xx: Convert pxa2xx-fir to QOM and VMState

      Convert the pxa2xx-fir device to QOM, including using a
      VMState for its migration info.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 14c3032a7ebd5a354381465453c0c0690b7342d1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/arm/pxa2xx: Mark coprocessor registers as ARM_CP_IO

      The pxa2xx custom coprocessor registers in cp6 and cp14 do device
      accesses, so mark the non-constant regs as ARM_CP_IO so that
      icount works correctly and doesn't abort.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit eb5e1d3c85dffe677da2550d211f9304a7d5ba3b
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      target-arm: Use the kernel's idea of MPIDR if we're using KVM

      When we're using KVM, the kernel's internal idea of the MPIDR
      affinity fields must match the values we tell it for the guest
      vcpu cluster configuration in the device tree. Since at the moment
      the kernel doesn't support letting userspace tell it the correct
      affinity fields to use, we must read the kernel's view and
      reflect that back in the device tree.

      Signed-off-by: Shlomo Pongratz <shlomo.pongratz@xxxxxxxxxx>
      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-id: 02f601d0a1e6$90c7d630$b2578290$@samsung.com
      [PMM: Use a local #define rather than a global variable for
       the TCG ARM_CPUS_PER_CLUSTER setting. Tweak a comment. Update the
       commit message.]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8f4d260e70aff7c3796d97c78ba0663696e2d503
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      MAINTAINERS: Add myself as ARM ACPI Subsystem maintainer

      Add Shannon Zhao as the maintainer for the ARM ACPI Subsystem.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Acked-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1433248318-6076-1-git-send-email-shannon.zhao@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ac00c79ff6635ae9fd732ff357ada0d05e795500
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      target-arm: add AArch32 MIDR aliases in ARMv8

      According to ARMv8 ARM, there are additional aliases to MIDR system 
register in
      AArch32 state. So add them to the list.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1433321048-23793-3-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 13b72b2b9aa7ab7ee129e38e9587acd6a1b9a932
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      target-arm: Fix REVIDR reset value

      According to ARM Cortex-A53/A57 TRM, REVIDR reset value should be zero. 
So let
      REVIDR reset value be specified by CPU model and correct it for 
Cortex-A53/A57.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1433321048-23793-2-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8772de2c53b44c75f18140646aa928e6d77cb9d8
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      hw/arm/virt: Add cortex-a53 cpu support in machine virt

      Add cortex-a53 cpu support in machine virt, so it can be used for TCG
      and KVM.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1433207452-4512-3-git-send-email-shannon.zhao@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7525465e6def0ef878741087b36e4657016dce80
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      target-arm/kvm64: Add cortex-a53 cpu support

      Since commit e353102(target-arm: cpu64: Add support for Cortex-A53) has
      added Cortex-A53 cpu support for target-arm, this patch just enables it
      for kvm-arm.

      Here adding XGENE_POTENZA just makes the enum continuous.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1433207452-4512-2-git-send-email-shannon.zhao@xxxxxxxxxx
      [PMM: Don't add the CPU types to cpus_to_try[]; this array only
       lists old CPUs which were supported in pre-PREFERRED_TARGET kernels]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a79e0218e0ae27c9cdd2648bd46e5a916c903cc2
  Author: Alex Bennée <alex.bennee@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      target-arm/cpu.h: remove pending_exception

      This isn't used by any of the code. In fact it looks like it was never
      used as it came in with ARMv7 support.

      Signed-off-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1434020015-8868-1-git-send-email-alex.bennee@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 644ead5be1a851abff16886240c5c6fc1c5137c0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      hw/display/exynos4210_fimd: Fix bit-swapping code

      fimd_swap_data() includes code to reverse the bits in a
      64-bit integer, but an off-by-one error meant that it would
      try to shift off the top of the integer. Correct the bug
      (spotted by Coverity).

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1432912615-23107-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 235069a380147e31236b94c31528fc5170c3a421
  Author: Johan Karlsson <Johan.Karlsson@xxxxxxxx>
  Date:   Mon Jun 15 18:06:07 2015 +0100

      arm_gic: gic_update should always update all cores

      This patch fixes so that gic_update always updates all the cores with
      new pending irq states.  If the function returns early it is possible
      to get interrupts that has already been acknowledged.

      Signed-off-by: Johan Karlsson <johan.karlsson@xxxxxxxx>
      [PMM: rebased to apply to current master]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4e42a6ca37e39e56725518851f4388e46bd91129
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Jun 15 18:06:07 2015 +0100

      target-arm: use extended address bits from supersection short descriptor

      Since ARMv7 with LPAE support, a supersection short translation table
      descriptor has had extended base address fields which hold bits 39:32 of
      translated address. These fields are IMPDEF in ARMv6 and ARMv7 without
      LPAE support.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1433235718-30485-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fc1891c74ae122a9dc7854f38bae7db03cd911e6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:07 2015 +0100

      target-arm: Handle "extended small page" descriptors correctly

      The old ARMv5-style page table format includes a kind of second level
      descriptor named the "extended small page" format, whose primary purpose
      is to allow specification of the TEX memory attribute bits on a 4K page.
      This exists on ARMv6 and also (as an implementation extension) on XScale
      CPUs; it's UNPREDICTABLE on v5.

      We were mishandling this in two ways:
       (1) we weren't implementing it for v6 (probably never noticed because
      Linux will use the new-style v6 page table format there)
       (2) we were not correctly setting the page_size, which is 4K, not 1K

      The latter bug went unnoticed for years because the only thing which
      the page_size affects is which TLB entries get flushed when the guest
      does a TLB invalidate on an address in the page, and prior to commit
      2f0d8631b7 we were doing a full TLB flush very frequently due to Linux's
      habit of writing the SCTLR pointlessly a lot.

      (We can assume that after commit 2f0d8631b7 the bug went unnoticed
      for a year because nobody's actually using the Zaurus/XScale emulation...)

      Report the correct page size for these descriptors, and permit them
      on ARMv6 CPUs. This fixes a problem where a kernel image for Zaurus
      can boot the kernel OK but gets random segfaults when it tries to
      run userspace programs.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1432844085-16441-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit b500e4db8e3e0b5f41a2dd14e2001200e5fc7d6b
  Merge: 46bca54 d95d7d8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 16:15:32 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20150615-1' 
into staging

      audio: remove obsolete backends (esd, fmod, winwave).
      audio: stop using global variables, small fixes.
      audio: remove some obsolte and unused code.

      # gpg: Signature made Mon Jun 15 13:24:44 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-audio-20150615-1:
        ossaudio: use trace events instead of debug config flag
        alsaaudio: use trace events instead of verbose
        dsoundaudio: remove primary buffer
        dsoundaudio: remove *_retries kludges
        audio: remove plive
        audio: remove LOG_TO_MONITOR along with default_mon
        MAINTAINERS: remove malc from audio
        sdlaudio: do not allow multiple instances
        coreaudio: do not use global variables where possible
        dsoundaudio: do not use global variables
        paaudio: fix possible resource leak
        wavaudio: do not use global variables
        ossaudio: do not use global variables
        alsaaudio: do not use global variables
        paaudio: do not use global variables
        audio: expose drv_opaque to init_out and init_in
        only enable dsound in case the header file is present
        audio: remove winwave audio driver
        audio: remove fmod backend
        audio: remove esd backend

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6a084ea39aec84d352dbd3de0f523daaaaac8c7d
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jun 15 16:20:21 2015 +0200

      vhost-user: part of virtio

      vhost user is related to virtio, add it to the relevant entry.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 46bca5404b08201bb9df1ac32bc88fc7e6db1f74
  Merge: f3e3b08 8369e33
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 13:24:50 2015 +0100

      Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20150615' 
into staging

      s390x/kvm/watchdog

      1. Implement a diag288 based watchdog
      2. Fix virtio-ccw BIOS for gcc >= 4.9

      # gpg: Signature made Mon Jun 15 12:36:25 2015 BST using RSA key ID 
B5A61C7C
      # gpg: Good signature from "Christian Borntraeger (IBM) 
<borntraeger@xxxxxxxxxx>"

      * remotes/borntraeger/tags/s390x-20150615:
        s390/bios: build with -fdelete-null-pointer-checks
        watchdog: Add new Virtual Watchdog action INJECT-NMI
        nmi: Implement inject_nmi() for non-monitor context use
        s390x/watchdog: diag288 migration support
        s390x/kvm: diag288 instruction interception and handling
        s390x/watchdog: introduce diag288 watchdog device
        watchdog: change option wording to allow for more watchdogs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8369e339d24f365750da456588e742674c153437
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 12:24:03 2015 +0200

      s390/bios: build with -fdelete-null-pointer-checks

      Starting with version 4.9, GCC assumes it can't safely dereference null
      pointers, and uses this for some optimizations. On s390, the lowcore
      memory is located at address 0, so this assumption is wrong and breaks
      the s390-ccw firmware. Pass -fdelete-null-pointer-checks to avoid that.

      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1434363843-14576-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit d95d7d802c33f6277c9fb967c14ae0cc99aeb072
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:07 2015 +0200

      ossaudio: use trace events instead of debug config flag

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit fbb7ef56d55723a4996c288b50a16e6283eea13f
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:06 2015 +0200

      alsaaudio: use trace events instead of verbose

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6dd35fd81e06d469b6f5280adee0a16ee383db57
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:05 2015 +0200

      dsoundaudio: remove primary buffer

      Enabling this option just creates a playback buffer with the specified 
settings,
      and then ignores it. It's probably some outdated hack to set audio 
formats on
      windows. (The first created stream dictates all other streams settings, 
at least
      on some Windows versions). Setting DAC_FIXED_SETTINGS should have the same
      effect as setting (the now removed) primary buffer.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2762955f723570944966347600b5746e7dd99388
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:04 2015 +0200

      dsoundaudio: remove *_retries kludges

      According to MSDN this may happen when the window is not in the 
foreground, but
      the default is 1 since a long time (which means no retries), so it should 
be ok.
      I've found no problems during testing it on Windows 7 and wine, so this 
was
      probably only the case with some old Windows versions.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 73ad33ef7ba0d1e7c7f276663f36c4f72b9193a9
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:03 2015 +0200

      audio: remove plive

      It was useless even 3 years ago, so it can probably safely go away:
      https://lists.nongnu.org/archive/html/qemu-devel/2012-03/msg02427.html

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 06ac27f683c52890a6d174adba8c92354fa1eceb
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:02 2015 +0200

      audio: remove LOG_TO_MONITOR along with default_mon

      Setting QEMU_AUDIO_LOG_TO_MONITOR=1 can crash qemu (if qemu tries to log
      to the monitor before it's being initialized), and also nothing else in
      qemu logs to the monitor.

      This log to monitor feature was the last thing that used the default_mon
      variable, so I removed it too (as using it can cause problems).

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 65eb1e6b4c1c4f66deff9cdf9bfbdea267c59343
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jun 9 12:51:36 2015 +0200

      MAINTAINERS: remove malc from audio

      email bounces, with a appearently permanent error:
      "av1474@xxxxxxxx mail receiving disabled, rejecting"

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>

  commit 81ebb07c56a28aa7ca47c38eb44690025a9dd6b9
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:55 2015 +0200

      sdlaudio: do not allow multiple instances

      Since SDL uses a lot of global data, we can't create independent
      instances of sdl audio backend.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d1f52a1d704de2252bc48c64ca4d46086cb249a2
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:54 2015 +0200

      coreaudio: do not use global variables where possible

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 191e1f0acd32360b917fa54a52389b97d9b52b6f
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:52 2015 +0200

      dsoundaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 49dd6d0d33e1a59b4055713079e64062bc5092b5
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:53 2015 +0200

      paaudio: fix possible resource leak

      qpa_audio_init did not clean up resources properly if the initialization
      failed. This hopefully fixes it.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f2dcc6cec285938967446d412b0477e02e26f3ca
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:51 2015 +0200

      wavaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 4045a85ad1aadb1a56038ed3358e2093ba88f91f
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:50 2015 +0200

      ossaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 765b37da3f2824afd45b38c038af44da42b956f6
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:48 2015 +0200

      alsaaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 9a644c4b4dfc7ebe7994bfa568cbeaa1847ca5ff
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:49 2015 +0200

      paaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5706db1deb061ee9affdcea81e59c4c2cad7c41e
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:47 2015 +0200

      audio: expose drv_opaque to init_out and init_in

      Currently the opaque pointer returned by audio_driver's init is only
      exposed to the driver's fini, but not to audio_pcm_ops. This way if
      someone wants to share a variable with the driver and the pcm, he must
      use global variables. This patch fixes it by adding a third parameter to
      audio_pcm_op's init_out and init_in.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 307119e7d948bcdb5918fd762153deda471e695b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 10 09:07:35 2015 +0200

      only enable dsound in case the header file is present

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f3e3b083d4c266ea864ae3c83da49d4086857679
  Merge: 8aeaa05 67251a3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 10:43:06 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer core and image format patches

      # gpg: Signature made Fri Jun 12 16:08:53 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (25 commits)
        block: Fix reopen flag inheritance
        block: Add BlockDriverState.inherits_from
        block: Add list of children to BlockDriverState
        queue.h: Add QLIST_FIX_HEAD_PTR()
        block: Drain requests before swapping nodes in bdrv_swap()
        block: Move flag inheritance to bdrv_open_inherit()
        block: Use QemuOpts in bdrv_open_common()
        block: Use macro for cache option names
        vmdk: Use bdrv_open_image()
        quorum: Use bdrv_open_image()
        check-qdict: Test cases for new functions
        qdict: Add qdict_{set,copy}_default()
        qdict: Add qdict_array_entries()
        iotests: Add tests for overriding BDRV_O_PROTOCOL
        block: driver should override flags in bdrv_open()
        block: Change bitmap truncate conditional to assertion
        block: record new size in bdrv_dirty_bitmap_truncate
        raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size
        vmdk: Use vmdk_find_index_in_cluster everywhere
        vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3cec7cc22f95ce31565e8e2c03b06a2f7ae8bc6f
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:46 2015 +0200

      audio: remove winwave audio driver

      DirectSound should be a superior choice on Windows.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 14382605da6bda74516f275695bd3345bc54c464
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:45 2015 +0200

      audio: remove fmod backend

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0bac111167e33838fa869cacd16f92e5899252b3
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:44 2015 +0200

      audio: remove esd backend

      ESD is no longer developed and replaced by PulseAudio.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 79cb1f1d698da5e1e183863aa3c8a91b2e750664
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Apr 20 16:15:20 2015 +0100

      linux-user: Use abi_ulong for TARGET_ELF_PAGESTART

      TARGET_ELF_PAGESTART is required to use abi_ulong to correctly handle
      addresses for different target bits width.
      This patch fixes a problem when running a 64-bit user mode application
      on 32-bit host machines.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 8be656b87c6bb1b9f8af3ff78094413d71e4443a
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed May 6 23:47:32 2015 +0200

      linux-user: Allocate thunk size dynamically

      We store all struct types in an array of static size without ever
      checking whether we overrun it. Of course some day someone (like me
      in another, ancient ALSA enabling patch set) will run into the limit
      without realizing it.

      So let's make the allocation dynamic. We already know the number of
      structs that we want to allocate, so we only need to pass the variable
      into the respective piece of code.

      Also, to ensure we don't accidently overwrite random memory, add some
      asserts to sanity check whether a thunk is actually part of our array.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 8aeaa055f5d3d4e87bf870892ba301eae57bdc1d
  Merge: 0a2df85 2db33f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 18:04:14 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Fri Jun 12 15:57:47 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        qemu-iotests: expand test 093 to support group throttling
        throttle: Update throttle infrastructure copyright
        throttle: add the name of the ThrottleGroup to BlockDeviceInfo
        throttle: acquire the ThrottleGroup lock in bdrv_swap()
        throttle: Add throttle group support
        throttle: Add throttle group infrastructure tests
        throttle: Add throttle group infrastructure
        throttle: Extract timers from ThrottleState into a separate structure
        raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size
        Revert "iothread: release iothread around aio_poll"

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 67251a311371c4d22e803f151f47fe817175b6c3
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 9 18:54:04 2015 +0200

      block: Fix reopen flag inheritance

      When reopening an image, the block layer already takes care to reopen
      bs->file as well with recalculated inherited flags. The same must happen
      for any other child (most notably missing before this patch: backing
      files).

      If bs->file (or any other child) didn't originally inherit from bs, e.g.
      because it was created separately and then only referenced, it must not
      inherit flags on reopen either, so check the inherited_from field before
      propagation the reopen down.

      VMDK already reopened its extents manually; this code can now be
      dropped.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit bddcec3745b0220d4a7eda700950812a94398668
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 9 18:47:50 2015 +0200

      block: Add BlockDriverState.inherits_from

      Currently, the block layer assumes that any block node can have only one
      parent, and if it has a parent, that it inherits some options/flags from
      this parent.

      This is not true any more: With references used in block device
      creation, a single node can be used by multiple parents, or it can be
      created separately and not inherit flags from any parent.

      To handle reopens correctly, a node must know from which parent it
      inherited options. This patch adds the information to BlockDriverState.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 6e93e7c41fdfdee3068770cae79380e1d986b76a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Apr 8 13:49:41 2015 +0200

      block: Add list of children to BlockDriverState

      This allows iterating over all children of a given BDS, not only
      including bs->file and bs->backing_hd, but also driver-specific
      ones like VMDK extents or Quorum children.

      For bdrv_swap(), the list of children of the swapped BDS stays at that
      BDS (because that's where the pointers stay as well). The list head
      moves and pointers to it must be fixed up therefore.

      The list of children in the parent of the swapped BDS is not affected by
      the swap. The contents of the BDS objects is swapped, so the existing
      pointer in the parent automatically points to the newly swapped in BDS.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit ae81693004fd95f7013e42811944707a92948d9a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jun 10 13:47:35 2015 +0200

      queue.h: Add QLIST_FIX_HEAD_PTR()

      If the head of a list has been moved to a different memory location, the
      le_prev link in the first list entry has to be fixed up. Provide a macro
      that implements this fixup.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 6ee4ce1ee75a651c246d926c2302281b51981f6d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jun 10 13:33:17 2015 +0200

      block: Drain requests before swapping nodes in bdrv_swap()

      bdrv_swap() requires that there are no requests in flight on either of
      the two devices. The request coroutine would work on the wrong
      BlockDriverState object (with bs->opaque even being interpreted as a
      different type potentially) and all sorts of bad things would result
      from this.

      The currently existing callers mostly ensure that there is no I/O
      pending on nodes that are swapped. In detail, this is:

      1. Live snapshots. This goes through qmp_transaction(), which calls
         bdrv_drain_all() before doing anything. The command is executed
         synchronously, so no new I/O can be issued concurrently.

      2. snapshot=on in bdrv_open(). We're in the middle of opening the image
         (both the original image and its temporary overlay), so there can't
         be any I/O in flight yet.

      3. Mirroring. bdrv_drain() is already used on the source device so that
         the mirror doesn't miss anything. However, the main loop runs between
         that and the bdrv_swap() (which is actually a bug, being addressed in
         another series), so there is a small window in which new I/O might be
         issued that would be in flight during bdrv_swap().

      It is safer to just drain the request queue of both devices in
      bdrv_swap() instead of relying on callers to do the right thing.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit f3930ed0bb1945b59da8e591072b5c79606d0760
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Apr 8 13:43:47 2015 +0200

      block: Move flag inheritance to bdrv_open_inherit()

      Instead of letting every caller of bdrv_open() determine the right flags
      for its child node manually and pass them to the function, pass the
      parent node and the role of the newly opened child (like backing file,
      protocol layer, etc.).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 18edf289a8951f3a48caff3b5fe17f2d414c2924
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 7 17:12:56 2015 +0200

      block: Use QemuOpts in bdrv_open_common()

      Instead of manually parsing options and then deleting them from the
      options QDict, just use QemuOpts like most other places that deal with
      block device options.

      More options will be added there and then QemuOpts is a lot more
      manageable than open-coding everything.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 54861b9280e95dd16c062b26a9d0adfe3608c63c
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 7 16:55:00 2015 +0200

      block: Use macro for cache option names

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>

  commit a646836784a0fc50fee6f9a0d3fb968289714128
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 7 15:35:59 2015 +0200

      vmdk: Use bdrv_open_image()

      Besides standardising on a single interface for opening child nodes,
      this patch allows the user to specify options to individual extent
      nodes. Overriding file names isn't possible with this yet, so it's of
      limited usefulness, but still a step forward.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit ea6828d81b34d42f407e8de28694d2751ee660a2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jan 21 18:49:28 2015 +0100

      quorum: Use bdrv_open_image()

      Besides standardising on a single interface for opening child nodes,
      this simplifies the .bdrv_open() implementation of the quorum block
      driver by using block layer functionality for handling BlockdevRefs.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>

  commit ef1919df26b9b094aa41733466b134111fcdbd36
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 28 17:37:55 2015 +0200

      check-qdict: Test cases for new functions

      This adds test cases for the following new QDict functions:

      * qdict_array_entries()
      * qdict_set_default_str()
      * qdict_copy_default()

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 7990d2c99c974ae8e3c3f719d8321ddc6eac93bc
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jan 19 21:22:45 2015 +0100

      qdict: Add qdict_{set,copy}_default()

      In the block layer functions that determine options for a child block
      device, it's a common pattern to either copy options from the parent's
      options or to set a default string if the option isn't explicitly set
      yet for the child. Provide convenience functions so that it becomes a
      one-liner for each option.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit bd50530a9f40f6560a03caeaaddd451e2ce90ed8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jan 21 17:15:44 2015 +0100

      qdict: Add qdict_array_entries()

      This counts the entries in a flattened array in a QDict without
      actually splitting the QDict into a QList.

      bdrv_open_image() doesn't take a QList, but rather a QDict and a key
      prefix string, so this is more convenient for block drivers which have a
      dynamically sized list of child nodes (e.g. Quorum) and are to be
      converted to using bdrv_open_image() as the standard interface for
      opening child nodes.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 0a2df857a7038c75379cc575de5d4be4c0ac629e
  Merge: 9faffeb fafa4d5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 15:39:05 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Fri Jun 12 13:57:20 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        qmp/hmp: add rocker device support
        rocker: bring link up/down on PHY enable/disable
        rocker: update tests using hw-derived interface names
        rocker: Add support for phys name
        iohandler: Change return type of qemu_set_fd_handler to "void"
        event-notifier: Always return 0 for posix implementation
        xen_backend: Remove unused error handling of qemu_set_fd_handler
        oss: Remove unused error handling of qemu_set_fd_handler
        alsaaudio: Remove unused error handling of qemu_set_fd_handler
        main-loop: Drop qemu_set_fd_handler2
        Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler
        tap: Drop tap_can_send
        net/socket: Drop net_socket_can_send
        netmap: Drop netmap_can_send
        l2tpv3: Drop l2tpv3_can_send
        stubs: Add qemu_set_fd_handler

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a68197ff5b11f5a58d48e485d16a36758aeca7f4
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Thu Mar 19 14:53:17 2015 -0400

      iotests: Add tests for overriding BDRV_O_PROTOCOL

      This adds tests for overriding the qemu-internal BDRV_O_PROTOCOL flag by
      explicitly specifying a block driver. As one test must be run over the
      NBD protocol while the other must not, this patch adds two separate
      iotests.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 53a295131274c87914c97053e2ca00f19a9c2efa
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Thu Mar 19 14:53:16 2015 -0400

      block: driver should override flags in bdrv_open()

      The BDRV_O_PROTOCOL flag should have an impact only if no driver is
      specified explicitly. Therefore, if bdrv_open() is called with an
      explicit block driver argument (either through the options QDict or
      through the drv parameter) and that block driver is a protocol block
      driver, BDRV_O_PROTOCOL should be set; if it is a format block driver,
      BDRV_O_PROTOCOL should be unset.

      While there was code to unset the flag in case a format block driver
      has been selected, it only followed the bdrv_fill_options() function
      call whereas the flag in fact needs to be adjusted before it is used
      there.

      With that change, BDRV_O_PROTOCOL will always be set if the BDS should
      be a protocol driver; if the driver has been specified explicitly, the
      new code will set it; and bdrv_fill_options() will only "probe" a
      protocol driver if BDRV_O_PROTOCOL is set. The probing after
      bdrv_fill_options() cannot select a protocol driver.

      Thus, bdrv_open_image() to open BDS.file is never called if a protocol
      BDS is about to be created. With that change in turn it is impossible to
      call bdrv_open_common() with a protocol drv and file != NULL, which
      allows us to remove the bdrv_swap() call.

      This change breaks a test case in qemu-iotest 051:
      "-drive file=t.qcow2,file.driver=qcow2" now works because the explicitly
      specified "qcow2" overrides the BDRV_O_PROTOCOL which is automatically
      set for the "file" BDS (and the filename is just passed down).
      Therefore, this patch removes that test case.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 06207b0ff596aa4bb192d1fafc593847ed888e39
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Jun 10 13:24:54 2015 -0400

      block: Change bitmap truncate conditional to assertion

      This is an artifact of an older version that had both all-bitmap and
      single-bitmap truncate functions, and some info got lost in the shuffle.

      Bitmaps can only be frozen during a backup operation, and a backup
      operation should prevent a resize operation, so just assert that this
      cannot happen.

      Suggested-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5270b6a0d0cf41e49d634007ace40f5dfc381940
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Jun 8 16:49:15 2015 -0400

      block: record new size in bdrv_dirty_bitmap_truncate

      ce1ffea8 neglected to update the BdrvDirtyBitmap structure
      itself for internal consistency. It's currently not an issue,
      but for migration and persistence series this will cause headaches.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b8684454e152ca2e100f4b59d80de2be27186206
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 9 10:45:16 2015 +0200

      raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size

      Image files with an unaligned image size have a final hole that starts
      at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is
      returned when checking the status of this sector. In qemu-img, this
      triggers an assertion failure.

      In order to fix this, one type for the sector that contains EOF must be
      found. Treating a hole as data is safe, so this patch rounds the
      calculated number of data sectors up, so that a partial sector at EOF is
      treated as a full data sector.

      This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Cole Robinson <crobinso@xxxxxxxxxx>

  commit 90df601f06de14f062d2e8dc1bc57f0decf86fd1
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:02:57 2015 +0800

      vmdk: Use vmdk_find_index_in_cluster everywhere

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 61f0ed1d54601b91b8195c1a30d7046f83283b40
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:02:56 2015 +0800

      vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status

      It has the similar issue with b1649fae49a8. Since the calculation
      is repeated for a few times already, introduce a function so it can be
      reused.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bc85ef265a0118d044ff62ae217c186cb08e0866
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Jun 1 18:09:19 2015 +0200

      qcow2: Add DEFAULT_L2_CACHE_CLUSTERS

      If a relatively large cluster size is chosen, the default of 1 MB L2
      cache is not really appropriate. In this case, unless overridden by the
      user, the default cache size should not be determined by its size in
      bytes but by the number of L2 tables (clusters) it is supposed to
      contain.

      Note that without this patch, MIN_L2_CACHE_SIZE will effectively take
      over the same role. However, providing space for just two L2 tables is
      not enough to be the default.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a4291eafc597c0944057930acf3e51d899f79c2e
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Jun 1 18:09:18 2015 +0200

      iotests: qcow2 COW with minimal L2 cache size

      This adds a test case to test 103 for performing a COW operation in a
      qcow2 image using an L2 cache with minimal size (which should be at
      least two clusters so the COW can access both source and destination
      simultaneously).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 57e216695948a79d9ced82fc217a37cce70fd986
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Jun 1 18:09:17 2015 +0200

      qcow2: Set MIN_L2_CACHE_SIZE to 2

      The L2 cache must cover at least two L2 tables, because during COW two
      L2 tables are accessed simultaneously.

      Reported-by: Alexander Graf <agraf@xxxxxxx>
      Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Tested-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9aa711d75030356f1e179b9f71780da5fd1a45bb
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue May 19 10:46:13 2015 +0000

      qemu-iotests: Fix 128 if sudo required

      If passwordless "sudo" works, use it in the qemu-io cmd.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ff793890faeb119c8dad53b7ed614407ff7b027a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 12:01:41 2015 -0400

      iotests: remove assertIsNotNone call

      RHEL6 doesn't have Python 2.7, so replace this call with
      assertNotEqual(x, None) which will work just as well.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9faffeb7772fddcb5d3fb2dbdcfe7e8a38f01637
  Merge: 4cb618a d218b28
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 14:31:13 2015 +0100

      Merge remote-tracking branch 'remotes/aurel/tags/pull-sh4-next-20150612' 
into staging

      sh4 linux-user cpu and hwcap
      misc optimizations and cleanup
      convert r2d to new MMIO accessor style

      # gpg: Signature made Fri Jun 12 11:28:43 2015 BST using RSA key ID 
1DDD8C9B
      # gpg: Good signature from "Aurelien Jarno <aurelien@xxxxxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurelien@xxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurel32@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 
8C9B

      * remotes/aurel/tags/pull-sh4-next-20150612:
        target-sh4: remove dead code
        target-sh4: factorize fmov implementation
        target-sh4: split out Q and M from of SR and optimize div1
        target-sh4: optimize negc using add2 and sub2
        target-sh4: optimize subc using sub2
        target-sh4: optimize addc using add2
        target-sh4: Split out T from SR
        target-sh4: use bit number for SR constants
        sh4/r2d: convert to new MMIO accessor style
        linux-user: Add HWCAP for SH4
        linux-user: Default sh4 to sh7785

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2db33f88d2b340c049c576ad75d442e4b6ffe768
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:48 2015 +0200

      qemu-iotests: expand test 093 to support group throttling

      This patch improves the test by attaching a different number of drives
      to the VM and putting them in the same throttling group. The test
      verifies that the I/O is evenly distributed among all members of the
      group, and that the limits are enforced.

      By default the test is repeated 3 times with 1, 2 and 3 drives, but
      the maximum number of simultaneous drives is configurable.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
513df1da5c658878191b579ebcddd985adcd4122.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a291d5d9b9940e1b07319041afc2c4b9285b9c48
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:47 2015 +0200

      throttle: Update throttle infrastructure copyright

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
07dcd4ed02f0110b13b3140f477b761b8bb8e270.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b8fe1694e506362706cde65d1bf55b23e62b150e
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:46 2015 +0200

      throttle: add the name of the ThrottleGroup to BlockDeviceInfo

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
172df91f09c69c6f0440a697bbd1b3f95b077ee4.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit db6283385cb708b9d589e5b57e96eab4afd0269e
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:45 2015 +0200

      throttle: acquire the ThrottleGroup lock in bdrv_swap()

      bdrv_swap() touches the fields of a BlockDriverState that are
      protected by the ThrottleGroup lock. Although those fields end up in
      their original place, they are temporarily swapped in the process,
      so there's a chance that an operation on a member of the same group
      happening on a different thread can try to use them.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
d92dc40d7c4f1fc5cda5cbbf4ffb7a4670b79d17.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 76f4afb40fa076ed23fe0ab42c7a768ddb71123f
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:44 2015 +0200

      throttle: Add throttle group support

      The throttle group support use a cooperative round robin scheduling
      algorithm.

      The principles of the algorithm are simple:
      - Each BDS of the group is used as a token in a circular way.
      - The active BDS computes if a wait must be done and arms the right
        timer.
      - If a wait must be done the token timer will be armed so the token
        will become the next active BDS.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
f0082a86f3ac01c46170f7eafe2101a92e8fde39.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1fee955f9cc5903b3c7f79bbd90929aefad583a6
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:43 2015 +0200

      throttle: Add throttle group infrastructure tests

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
ba7b9dc7fca43efbb31d5f3aad91a8dbdbea635b.1433779731.git.berto@xxxxxxxxxx
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2ff1f2e3a39daf4a401a8904d00b29ea8c450463
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:42 2015 +0200

      throttle: Add throttle group infrastructure

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
2fdb4de17210b733a13eb472c33cd08b45f8fd21.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0e5b0a2d54f4dca2f6d1a676da8ec089dc143001
  Author: Benoît Canet <benoit.canet@xxxxxxxxxxxx>
  Date:   Mon Jun 8 18:17:41 2015 +0200

      throttle: Extract timers from ThrottleState into a separate structure

      Group throttling will share ThrottleState between multiple bs.
      As a consequence the ThrottleState will be accessed by multiple aio
      context.

      Timers are tied to their aio context so they must go out of the
      ThrottleState structure.

      This commit paves the way for each bs of a common ThrottleState to
      have its own timer.

      Signed-off-by: Benoit Canet <benoit.canet@xxxxxxxxxxxx>
      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
6cf9ea96d8b32ae2f8769cead38f68a6a0c8c909.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f4a769abaa51badea666093077c50c568c35de17
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 9 10:55:08 2015 +0200

      raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size

      Image files with an unaligned image size have a final hole that starts
      at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is
      returned when checking the status of this sector. In qemu-img, this
      triggers an assertion failure.

      In order to fix this, one type for the sector that contains EOF must be
      found. Treating a hole as data is safe, so this patch rounds the
      calculated number of data sectors up, so that a partial sector at EOF is
      treated as a full data sector.

      This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1433840108-9996-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit da5e1de95bb235330d7724316e7a29239d1359d5
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jun 3 10:15:33 2015 +0100

      Revert "iothread: release iothread around aio_poll"

      This reverts commit a0710f7995f914e3044e5899bd8ff6c43c62f916.

      In qemu-devel email message <556DBF87.2020908@xxxxxxxxxx>, Christian
      Borntraeger writes:

        Having many guests all with a kernel/ramdisk (via -kernel) and
        several null block devices will result in hangs. All hanging
        guests are in partition detection code waiting for an I/O to return
        so very early maybe even the first I/O.

        Reverting that commit "fixes" the hangs.

      Reverting this commit for the 2.4 release.  More time is needed to
      investigate and correct this patch.

      Reported-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Suggested-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fafa4d508b42a70a59a6bd647a2c0cfad86246c3
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jun 10 18:21:21 2015 -0700

      qmp/hmp: add rocker device support

      Add QMP/HMP support for rocker devices.  This is mostly for debugging 
purposes
      to see inside the device's tables and port configurations.  Some examples:

      (qemu) info rocker sw1
      name: sw1
      id: 0x0000013512005452
      ports: 4

      (qemu) info rocker-ports sw1
                  ena/    speed/ auto
            port  link    duplex neg?
           sw1.1  up     10G  FD  No
           sw1.2  up     10G  FD  No
           sw1.3  !ena   10G  FD  No
           sw1.4  !ena   10G  FD  No

      (qemu) info rocker-of-dpa-flows sw1
      prio tbl hits key(mask) --> actions
      2    60       pport 1 vlan 1 LLDP src 00:02:00:00:02:00 dst 
01:80:c2:00:00:0e
      2    60       pport 1 vlan 1 ARP src 00:02:00:00:02:00 dst 
00:02:00:00:03:00
      2    60       pport 2 vlan 2 IPv6 src 00:02:00:00:03:00 dst 
33:33:ff:00:00:02 proto 58
      3    50       vlan 2 dst 33:33:ff:00:00:02 --> write group 0x32000001 
goto tbl 60
      2    60       pport 2 vlan 2 IPv6 src 00:02:00:00:03:00 dst 
33:33:ff:00:03:00 proto 58
      3    50  1    vlan 2 dst 33:33:ff:00:03:00 --> write group 0x32000001 
goto tbl 60
      2    60       pport 2 vlan 2 ARP src 00:02:00:00:03:00 dst 
00:02:00:00:02:00
      3    50  2    vlan 2 dst 00:02:00:00:02:00 --> write group 0x02000001 
goto tbl 60
      2    60  1    pport 2 vlan 2 IP src 00:02:00:00:03:00 dst 
00:02:00:00:02:00 proto 1
      3    50  2    vlan 1 dst 00:02:00:00:03:00 --> write group 0x01000002 
goto tbl 60
      2    60  1    pport 1 vlan 1 IP src 00:02:00:00:02:00 dst 
00:02:00:00:03:00 proto 1
      2    60       pport 1 vlan 1 IPv6 src 00:02:00:00:02:00 dst 
33:33:ff:00:00:01 proto 58
      3    50       vlan 1 dst 33:33:ff:00:00:01 --> write group 0x31000000 
goto tbl 60
      2    60       pport 1 vlan 1 IPv6 src 00:02:00:00:02:00 dst 
33:33:ff:00:02:00 proto 58
      3    50  1    vlan 1 dst 33:33:ff:00:02:00 --> write group 0x31000000 
goto tbl 60
      1    60  173  pport 2 vlan 2 LLDP src <any> dst 01:80:c2:00:00:0e --> 
write group 0x02000000
      1    60  6    pport 2 vlan 2 IPv6 src <any> dst <any> --> write group 
0x02000000
      1    60  174  pport 1 vlan 1 LLDP src <any> dst 01:80:c2:00:00:0e --> 
write group 0x01000000
      1    60  174  pport 2 vlan 2 IP src <any> dst <any> --> write group 
0x02000000
      1    60  6    pport 1 vlan 1 IPv6 src <any> dst <any> --> write group 
0x01000000
      1    60  181  pport 2 vlan 2 ARP src <any> dst <any> --> write group 
0x02000000
      1    10  715  pport 2 --> apply new vlan 2 goto tbl 20
      1    60  177  pport 1 vlan 1 ARP src <any> dst <any> --> write group 
0x01000000
      1    60  174  pport 1 vlan 1 IP src <any> dst <any> --> write group 
0x01000000
      1    10  717  pport 1 --> apply new vlan 1 goto tbl 20
      1    0   1432 pport 0(0xffff) --> goto tbl 10

      (qemu) info rocker-of-dpa-groups sw1
      id (decode) --> buckets
      0x32000001 (type L2 multicast vlan 2 index 1) --> groups 
[0x02000001,0x02000000]
      0x02000001 (type L2 interface vlan 2 pport 1) --> pop vlan out pport 1
      0x01000002 (type L2 interface vlan 1 pport 2) --> pop vlan out pport 2
      0x02000000 (type L2 interface vlan 2 pport 0) --> pop vlan out pport 0
      0x01000000 (type L2 interface vlan 1 pport 0) --> pop vlan out pport 0
      0x31000000 (type L2 multicast vlan 1 index 0) --> groups 
[0x01000002,0x01000000]

      [Added "query-" prefixes to rocker.json commands as suggested by Eric
      Blake <eblake@xxxxxxxxxx>.
      --Stefan]

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1433985681-56138-5-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5ff1547b756a820bc7b695fe393b25d82467d1fe
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jun 10 18:21:20 2015 -0700

      rocker: bring link up/down on PHY enable/disable

      When the OS driver enables/disables the port, go ahead and set the port's
      link status to up/down in response to the change.  This more closely
      emulates real hardware when the PHY for the port is brought up/down
      and the PHY negotiates carrier (link status) with link partner.  In
      the case of qemu, the virtual rocker device can't really do link
      negotiation with the link partner as that requires signally over a
      physical medium (the wire), so just pretend the negotiation was
      successful and bring the link up when the port is enabled.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1433985681-56138-4-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 73da0232098a69d06ce0d49ad8751b7c5e8b9448
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jun 10 18:21:19 2015 -0700

      rocker: update tests using hw-derived interface names

      With previous patch to support phy name attribute for each port, the OS
      can name port interfaces using the hw-derived name.  So update rocker
      tests to use the new hw-derived interface names.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1433985681-56138-3-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 773495364ffbfc6a4d1e13e24e932f96409ba1d3
  Author: David Ahern <dsahern@xxxxxxxxx>
  Date:   Wed Jun 10 18:21:18 2015 -0700

      rocker: Add support for phys name

      Add ROCKER_TLV_CMD_PORT_SETTINGS_PHYS_NAME to port settings. This 
attribute
      exports the port name to the guest OS allowing it to name interfaces with
      sensible defaults.

      Mostly done by Scott for phys_id support; adapted to phys_name by David.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
      Message-id: 1433985681-56138-2-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f4d248bdc33167ab9e91b1470ef47a61dffd0b38
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:24 2015 +0800

      iohandler: Change return type of qemu_set_fd_handler to "void"

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-14-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1e354528bdaf9671ffc94e531e6967233abe7b8f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:23 2015 +0800

      event-notifier: Always return 0 for posix implementation

      qemu_set_fd_handler cannot fail, let's always return 0.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-13-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6b5166f8a82888638bb9aba9dc49aa7fa25f292f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:22 2015 +0800

      xen_backend: Remove unused error handling of qemu_set_fd_handler

      The function cannot fail, so the check is superfluous.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-12-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b027a538c6790bcfc93ef7f4819fe3e581445959
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:21 2015 +0800

      oss: Remove unused error handling of qemu_set_fd_handler

      The function cannot fail, so the check is superfluous.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-11-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit be93f216278d84d283187c95cef16c0b60b711b8
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:20 2015 +0800

      alsaaudio: Remove unused error handling of qemu_set_fd_handler

      The function cannot fail, so the check is superfluous.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-10-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6484e422479c93f28e3f8a68258b0eacd3b31e6d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:19 2015 +0800

      main-loop: Drop qemu_set_fd_handler2

      All users are converted to qemu_set_fd_handler now, drop
      qemu_set_fd_handler2 and IOHandlerRecord.fd_read_poll.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-9-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 82e1cc4bf91a2e1c3b62297b10b0ab1d93adfc45
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:18 2015 +0800

      Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler

      Done with following Coccinelle semantic patch, plus manual cosmetic 
changes in
      net/*.c.

          @@
          expression E1, E2, E3, E4;
          @@
          -   qemu_set_fd_handler2(E1, NULL, E2, E3, E4);
          +   qemu_set_fd_handler(E1, E2, E3, E4);

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-8-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a90a7425cf592a3afeff3eaf32f543b83050ee5c
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:17 2015 +0800

      tap: Drop tap_can_send

      This callback is called by main loop before polling s->fd, if it returns
      false, the fd will not be polled in this iteration.

      This is redundant with checks inside read callback. After this patch,
      the data will be sent to peer when it arrives. If the device can't
      receive, it will be queued to incoming_queue, and when the device status
      changes, this queue will be flushed.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-7-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6e99c631f116221d169ea53953d91b8aa74d297a
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:16 2015 +0800

      net/socket: Drop net_socket_can_send

      This callback is called by main loop before polling s->fd, if it returns
      false, the fd will not be polled in this iteration.

      This is redundant with checks inside read callback. After this patch,
      the data will be sent to peer when it arrives. If the device can't
      receive, it will be queued to incoming_queue, and when the device status
      changes, this queue will be flushed.

      If the peer is not ready, disable the read poll until send completes.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-6-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e8dd1d9c396104f0fac4b39a701143df49df2a74
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:15 2015 +0800

      netmap: Drop netmap_can_send

      This callback is called by main loop before polling s->fd, if it returns
      false, the fd will not be polled in this iteration.

      This is redundant with checks inside read callback. After this patch,
      the data will be copied from s->fd to s->iov when it arrives. If the
      device can't receive, it will be queued to incoming_queue, and when the
      device status changes, this queue will be flushed.

      Also remove the qemu_can_send_packet() check in netmap_send. If it's
      true, we are good; if it's false, the qemu_sendv_packet_async would
      return 0 and read poll will be disabled until netmap_send_completed is
      called.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-5-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 95b1416ae93106923f733941e52dfe55c4318643
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:14 2015 +0800

      l2tpv3: Drop l2tpv3_can_send

      This callback is called by main loop before polling s->fd, if it returns
      false, the fd will not be polled in this iteration.

      This is redundant with checks inside read callback. After this patch,
      the data will be copied from s->fd to s->msgvec when it arrives. If the
      device can't receive, it will be queued to incoming_queue, and when the
      device status changes, this queue will be flushed.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0bc12c4f7e8b5ff0f83908bdef0c247f1ca1a9d8
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:12 2015 +0800

      stubs: Add qemu_set_fd_handler

      Some qemu_set_fd_handler2 stub callers will be converted to
      call qemu_set_fd_handler, add this stub for them before making the
      change.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4cb618abc1818586c08011ff0a84a015787b1672
  Merge: a4ef02f 6773f9b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 12:49:40 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150612' into 
staging

      MIPS patches 2015-06-12

      Changes:
      * improve dp8393x network card and rc4030 chipset emulation
      * support misaligned R6 and MSA memory accesses
      * support MIPS eXtended and Large Physical Addressing
      * add Config5.FRE bit and ERETNC instruction (Config5.LLB)
      * support ememsize on MALTA

      # gpg: Signature made Fri Jun 12 09:38:11 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150612: (29 commits)
        target-mips: enable XPA and LPA features
        target-mips: remove misleading comments in translate_init.c
        target-mips: add MTHC0 and MFHC0 instructions
        target-mips: add CP0.PageGrain.ELPA support
        target-mips: support Page Frame Number Extension field
        target-mips: extend selected CP0 registers to 64-bits in MIPS32
        target-mips: correct MFC0 for CP0.EntryLo in MIPS64
        net/dp8393x: fix hardware reset
        net/dp8393x: correctly reset in_use field
        net/dp8393x: add load/save support
        net/dp8393x: add PROM to store MAC address
        net/dp8393x: QOM'ify
        net/dp8393x: use dp8393x_ prefix for all functions
        net/dp8393x: do not use old_mmio accesses
        net/dp8393x: always calculate proper checksums
        dma/rc4030: convert to QOM
        dma/rc4030: use trace events instead of custom logging
        dma/rc4030: document register at offset 0x210
        dma/rc4030: do not use old_mmio accesses
        dma/rc4030: use AddressSpace and address_space_rw in users
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a4ef02fd9b3d12b105b56942166c8364ade9be0f
  Merge: d8e3b72 4fa3dd1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 11:06:03 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150612' into staging

      migration/next for 20150612

      # gpg: Signature made Fri Jun 12 05:56:21 2015 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150612: (21 commits)
        Remove unneeded memset
        Rename RDMA structures to make destination clear
        Teach analyze-migration.py about section footers
        Add a protective section footer
        Disable section footers on older machine types
        Merge section header writing
        Move loadvm_handlers into MigrationIncomingState
        Move copy out of qemu_peek_buffer
        Create MigrationIncomingState
        qemu_ram_foreach_block: pass up error value, and down the ramblock name
        Split header writing out of qemu_savevm_state_begin
        Add qemu_get_counted_string to read a string prefixed by a count byte
        migration: Use normal VMStateDescriptions for Subsections
        migration: create savevm_state
        migration: Remove duplicated assignment of SETUP status
        rdma: Fix qemu crash when IPv6 address is used for migration
        arch_init: Clean up the duplicate variable 'len' defining in ram_load()
        migration: reduce include files
        migration: Add myself to the copyright list of both files
        migration: move savevm.c inside migration/
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d218b28d28b8f4de297bfd35c082b22f153cf0df
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: remove dead code

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 91b4d29f4eecab14c5f8888ecd7b3a740ad80b7c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: factorize fmov implementation

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 1d565b21e1aecbb0da6589f3c4ea83c9c788ad63
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: split out Q and M from of SR and optimize div1

      Splitting Q and M out of SR, it's possible to optimize div1 by using
      TCG code instead of an helper.

      At the same time removed the now unused gen_copy_bit_i32 function.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 60eb27fe4951fbe6cf5e24cc3d6df7e97c43a909
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: optimize negc using add2 and sub2

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit d0f44a55fa321e042bd6b2a0fa25ac48864b7a25
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: optimize subc using sub2

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit a2368e01c95a093d250a0e5d3cef53dddf642f1e
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: optimize addc using add2

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 34086945254c035a03e01e472d99e4524a2f2416
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: Split out T from SR

      In preparation for more efficient setting of this field.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 5ed9a259c164bb9fd2a6fe8a363a4bda2e4a5461
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: use bit number for SR constants

      Use the bit number for SR constants instead of using a bit mask. This
      make possible to also use the constants for shifts.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 563807520ff19e6ed2d40695f543f1fba7ba432f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:16:43 2015 +0200

      sh4/r2d: convert to new MMIO accessor style

      The documentation is clear to use 16-bit accesses for all registers.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit e42fd944f02dda893fc8773959d6db75f2a49367
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat May 23 15:06:54 2015 -0700

      linux-user: Add HWCAP for SH4

      Only exposing FPU and LLSC as the only features
      supported by the translator.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 91c45a38f282b970f443f8e9d6bdb6ffaa00dfbf
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat May 23 15:06:53 2015 -0700

      linux-user: Default sh4 to sh7785

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 7a4dfd1e4a741991df1acf31672b391648e0aa0c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 13:04:17 2014 +0200

      virtio-vga: add vgabios configuration

      Add seavgabios configuration for virtio-vga,
      hook up the new vgabios in the makefiles.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit a94f0c5ca2f0e3dba4a64f40c9d2e1149017d81d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 14:28:48 2014 +0200

      virtio-vga: add '-vga virtio' support

      Some convinience fluff:  Add support for '-vga virtio', also add
      virtio-vga to the list of vga cards so '-device virtio-vga' will
      turn off the default vga.

      Written by Dave Airlie and Gerd Hoffmann.

      Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c5d4dac86b61070c078a7b35e25f56d2c8bff508
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 14:25:45 2014 +0200

      virtio-vga: add virtio gpu device with vga compatibility

      This patch adds a virtio-vga device.  It is simliar to virtio-gpu-pci,
      but it also adds in vga compatibility, so guests without native
      virtio-gpu support can drive the device in vga mode.  It is compatible
      with stdvga.

      Written by Dave Airlie and Gerd Hoffmann.

      Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 9eafb62d47ac1c8c2d431e1b4829445444ccc2ee
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 14:20:34 2014 +0200

      virtio-gpu-pci: add virtio pci support

      This patch adds virtio-gpu-pci, which is the pci proxy for the virtio
      gpu device.  With this patch in place virtio-gpu is functional.  You
      need a linux guest with a virtio-gpu driver though, and output will
      appear pretty late in boot, once the kernel initialized drm and fbcon.

      Written by Dave Airlie and Gerd Hoffmann.

      Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2c84167b4efa4a0e81946ef624e96005396e14b2
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Mar 17 08:56:18 2015 +0100

      virtio-gpu: fix error message

      iov limit was raised, but the error message still has the old limit ...

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6773f9b687e0a8ab4b638ef88d075fb233fb7669
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 14 10:33:43 2015 +0100

      target-mips: enable XPA and LPA features

      Enable XPA in MIPS32R5-generic and LPA in MIPS64R6-generic.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 28b027d5b63c7550c7390041d6dd50948c8f55b8
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 14 10:33:35 2015 +0100

      target-mips: remove misleading comments in translate_init.c

      PABITS are not hardcoded to 36 bits and we do not model 59 PABITS (which 
is
      the architectural limit) in QEMU.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 5204ea79ea739b557f47fc4db96c94edcb33a5d6
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Sep 11 16:28:17 2014 +0100

      target-mips: add MTHC0 and MFHC0 instructions

      Implement MTHC0 and MFHC0 instructions. In MIPS32 they are used to access
      upper word of extended to 64-bits CP0 registers.

      In MIPS64, when CP0 destination register specified is the EntryLo0 or
      EntryLo1, bits 1:0 of the GPR appear at bits 31:30 of EntryLo0 or
      EntryLo1. This is to compensate for RI and XI, which were shifted to bits
      63:62 by MTC0 to EntryLo0 or EntryLo1. Therefore creating separate
      functions for EntryLo0 and EntryLo1.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit e117f52636d04502fab28bd3abe93347c29f39a5
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 14 10:09:38 2015 +0100

      target-mips: add CP0.PageGrain.ELPA support

      CP0.PageGrain.ELPA enables support for large physical addresses. This 
field
      is encoded as follows:
      0: Large physical address support is disabled.
      1: Large physical address support is enabled.

      If this bit is a 1, the following changes occur to coprocessor 0 
registers:
      - The PFNX field of the EntryLo0 and EntryLo1 registers is writable and
        concatenated with the PFN field to form the full page frame number.
      - Access to optional COP0 registers with PA extension, LLAddr, TagLo is
        defined.

      P5600 can operate in 32-bit or 40-bit Physical Address Mode. Therefore if
      XPA is disabled (CP0.PageGrain.ELPA = 0) then assume 32-bit Address Mode.
      In MIPS64 assume 36 as default PABITS (when CP0.PageGrain.ELPA = 0).

      env->PABITS value is constant and indicates maximum PABITS available on
      a core, whereas env->PAMask is calculated from env->PABITS and is also
      affected by CP0.PageGrain.ELPA.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit cd0d45c40133ef8b409aede5ad8a99aeaf6a70fe
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Sep 11 16:28:16 2014 +0100

      target-mips: support Page Frame Number Extension field

      Update tlb->PFN to contain PFN concatenated with PFNX. PFNX is 0 if large
      physical address is not supported.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 284b731a6ae47b9ebabb9613e753c4d83cf75dd3
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Jun 9 17:14:13 2015 +0100

      target-mips: extend selected CP0 registers to 64-bits in MIPS32

      Extend EntryLo0, EntryLo1, LLAddr and TagLo from 32 to 64 bits in MIPS32.

      Introduce gen_move_low32() function which moves low 32 bits from 64-bit
      temp to GPR; it sign extends 32-bit value on MIPS64 and truncates on
      MIPS32.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit b435f3f3d174721382b55bbd0c785ec50c1796a9
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Mar 20 12:06:10 2015 +0000

      target-mips: correct MFC0 for CP0.EntryLo in MIPS64

      CP0.EntryLo bits 31:30 have to be cleared.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 4fa3dd17dc29c316726f0d4a354a4d895e130c73
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Mon Apr 20 16:57:21 2015 +0100

      Remove unneeded memset

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a97270ad5d6dd0382ecb4568674226c8463e59fb
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Mon Apr 20 16:57:16 2015 +0100

      Rename RDMA structures to make destination clear

      RDMA has two data types that are named confusingly;
         RDMALocalBlock (pointed to indirectly by local_ram_blocks)
         RDMARemoteBlock (pointed to by block in RDMAContext)

      RDMALocalBlocks, as the name suggests is a data strucuture that
      represents the RDMAable RAM Blocks on the current side of the migration
      whichever that is.

      RDMARemoteBlocks is always the shape of the RAMBlocks on the
      destination, even on the destination.

      Rename:
           RDMARemoteBlock -> RDMADestBlock
           context->'block' -> context->dest_blocks

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 73d9a7961ab1b083fb2095413a3bd091e35f4369
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue May 19 12:29:53 2015 +0100

      Teach analyze-migration.py about section footers

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f68945d42bab700d95b87f62e0898606ce2421ed
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue May 19 12:29:52 2015 +0100

      Add a protective section footer

      Badly formatted migration streams can go undetected or produce
      misleading errors due to a lock of checking at the end of sections.
      In particular a section that adds an extra 0x00 at the end
      causes what looks like a normal end of stream and thus doesn't produce
      any errors, and something that ends in a 0x01..0x04 kind of look
      like real section headers and then fail when the section parser tries
      to figure out which section they are.  This is made worse by the
      choice of 0x00..0x04 being small numbers that are particularly common
      in normal section data.

      This patch adds a section footer consisting of a marker (0x7e - ~)
      followed by the section-id that was also sent in the header.  If
      they mismatch then it throws an error explaining which section was
      being loaded.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 37fb569c0198cba58e3e1bdf6b9702c8248b89dd
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue May 19 12:29:51 2015 +0100

      Disable section footers on older machine types

      The next patch adds section footers; but we don't want to
      break migration compatibility so disable them on older
      machine types

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit ce39bfc9186005d222a78db4a7fbdc83e2d62481
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue May 19 12:29:50 2015 +0100

      Merge section header writing

      The header writing for device sections is open coded in
      a few places, merge it into one.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1a8f46f8d61ef885ff9d0bda251e4e9830c932ef
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:16 2015 +0100

      Move loadvm_handlers into MigrationIncomingState

      In postcopy we need the loadvm_handlers to be used in a couple
      of different instances of the loadvm loop/routine, and thus
      it can't be local any more.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7c1e52ba6f3994dc127118f491258ce84d0beb52
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:15 2015 +0100

      Move copy out of qemu_peek_buffer

      qemu_peek_buffer currently copies the data it reads into a buffer,
      however a future patch wants access to the buffer without the copy,
      hence rework to remove the copy to the layer above.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit bca7856ae8220d9f15ff0f44b97397529e26a552
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:14 2015 +0100

      Create MigrationIncomingState

      There are currently lots of pieces of incoming migration state scattered
      around, and postcopy is adding more, and it seems better to try and keep
      it together.

      allocate MIS in process_incoming_migration_co

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e3807054e20fb3b94d18cb751c437ee2f43b6fac
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:13 2015 +0100

      qemu_ram_foreach_block: pass up error value, and down the ramblock name

      check the return value of the function it calls and error if it's non-0
      Fixup qemu_rdma_init_one_block that is the only current caller,
        and rdma_add_block the only function it calls using it.

      Pass the name of the ramblock to the function; helps in debugging.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f796baa1b3efcf105ba3a465f797e05ac2b3dcfc
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:12 2015 +0100

      Split header writing out of qemu_savevm_state_begin

      Split qemu_savevm_state_begin to:
        qemu_savevm_state_header   That writes the initial file header.
        qemu_savevm_state_begin    That sets up devices and does the first
                                   device pass.

      Used later in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit b3af1bc9d21e6bec7dfd283d91b465c9f815b6d6
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:11 2015 +0100

      Add qemu_get_counted_string to read a string prefixed by a count byte

      and use it in loadvm_state and ram_load.

      Where ever it's used, check the return and error if it failed.

      Minor: ram_load was using a 257 byte array for its string, the
             maximum length is 255 bytes + 0 terminator, so fix to 256

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 5cd8cadae8db905afcbf877cae568c27d1d55a8a
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Sep 23 14:09:54 2014 +0200

      migration: Use normal VMStateDescriptions for Subsections

      We create optional sections with this patch.  But we already have
      optional subsections.  Instead of having two mechanism that do the
      same, we can just generalize it.

      For subsections we just change:

      - Add a needed function to VMStateDescription
      - Remove VMStateSubsection (after removal of the needed function
        it is just a VMStateDescription)
      - Adjust the whole tree, moving the needed function to the corresponding
        VMStateDescription

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 0163a2e025cda6acb33e100d296965671ace17d9
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 13 13:37:04 2015 +0200

      migration: create savevm_state

      This way, we will put savevm global state here, instead of lots of 
variables.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit e45a1ebfc65fb23be8cddb684d97eaa92725484d
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 20 17:14:28 2015 +0200

      migration: Remove duplicated assignment of SETUP status

      We assign the MIGRATION_STATUS_SETUP status in two places.  Just in
      succession.  Just remove the second one.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 5b61d5752156dcbbe2bf1366c877a676ed9f8f51
  Author: Padmanabh Ratnakar <padmanabh.ratnakar@xxxxxxxxxxxxx>
  Date:   Wed Jun 3 04:44:10 2015 +0530

      rdma: Fix qemu crash when IPv6 address is used for migration

      Qemu crashes when IPv6 address is specified for migration and access
      to any RDMA uverbs device available on the system is blocked using 
cgroups.
      Fix the crash by checking the return value of ibv_open_device routine.

      Signed-off-by: Meghana Cheripady <meghana.cheripady@xxxxxxxxxxxxx>
      Signed-off-by: Padmanabh Ratnakar <padmanabh.ratnakar@xxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 5ee6926582cca64238967b2d00d870265cdb10b8
  Author: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
  Date:   Fri May 15 17:00:03 2015 +0800

      arch_init: Clean up the duplicate variable 'len' defining in ram_load()

      There are two places that define 'len' variable, It's OK for compiling,
      but makes it difficult for reading.

      Remove the local one which defined in the inside 'while' loop.

      Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7205c9ec525fe375dd34c0f116c36dc4aab4c0f7
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri May 8 13:54:36 2015 +0200

      migration: reduce include files

      To make changes easier, with the copy, I maintained almost all include
      files.  Now I remove the unnecessary ones on this patch.  This compiles
      on linux x64 with all architectures configured, and cross-compiles for
      windows 32 and 64 bits.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 76cc7b587f1cd1679821e034a2d9974af9bc7d2b
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri May 8 13:20:21 2015 +0200

      migration: Add myself to the copyright list of both files

      If anyone feels like adding himself to the list, just sent me a patch.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c3049a56d69f1ee7e85b5100ba5d0e3dc69a14f1
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri May 8 12:49:01 2015 +0200

      migration: move savevm.c inside migration/

      Now, everything is in place.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 56e93d26b85bac76b93211393163c2ebcdee9481
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Thu May 7 19:33:31 2015 +0200

      migration: move ram stuff to migration/ram

      For historic reasons, ram migration have been on arch_init.c.  Just
      split it into migration/ram.c, the same that happened with block.c.

      There is only code movement, no changes altogether.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 795dc6e46d953d70b4b7ddd3f4956f8f4b9d8565
  Author: Mao Chuan Li <maochuan@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Feb 5 18:28:36 2015 +0800

      watchdog: Add new Virtual Watchdog action INJECT-NMI

      This patch allows QEMU to inject a NMI into a guest when the
      watchdog expires.

      Signed-off-by: Mao Chuan Li <maochuan@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit f9a535e089abcbc7ac99db83c8c6e4644e395b12
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Feb 5 18:28:35 2015 +0800

      nmi: Implement inject_nmi() for non-monitor context use

      Let's introduce a general "inject_nmi()" function that doesn't rely on 
the cpu
      index of the monitor, but uses cpu index 0 as default (except for x86).
      This function can then later be used from a non-monitor context.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      CC: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit d67f5fe63caa0f707fa91c760508c340e050b6f0
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Feb 5 18:28:34 2015 +0800

      s390x/watchdog: diag288 migration support

      Add vmstate structure to keep state and data during migration.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 8fc639af4b62930671b6988c1f7eedf9e7c9f7bc
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jun 11 13:55:26 2015 +0200

      s390x/kvm: diag288 instruction interception and handling

      Intercept the diag288 requests from kvm guests, and hand the
      requested command to the diag288 watchdog device for further
      handling.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 188f24c2c149bcb0088c6317e99e09afc007de34
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Feb 5 18:28:32 2015 +0800

      s390x/watchdog: introduce diag288 watchdog device

      This patch introduces a new diag288 watchdog device that will, just like
      other watchdogs, monitor a guest and take corresponding actions when it
      detects that the guest is not responding.

      diag288 is s390x specific. The wiring to s390x KVM will be done in
      separate patches.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      [split out qemu-option.hx base changes]

  commit d7933ef3ac81149a51ba43ddac9fe70405008aba
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jun 11 17:32:05 2015 +0200

      watchdog: change option wording to allow for more watchdogs

      We will introduce a new watchdog for s390x. Lets adopt
      qemu-options.hx to allow more watchdog devices.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      [split out qemu-option.hx base changes]

  commit d8e3b729cf452d2689c8669f1ec18158db29fd5a
  Merge: afa25c4 4ebc736
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 11 15:33:38 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc, acpi, virtio

      Most notably this includes virtio 1 patches
      Still not all devices converted, and not fully spec compliant,
      so disabled by default.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu Jun 11 12:53:08 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (42 commits)
        i386/acpi-build: fix PXB workarounds for unsupported BIOSes
        i386/acpi-build: more traditional _UID and _HID for PXB root buses
        vhost-scsi: move qdev properties into vhost-scsi.c
        virtio-9p-device: move qdev properties into virtio-9p-device.c
        virtio-serial-bus: move qdev properties into virtio-serial-bus.c
        virtio-rng: move qdev properties into virtio-rng.c
        virtio-scsi: move qdev properties into virtio-scsi.c
        virtio-net.h: Remove unsed DEFINE_VIRTIO_NET_PROPERTIES
        virtio-net: move qdev properties into virtio-net.c
        virtio-input: emulated devices [pci]
        virtio-input: core code & base class [pci]
        pci: add PCI_CLASS_INPUT_*
        virtio-pci: fill VirtIOPCIRegions early.
        virtio-pci: drop identical virtio_pci_cap
        virtio-pci: move cap type to VirtIOPCIRegion
        virtio-pci: move virtio_pci_add_mem_cap call to 
virtio_pci_modern_region_map
        virtio-pci: add virtio_pci_modern_region_map()
        virtio-pci: add virtio_pci_modern_regions_init()
        virtio-pci: add struct VirtIOPCIRegion for virtio-1 regions
        virtio-balloon: switch to virtio_add_feature
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit afa25c4bb5bd0732dca4aa0691fd4682d242925f
  Merge: 0b70743 08d49df
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 11 14:40:25 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-20150611-1' 
into staging

      sdl2: fix crash in handle_windowevent() when restoring the screen size

      # gpg: Signature made Thu Jun 11 08:57:38 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-sdl-20150611-1:
        sdl2: fix crash in handle_windowevent() when restoring the screen size

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0b70743d4f4f260b2fe6ed53fecc6bc6cda13910
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Thu Jun 11 09:44:40 2015 +0100

      hw/vfio/platform: replace g_malloc0_n by g_new0

      g_malloc0_n() is introduced since glib-2.24 while QEMU currently
      requires glib-2.22. This may cause a link error on some distributions.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Acked-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 169b71331eaff7a28e3d4fabe8733e7db91f01aa
  Merge: 39e16a5 5a9259a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 11 12:12:58 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150611-1' 
into staging

      spice: fix segfault in qemu_spice_create_update, ui_info tweaks.

      # gpg: Signature made Thu Jun 11 08:48:49 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150611-1:
        spice: ui_info tweaks
        spice-display: fix segfault in qemu_spice_create_update

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4ebc736e9938a7e88ecc785734b17145bf802a56
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 11 02:37:59 2015 +0200

      i386/acpi-build: fix PXB workarounds for unsupported BIOSes

      The patch

        apci: fix PXB behaviour if used with unsupported BIOS

      uses the following condition to see if a "PXB mem/IO chunk" has *not* been
      configured by the BIOS:

        (!range_base || range_base > range_limit)

      When this condition evaluates to true, said patch *omits* the
      corresponding entry from the _CRS.

      Later on the patch checks for the opposite condition (with the intent of
      *adding* entries to the _CRS if the "PXB mem/IO chunks" *have* been
      configured). Unfortunately, the condition was negated incorrectly: only
      the first ! operator was removed, which led to the nonsensical expression

        (range_base || range_base > range_limit)

      leading to bogus entries in the _CRS, and causing BSOD in Windows Server
      2012 R2 when it runs on OVMF.

      The correct negative of the condition seen at the top is

        (range_base && range_base <= range_limit)

      Fix the expressions.

      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c96d9286a6d70452e5fa4f1e3f840715e325be95
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 11 02:37:58 2015 +0200

      i386/acpi-build: more traditional _UID and _HID for PXB root buses

      The ACPI specification permits the _HID and _UID objects to evaluate to
      strings. (See "6.1.5 _HID (Hardware ID)" and "6.1.12 _UID (Unique ID)" in
      the ACPI v6.0 spec.)

      With regard to related standards, the UEFI specification can also express
      a device address composed from string _HID and _UID identifiers, inside
      the Expanded ACPI Device Path Node. (See "9.3.3 ACPI Device Path", Table
      49, in the UEFI v2.5 spec.)

      However, numeric (integer) contents for both _HID and _UID are more
      traditional. They are recommended by the UEFI spec for size reasons:

        [...] the ACPI Device Path node is smaller and should be used if
        possible to reduce the size of device paths that may potentially be
        stored in nonvolatile storage [...]

      External tools support them better (for example the --acpi_hid and
      --acpi_uid options of "efibootmgr" only take numeric identifiers).
      Finally, numeric _HID and _UID contents are existing practice in the QEMU
      source.

      This patch was tested with a Fedora 20 LiveCD and a preexistent Windows
      Server 2012 R2 guest. Using "acpidump" and "iasl" in the Fedora guest, we
      get, in the SSDT:

      > Scope (\_SB)
      > {
      >   Device (PC04)
      >   {
      >     Name (_UID, 0x04)  // _UID: Unique ID
      >     Name (_HID, EisaId ("PNP0A03") /* PCI Bus */)  // _HID: Hardware ID

      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 39e16a5b708358202e8d2252e3d84863666dc9e5
  Merge: 0e12e61 060ab76
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 11 11:18:11 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150611-1' 
into staging

      gtk: don't exit early in case gtk init fails

      # gpg: Signature made Thu Jun 11 10:38:29 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150611-1:
        gtk: don't exit early in case gtk init fails

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 060ab76356fff6a420bc881a574c40a5dda086af
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jun 5 13:07:58 2015 +0200

      gtk: don't exit early in case gtk init fails

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit bd8f1ebce430eb6c1dd92e34baf7bc35aa600464
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:49 2015 +0200

      net/dp8393x: fix hardware reset

      Documentation is not clear of what happens when doing a hardware reset,
      but firmware expect all registers to be zero unless specified otherwise.

      This fixes reboot on MIPS Magnum.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 409b52bfe199d8106dadf7c5ff3d88d2228e89b5
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:48 2015 +0200

      net/dp8393x: correctly reset in_use field

      Don't write more than the field width, which is always 16 bit.
      Fixes network in NetBSD 5.1/arc

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 1670735dd7087224cf8fabd37c78fc2aa1f0b22f
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:47 2015 +0200

      net/dp8393x: add load/save support

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 89ae0ff9b73ee74c9ba707a09a07ad77b9fdccb4
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:46 2015 +0200

      net/dp8393x: add PROM to store MAC address

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 104655a5c818ea8de1329cef50d1cc8defc524f3
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:45 2015 +0200

      net/dp8393x: QOM'ify

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 3df5de64f06f6b288b1cf30ce2bad7878a96454b
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:44 2015 +0200

      net/dp8393x: use dp8393x_ prefix for all functions

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 84689cbb97d2f8c7bb1ebe069f887eaaaddb0902
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:43 2015 +0200

      net/dp8393x: do not use old_mmio accesses

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f2f62c4db244f392381c9061c4185ced98f9be57
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:42 2015 +0200

      net/dp8393x: always calculate proper checksums

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit d791d60f1cf944f578aa26ca9f8903ce5dda1c78
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:41 2015 +0200

      dma/rc4030: convert to QOM

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 95c357bc461b00785284403bf56567657d42e915
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:40 2015 +0200

      dma/rc4030: use trace events instead of custom logging

      Remove also unneeded debug logs.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit dc6e3e1e1aef2e6b2ed2ddf80c9559c91f685ecd
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:39 2015 +0200

      dma/rc4030: document register at offset 0x210

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit b421f3f52aed306ecc69221a13fac22d03905956
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:38 2015 +0200

      dma/rc4030: do not use old_mmio accesses

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit dd8205130bab277a27889b6d3c0c6c7651585732
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:37 2015 +0200

      dma/rc4030: use AddressSpace and address_space_rw in users

      Now that rc4030 internally uses an AddressSpace for DMA handling, make 
its root
      memory region public. This is especially usefull for dp8393x netcard, 
which now
      uses well known QEMU types and methods.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit a3d586f704609a45b6037534cb2f34da5dfd8895
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:36 2015 +0200

      dma/rc4030: create custom DMA address space

      Add a new memory region in system address space where DMA address space
      definition (the 'translation table') belongs, so we can update on the fly
      the DMA address space.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 9b1d21c53b73c8f8f79e4aae69c4eb7a5270d6d4
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:35 2015 +0200

      mips jazz: compile only in 64 bit

      Remove now useless device models from other MIPS configurations

      We're now compiling 12 files less than before.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ce9782f40ac16660ea9437bfaa2c9c34d5ed8110
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Jun 4 17:00:31 2015 +0100

      target-mips: add ERETNC instruction and Config5.LLB bit

      ERETNC is identical to ERET except that an ERETNC will not clear the LLbit
      that is set by execution of an LL instruction, and thus when placed 
between
      an LL and SC sequence, will never cause the SC to fail.

      Presence of ERETNC is denoted by the Config5.LLB.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit adc370a48fd26b92188fa4848dfb088578b1936c
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Jun 1 12:13:24 2015 +0100

      target-mips: Misaligned memory accesses for MSA

      MIPS SIMD Architecture vector loads and stores require misalignment 
support.
      MSA Memory access should work as an atomic operation. Therefore, it has to
      check validity of all addresses for a vector store access if it is 
spanning
      into two pages.

      Separating helper functions for each data format as format is known in
      translation.
      To use mmu_idx from cpu_mmu_index() instead of calculating it from hflag.
      Removing save_cpu_state() call in translation because it is able to use
      cpu_restore_state() on fault as GETRA() is passed.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: remove unused do_* functions]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 3b4afc9e75ab1a95f33e41f462921093f8a109c4
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Jun 1 12:13:23 2015 +0100

      softmmu: Add probe_write()

      Probe for whether the specified guest write access is permitted.
      If it is not permitted then an exception will be taken in the same
      way as if this were a real write access (and we will not return).
      Otherwise the function will return, and there will be a valid
      entry in the TLB for this access.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit be3a8c53b4f18bcc51a462d977cc61a0f46ebb1c
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Jun 1 12:13:22 2015 +0100

      target-mips: Misaligned memory accesses for R6

      Release 6 requires misaligned memory access support for all ordinary 
memory
      access instructions (for example, LW/SW, LWC1/SWC1).
      However misaligned support is not provided for certain special memory 
accesses
      such as atomics (for example, LL/SC).

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 71c199c81d290b2077ee7cf5400332a342de3a97
  Author: Paul Burton <paul.burton@xxxxxxxxxx>
  Date:   Mon May 25 14:21:04 2015 +0100

      mips_malta: provide ememsize env variable to kernels

      Commit 94c2b6aff43c (mips_malta: support up to 2GiB RAM) provided
      support for using over 256MB of RAM with the MIPS Malta board, including
      capping the memsize variable that QEMUs pseudo-bootloader provides to
      the kernel at 256MB in order to match YAMON. It didn't however provide
      the ememsize variable which kernels supporting memory outside of the
      unmapped address spaces (ie. EVA or highmem) may use to determine the
      true size of the RAM present in the system.

      Set ememsize to the size of RAM so that such kernels may use all
      available memory without the user having to manually specifying its size
      & location.

      Signed-off-by: Paul Burton <paul.burton@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 7c979afd11b09a16634699dd6344e3ba10c9677e
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 21 16:06:28 2015 +0100

      target-mips: add Config5.FRE support allowing Status.FR=0 emulation

      This relatively small architectural feature adds the following:

      FIR.FREP: Read-only. If FREP=1, then Config5.FRE and Config5.UFE are
                available.

      Config5.FRE: When enabled all single-precision FP arithmetic instructions,
                   LWC1/LWXC1/MTC1, SWC1/SWXC1/MFC1 cause a Reserved 
Instructions
                   exception.

      Config5.UFE: Allows user to write/read Config5.FRE using CTC1/CFC1
                   instructions.

      Enable the feature in MIPS64R6-generic CPU.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit eab9944c7801525737626fa45cddaf00932dd2c8
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 21 16:06:27 2015 +0100

      target-mips: move group of functions above gen_load_fpr32()

      Move the "Tests" group of functions so that gen_load_fpr32() and
      gen_store_fpr32() can use generate_exception().

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 5a9259a0b5d6f9424f94539cd9c715b1d166d90c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 13 12:21:50 2015 +0100

      spice: ui_info tweaks

      Use the new dpy_ui_info_supported function.
      Clarifies the control flow.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c6e484707f28b3e115e64122a0570f6b3c585489
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jun 9 21:08:47 2015 +0200

      spice-display: fix segfault in qemu_spice_create_update

      Although it is pretty unusual the stride for the guest image and the
      mirror image maintained by spice-display can be different.  So use
      separate variables for them.

      https://bugzilla.redhat.com/show_bug.cgi?id=1163047

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: perrier vincent <clownix@xxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0e12e61ff9a3407d123d0dbc4d945aec98d60fdf
  Merge: 3974c9d 62232bf
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 10 18:13:58 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150610-1' 
into staging

      stdvga: factor out mmio subregion init
      virtio-gpu: add virtio gpu core code, 2d mode

      # gpg: Signature made Wed Jun 10 10:03:11 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20150610-1:
        virtio-gpu/2d: add virtio gpu core code
        virtio: update headers, add virtio-gpu (2d)
        stdvga: factor out mmio subregion init
        stdvga: pass VGACommonState instead of PCIVGAState
        stdvga: fix offset in pci_vga_ioport_read

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 21549a4642e1f1b438ffc31dd9dc35f134b10e5b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:36 2015 +0800

      vhost-scsi: move qdev properties into vhost-scsi.c

      As only one place in vhost-scsi.c uses DEFINE_VHOST_SCSI_PROPERTIES,
      there is no need to expose it. Inline it into vhost-scsi.c to avoid
      wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 83a84878da2e00b4d350bd90d6775c1f6320e7b4
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:35 2015 +0800

      virtio-9p-device: move qdev properties into virtio-9p-device.c

      As only one place in virtio-9p-device.c uses
      DEFINE_VIRTIO_9P_PROPERTIES, there is no need to expose it. Inline it
      into virtio-9p-device.c to avoid wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 448777c411b80df0263eb00b9df2f829cdc7cc9b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:34 2015 +0800

      virtio-serial-bus: move qdev properties into virtio-serial-bus.c

      As only one place in virtio-serial-bus.c uses
      DEFINE_VIRTIO_SERIAL_PROPERTIES, there is no need to expose it. Inline
      it into virtio-serial-bus.c to avoid wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fe704809b974d8dd8e020b4d3f48ede338a886fe
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:33 2015 +0800

      virtio-rng: move qdev properties into virtio-rng.c

      As only one place in virtio-rng.c uses DEFINE_VIRTIO_RNG_PROPERTIES,
      there is no need to expose it. Inline it into virtio-rng.c to avoid
      wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0c63237a90f37fffe8a8016f24f61bb228653e86
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:32 2015 +0800

      virtio-scsi: move qdev properties into virtio-scsi.c

      As only one place in virtio-scsi.c uses DEFINE_VIRTIO_SCSI_PROPERTIES
      and DEFINE_VIRTIO_SCSI_FEATURES, there is no need to expose them. Inline
      them into virtio-scsi.c to avoid wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit db58c063e159f02f0232d1557f0930fd32a6580f
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:31 2015 +0800

      virtio-net.h: Remove unsed DEFINE_VIRTIO_NET_PROPERTIES

      Remove unsed DEFINE_VIRTIO_NET_PROPERTIES in virtio-net.h and delete a
      space typo.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 87108bb26ce04637980c0897caeabee8901e72c9
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:30 2015 +0800

      virtio-net: move qdev properties into virtio-net.c

      As only one place in virtio-net.c uses DEFINE_VIRTIO_NET_FEATURES,
      there is no need to expose it. Inline it into virtio-net.c to avoid
      wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 710e2d90da1a16807f7885d37b203ce739fdc53a
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:42 2015 +0200

      virtio-input: emulated devices [pci]

      This patch adds virtio-pci support for the emulated virtio-input
      devices.  Using them is as simple as adding "-device virtio-tablet-pci"
      to your command line.  If you want add multiple devices but don't want
      waste a pci slot for each you can compose a multifunction device this way:

      qemu -device virtio-keyboard-pci,addr=0d.0,multifunction=on \
           -device virtio-tablet-pci,addr=0d.1,multifunction=on

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f958c8aa138718b8126a300d6faece522f7674b8
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:41 2015 +0200

      virtio-input: core code & base class [pci]

      This patch adds the virtio-pci support bits for virtio-input-device.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ffaa05037134d48e3ccd7ebbf2d58db26590b96d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:40 2015 +0200

      pci: add PCI_CLASS_INPUT_*

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b6ce27a593ab39ac28baebc3045901925046bebd
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:39 2015 +0200

      virtio-pci: fill VirtIOPCIRegions early.

      Initialize the modern bar and the VirtIOPCIRegion fields early, in
      realize.  Also add a size field to VirtIOPCIRegion and variables for
      pci bars to VirtIOPCIProxy.

      This allows virtio-pci subclasses to change things before the
      device_plugged callback applies them.  virtio-vga will use that to
      arrange regions in a way that virtio-vga is compatible to both stdvga
      (in vga mode) and virtio-gpu-pci (in pci mode).

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cc52ea90f835aa66d431db712b22f8b15bec2e46
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:38 2015 +0200

      virtio-pci: drop identical virtio_pci_cap

      Now the three struct virtio_pci_caps are identical,
      lets drop two of them ;)

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fc004905c5b4b7568aad50087c156a5f4dfae1a7
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:37 2015 +0200

      virtio-pci: move cap type to VirtIOPCIRegion

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 54790d71e4adcfaae95dac3c7019b10721e609de
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:36 2015 +0200

      virtio-pci: move virtio_pci_add_mem_cap call to 
virtio_pci_modern_region_map

      Also fill offset and length automatically,
      from VirtIOPCIRegion->offset and region size.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a3cc2e81592aba6d818005c078b94b16ba47a02c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:35 2015 +0200

      virtio-pci: add virtio_pci_modern_region_map()

      Add function to map modern virtio regions.
      Add offset to VirtIOPCIRegion.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1141ce2190c85daacfa9b874476651ed0f7dc6df
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:34 2015 +0200

      virtio-pci: add virtio_pci_modern_regions_init()

      Add init function for the modern pci regions,
      move over the init code.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 588255ad5021f06789f438f7b045015c54e30841
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:33 2015 +0200

      virtio-pci: add struct VirtIOPCIRegion for virtio-1 regions

      For now just place the MemoryRegion there,
      following patches will add more.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 40de55affda76392627e68d3b1ba5a6a11c492bc
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:32 2015 +0200

      virtio-balloon: switch to virtio_add_feature

      This was missed during the conversion of feature bit manipulation.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fbdc6892dd8a842a3d86b8315ff56399e0387b74
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:31 2015 +0200

      virtio_balloon: header update

      add modern header

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 975acc0ae6d60260859884a9235ae3c62e2969a2
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:30 2015 +0200

      virtio-pci: correctly set host notifiers for modern bar

      Currently, during host notifier set. We only add eventfd for legacy
      bar, this is not correct since:

      - Non-transitional device does not have legacy bar, so qemu will crash
        since proxy->bar was not initialized.
      - Modern device uses modern bar and notify cap to notify the device,
        we should add eventfd for proxy->notify.

      So this patch fixes the above two issues by adding eventfd based on
      whether legacy or modern device were supported.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4e93a68eb369b2f7adbef7a4f6afd7a30a0ed927
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:29 2015 +0200

      virtio-pci: make modern bar 64bit + prefetchable

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 23c5e3977502a1b57fa2d8cf8cf4b5c9e45f0d1f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:28 2015 +0200

      virtio-pci: change & document virtio pci bar layout.

      This patch adds variables for the pci bars (to get rid of the magic
      numbers in the code) and moves the modern virtio bar to region 4 so
      regions 2+3 are kept free.  virtio-vga wants use them.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8aca0d75869f8ad0aa0032c50d8c85dcad65302f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:27 2015 +0200

      virtio-pci: make QEMU_VIRTIO_PCI_QUEUE_MEM_MULT smaller

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e266d421490e0ae83044bbebb209b2d3650c0ba6
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:26 2015 +0200

      virtio-pci: add flags to enable/disable legacy/modern

      Add VIRTIO_PCI_FLAG_DISABLE_LEGACY and VIRTIO_PCI_FLAG_DISABLE_MODERN
      for VirtIOPCIProxy->flags.  Also add properties for them.  They can be
      used to disable modern (virtio 1.0) or legacy (virtio 0.9) modes.

      By default only legacy is advertized, modern will be turned on by
      default once all remaining spec compilance issues are addressed.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 54c720d49d3f9741b52ac95c65a5cc990254a5d8
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:25 2015 +0200

      virtio-pci: switch to modern accessors for 1.0

      virtio 1.0 config space is in LE format for all
      devices, use modern wrappers when accessed through
      the 1.0 BAR.

      Reported-by: Rusty Russell <rusty@xxxxxxxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit adfb743c90c7aa5e92907ce875e4f35747ee1963
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:24 2015 +0200

      virtio: add modern config accessors

      virtio 1.0 defines config space as LE,
      as opposed to pre-1.0 which was native endian.

      Add API for transports to execute word/dword accesses in
      little endian format - will be useful for mmio
      and pci (byte access is also wrapped, for completeness).

      For simplicity, we still keep config in host native
      endian format, byteswap to LE on guest access.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b8f059081d93f1802480059d1d49fe5c1d32f60c
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:23 2015 +0200

      virtio: generation counter support

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit dfb8e184db758bff275f94f7aa634300886cfe21
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:22 2015 +0200

      virtio-pci: initial virtio 1.0 support

      This is somewhat functional.  With this, and linux driver from my tree,
      I was able to use virtio net as virtio 1.0 device for light browsing.

      At the moment, dataplane and vhost code is
      still missing.

      Based on Cornelia's virtio 1.0 patchset:
          Date: Thu, 11 Dec 2014 14:25:02 +0100
          From: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
          To: virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx, qemu-devel@xxxxxxxxxx
          Cc: rusty@xxxxxxxxxxxxxxx, thuth@xxxxxxxxxxxxxxxxxx, mst@xxxxxxxxxx,
          Cornelia Huck <cornelia.huck@xxxxxxxxxx>
          Subject: [PATCH RFC v6 00/20] qemu: towards virtio-1 host support
          Message-Id: 
<1418304322-7546-1-git-send-email-cornelia.huck@xxxxxxxxxx>

      which is itself still missing some core bits.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c17bef33601737e24a3d53259ddb6db28ac4d6d2
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:21 2015 +0200

      linux-headers: add virtio_pci

      Easier than duplicating code.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9a2ba82302bea7faf3b9579f9168b89c73ae34ad
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:20 2015 +0200

      vhost: 64 bit features

      Make sure that all vhost interfaces use 64 bit features, as the virtio
      core does, and make sure to use ULL everywhere possible to be on the
      safe side.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b1506132001eee6b11cf23b5968cd66ec141a9ed
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:19 2015 +0200

      vhost_net: add version_1 feature

      Add VERSION_1 to list of features that we should
      test at the backend.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit df91055db5c9cee93d70ca8c08d72119a240b987
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:18 2015 +0200

      virtio-net: enable virtio 1.0

      virtio-net (non-vhost) now should have everything in place to support
      virtio 1.0: let's enable the feature bit for it.

      Note that VIRTIO_F_VERSION_1 is technically a transport feature; once
      every device is ready for virtio 1.0, we can move setting this
      feature bit out of the individual devices.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit bb9d17f831fa8e70494eab8421d83a542e3d8508
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:17 2015 +0200

      virtio-net: support longer header

      virtio-1 devices always use num_buffers in the header, even if
      mergeable rx buffers have not been negotiated.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b6a3cddb22d3f0f729e267d45f350ae31bdebbcf
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:16 2015 +0200

      virtio-net: no writeable mac for virtio-1

      Devices operating as virtio 1.0 may not allow writes to the mac
      address in config space.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0b352fd680e1ca7827ddea47b5e9b603320913b6
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:15 2015 +0200

      virtio: allow to fail setting status

      virtio-1 allow setting of the FEATURES_OK status bit to fail if
      the negotiated feature bits are inconsistent: let's fail
      virtio_set_status() in that case and update virtio-ccw to post an
      error to the guest.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6c0196d702e8482a17638ee79f45ce27cdd1ef5d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:14 2015 +0200

      virtio: disallow late feature changes for virtio-1

      For virtio-1 devices, the driver must not attempt to set feature bits
      after it set FEATURES_OK in the device status. Simply reject it in
      that case.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f5a5628cf0b65b223fa0c9031714578dfac4cf04
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:13 2015 +0200

      dataplane: allow virtio-1 devices

      Handle endianness conversion for virtio-1 virtqueues correctly.

      Note that dataplane now needs to be built per-target.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ab223c9518e8c7eb542ef3133de1a34475b69790
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:12 2015 +0200

      virtio: allow virtio-1 queue layout

      For virtio-1 devices, we allow a more complex queue layout that doesn't
      require descriptor table and rings on a physically-contigous memory area:
      add virtio_queue_set_rings() to allow transports to set this up.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3c185597c86b8cd0a07c46e7a5bd5aac28bb7200
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:11 2015 +0200

      virtio: endianness checks for virtio 1.0 devices

      Add code that checks for the VERSION_1 feature bit in order to make
      decisions about the device's endianness. This allows us to support
      transitional devices.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3974c9d8ccfccbd81edc9df271fcae7082f3921d
  Merge: eed8a8f 5efed5a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 10 16:52:34 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-fw_cfg-20150610-1' 
into staging

      fw_cfg: drop write support, qemu cmdline support, bugfixes.
      bios-tables-test: fix smbios test.

      # gpg: Signature made Wed Jun 10 07:29:53 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-fw_cfg-20150610-1:
        bios-tables-test: handle false-positive smbios signature matches
        fw_cfg: insert fw_cfg file blobs via qemu cmdline
        fw_cfg: prohibit insertion of duplicate fw_cfg file names
        fw_cfg: prevent selector key conflict
        fw_cfg: remove support for guest-side data writes
        fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc
        fw_cfg: add fw_cfg_modify_i16 (update) method
        QemuOpts: increase number of vm_config_groups

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit eed8a8f572e659c85f8711d79c20da95021e06e2
  Merge: e015fe0 7a8d15d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 10 15:46:39 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150609.0' into staging

      Initial VFIO platform device support, v2 (Eric Auger, et al.)

      # gpg: Signature made Tue Jun  9 15:25:40 2015 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150609.0:
        hw/vfio/platform: calxeda xgmac device
        hw/vfio/platform: add irq assignment
        hw/vfio/platform: vfio-platform skeleton

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e015fe008a3a8901913248cdb50c62dba795c588
  Merge: b041114 9f7c594
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 10 15:10:14 2015 +0100

      Merge remote-tracking branch 
'remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request' into 
staging

      # gpg: Signature made Wed Jun 10 15:04:11 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request:
        pcnet: force the buffer access to be in bounds during tx

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9f7c594c006289ad41169b854d70f5da6e400a2a
  Author: Petr Matousek <pmatouse@xxxxxxxxxx>
  Date:   Sun May 24 10:53:44 2015 +0200

      pcnet: force the buffer access to be in bounds during tx

      4096 is the maximum length per TMD and it is also currently the size of
      the relay buffer pcnet driver uses for sending the packet data to QEMU
      for further processing. With packet spanning multiple TMDs it can
      happen that the overall packet size will be bigger than sizeof(buffer),
      which results in memory corruption.

      Fix this by only allowing to queue maximum sizeof(buffer) bytes.

      This is CVE-2015-3209.

      [Fixed 3-space indentation to QEMU's 4-space coding standard.
      --Stefan]

      Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx>
      Reported-by: Matt Tait <matttait@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 24bfa207efb9b9d591552eefc1f414ff33ef0eac
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Jun 4 23:05:58 2015 -0400

      vhost: put log correctly in vhost_dev_start()

      We allocate an dummy log even if the size is zero. So we should put it
      unconditionally too.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 62232bf48456bda4058ceae05851bc58c1032338
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 14:12:28 2014 +0200

      virtio-gpu/2d: add virtio gpu core code

      This patch adds the core code for virtio gpu emulation,
      covering 2d support.

      Written by Dave Airlie and Gerd Hoffmann.

      Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 53476e07d299b7fc33fa480db6bd9a6b1e2e8a97
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri May 22 15:37:33 2015 +0200

      virtio: update headers, add virtio-gpu (2d)

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 220869e12d96bfb0b44d8e47394587c30e9a093f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 09:50:46 2015 +0200

      stdvga: factor out mmio subregion init

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit cf45ec6a52af77ec2cdfe229b6f496a29b8f7886
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 09:09:49 2015 +0200

      stdvga: pass VGACommonState instead of PCIVGAState

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 24cdff7c8278849747035f9554f8c538beabf949
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 09:03:54 2015 +0200

      stdvga: fix offset in pci_vga_ioport_read

      Simliar to pci_vga_ioport_write.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5efed5a172881f601ac3c57c22ec5c5721f895be
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Mon May 18 08:47:24 2015 -0400

      bios-tables-test: handle false-positive smbios signature matches

      It has been reported that sometimes the .rodata section of SeaBIOS,
      containing the constant string against which the SMBIOS signature
      ends up being compared, also falls within the guest f-segment. In
      that case, the test obviously fails, unless we continue searching
      for the *real* SMBIOS entry point.

      Rather than stopping at the first match for the SMBIOS signature
      ("_SM_") in the f-segment (0xF0000-0xFFFFF), continue scanning
      until either a valid entry point table is found, or the f-segment
      has been exhausted.

      Reported-by: Bruce Rogers <brogers@xxxxxxxx>
      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Bruce Rogers <brogers@xxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 81b2b81062612ebeac4cd5333a3b15c7d79a5a3d
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Wed Apr 29 11:21:53 2015 -0400

      fw_cfg: insert fw_cfg file blobs via qemu cmdline

      Allow user supplied files to be inserted into the fw_cfg
      device before starting the guest. Since fw_cfg_add_file()
      already disallows duplicate fw_cfg file names, qemu will
      exit with an error message if the user supplies multiple
      blobs with the same fw_cfg file name, or if a blob name
      collides with a fw_cfg name programmatically added from
      within the QEMU source code. A warning message will be
      printed if the fw_cfg item name does not begin with the
      prefix "opt/", which is recommended for external, user
      provided blobs.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0eb973f91521c6bcb6399d25327711d083f6eb10
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Wed Apr 29 11:21:52 2015 -0400

      fw_cfg: prohibit insertion of duplicate fw_cfg file names

      Exit with an error (instead of simply logging a trace event)
      whenever the same fw_cfg file name is added multiple times via
      one of the fw_cfg_add_file[_callback]() host-side API calls.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0f9b214139d11ef058fa0f1c11c89e94fa6ef95d
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Wed Apr 29 11:21:51 2015 -0400

      fw_cfg: prevent selector key conflict

      Enforce a single assignment of data for each distinct selector key.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 023e3148567ac898c7258138f8e86c3c2bb40d07
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Wed Apr 29 11:21:50 2015 -0400

      fw_cfg: remove support for guest-side data writes

      From this point forward, any guest-side writes to the fw_cfg
      data register will be treated as no-ops. This patch also removes
      the unused host-side API function fw_cfg_add_callback(), which
      allowed the registration of a callback to be executed each time
      the guest completed a full overwrite of a given fw_cfg data item.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 48779e501810c5046ff8af7b9cf9c99bec2928a1
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Mon Jun 8 14:10:45 2015 -0400

      fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc

      On ppc, sparc, and sparc64, the value of the FW_CFG_BOOT_DEVICE 16bit
      fw_cfg entry is repeatedly modified from a series of callbacks, which
      currently results in the previous value's dynamically allocated memory
      being leaked.

      This patch switches updating to the new fw_cfg_modify_i16() call, which
      does not cause memory leaks.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1edd34b638f73d39a175fbc4f9ad5c97800d7470
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Mon Jun 8 14:10:44 2015 -0400

      fw_cfg: add fw_cfg_modify_i16 (update) method

      Allow the ability to modify the value of an existing 16-bit integer
      fw_cfg item.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1ceaefbd0d09642fcff05c6b8da49ad8fbc050cb
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri May 29 14:37:54 2015 +0200

      QemuOpts: increase number of vm_config_groups

      Adding the fw_cfg cmd line support patch by
      Gabriel L. Somlo hits the limit.

      Fix this by making the array larger.

      Cc: Gabriel L. Somlo <somlo@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b0411142f482df92717f8b4a3b746081a62b724f
  Merge: 44ee94e 36e60ef
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 9 15:29:34 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150609' into 
staging

      Collected TCG patches

      # gpg: Signature made Tue Jun  9 15:06:18 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150609:
        tcg/optimize: rename tcg_constant_folding
        tcg/optimize: fold constant test in tcg_opt_gen_mov
        tcg/optimize: fold temp copies test in tcg_opt_gen_mov
        tcg/optimize: remove opc argument from tcg_opt_gen_mov
        tcg/optimize: remove opc argument from tcg_opt_gen_movi
        tcg: fix dead computation for repeated input arguments
        tcg: fix register allocation with two aliased dead inputs
        tcg: Handle MO_AMASK in tcg_dump_ops
        tcg: Mask TCGMemOp appropriately for indexing

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7a8d15d7702444be715b6ae32574659483c0c158
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 9 09:00:07 2015 +0100

      hw/vfio/platform: calxeda xgmac device

      The platform device class has become abstract. This patch introduces
      a calxeda xgmac device that derives from it.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 36e60ef6ac5d8a262d0fbeedfdb2b588514cb1ea
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:53:27 2015 +0200

      tcg/optimize: rename tcg_constant_folding

      The tcg_constant_folding folding ends up doing all the optimizations
      (which is a good thing to avoid looping on all ops multiple time), so
      make it clear and just rename it tcg_optimize.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447607-31184-6-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 97a79eb70dd35a24fda87d86196afba5e6f21c5d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jun 5 11:19:18 2015 +0200

      tcg/optimize: fold constant test in tcg_opt_gen_mov

      Most of the calls to tcg_opt_gen_mov are preceeded by a test to check if
      the source temp is a constant. Fold that into the tcg_opt_gen_mov
      function.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433495958-9508-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5365718a9afeeabde3784d82a542f8ad909b18cf
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:53:25 2015 +0200

      tcg/optimize: fold temp copies test in tcg_opt_gen_mov

      Each call to tcg_opt_gen_mov is preceeded by a test to check if the
      source and destination temps are copies. Fold that into the
      tcg_opt_gen_mov function.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447607-31184-4-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8d6a91602ea824ef4435ea38fd475387eecc098c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:53:24 2015 +0200

      tcg/optimize: remove opc argument from tcg_opt_gen_mov

      We can get the opcode using the TCGOp pointer. It needs to be
      dereferenced, but it's anyway done a few lines below to write
      the new value.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447607-31184-3-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ebd27391b00cdafc81e0541a940686137b3b48df
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:53:23 2015 +0200

      tcg/optimize: remove opc argument from tcg_opt_gen_movi

      We can get the opcode using the TCGOp pointer. It needs to be
      dereferenced, but it's anyway done a few lines below to write
      the new value.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447607-31184-2-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c19f47bf5e8fe3dbd10206a52d0e6e348f803933
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:47:08 2015 +0200

      tcg: fix dead computation for repeated input arguments

      When the same temp is used twice or more as an input argument to a TCG
      instruction, the dead computation code doesn't recognize the second use
      as a dead temp. This is because the temp is marked as live in the same
      loop where dead inputs are checked.

      The fix is to split the loop in two parts. This avoid emitting a move
      and using a register for the movcond instruction when used as "move if
      true" on x86-64. This might bring more improvements on RISC TCG targets
      which don't have outputs aliased to inputs.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447228-29425-3-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7e1df267a7e8b39fc0cf1d84d2afc2e88ccbfeac
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:47:07 2015 +0200

      tcg: fix register allocation with two aliased dead inputs

      For TCG ops with two outputs registers (add2, sub2, div2, div2u), when
      the same input temp is used for the two inputs aliased to the two
      outputs, and when these inputs are both dead, the register allocation
      code wrongly assigned the same register to the same output.

      This happens for example with sub2 t1, t2, t3, t3, t4, t5, when t3 is
      not used anymore after the TCG op.  In that case the same register is
      used for t1, t2 and t3.

      The fix is to look for already allocated aliased input when allocating
      a dead aliased input and check that the register is not already
      used.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447228-29425-2-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 59c4b7e8dfab0cdc41434fedbf2686222f541e57
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Jun 1 14:38:56 2015 -0700

      tcg: Handle MO_AMASK in tcg_dump_ops

      Reviewed-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Tested-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2b7ec66f025263a5331f37d5ad78a625496fd7bd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri May 29 09:16:51 2015 -0700

      tcg: Mask TCGMemOp appropriately for indexing

      The addition of MO_AMASK means that places that used inverted masks
      need to be changed to use positive masks, and places that failed to
      mask the intended bits need updating.

      Reviewed-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Tested-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 44ee94e4862603c2b1b21718effc5f17b39f43bc
  Merge: b781a60 6028ef0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 9 11:07:41 2015 +0100

      Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20150609' 
into staging

      s390x/virtio-ccw: migration and virtio for 2.4

      1. Migration fixups
      2. virtio 9pfs

      # gpg: Signature made Tue Jun  9 09:00:05 2015 BST using RSA key ID 
B5A61C7C
      # gpg: Good signature from "Christian Borntraeger (IBM) 
<borntraeger@xxxxxxxxxx>"

      * remotes/borntraeger/tags/s390x-20150609:
        s390x/migration: add comment about floating point migration
        s390x/kvm: always ignore empty vcpu interrupt state
        virtio-ccw/migration: Migrate config vector for virtio devices
        virtio-ccw: add support for 9pfs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b781a60b1054e06de6733b75dd1489afff9c3276
  Merge: ee09f84 8190483
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 9 10:05:29 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-06-09' 
into staging

      Error reporting patches

      # gpg: Signature made Tue Jun  9 06:42:15 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-06-09:
        vhost-user: Improve -netdev/netdev_add/-net/... error reporting
        QemuOpts: Convert qemu_opt_foreach() to Error
        QemuOpts: Drop qemu_opt_foreach() parameter abort_on_failure
        blkdebug: Simplify passing of Error through qemu_opts_foreach()
        QemuOpts: Convert qemu_opts_foreach() to Error
        QemuOpts: Drop qemu_opts_foreach() parameter abort_on_failure
        vl: Fail right after first bad -object
        vl: Print -device help at most once
        vl: Report failure to sandbox at most once

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 08d49df0dbaacc220a099dbfb644e1dc0eda57be
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 11:12:15 2015 +0200

      sdl2: fix crash in handle_windowevent() when restoring the screen size

      The Ctrl-Alt-u keyboard shortcut restores the screen to its original
      size. In the SDL2 UI this is done by destroying the window and
      creating a new one. The old window emits SDL_WINDOWEVENT_HIDDEN when
      it's destroyed, but trying to call SDL_GetWindowFromID() from that
      event's window ID returns a null pointer. handle_windowevent() assumes
      that the pointer is never null so it results in a crash.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6028ef075791913228c36f10cb270f1f52e9f076
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Mon Jun 8 12:21:24 2015 +0200

      s390x/migration: add comment about floating point migration

      commit 46c804def4bd ("s390x: move fpu regs into a subsection
      of the vmstate") moved the fprs into a subsection and bumped
      the version number. This will allow to not transfer fprs in
      the future if necessary. Add a comment to mark the return true
      as intentional.

      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-Id: <1433758884-2997-1-git-send-email-borntraeger@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8190483196148f765c65785876f7b893d64b6cdd
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 14:17:16 2015 +0100

      vhost-user: Improve -netdev/netdev_add/-net/... error reporting

      When -netdev vhost-user fails, it first reports a specific error, then
      one or more generic ones, like this:

          $ qemu-system-x86_64 -netdev vhost-user,id=foo,chardev=xxx
          qemu-system-x86_64: -netdev vhost-user,id=foo,chardev=xxx: chardev 
"xxx" not found
          qemu-system-x86_64: -netdev vhost-user,id=foo,chardev=xxx: No 
suitable chardev found
          qemu-system-x86_64: -netdev vhost-user,id=foo,chardev=xxx: Device 
'vhost-user' could not be initialized

      With the command line, the messages go to stderr.  In HMP, they go to
      the monitor.  In QMP, the last one becomes the error reply, and the
      others go to stderr.

      Convert net_init_vhost_user() and its helpers to Error.  This
      suppresses the unwanted unspecific error messages, and makes the
      specific error the QMP error reply.

      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 71df1d833776647fc12f5bbcd6d6fe4c5e931094
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 12 08:40:25 2015 +0100

      QemuOpts: Convert qemu_opt_foreach() to Error

      Retain the function value for now, to permit selective conversion of
      its callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1640b200d53e3d981f12a192fe84b7bb7958c065
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 12 07:45:10 2015 +0100

      QemuOpts: Drop qemu_opt_foreach() parameter abort_on_failure

      When the argument is non-zero, qemu_opt_foreach() stops on callback
      returning non-zero, and returns that value.

      When the argument is zero, it doesn't stop, and returns the callback's
      value from the last iteration.

      The two callers that pass zero could just as well pass one:

      * qemu_spice_init()'s callback add_channel() either returns zero or
        exit()s.

      * config_write_opts()'s callback config_write_opt() always returns
        zero.

      Drop the parameter, and always stop.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8809cfc38e4e93884d664bb00108fc71b423f589
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 13:38:42 2015 +0100

      blkdebug: Simplify passing of Error through qemu_opts_foreach()

      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 28d0de7a4fb721b06de72970bd163f5183c2188b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 13:35:14 2015 +0100

      QemuOpts: Convert qemu_opts_foreach() to Error

      Retain the function value for now, to permit selective conversion of
      its callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a4c7367f7dd9348f94dc4298571ed515b8160a27
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 11:07:24 2015 +0100

      QemuOpts: Drop qemu_opts_foreach() parameter abort_on_failure

      When the argument is non-zero, qemu_opts_foreach() stops on callback
      returning non-zero, and returns that value.

      When the argument is zero, it doesn't stop, and returns the bit-wise
      inclusive or of all the return values.  Funky :)

      The callers that pass zero could just as well pass one, because their
      callbacks can't return anything but zero:

      * qemu_add_globals()'s callback qdev_add_one_global()

      * qemu_config_write()'s callback config_write_opts()

      * main()'s callbacks default_driver_check(), drive_enable_snapshot(),
        vnc_init_func()

      Drop the parameter, and always stop.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8122928a52248e28513c79d9b9929c6d20c866ea
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 13:08:36 2015 +0100

      vl: Fail right after first bad -object

      Failure to create an object with -object is a fatal error.  However,
      we delay the actual exit until all -object are processed.  On the one
      hand, this permits detection of genuine additional errors.  On the
      other hand, it can muddy the waters with uninteresting additional
      errors, e.g. when a later -object tries to reference a prior one that
      failed.

      We generally stop right on the first bad option, so do that for
      -object as well.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8416abb3b0f42132fc6346c439ec543635075135
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 13:02:03 2015 +0100

      vl: Print -device help at most once

      We print it once for each -device help.  Not helpful.  Stop after the
      first one.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 092b21aa7edf7962248e731cddaf5350d268e333
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 12:59:43 2015 +0100

      vl: Report failure to sandbox at most once

      It's reported once per -sandbox on.  Stop on the first failure, like
      we do for other options.

      Not fixed: "-sandbox on -sandbox off" should leave the sandbox off.
      It doesn't.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 38559979bf0095a586f61bc9e028df36673f21a1
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jun 8 09:25:26 2015 -0600

      hw/vfio/platform: add irq assignment

      This patch adds the code requested to assign interrupts to
      a guest. The interrupts are mediated through user handled
      eventfds only.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0ea2730bef0b764ce87f5d6859f9b1eac6069250
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jun 8 09:25:25 2015 -0600

      hw/vfio/platform: vfio-platform skeleton

      Minimal VFIO platform implementation supporting register space
      user mapping but not IRQ assignment.

      Signed-off-by: Kim Phillips <kim.phillips@xxxxxxxxxx>
      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ee09f84e6bf5383a23c9624115c26b72aa1e076c
  Merge: 2e29dd7 24a3142
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 8 15:57:41 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * KVM error improvement from Laurent
      * CONFIG_PARALLEL fix from Mirek
      * Atomic/optimized dirty bitmap access from myself and Stefan
      * BUILD_DIR convenience/bugfix from Peter C
      * Memory leak fix from Shannon
      * SMM improvements (though still TCG only) from myself and Gerd, acked by 
mst

      # gpg: Signature made Fri Jun  5 18:45:20 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream: (62 commits)
        update Linux headers from kvm/next
        atomics: add explicit compiler fence in __atomic memory barriers
        ich9: implement SMI_LOCK
        q35: implement TSEG
        q35: add test for SMRAM.D_LCK
        q35: implement SMRAM.D_LCK
        q35: add config space wmask for SMRAM and ESMRAMC
        q35: fix ESMRAMC default
        q35: implement high SMRAM
        hw/i386: remove smram_update
        target-i386: use memory API to implement SMRAM
        hw/i386: add a separate region that tracks the SMRAME bit
        target-i386: create a separate AddressSpace for each CPU
        vl: run "late" notifiers immediately
        qom: add object_property_add_const_link
        vl: allow full-blown QemuOpts syntax for -global
        pflash_cfi01: add secure property
        pflash_cfi01: change to new-style MMIO accessors
        pflash_cfi01: change big-endian property to BIT type
        target-i386: wake up processors that receive an SMI
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2e29dd7c44db30e3d3c108ab2a622cbdac6d16f0
  Merge: 0daba1f 0ba9888
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 8 14:07:32 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri Jun  5 20:59:07 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        macio: remove remainder_len DBDMA_io property
        macio: update comment/constants to reflect the new code
        macio: switch pmac_dma_write() over to new offset/len implementation
        macio: switch pmac_dma_read() over to new offset/len implementation
        fdc-test: Test state for existing cases more thoroughly
        fdc: Fix MSR.RQM flag
        fdc: Disentangle phases in fdctrl_read_data()
        fdc: Code cleanup in fdctrl_write_data()
        fdc: Use phase in fdctrl_write_data()
        fdc: Introduce fdctrl->phase
        fdc: Rename fdctrl_set_fifo() to fdctrl_to_result_phase()
        fdc: Rename fdctrl_reset_fifo() to fdctrl_to_command_phase()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0daba1f037ab85be7a9ff7ee37ba6b644c5e7977
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Fri Jun 5 11:05:03 2015 +0200

      machine: Drop use of DEFAULT_RAM_SIZE in help text

      As of commit 076b35b5a (machine: add default_ram_size to machine
      class) we no longer have a global default ram size, but instead
      machine specific defaults.  When invoking qemu --help we don't know
      which machine you selected, so we can't tell the user the default RAM
      size in the help text anymore now.

      Thus I don't see an easy way to expose the default ram size to the
      user in the help text.  The easiest option IMHO is to just drop this
      piece of information.

      Reported-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Acked-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Acked-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Message-id: 1433495103-62084-1-git-send-email-agraf@xxxxxxx
      [PMM: rewrapped long commit message lines]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 779cec4d20907cbccb26fbf5f5c19c6cdee33eff
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Jun 8 10:44:30 2015 +0200

      monitor: Fix QMP ABI breakage around "id"

      Commit 65207c5 accidentally dropped a line of code we need along with
      a comment that became wrong then.  This made QMP reject "id":

          {"execute": "system_reset", "id": "1"}
          {"error": {"class": "GenericError", "desc": "QMP input object member 
'id' is unexpected"}}

      Put the lost line right back, so QMP again accepts and returns "id",
      as promised by the ABI:

          {"execute": "system_reset", "id": "1"}
          {"return": {}, "id": "1"}

      Reported-by: Fabio Fantoni <fabio.fantoni@xxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Don Slutz <dslutz@xxxxxxxxxxx>
      Tested-by: Fabio Fantoni <fabio.fantoni@xxxxxxx>
      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Tested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1433753070-12632-2-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 24a314269281a175b5540b3b6a8981ed2e8220e1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 4 16:38:29 2015 +0200

      update Linux headers from kvm/next

      This is kvm.git commit 05ff30bb56c6b3d3000519d6e02ed35678ddae3b.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3bbf572345c65813f86a8fc434ea1b23beb08e16
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 3 14:21:20 2015 +0200

      atomics: add explicit compiler fence in __atomic memory barriers

      __atomic_thread_fence does not include a compiler barrier; in the
      C++11 memory model, fences take effect in combination with other
      atomic operations.  GCC implements this by making __atomic_load and
      __atomic_store access memory as if the pointer was volatile, and
      leaves no trace whatsoever of acquire and release fences in the
      compiler's intermediate representation.

      In QEMU, we want memory barriers to act on all memory, but at the same
      time we would like to use __atomic_thread_fence for portability reasons.
      Add compiler barriers manually around the __atomic_thread_fence.

      Message-Id: <1433334080-14912-1-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 11e66a15a084cb0820dba13f4ea3b15b0512fd39
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed May 6 10:58:30 2015 +0200

      ich9: implement SMI_LOCK

      Add write mask for the smi enable register, so we can disable write
      access to certain bits.  Open all bits on reset.  Disable write access
      to GBL_SMI_EN when SMI_LOCK (in ich9 lpc pci config space) is set.
      Write access to SMI_LOCK itself is disabled too.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bafc90bdc594a4d04db846bd8712bdcec59678a8
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Apr 20 10:55:09 2015 +0200

      q35: implement TSEG

      TSEG provides larger amounts of SMRAM than the 128 KB available with
      legacy SMRAM and high SMRAM.

      Route access to tseg into nowhere when enabled, for both cpus and
      busmaster dma, and add tseg window to smram region, so cpus can access
      it in smm mode.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 66e2ec2417e72edea1df5fb340b210100b0571b7
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 14 15:11:36 2015 +0200

      q35: add test for SMRAM.D_LCK

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      [Fix compilation of the newly introduced test. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 68c77acfb18d28933f17b1c2a842bd936ce7223b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 14 14:03:22 2015 +0200

      q35: implement SMRAM.D_LCK

      Once the SMRAM.D_LCK bit has been set by the guest several bits in SMRAM
      and ESMRAMC become readonly until the next machine reset.  Implement
      this by updating the wmask accordingly when the guest sets the lock bit.
      As the lock it itself is locked down too we don't need to worry about
      the guest clearing the lock bit.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b66a67d7519cb7f980885af5391b1103c42e9b6d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 15 16:48:12 2015 +0200

      q35: add config space wmask for SMRAM and ESMRAMC

      Not all bits in SMRAM and ESMRAMC can be changed by the guest.
      Add wmask defines accordingly and set them in mch_reset().

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7744752402d11cebe4c1d4079dcd40d3145eb37b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 15 16:43:24 2015 +0200

      q35: fix ESMRAMC default

      The cache bits in ESMRAMC are hardcoded to 1 (=disabled) according to
      the q35 mch specs.  Add and use a define with this default.

      While being at it also update the SMRAM default to use the name (no code
      change, just makes things a bit more readable).

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 64130fa4a1514ae7a580b8d46290a11784770600
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 17:13:01 2015 +0200

      q35: implement high SMRAM

      When H_SMRAME is 1, low memory at 0xa0000 is left alone by
      SMM, and instead the chipset maps the 0xa0000-0xbffff window at
      0xfeda0000-0xfedbffff.  This affects both the "non-SMM" view controlled
      by D_OPEN and the SMM view controlled by G_SMRAME, so add two new
      MemoryRegions and toggle the enabled/disabled state of all four
      in mch_update_smram.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3de70c0899db2712a5ae321093aa6173d6f76706
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:14:28 2015 +0200

      hw/i386: remove smram_update

      It's easier to inline it now that most of its work is done by the CPU
      (rather than the chipset) through /machine/smram and the memory API.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f809c605122df291bbb9004dc487bde0969134b5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:12:25 2015 +0200

      target-i386: use memory API to implement SMRAM

      Remove cpu_smm_register and cpu_smm_update.  Instead, each CPU
      address space gets an extra region which is an alias of
      /machine/smram.  This extra region is enabled or disabled
      as the CPU enters/exits SMM.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fe6567d5fddfb7501a352c5e080a9eecf7b89177
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:10:22 2015 +0200

      hw/i386: add a separate region that tracks the SMRAME bit

      This region is exported at /machine/smram.  It is "empty" if
      SMRAME=0 and points to SMRAM if SMRAME=1.  The CPU will
      enable/disable it as it enters or exits SMRAM.

      While touching nearby code, the existing memory region setup was
      slightly inconsistent.  The smram_region is *disabled* in order to open
      SMRAM (because the smram_region shows the low VRAM instead of the RAM
      at 0xa0000).  Because SMRAM is closed at startup, the smram_region must
      be enabled when creating the i440fx or q35 devices.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2001d0cd6d55e5efa9956fa8ff8b89034d6a4329
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:11:09 2015 +0200

      target-i386: create a separate AddressSpace for each CPU

      Different CPUs can be in SMM or not at the same time, thus they
      will see different things where the chipset places SMRAM.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 71cdd1cb914e24000273bbbfa5fb226cdb8ea265
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:01:06 2015 +0200

      vl: run "late" notifiers immediately

      If a machine_init_done notifier is added late, as part of a hot-plugged
      device, run it immediately.
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fb9e7e334b54350e8e3b62bd7892b78f63a9d848
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 5 18:29:00 2015 +0200

      qom: add object_property_add_const_link

      Suggested-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3751d7c43f795b45ffdb9429cfb09c6beea55c68
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Apr 9 14:16:19 2015 +0200

      vl: allow full-blown QemuOpts syntax for -global

      -global does not work for drivers that have a dot in their name, such as
      cfi.pflash01.  This is just a parsing limitation, because such globals
      can be declared easily inside a -readconfig file.

      To allow this usage, support the full QemuOpts key/value syntax for 
-global
      too, for example "-global driver=cfi.pflash01,property=secure,value=on".
      The two formats do not conflict, because the key/value syntax does not 
have
      a period before the first equal sign.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f71e42a5c98722d6faa5be84a34fbad90d27dc04
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 14:09:43 2015 +0200

      pflash_cfi01: add secure property

      When this property is set, MMIO accesses are only allowed with the
      MEMTXATTRS_SECURE attribute.  This is used for secure access to UEFI
      variables stored in flash.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5aa113f0a2c245b0a77865e1dd2445bdd24c3ef8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 14:00:53 2015 +0200

      pflash_cfi01: change to new-style MMIO accessors

      This is a required step to implement read_with_attrs and write_with_attrs.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e98094221ec336fcfd0c72c66f280f1cabb16c72
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 13:53:29 2015 +0200

      pflash_cfi01: change big-endian property to BIT type

      Make this consistent with the secure property, added in the next patch.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a9bad65d2c1f61af74ce2ff43238d4b20bf81c3a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 19 13:46:47 2015 +0200

      target-i386: wake up processors that receive an SMI

      An SMI should definitely wake up a processor in halted state!
      This lets OVMF boot with SMM on multiprocessor systems, although
      it halts very soon after that with a "CpuIndex != BspIndex"
      assertion failure.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b4854f1384176d897747de236f426d020668fa3c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Apr 30 12:02:46 2015 +0200

      target-i386: set G=1 in SMM big real mode selectors

      Because the limit field's bits 31:20 is 1, G should be 1.
      VMX actually enforces this, let's do it for completeness
      in QEMU as well.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9982f74bad70479939491b69522da047a3be5a0d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 11:40:41 2015 +0200

      target-i386: mask NMIs on entry to SMM

      QEMU is not blocking NMIs on entry to SMM.  Implementing this has to
      cover a few corner cases, because:

      - NMIs can then be enabled by an IRET instruction and there
      is no mechanism to _set_ the "NMIs masked" flag on exit from SMM:
      "A special case can occur if an SMI handler nests inside an NMI handler
      and then another NMI occurs. [...] When the processor enters SMM while
      executing an NMI handler, the processor saves the SMRAM state save map
      but does not save the attribute to keep NMI interrupts disabled.

      - However, there is some hidden state, because "If NMIs were blocked
      before the SMI occurred [and no IRET is executed while in SMM], they
      are blocked after execution of RSM."  This is represented by the new
      HF2_SMM_INSIDE_NMI_MASK bit.  If it is zero, NMIs are _unblocked_
      on exit from RSM.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3f7d84648607cc0fcb3812bb4b88978e2a7aa24f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 14:45:53 2015 +0200

      target-i386: Use correct memory attributes for ioport accesses

      In order to do this, stop using the cpu_in*/out* helpers, and instead
      access address_space_io directly.

      cpu_in* and cpu_out* remain for usage in the monitor, in qtest, and
      in Xen.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b216aa6c0fcbaa8ff4128969c14594896a5485a4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 13:39:37 2015 +0200

      target-i386: Use correct memory attributes for memory accesses

      These include page table walks, SVM accesses and SMM state save accesses.

      The bulk of the patch is obtained with

         sed -i 's/\(\<[a-z_]*_phys\(_notdirty\)\?\>(cs\)->as,/x86_\1,/'

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f794aa4a2fd772a3ec413c4e478cc23857cfee98
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 14:52:04 2015 +0200

      target-i386: introduce cpu_get_mem_attrs

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d7a0f71d9aac33e58d39fdbe4861d440af44fa8b
  Author: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
  Date:   Fri May 29 17:14:06 2015 +0200

      icount: print a warning if there is no more deadline in sleep=no mode

      While qemu is running in sleep=no mode, a warning will be printed
      when no timer deadline is set.
      As this mode is intended for getting deterministic virtual time, if no
      timer is set on the virtual clock this determinism is broken.

      Signed-off-by: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
      Message-Id: <1432912446-9811-4-git-send-email-victor.clement@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f1f4b57e88ff7c9cb20b074ff6106fd8f4397baa
  Author: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
  Date:   Fri May 29 17:14:05 2015 +0200

      icount: add sleep parameter to the icount option to set icount_sleep mode

      The 'sleep' parameter sets the icount_sleep mode, which is enabled by
      default. To disable it, add the 'sleep=no' parameter (or 'nosleep') to the
      qemu -icount option.

      Signed-off-by: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
      Message-Id: <1432912446-9811-3-git-send-email-victor.clement@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5045e9d912588a7421ab899ba510025722666fd1
  Author: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
  Date:   Fri May 29 17:14:04 2015 +0200

      icount: implement a new icount_sleep mode toggleing real-time cpu sleep

      When the icount_sleep mode is disabled, the QEMU_VIRTUAL_CLOCK runs at the
      maximum possible speed by warping the sleep times of the virtual cpu to 
the
      soonest clock deadline. The virtual clock will be updated only according
      the instruction counter.

      Signed-off-by: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
      Message-Id: <1432912446-9811-2-git-send-email-victor.clement@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ec05ec26f940564b1e07bf88857035ec27e21dd8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Mar 29 09:31:43 2015 +0200

      memory: use mr->ram_addr in "is this RAM?" assertions

      mr->terminates alone doesn't guarantee that we are looking at a RAM 
region.
      mr->ram_addr also has to be checked, in order to distinguish RAM and I/O
      regions.

      So, do the following:

      1) add a new define RAM_ADDR_INVALID, and test it in the assertions
      instead of mr->terminates

      2) IOMMU regions were not setting mr->ram_addr to a bogus value, 
initialize
      it in the instance_init function so that the new assertions would fire
      for IOMMU regions as well.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5f2cb94688bd0b2c88e0fc1ac3c4582965b7b106
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:19 2014 +0000

      memory: make cpu_physical_memory_sync_dirty_bitmap() fully atomic

      The fast path of cpu_physical_memory_sync_dirty_bitmap() directly
      manipulates the dirty bitmap.  Use atomic_xchg() to make the
      test-and-clear atomic.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-7-git-send-email-stefanha@xxxxxxxxxx>
      [Only do xchg on nonzero words. - Paolo]
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 03eebc9e3246b9b3f5925aa41f7dfd7c1e467875
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:18 2014 +0000

      memory: replace cpu_physical_memory_reset_dirty() with test-and-clear

      The cpu_physical_memory_reset_dirty() function is sometimes used
      together with cpu_physical_memory_get_dirty().  This is not atomic since
      two separate accesses to the dirty memory bitmap are made.

      Turn cpu_physical_memory_reset_dirty() and
      cpu_physical_memory_clear_dirty_range_type() into the atomic
      cpu_physical_memory_test_and_clear_dirty().

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-6-git-send-email-stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 20015f72bda7d2f356c43580a5542a659afedf83
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:17 2014 +0000

      migration: move dirty bitmap sync to ram_addr.h

      The dirty memory bitmap is managed by ram_addr.h and copied to
      migration_bitmap[] periodically during live migration.

      Move the code to sync the bitmap to ram_addr.h where related code lives.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-5-git-send-email-stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d114875b9a1c21162f69a12d72f69a22e7bab376
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:16 2014 +0000

      memory: use atomic ops for setting dirty memory bits

      Use set_bit_atomic() and bitmap_set_atomic() so that multiple threads
      can dirty memory without race conditions.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-4-git-send-email-stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 36546e5b803f6e363906607307f27c489441fd15
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:15 2014 +0000

      bitmap: add atomic test and clear

      The new bitmap_test_and_clear_atomic() function clears a range and
      returns whether or not the bits were set.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-3-git-send-email-stefanha@xxxxxxxxxx>
      [Test before xchg; then a full barrier is needed at the end just like
       in the previous patch.  The barrier can be avoided if we did at least
       one xchg.  - Paolo]
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9f02cfc84b85929947b32fe1674fbc6a429f332a
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:14 2014 +0000

      bitmap: add atomic set functions

      Use atomic_or() for atomic bitmaps where several threads may set bits at
      the same time.  This avoids the race condition between threads loading
      an element, bitwise ORing, and then storing the element.

      When setting all bits in a word we can avoid atomic ops and instead just
      use an smp_mb() at the end.

      Most bitmap users don't need atomicity so introduce new functions.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-2-git-send-email-stefanha@xxxxxxxxxx>
      [Avoid barrier in the single word case, use full barrier instead of write.
       - Paolo]
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9460dee4b2258e3990906fb34099481c8334c267
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 11:41:32 2015 +0100

      memory: do not touch code dirty bitmap unless TCG is enabled

      cpu_physical_memory_set_dirty_lebitmap unconditionally syncs the
      DIRTY_MEMORY_CODE bitmap.  This however is unused unless TCG is
      enabled.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e87f7778b64d4a6a78e16c288c7fdc6c15317d5f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Mar 25 15:21:39 2015 +0100

      exec: only check relevant bitmaps for cleanliness

      Most of the time, not all bitmaps have to be marked as dirty;
      do not do anything if the interesting ones are already dirty.
      Previously, any clean bitmap would have cause all the bitmaps to be
      marked dirty.

      In fact, unless running TCG most of the time bitmap operations need
      not be done at all, because memory_region_is_logging returns zero.
      In this case, skip the call to cpu_physical_memory_range_includes_clean
      altogether as well.

      With this patch, cpu_physical_memory_set_dirty_range is called
      unconditionally, so there need not be anymore a separate call to
      xen_modified_memory.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 72b47e79cef36ed6ffc718f10e21001d7ec2a66f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 13:48:25 2015 +0200

      exec: invert return value of cpu_physical_memory_get_clean, rename

      While it is obvious that cpu_physical_memory_get_dirty returns true even 
if
      a single page is dirty, the same is not true for 
cpu_physical_memory_get_clean;
      one would expect that it returns true only if all the pages are clean, but
      it actually looks for even one clean page.  (By contrast, the caller of 
that
      function, cpu_physical_memory_range_includes_clean, has a good name).

      To clarify, rename the function to cpu_physical_memory_all_dirty and 
return
      true if _all_ the pages are dirty.  This is the opposite of the previous
      meaning, because "all are 1" is the same as "not (any is 0)", so we have 
to
      modify cpu_physical_memory_range_includes_clean as well.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 58d2707e8713ef17b89b8b4c9ce586c76655a385
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 11:56:01 2015 +0100

      exec: pass client mask to cpu_physical_memory_set_dirty_range

      This cuts in half the cost of bitmap operations (which will become more
      expensive when made atomic) during migration on non-VRAM regions.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fc377bcf617a48233a99a9fe0a26247c38b5cb76
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 14:20:35 2015 +0200

      translate-all: make less of tb_invalidate_phys_page_range depend on 
is_cpu_write_access

      is_cpu_write_access is only set if tb_invalidate_phys_page_range is called
      from tb_invalidate_phys_page_fast, and hence from notdirty_mem_write.
      However:

      - the code bitmap can be built directly in tb_invalidate_phys_page_fast
        (unconditionally, since is_cpu_write_access would always be passed as 
1);

      - the virtual address is not needed to mark the page as "not containing
        code" (dirty code bitmap = 1), so we can also remove that use of
        is_cpu_write_access.  For calls of tb_invalidate_phys_page_range
        that do not come from notdirty_mem_write, the next call to
        notdirty_mem_write will notice that the page does not contain code
        anymore, and will fix up the TLB entry.

      The parameter needs to remain in order to guard accesses to 
cpu->mem_io_pc.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9564f52da7eb061326956ed9a468935e3352512d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 14:24:54 2015 +0200

      cputlb: remove useless arguments to tlb_unprotect_code_phys, rename

      These days modification of the TLB is done in notdirty_mem_write,
      so the virtual address and env pointer as unnecessary.

      The new name of the function, tlb_unprotect_code, is consistent with
      tlb_protect_code.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 358653391b0c0beaa0e3f9e28304e1918cd223b3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 14:20:35 2015 +0200

      translate-all: remove unnecessary argument to tb_invalidate_phys_range

      The is_cpu_write_access argument is always 0, remove it.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1652b974766401743879d78f796f44b8929b0787
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 14:15:48 2015 +0200

      exec: move functions to translate-all.h

      Remove them from the sundry exec-all.h header, since they are only used by
      the TCG runtime in exec.c and user-exec.c.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 845b6214a309fa58a4405050bf8313e19fde5c91
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 11:45:53 2015 +0100

      exec: use memory_region_get_dirty_log_mask to optimize dirty tracking

      The memory API can now return the exact set of bitmaps that have to
      be tracked.  Use it instead of the in_migration variable.

      In the next patches, we will also use it to set only DIRTY_MEMORY_VGA
      or DIRTY_MEMORY_MIGRATION if necessary.  This can make a difference
      for dataplane, especially after the dirty bitmap is changed to use
      more expensive atomic operations.

      Of some interest is the change to stl_phys_notdirty.  When migration
      was introduced, stl_phys_notdirty was changed to effectively behave
      as stl_phys during migration.  In fact, if one looks at the function as it
      was in the beginning (commit 8df1cd0, physical memory access functions,
      2005-01-28), at the time the dirty bitmap was the equivalent of
      DIRTY_MEMORY_CODE nowadays; hence, the function simply should not touch
      the dirty code bits.  This patch changes it to do the intended thing.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 49dfcec40349245ad365964468b67e132c3cedc7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 11:35:19 2015 +0100

      ram_addr: tweaks to xen_modified_memory

      Invoke xen_modified_memory from 
cpu_physical_memory_set_dirty_range_nocode;
      it is akin to DIRTY_MEMORY_MIGRATION, so set it together with that bitmap.
      The remaining call from invalidate_and_set_dirty's "else" branch will go
      away soon.

      Second, fix the second argument to the function in the
      cpu_physical_memory_set_dirty_lebitmap call site.  That function is only 
used
      by KVM, but it is better to be clean anyway.

      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1bfbac4ee16e2ea95d087e0926727d9a113b483e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:57:21 2015 +0100

      kvm: remove special handling of DIRTY_MEMORY_MIGRATION in the dirty log 
mask

      One recent example is commit 4cc856f (kvm-all: Sync dirty-bitmap from
      kvm before kvm destroy the corresponding dirty_bitmap, 2015-04-02).
      Another performance problem is that KVM keeps tracking dirty pages
      after a failed live migration, which causes bad performance due to
      disallowing huge page mapping.

      Thanks to the previous patch, KVM can now stop hooking into
      log_global_start/stop.  This simplifies the KVM code noticeably.

      Reported-by: Wanpeng Li <wanpeng.li@xxxxxxxxxxxxxxx>
      Reported-by: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6f6a5ef3e429f92f987678ea8c396aab4dc6aa19
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:57:21 2015 +0100

      memory: include DIRTY_MEMORY_MIGRATION in the dirty log mask

      The separate handling of DIRTY_MEMORY_MIGRATION, which does not
      call log_start/log_stop callbacks when it changes in a region's
      dirty logging mask, has caused several bugs.

      One recent example is commit 4cc856f (kvm-all: Sync dirty-bitmap from
      kvm before kvm destroy the corresponding dirty_bitmap, 2015-04-02).
      Another performance problem is that KVM keeps tracking dirty pages
      after a failed live migration, which causes bad performance due to
      disallowing huge page mapping.

      This patch removes the root cause of the problem by reporting
      DIRTY_MEMORY_MIGRATION changes via log_start and log_stop.
      Note that we now have to rebuild the FlatView when global dirty
      logging is enabled or disabled; this ensures that log_start and
      log_stop callbacks are invoked.

      This will also be used to make the setting of bitmaps conditional.
      In general, this patch lets users of the memory API ignore the
      global state of dirty logging if they handle dirty logging
      generically per region.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ea8cb1a8d98f5e3822a23a7cecdb4add0f29178b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Apr 27 14:51:31 2015 +0200

      kvm: accept non-mapped memory in kvm_dirty_pages_log_change

      It is okay if memory is not mapped into the guest but has dirty logging
      enabled.  When this happens, KVM will not do anything and only accesses
      from the host will be logged.

      This can be triggered by iofuzz.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 677e7805cf95f3b2bca8baf0888d1ebed7f0c606
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:53:21 2015 +0100

      memory: track DIRTY_MEMORY_CODE in mr->dirty_log_mask

      DIRTY_MEMORY_CODE is only needed for TCG.  By adding it directly to
      mr->dirty_log_mask, we avoid testing for TCG everywhere a region is
      checked for the enabled/disabled state of dirty logging.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 42af3e3a02f6d0c38c46465b7f0311eabf532f77
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 13:30:19 2015 +0200

      ui/console: remove dpy_gfx_update_dirty

      dpy_gfx_update_dirty expects DIRTY_MEMORY_VGA logging to be always on,
      but that will not be the case soon.  Because it computes the memory
      region on the fly for every update (with memory_region_find), it cannot
      enable/disable logging by itself.

      We could always treat updates as invalidations if dirty logging is
      not enabled, assuming that the board will enable logging on the
      RAM region that includes the framebuffer.

      However, the function is unused, so just drop it.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d55d42078bfb507743747b761673507b95a76620
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:46:52 2015 +0100

      framebuffer: check memory_region_is_logging

      framebuffer.c expects DIRTY_MEMORY_VGA logging to be always on, but that
      will not be the case soon.  Because framebuffer.c computes the memory
      region on the fly for every update (with memory_region_find), it cannot
      enable/disable logging by itself.

      Instead, always treat updates as invalidations if dirty logging is
      not enabled, assuming that the board will enable logging on the
      RAM region that includes the framebuffer.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b2dfd71c4843a762f2befe702adb249cf55baf66
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sat Apr 25 14:38:30 2015 +0200

      memory: prepare for multiple bits in the dirty log mask

      When the dirty log mask will also cover other bits than DIRTY_MEMORY_VGA,
      some listeners may be interested in the overall zero/non-zero value of
      the dirty log mask; others may be interested in the value of single bits.

      For this reason, always call log_start/log_stop if bits have respectively
      appeared or disappeared, and pass the old and new values of the dirty log
      mask so that listeners can distinguish the kinds of change.

      For example, KVM checks if dirty logging used to be completely disabled
      (in log_start) or is now completely disabled (in log_stop).  On the
      other hand, Xen has to check manually if DIRTY_MEMORY_VGA changed,
      since that is the only bit it cares about.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2d1a35bef0ed96b3f23535e459c552414ccdbafd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:50:57 2015 +0100

      memory: differentiate memory_region_is_logging and 
memory_region_get_dirty_log_mask

      For now memory regions only track DIRTY_MEMORY_VGA individually, but
      this will change soon.  To support this, split memory_region_is_logging
      in two functions: one that returns a given bit from dirty_log_mask,
      and one that returns the entire mask.  memory_region_is_logging gets an
      extra parameter so that the compiler flags misuse.

      While VGA-specific users (including the Xen listener!) will want to keep
      checking that bit, KVM and vhost check for "any bit except migration"
      (because migration is handled via the global start/stop listener
      callbacks).

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5299c0f2cf951c23ec681ff87e455d1cf4ec537b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 13:12:40 2015 +0200

      display: add memory_region_sync_dirty_bitmap calls

      These are strictly speaking only needed for KVM and Xen, but it's still
      nice to be consistent.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 74259ae55b15bff4ef7b26faa6431a3ff16d7c9d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:47:45 2015 +0100

      display: enable DIRTY_MEMORY_VGA tracking explicitly

      This will be required soon by the memory core.

      Tested-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 086f90e890fb25e7f12fbe72fe5a8078792398aa
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 12:43:24 2015 +0200

      g364fb: remove pointless call to memory_region_set_coalescing

      Coalescing work on MMIO, not RAM, thus this call has no effect.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dbddac6da01a13c9d5d162994a0a265173acecab
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:31:53 2015 +0100

      memory: the only dirty memory flag for users is DIRTY_MEMORY_VGA

      DIRTY_MEMORY_MIGRATION is triggered by memory_global_dirty_log_start
      and memory_global_dirty_log_stop, so it cannot be used with
      memory_region_set_log.

      Specify this in the documentation and assert it.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6b4ad3b28d4a70ad93f287b50200b04766aeb0de
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon May 25 22:38:06 2015 -0700

      Makefile.target: set master BUILD_DIR

      make can be invoked in the individual build dirs to build an individual
      target or just a single file of a target. e.g.

      touch translate-all.c
      make -C microblazeel-softmmu translate-all.o

      There is however a small bug when using the pixman submodule.
      config-host.mak will ref BUILD_DIR for the pixman -I CFLAGS:

      grep BUILD_DIR config-host.mak
      QEMU_CFLAGS=-I$(SRC_PATH)/pixman/pixman -I$(BUILD_DIR)/pixman/pixman ...

      This causes a build failure as -I/pixman/pixman (BUILD_DIR=="") will
      not be found.

      BUILD_DIR is usually set by the top level Makefile. Just lazy-set it in
      Makefile.target to the parent directory.

      Granted, this will not work if the pixman submodule is not prebuilt,
      but it at least means you can do incremental partial builds once you
      have done your initial full build (or attempt) from the top level.

      The next step would be refactor make infrastructure to rebuild pixman
      on a submake like the one above.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<1432618686-16077-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit db94604b20278c1dc227a04e4c564d80230e6c3f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 21 15:12:29 2015 +0200

      exec: optimize phys_page_set_level

      phys_page_set_level is writing zeroes to a struct that has just been
      filled in by phys_map_node_alloc.  Instead, tell phys_map_node_alloc
      whether to fill in the page "as a leaf" or "as a non-leaf".

      memcpy is faster than struct assignment, which copies each bitfield
      individually.  A compiler bug (https://gcc.gnu.org/PR66391), and
      small memcpys like this one are special-cased anyway, and optimized
      to a register move, so just use the memcpy.

      This cuts the cost of phys_page_set_level from 25% to 5% when
      booting qboot.

      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e4afbf4fb4d026510700cb40bb72dea9aef14e3b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue May 19 10:50:59 2015 +0000

      qemu-nbd: Switch to qemu_set_fd_handler

      Achieved by:

      - Remembering the server fd with a global variable, in order to access
        it from nbd_client_closed.

      - Checking nbd_can_accept() and updating server_fd handler whenever
        client connects or disconnects.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1432032670-15124-3-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dae02ba55a66cb3194a2410c7725734e5bc6166f
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Mon May 18 21:06:47 2015 +0200

      ppc: add helpful message when KVM fails to start VCPU

      On POWER8 systems, KVM checks if VCPU is running on primary threads,
      and that secondary threads are offline. If this is not the case,
      ioctl() fails with errno set to EBUSY.

      QEMU aborts with a non explicit error message:
      $ ./qemu-system-ppc64 --nographic -machine pseries,accel=kvm
      error: kvm run failed Device or resource busy

      To help user to diagnose the problem, this patch adds an informative
      error message.

      There is no easy way to check if SMT is enabled before starting the VCPU,
      and as this case is the only one setting errno to EBUSY, we just check
      the errno value to display a message.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Message-Id: <1431976007-20503-1-git-send-email-lvivier@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9157eee1b1c076ff3316361b760e891dda13e9bf
  Author: Miroslav Rezanina <mrezanin@xxxxxxxxxx>
  Date:   Wed May 13 11:39:30 2015 +0200

      Move parallel_hds_isa_init to hw/isa/isa-bus.c

      Disabling CONFIG_PARALLEL cause removing parallel_hds_isa_init defined in
      parallel.c. This function is called during initialization of some boards 
so
      disabling CONFIG_PARALLEL cause build failure.

      This patch moves parallel_hds_isa_init to hw/isa/isa-bus.c so it is 
included
      in case of disabled CONFIG_PARALLEL. Build is successful but qemu will 
abort
      with "Unknown device" error when function is called.

      Signed-off-by: Miroslav Rezanina <mrezanin@xxxxxxxxxx>
      Message-Id: <1431509970-32154-1-git-send-email-mrezanin@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 00967f4e0bab246679d0ddc32fd31a7179345baf
  Merge: d6688ba 9814fed
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 5 12:04:41 2015 +0100

      Merge remote-tracking branch 
'remotes/agraf/tags/signed-s390-for-upstream' into staging

      Patch queue for s390 - 2015-06-05

      This time there are a lot of s390x TCG emulation bug fixes - almost all
      of them from Aurelien, who returned from nirvana :).

      # gpg: Signature made Fri Jun  5 00:39:27 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-s390-for-upstream: (34 commits)
        target-s390x: Only access allocated storage keys
        target-s390x: fix MVC instruction when areas overlap
        target-s390x: use softmmu functions for mvcp/mvcs
        target-s390x: support non current ASC in s390_cpu_handle_mmu_fault
        target-s390x: add a cpu_mmu_idx_to_asc function
        target-s390x: implement high-word facility
        target-s390x: implement load-and-trap facility
        target-s390x: implement miscellaneous-instruction-extensions facility
        target-s390x: implement LPDFR and LNDFR instructions
        target-s390x: implement TRANSLATE EXTENDED instruction
        target-s390x: implement TRANSLATE AND TEST instruction
        target-s390x: implement LOAD FP INTEGER instructions
        target-s390x: move SET DFP ROUNDING MODE to the correct facility
        target-s390x: move STORE CLOCK FAST to the correct facility
        target-s390x: change CHRL and CGHRL format to RIL-b
        target-s390x: fix CLGIT instruction
        target-s390x: fix exception for invalid operation code
        target-s390x: implement LAY and LAEY instructions
        target-s390x: move a few instructions to the correct facility
        target-s390x: detect tininess before rounding for FP operations
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0ba98885a0e965a17df214ab12b819ef630d8a14
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Jun 4 22:59:37 2015 +0100

      macio: remove remainder_len DBDMA_io property

      Since the block alignment code is now effectively independent of the DMA
      implementation, this variable is no longer required and can be removed.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1433455177-21243-5-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit b01d44cd0623dec66e583d6cd2438451443261df
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Jun 4 22:59:36 2015 +0100

      macio: update comment/constants to reflect the new code

      With the offset/len functions taking care of all of the alignment mapping
      in isolation from the DMA tranasaction, many comments are now unnecessary.
      Remove these and tidy up a few constants at the same time.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1433455177-21243-4-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit ac58fe7b2c67a9be142beacd4c6ee51f3264d90f
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Jun 4 22:59:35 2015 +0100

      macio: switch pmac_dma_write() over to new offset/len implementation

      In particular, this fixes a bug whereby chains of overlapping head/tail 
chains
      would incorrectly write over each other's remainder cache. This is the 
access
      pattern used by OS X/Darwin and fixes an issue with a corrupt Darwin
      installation in my local tests.

      While we are here, rename the DBDMA_io struct property remainder to
      head_remainder for clarification.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1433455177-21243-3-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 0389b8f8c7688fe512e16bdc00c5f35d2d8df12c
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Jun 4 22:59:34 2015 +0100

      macio: switch pmac_dma_read() over to new offset/len implementation

      For better handling of unaligned block device accesses.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1433455177-21243-2-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 9814fed0afa73f5c37f04e02ec17c915a5d59303
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Thu Jun 4 00:52:44 2015 +0200

      target-s390x: Only access allocated storage keys

      We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure 
that
      we only access that many. Unfortunately the code can overrun this array by
      one, potentially overwriting unrelated memory.

      Fix it by limiting storage keys to their scope.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 068593deea6cc61b06243a33c7fcfadb1650b654
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:56 2015 +0200

      target-s390x: fix MVC instruction when areas overlap

      The MVC instruction and the memmove C funtion do not have the same
      semantic when memory areas overlap:

      MVC: When the operands overlap, the result is obtained as if the
      operands were processed one byte at a time and each result byte were
      stored immediately after fetching the necessary operand byte.

      memmove: Copying takes place as though the bytes in src are first copied
      into a temporary array that does not overlap src or dest, and the bytes
      are then copied from the temporary array to dest.

      The behaviour is therefore the same when the destination is at a lower
      address than the source, but not in the other case. This is actually a
      trick for propagating a value to an area. While the current code detects
      that and call memset in that case, it only does for 1-byte value. This
      trick can and is used for propagating two or more bytes to an area.

      In the softmmu case, the call to mvc_fast_memmove is correct as the
      above tests verify that source and destination are each within a page,
      and both in a different page. The part doing the move 8 bytes by 8 bytes
      is wrong and we need to check that if the source and destination
      overlap, they do with a distance of minimum 8 bytes before copying 8
      bytes at a time.

      In the user code, we should check check that the destination is at a
      lower address than source or than the end of the source is at a lower
      address than the destination before calling memmove. In the opposite
      case we fallback to the same code as the softmmu one. Note that l
      represents (length - 1).

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a3084e8055067b3fe8ed653a609021d2ab368564
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:55 2015 +0200

      target-s390x: use softmmu functions for mvcp/mvcs

      mvcp and mvcs helper get access to the physical memory by a call to
      mmu_translate for the virtual to real conversion and then using ldb_phys
      and stb_phys to physically access the data. In practice this is quite
      slow because it bypasses the QEMU softmmu TLB and because stb_phys calls
      try to invalidate the corresponding memory for each access.

      Instead use cpu_ldb_{primary,secondary} for the loads and
      cpu_stb_{primary,secondary} for the stores. Ideally this should be
      further optimized by a call to memcpy, but that already improves the
      boot time of a guest by a factor 1.8.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c255ac601231e8c53007e10d640722ac58eb77cc
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:54 2015 +0200

      target-s390x: support non current ASC in s390_cpu_handle_mmu_fault

      s390_cpu_handle_mmu_fault currently looks at the current ASC mode
      defined in PSW mask instead of the MMU index. This prevent emulating
      easily instructions using a specific ASC mode. Fix that by using the
      MMU index converted back to ASC using the just added cpu_mmu_idx_to_asc
      function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4decd76d71d6972a59bf0a16d0dea0c83490d001
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:53 2015 +0200

      target-s390x: add a cpu_mmu_idx_to_asc function

      Use constants to define the MMU indexes, and add a function to do
      the reverse conversion of cpu_mmu_index.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a1f12d855b6ec79a640fa6a74d12884f1646ecfe
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:52 2015 +0200

      target-s390x: implement high-word facility

      Besides RISBHG and RISBLG, all high-word instructions are not
      implemented. Fix that.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 782a8479522f8e4a596f968e4acad5c10b77e061
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:51 2015 +0200

      target-s390x: implement load-and-trap facility

      At the same time move the trap code from op_ct into gen_trap and use it
      for all new functions. The value needs to be stored back to register
      before the exception, but also before the brcond (as we don't use
      temp locals). That's why we can't use wout helper.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 375ee58bedcda359011fe7fa99e0647f66f9ffa0
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:50 2015 +0200

      target-s390x: implement miscellaneous-instruction-extensions facility

      RISBGN is the same as RISBG, but without setting the condition code.
      CLT and CLGT are the same as CLRT and CLGRT, but using memory for the
      second operand.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit df46283ce7be962002a30140a91ffbb56832cc2d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:49 2015 +0200

      target-s390x: implement LPDFR and LNDFR instructions

      This complete the floating point support sign handling facility.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 3f4de6756cd87b508b37c7ffa93f7b827832c4eb
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:48 2015 +0200

      target-s390x: implement TRANSLATE EXTENDED instruction

      It is part of the basic zArchitecture instructions.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 54f007750978ffbb98ce933077e0d1741e0202b0
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:47 2015 +0200

      target-s390x: implement TRANSLATE AND TEST instruction

      It is part of the basic zArchitecture instructions. Allow it to be call
      from EXECUTE.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ed0bcecec105137567f461e5b57834e72c851855
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:46 2015 +0200

      target-s390x: implement LOAD FP INTEGER instructions

      This is needed to pass the gcc.c-torture/execute/ieee/20010114-2.c test
      in the gcc testsuite.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9182886d797a20925d801a3378ca5330c0d91dfb
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:45 2015 +0200

      target-s390x: move SET DFP ROUNDING MODE to the correct facility

      It belongs to the DFP rounding facility.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f7c2114067cc32eb8d8f79b7374a641ec5f4eb72
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:44 2015 +0200

      target-s390x: move STORE CLOCK FAST to the correct facility

      STORE CLOCK FAST should be in the SCF facility.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 74266b4a5837b46477034a39acc2be3a3afba431
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:43 2015 +0200

      target-s390x: change CHRL and CGHRL format to RIL-b

      Change to match the PoP. In practice both format RIL-a and RIL-b have
      the same fields. They differ on the way we decode the fields, and it's
      done correctly in QEMU.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1dedb9b76f061c8da730002f6c21a1fa2b76b106
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:42 2015 +0200

      target-s390x: fix CLGIT instruction

      The COMPARE LOGICAL IMMEDIATE AND TRAP instruction should compare the
      numbers as unsigned, as its name implies.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 111d7f4a69751d333bac32526cd252add6b071d3
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:41 2015 +0200

      target-s390x: fix exception for invalid operation code

      When an operation code is not recognized (ie invalid instruction) an
      operation exception should be generated instead of a specification
      exception. The latter is for valid opcode, with invalid operands or
      modifiers.

      This give a very basic GDB support in the guest, as it uses the invalid
      opcode 0x0001 to generate a trap.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a1c7610a68795d66249c25166220324d4d0b9289
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:31 2015 +0200

      target-s390x: implement LAY and LAEY instructions

      This complete the general-instructions-extension facility, enable it.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      [agraf: remove facility bit]
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 92892330e78ffca7bebf03f4f7161c5bbd6602d2
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:30 2015 +0200

      target-s390x: move a few instructions to the correct facility

      LY is part of the long-displacement facility.
      RISBHG and RISBLG are part of the high-word facility.
      STCMH is part of the z/Architecture.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4a33565f9f46145d8cc701ab623b18bf423c469e
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:26 2015 +0200

      target-s390x: detect tininess before rounding for FP operations

      The s390x floating point unit detects tininess before rounding, so set
      the softfloat fp_status up appropriately.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f821135cdd4df09b1362666ddfbdfd162b905b1f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:25 2015 +0200

      target-s390x: silence NaNs for LOAD LENGTHENED and LOAD ROUNDED

      LOAD LENGTHENED and LOAD ROUNDED are considered as FP operations and
      thus need to convert input sNaN into corresponding qNaN.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2daea9c16ffe61377b6e5426d9c52014bf538df3
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:24 2015 +0200

      target-s390x: define default NaN values

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1f65958d9c21fd3b461f6b645e7884866313c1f3
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:23 2015 +0200

      target-s390x: fix MMU index computation

      The cpu_mmu_index function wrongly looks at PSW P bit to determine the
      MMU index, while this bit actually only control the use of priviledge
      instructions. The addressing mode is detected by looking at the PSW ASC
      bits instead.

      This used to work more or less correctly up to kernel 3.6 as the kernel
      was running in primary space and userland in secondary space. Since
      kernel 3.7 the default is to run the kernel in home space and userland
      in primary space. While the current QEMU code seems to work it open some
      security issues, like accessing the lowcore memory in R/W mode from a
      userspace process once it has been accessed by the kernel (it is then
      cached by the QEMU TLB).

      At the same time change the MMU_USER_IDX value so that it matches the
      value used in recent kernels.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9bebf9863bd16cc824231ad71959a338dc1819ac
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:22 2015 +0200

      target-s390x: fix PSW value on dynamical exception from helpers

      runtime_exception computes the psw.addr value using the actual exception
      address and the instruction length computed by calling the get_ilen
      function. However as explained above the get_ilen code, it returns the
      actual instruction length, and not the ILC. Therefore there is no need to
      multiply the value by 2.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit aa752a4afc2a4b7ede58a960a9d553b3fd9e6882
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Tue May 26 11:09:44 2015 +0200

      target-s390x: fix LOAD MULTIPLE instruction on page boundary

      When consecutive memory locations are on page boundary a page fault
      might occur when using the LOAD MULTIPLE instruction. In that case real
      hardware doesn't load any register.

      This is an important detail in case the base register is in the list
      of registers to be loaded. If a page fault occurs this register might be
      overwritten and when the instruction is later restarted the wrong
      base register value is useD.

      Fix this by first loading the first and last value from memory, hence
      triggering all possible page faults, and then the remaining registers.

      This fixes random segmentation faults seen in the guest.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit b8ae94bd398ff772f40fb232887ecbcbd244c3d4
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:29 2015 +0200

      target-s390x: implement STPT helper

      Save the timer target value in the SPT helper, so that the STPT helper
      can compute the remaining time.

      This allow the Linux kernel to correctly do time accounting.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit aa9e14e684506e8ddf02bd5cff720520827bf244
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:28 2015 +0200

      target-s390x: implement STCKC helper

      The STCKC instruction just returns the last written clock comparator
      value and KVM already provides the corresponding variable.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d9d55f1108f45c866098731d95fef88409ff1e94
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:27 2015 +0200

      target-s390x: streamline STCK helper

      Now that clock_value is only used in one place, we can inline it in
      the STCK helper.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c941f07485e56e4b2653048e166b720428307acb
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:26 2015 +0200

      target-s390x: simplify SCKC helper

      The clock comparator and the QEMU timer work the same way, triggering
      at a given time, they just differ by the origin and the scale. It is
      therefore possible to go from one to another without using the current
      clock value. This spares two calls to qemu_clock_get_ns, which probably
      return slightly different values, possibly reducing the accuracy.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9cb32c442e11d16b747fa07e29dd29b5d8227b57
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:25 2015 +0200

      target-s390x: add a tod2time function

      Add a tod2time function similar to the time2tod one, instead of open
      coding the conversion.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a91a1b20a23424412a3e7bb184422ec30ae64453
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 15:40:00 2015 +0200

      target-s390x: remove unused helpers

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d30107814c8d02f1896bd57249aef1b5aaed38c9
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 15:39:59 2015 +0200

      target-s390x: optimize (negative-) abs computation

      Now that movcond exists, it's easy to write (negative-) absolute value
      using TCG code instead of an helper.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2aaa1940684a3bf2b381fd2a8ff26c287a05109d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 15:39:58 2015 +0200

      target-s390x: fix CC computation for LOAD POSITIVE instructions

      LOAD POSITIVE instructions (LPR, LPGR and LPGFR) set the following
      condition code:
        0: Result zero; no overflow
        1: --
        2: Result greater than zero; no overflow
        3: Overflow

      The current code wrongly returns 1 instead of 2 in case of a result
      greater than 0. This patches fixes that. This fixes the marshalling of
      the value '0L' in Python.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ee0d0be16819896cc6c8018cbe171a632b61489c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun May 17 01:28:03 2015 +0200

      target-s390x: fix CC computation for EX instruction

      Commit 7a6c7067f optimized CC computation by only saving cc_op before
      calling helpers as they either don't touch the CC or generate a new
      static value. This however doesn't work for the EX instruction as the
      helper changes or not the CC value depending on the actual executed
      instruction (e.g. MVC vs CLC).

      This patches force a CC computation before calling the helper. This
      fixes random memory corruption occuring in guests.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      [agraf: remove set_cc_static in op_ex as suggested by rth]
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d6688ba17b934f20f5e8953dbaafc9408d8799c5
  Merge: 3b730f5 309750f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 18:32:44 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc, acpi, virtio, tpm

      This includes pxb support by Marcel, as well as multiple enhancements all 
over
      the place.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu Jun  4 11:51:02 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (28 commits)
        vhost: logs sharing
        hw/acpi: piix4_pm_init(): take fw_cfg object no more
        hw/acpi: move "etc/system-states" fw_cfg file from PIIX4 to core
        hw/acpi: acpi_pm1_cnt_init(): take "disable_s3" and "disable_s4"
        pc-dimm: don't assert if pc-dimm alignment != hotpluggable mem range 
size
        docs: Add PXB documentation
        apci: fix PXB behaviour if used with unsupported BIOS
        hw/pxb: add numa_node parameter
        hw/pci: add support for NUMA nodes
        hw/pxb: add map_irq func
        hw/pci: inform bios if the system has extra pci root buses
        hw/pci: introduce PCI Expander Bridge (PXB)
        hw/pci: removed 'rootbus nr is 0' assumption from qmp_pci_query
        hw/acpi: remove from root bus 0 the crs resources used by other buses.
        hw/acpi: add _CRS method for extra root busses
        hw/apci: add _PRT method for extra PCI root busses
        hw/acpi: add support for i440fx 'snooping' root busses
        hw/pci: extend PCI config access to support devices behind PXB
        hw/i386: query only for q35/pc when looking for pci host bridge
        hw/pci: made pci_bus_num a PCIBusClass method
        ...

      Conflicts:
        hw/i386/pc_piix.c

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3b730f570c5872ceea2137848f1d4554d4847441
  Merge: 2700a97 1de29ae
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 14:04:14 2015 +0100

      Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' 
into staging

      Patch queue for ppc - 2015-06-03

      Highlights this time around:

        - sPAPR: endian fixes, speedups, bug fixes, hotplug basics
        - add default ram size capability for machines (sPAPR defaults to 512MB 
now)

      # gpg: Signature made Wed Jun  3 22:59:09 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-ppc-for-upstream: (40 commits)
        softmmu: support up to 12 MMU modes
        tcg: add TCG_TARGET_TLB_DISPLACEMENT_BITS
        tci: do not use CPUArchState in tcg-target.h
        Add David Gibson for sPAPR in MAINTAINERS file
        pseries: Enable in-kernel H_LOGICAL_CI_{LOAD, STORE} implementations
        spapr: override default ram size to 512MB
        machine: add default_ram_size to machine class
        spapr_pci: emit hotplug add/remove events during hotplug
        spapr_pci: enable basic hotplug operations
        pci: make pci_bar useable outside pci.c
        spapr_pci: create DRConnectors for each PCI slot during PHB realize
        spapr_pci: add dynamic-reconfiguration option for spapr-pci-host-bridge
        spapr_drc: add spapr_drc_populate_dt()
        spapr_events: event-scan RTAS interface
        spapr_events: re-use EPOW event infrastructure for hotplug events
        spapr_rtas: add ibm, configure-connector RTAS interface
        spapr: add rtas_st_buffer_direct() helper
        spapr_rtas: add get-sensor-state RTAS interface
        spapr_rtas: add set-indicator RTAS interface
        spapr_rtas: add get/set-power-level RTAS interfaces
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2700a976dba6b107365aa9af7fd927ffb3dd3b21
  Merge: 6fa6b31 de38528
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 12:49:15 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-06-03' into staging

      trivial patches for 2015-06-03

      # gpg: Signature made Wed Jun  3 14:07:47 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-06-03: (30 commits)
        configure: postfix --extra-cflags to QEMU_CFLAGS
        cadence_gem: Fix Rx buffer size field mask
        slirp: use less predictable directory name in /tmp for smb config 
(CVE-2015-4037)
        translate-all: delete prototype for non-existent function
        Add -incoming help text
        hw/display/tc6393xb.c: Fix misusing qemu_allocate_irqs for single irq
        hw/arm/nseries.c: Fix misusing qemu_allocate_irqs for single irq
        hw/alpha/typhoon.c: Fix misusing qemu_allocate_irqs for single irq
        hw/unicore32/puv3.c: Fix misusing qemu_allocate_irqs for single irq
        hw/lm32/milkymist.c: Fix misusing qemu_allocate_irqs for single irq
        hw/lm32/lm32_boards.c: Fix misusing qemu_allocate_irqs for single irq
        hw/ppc/prep.c: Fix misusing qemu_allocate_irqs for single irq
        hw/sparc/sun4m.c: Fix misusing qemu_allocate_irqs for single irq
        hw/timer/arm_timer.c: Fix misusing qemu_allocate_irqs for single irq
        hw/isa/i82378.c: Fix misusing qemu_allocate_irqs for single irq
        hw/isa/lpc_ich9.c: Fix misusing qemu_allocate_irqs for single irq
        hw/i386/pc: Fix misusing qemu_allocate_irqs for single irq
        hw/intc/exynos4210_gic.c: Fix memory leak by adjusting order
        hw/arm/omap_sx1.c: Fix memory leak spotted by valgrind
        hw/ppc/e500.c: Fix memory leak
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 309750fad51f17d1ec6195c5d8ad7d741596ddb6
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Jun 4 05:28:46 2015 -0400

      vhost: logs sharing

      Currently we allocate one vhost log per vhost device. This is sub
      optimal when:

      - Guest has several device with vhost as backend
      - Guest has multiqueue devices

      In the above cases, we can avoid the memory allocation by sharing a
      single vhost log among all the vhost devices. This is done through:

      - Introducing a new vhost_log structure with refcnt inside.
      - Using a global pointer to vhost_log structure that will be used. And
        introduce helper to get the log with expected log size and helper to
      - drop the refcnt to the old log.
      - Each vhost device still keep track of a pointer to the log that was
        used.

      With above, if no resize happens, all vhost device will share a single
      vhost log. During resize, a new vhost_log structure will be allocated
      and made for the global pointer. And each vhost devices will drop the
      refcnt to the old log.

      Tested by doing scp during migration for a 2 queues virtio-net-pci.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6fa6b312765f698dc81b2c30e7eeb9683804a05b
  Merge: d2ceeb1 1b93c9a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 11:44:32 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue 2015-06-02

      # gpg: Signature made Tue Jun  2 20:21:17 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        arch_init: Drop target-x86_64.conf
        target-i386: Register QOM properties for feature flags
        apic: convert ->busdev.qdev casts to C casts
        target-i386: Fix signedness of MSR_IA32_APICBASE_BASE
        pc: Ensure non-zero CPU ref count after attaching to ICC bus

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6e7d82497dc8da7d420c8fa6632d759e08a18bc3
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Wed Apr 29 15:20:16 2015 +0200

      hw/acpi: piix4_pm_init(): take fw_cfg object no more

      This PIIX4 init function has no more reason to receive a pointer to the
      FwCfg object. Remove the parameter from the prototype, and update callers.

      As a result, the pc_init1() function no longer needs to save the return
      value of pc_memory_init() and xen_load_linux(), which makes it more
      similar to pc_q35_init().

      The return type & value of pc_memory_init() and xen_load_linux() are not
      changed themselves; maybe we'll need their return values sometime later.

      RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1204696
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit e3845e7c47cc3eaf35305c9c0f9d55ca3840b49b
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Wed Apr 29 15:20:15 2015 +0200

      hw/acpi: move "etc/system-states" fw_cfg file from PIIX4 to core

      The acpi_pm1_cnt_init() core function is responsible for setting up the
      register block that will ultimately react to S3 and S4 requests (see
      acpi_pm1_cnt_write()). It makes sense to advertise this configuration to
      the guest firmware via an easy to parse fw_cfg file (ACPI is too complex
      for firmware to parse), and indeed PIIX4 does that. However, since
      acpi_pm1_cnt_init() is not specific to PIIX4, neither should be the fw_cfg
      file.

      This patch makes "etc/system-states" appear on all chipsets modified in
      the previous patch, not just PIIX4 (assuming they have fw_cfg at all).

      RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1204696
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 9a10bbb4e83b184faef6fa744396a6775283c0aa
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Wed Apr 29 15:20:14 2015 +0200

      hw/acpi: acpi_pm1_cnt_init(): take "disable_s3" and "disable_s4"

      This patch only modifies the function prototype and updates all chipset
      code that calls acpi_pm1_cnt_init() to pass in their own disable_s3 and
      disable_s4 settings. vt82c686 is assumed to be fixed "S3 and S4 enabled".

      RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1204696
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit d2ceeb1d68ed8b005892408fcdb533f578aae081
  Merge: a67bfbb 94edf02
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 10:21:52 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150602' into staging

      target-arm queue:
       * more EL2 preparation patches
       * revert a no-longer-necessary workaround for old glib versions
       * add GICv2m support to virt board (MSI support)
       * pl061: fix wrong calculation of GPIOMIS register
       * support MSI via irqfd
       * remove a confusing v8_ prefix from some variable names
       * add dynamic sysbus device support to the virt board

      # gpg: Signature made Tue Jun  2 17:30:38 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150602: (22 commits)
        hw/arm/virt: change indentation in a15memmap
        hw/arm/virt: add dynamic sysbus device support
        hw/arm/boot: arm_load_kernel implemented as a machine init done notifier
        hw/arm/sysbus-fdt: helpers for platform bus nodes addition
        target-arm: Remove v8_ prefix from names of non-v8-specific cpreg arrays
        arm_gicv2m: set kvm_gsi_direct_mapping and kvm_msi_via_irqfd_allowed
        kvm: introduce kvm_arch_msi_data_to_gsi
        pl061: fix wrong calculation of GPIOMIS register
        target-arm: Add the GICv2m to the virt board
        target-arm: Extend the gic node properties
        arm_gicv2m: Add GICv2m widget to support MSIs
        target-arm: Add GIC phandle to VirtBoardInfo
        Revert "target-arm: Avoid g_hash_table_get_keys()"
        target-arm: Add TLBI_VAE2{IS}
        target-arm: Add TLBI_ALLE2
        target-arm: Add TLBI_ALLE1{IS}
        target-arm: Add TTBR0_EL2
        target-arm: Add TPIDR_EL2
        target-arm: Add SCTLR_EL2
        target-arm: Add TCR_EL2
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b5d3b039221f056befb3715471fee1f68214815c
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Wed Jun 3 17:10:43 2015 +0200

      pc-dimm: don't assert if pc-dimm alignment != hotpluggable mem range size

      Drop superfluous pc-dimm alignment on hot-pluggable mem
      range size assert, since it causes QEMU crash during hotplug
      when hotplugging pc-dimm with alignment bigger than
      an alignment of hot-pluggable mem range size.

      Instead allow pc_dimm_get_free_addr() find free address
      and bail out gracefully later in that function during
      checking if pc-dimm will fit in hot-pluggable mem range.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1de29aef17a7d70dbc04a7fe51e18942e3ebe313
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 5 09:18:23 2015 +0200

      softmmu: support up to 12 MMU modes

      At 8k per TLB (for 64-bit host or target), 8 or more modes
      make the TLBs bigger than 64k, and some RISC TCG backends do
      not like that.  On the affected hosts, cut the TLB size in
      half---there is still a measurable speedup on PPC with the
      next patch.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1424436345-37924-3-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 006f8638c62bca2b0caf609485f47fa5e14d8a3c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 5 09:18:22 2015 +0200

      tcg: add TCG_TARGET_TLB_DISPLACEMENT_BITS

      This will be used to size the TLB when more than 8 MMU modes are
      used by the target.  Limitations come from the limited size of
      the immediate fields (which sometimes, as in the case of Aarch64,
      extend to instructions that shift the immediate).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1424436345-37924-2-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 5a58e884d1d9905a835de2889c8cd73327fe2a94
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 19 09:59:34 2015 +0200

      tci: do not use CPUArchState in tcg-target.h

      tcg-target.h does not use any QEMU-specific symbols, save for tci's usage
      of CPUArchState.  Pull that up to tcg/tcg.h.

      This will make it possible to include tcg-target.h in cpu-defs.h.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 085eb217dfb3ee12e7985c11f71f8a038394735a
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri May 8 10:11:00 2015 +1000

      Add David Gibson for sPAPR in MAINTAINERS file

      At Alex Graf's request I'm now acting as sub-maintainer for the sPAPR
      (-machine pseries) code.  This updates MAINTAINERS accordingly.

      While we're at it, change the label to mention pseries since that's the
      actual name of the machine type, even if most of the C files use the sPAPR
      name.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 026bfd89cb896c8a3460cc551cc4836219bd7ff9
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:59 2015 +1000

      pseries: Enable in-kernel H_LOGICAL_CI_{LOAD, STORE} implementations

      qemu currently implements the hypercalls H_LOGICAL_CI_LOAD and
      H_LOGICAL_CI_STORE as PAPR extensions.  These are used by the SLOF 
firmware
      for IO, because performing cache inhibited MMIO accesses with the MMU off
      (real mode) is very awkward on POWER.

      This approach breaks when SLOF needs to access IO devices implemented
      within KVM instead of in qemu.  The simplest example would be virtio-blk
      using an iothread, because the iothread / dataplane mechanism relies on
      an in-kernel implementation of the virtio queue notification MMIO.

      To fix this, an in-kernel implementation of these hypercalls has been 
made,
      (kernel commit 99342cf "kvmppc: Implement H_LOGICAL_CI_{LOAD,STORE} in 
KVM"
      however, the hypercalls still need to be enabled from qemu.  This performs
      the necessary calls to do so.

      It would be nice to provide some warning if we encounter a problematic
      device with a kernel which doesn't support the new calls.  Unfortunately,
      I can't see a way to detect this case which won't either warn in far too
      many cases that will probably work, or which is horribly invasive.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a34944fe2e2457309bde74c1ffe3a1c60c6da018
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:58 2015 +1000

      spapr: override default ram size to 512MB

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Acked-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 076b35b5a56bca57c4aa41044ed304fe9c45d6c5
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:57 2015 +1000

      machine: add default_ram_size to machine class

      Machines types can have different requirement for default ram
      size. Introduce a member in the machine class and set the current
      default_ram_size to 128MB.

      For QEMUMachine types override the value during the registration of
      the machine and for MachineClass introduce the generic class init
      setting the default_ram_size.

      Add helpers [K,M,G,T,P,E]_BYTE for better readability and easy usage

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c5bc152bc399ae7ec8ac5227762e4320d0fd2d1c
  Author: Tyrel Datwyler <tyreld@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:56 2015 +1000

      spapr_pci: emit hotplug add/remove events during hotplug

      This uses extension of existing EPOW interrupt/event mechanism
      to notify userspace tools like librtas/drmgr to handle
      in-guest configuration/cleanup operations in response to
      device_add/device_del.

      Userspace tools that don't implement this extension will need
      to be run manually in response/advance of device_add/device_del,
      respectively.

      Signed-off-by: Tyrel Datwyler <tyreld@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7454c7af91bdd60216e2b6eead827c012bb4d0d0
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:55 2015 +1000

      spapr_pci: enable basic hotplug operations

      This enables hotplug of PCI devices to a PHB. Upon hotplug we
      generate the OF-nodes required by PAPR specification and
      IEEE 1275-1994 "PCI Bus Binding to Open Firmware" for the
      device.

      We associate the corresponding FDT for these nodes with the DRC
      corresponding to the slot, which will be fetched via
      ibm,configure-connector RTAS calls by the guest as described by PAPR
      specification.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit cf8c704d5a06e7b8327c65d19d0c342dc23fff84
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:54 2015 +1000

      pci: make pci_bar useable outside pci.c

      We need to work with PCI BARs to generate OF properties
      during PCI hotplug for sPAPR guests.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 62083979b0471ac07da6d94944bf12a9b18baa1f
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:53 2015 +1000

      spapr_pci: create DRConnectors for each PCI slot during PHB realize

      These will be used to support hotplug/unplug of PCI devices to the PCI
      bus associated with a particular PHB.

      We also set up device-tree properties in each PHBs initial FDT to
      describe the DRCs associated with them. This advertises to guests that
      each PHB is DR-capable device with physical hotpluggable slots, each
      managed by the corresponding DRC. This is necessary for allowing
      hotplugging of devices to it later via bus rescan or guest rpaphp
      hotplug module.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7619c7b00c90a39243f1229facde8c53a8fba921
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:52 2015 +1000

      spapr_pci: add dynamic-reconfiguration option for spapr-pci-host-bridge

      This option enables/disables PCI hotplug for a particular PHB.

      Also add machine compatibility code to disable it by default for machine
      types prior to pseries-2.4.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      [agraf: move commas for compat fields]
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit e4b798bb53447ba4608fc7e6ed91927bdb1c3d5d
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:51 2015 +1000

      spapr_drc: add spapr_drc_populate_dt()

      This function handles generation of ibm,drc-* array device tree
      properties to describe DRC topology to guests. This will by used
      by the guest to direct RTAS calls to manage any dynamic resources
      we associate with a particular DR Connector as part of
      hotplug/unplug.

      Since general management of boot-time device trees are handled
      outside of sPAPRDRConnector, we insert these values blindly given
      an FDT and offset. A mask of sPAPRDRConnector types is given to
      instruct us on what types of connectors entries should be generated
      for, since descriptions for different connectors may live in
      different parts of the device tree.

      Based on code originally written by Nathan Fontenot.

      Signed-off-by: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 79853e18d904b0a4bcef62701d48559688007c93
  Author: Tyrel Datwyler <tyreld@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:50 2015 +1000

      spapr_events: event-scan RTAS interface

      We don't actually rely on this interface to surface hotplug events, and
      instead rely on the similar-but-interrupt-driven check-exception RTAS
      interface used for EPOW events. However, the existence of this interface
      is needed to ensure guest kernels initialize the event-reporting
      interfaces which will in turn be used by userspace tools to handle these
      events, so we implement this interface here.

      Since events surfaced by this call are mutually exclusive to those
      surfaced via check-exception, we also update the RTAS event queue code
      to accept a boolean to mark/filter for events accordingly.

      Events of this sort are not currently generated by QEMU, but the interface
      has been tested by surfacing hotplug events via event-scan in place
      of check-exception.

      Signed-off-by: Tyrel Datwyler <tyreld@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 31fe14d15d08d613ff38abb249911e98c7966b86
  Author: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:49 2015 +1000

      spapr_events: re-use EPOW event infrastructure for hotplug events

      This extends the data structures currently used to report EPOW events to
      guests via the check-exception RTAS interfaces to also include event types
      for hotplug/unplug events.

      This is currently undocumented and being finalized for inclusion in PAPR
      specification, but we implement this here as an extension for guest
      userspace tools to implement (existing guest kernels simply log these
      events via a sysfs interface that's read by rtas_errd, and current
      versions of rtas_errd/powerpc-utils already support the use of this
      mechanism for initiating hotplug operations).

      We also add support for queues of pending RTAS events, since in the
      case of hotplug there's chance for multiple events being in-flight
      at any point in time.

      Signed-off-by: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 46503c2bc047bfe8c26440e17298fcbc59d7bbbe
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:48 2015 +1000

      spapr_rtas: add ibm, configure-connector RTAS interface

      This interface is used to fetch an OF device-tree nodes that describes a
      newly-attached device to guest. It is called multiple times to walk the
      device-tree node and fetch individual properties into a 'workarea'/buffer
      provided by the guest.

      The device-tree is generated by QEMU and passed to an sPAPRDRConnector 
during
      the initial hotplug operation, and the state of these RTAS calls is 
tracked by
      the sPAPRDRConnector. When the last of these properties is successfully
      fetched, we report as special return value to the guest and transition
      the device to a 'configured' state on the QEMU/DRC side.

      See docs/specs/ppc-spapr-hotplug.txt for a complete description of
      this interface.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ab316865db8ee97c53cd70c91b1b160c474102f8
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:47 2015 +1000

      spapr: add rtas_st_buffer_direct() helper

      This is similar to the existing rtas_st_buffer(), but for cases
      where the guest is not expecting a length-encoded byte array.
      Namely, for calls where a "work area" buffer is used to pass
      around arbitrary fields/data.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 886445a6ee808ee06533f9ecdf0f169c9ea83fbb
  Author: Mike Day <ncmike@xxxxxxxxxxx>
  Date:   Thu May 7 15:33:46 2015 +1000

      spapr_rtas: add get-sensor-state RTAS interface

      This interface allows a guest to read various platform/device sensors.
      initially, we only implement support necessary to support hotplug:
      reading of the dr-entity-sense sensor, which communicates the state of
      a hotplugged resource/device to the guest (EMPTY/PRESENT/UNUSABLE).

      See docs/specs/ppc-spapr-hotplug.txt for a complete description of
      this interface.

      Signed-off-by: Mike Day <ncmike@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 8c8639df32f19d5ca9bf6a823ac83e298a188fd1
  Author: Mike Day <ncmike@xxxxxxxxxxx>
  Date:   Thu May 7 15:33:45 2015 +1000

      spapr_rtas: add set-indicator RTAS interface

      This interface allows a guest to control various platform/device
      sensors. Initially, we only implement support necessary to control
      sensors that are required for hotplug: DR connector indicators/LEDs,
      resource allocation state, and resource isolation state.

      See docs/specs/ppc-spapr-hotplug.txt for a complete description of
      this interface.

      Signed-off-by: Mike Day <ncmike@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 094d20585ecdcd31959b1b88a390b4d2c4cfeab7
  Author: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:44 2015 +1000

      spapr_rtas: add get/set-power-level RTAS interfaces

      These interfaces manage the power domains that guest devices are
      assigned to and are used to power on/off devices. Currently we
      only utilize 1 power domain, the 'live-insertion' domain, which
      automates power management of plugged/unplugged devices, essentially
      making these calls no-ops, but the RTAS interfaces are still required
      by guest hotplug code and PAPR+.

      See docs/specs/ppc-spapr-hotplug.txt for a complete description of
      these interfaces.

      Signed-off-by: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit bbf5c878ab76a74f6277f99082c77bbdb1ad4c5b
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:43 2015 +1000

      spapr_drc: initial implementation of sPAPRDRConnector device

      This device emulates a firmware abstraction used by pSeries guests to
      manage hotplug/dynamic-reconfiguration of host-bridges, PCI devices,
      memory, and CPUs. It is conceptually similar to an SHPC device,
      complete with LED indicators to identify individual slots to physical
      physical users and indicate when it is safe to remove a device. In
      some cases it is also used to manage virtualized resources, such a
      memory, CPUs, and physical-host bridges, which in the case of pSeries
      guests are virtualized resources where the physical components are
      managed by the host.

      Guests communicate with these DR Connectors using RTAS calls,
      generally by addressing the unique DRC index associated with a
      particular connector for a particular resource. For introspection
      purposes we expose this state initially as QOM properties, and
      in subsequent patches will introduce the RTAS calls that make use of
      it. This constitutes to the 'guest' interface.

      On the QEMU side we provide an attach/detach interface to associate
      or cleanup a DeviceState with a particular sPAPRDRConnector in
      response to hotplug/unplug, respectively. This constitutes the
      'physical' interface to the DR Connector.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 11eec063f29733395846ba756ecd544876ef6839
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:42 2015 +1000

      docs: add sPAPR hotplug/dynamic-reconfiguration documentation

      This adds a general overview of hotplug/dynamic-reconfiguration
      for sPAPR/pSeries guest.

      As specified in PAPR+ v2.7.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 730fce593bbaa9240a0be860616ac4366113194d
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu May 7 15:33:41 2015 +1000

      hw/ppc/spapr: Use error_report() instead of hw_error()

      hw_error() is designed for printing CPU-related error messages
      (e.g. it also prints a full CPU register dump). For error messages
      that are not directly related to CPU problems, a function like
      error_report() should be used instead.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 68fea5a0d7bac17fd74f0608ceed1d914eb0718e
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu May 7 15:33:40 2015 +1000

      hw/ppc/spapr: Fix error message when firmware could not be loaded

      When specifying a non-existing file with the "-bios" parameter, QEMU
      complained that it "could not find LPAR rtas". That's obviously a
      copy-n-paste bug from the code which loads the spapr-rtas.bin, it
      should complain about a missing firmware file instead.
      Additionally the error message was printed with hw_error() - which
      also dumps the whole CPU state. However, this does not make much
      sense here since the CPU is not running yet and thus the registers
      only contain zeroes. So let's use error_report() here instead.
      And while we're at it, let's also bail out if the firmware file
      had zero length.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a1a45612433edb0eb65c468f7ed579cd92358818
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:39 2015 +1000

      pseries: Add pseries-2.4 machine type

      Now that 2.4 development has opened, create a new pseries machine type
      variant.  For now it is identical to the pseries-2.3 machine type, but
      a number of new features are coming that will need to set backwards
      compatibility options.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f9ce8e0aa3fb55ae7a8ea34d3169e73e87feb337
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu May 7 15:33:38 2015 +1000

      hw/ppc/spapr_iommu: Fix the check for invalid upper bits in liobn

      The check "liobn & 0xFFFFFFFF00000000ULL" in spapr_tce_find_by_liobn()
      is completely useless since liobn is only declared as an uint32_t
      parameter. Fix this by using target_ulong instead (this is what most
      of the callers of this function are using, too).

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit dea1b3ce756d7242d4212c22b7d6e6a896495154
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:37 2015 +1000

      spapr_iommu: Give unique QOM name to TCE table

      Useful for debugging.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ccf9ff8527a87ee485fbb6a0a73d28641cab5f60
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:36 2015 +1000

      spapr_pci: Rework device-tree rendering

      This replaces object_child_foreach() and callback with existing
      SPAPR_PCI_LIOBN() and spapr_tce_find_by_liobn() to make the code easier
      to read.

      This is a mechanical patch so no behaviour change is expected.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit fae807a2b182a613798fe619f9069bd0bbe3dc6a
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:35 2015 +1000

      spapr_iommu: Make spapr_tce_find_by_liobn() public

      At the moment spapr_tce_find_by_liobn() is used by H_PUT_TCE/...
      handlers to find an IOMMU by LIOBN.

      We are going to implement Dynamic DMA windows (DDW), new code
      will go to a new file and we will use spapr_tce_find_by_liobn()
      there too so let's make it public.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 46c5874e9cd752ed8ded31af03472edd8fc3efc1
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:34 2015 +1000

      spapr_pci: Make find_phb()/find_dev() public

      This makes find_phb()/find_dev() public and changed its names
      to spapr_pci_find_phb()/spapr_pci_find_dev() as they are going to
      be used from other parts of QEMU such as VFIO DDW (dynamic DMA window)
      or VFIO PCI error injection or VFIO EEH handling - in all these
      cases there are RTAS calls which are addressed to BUID+config_addr
      in IEEE1275 format.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d9d96a3cc7267880fbccb6bc4018fc31909fc930
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:33 2015 +1000

      spapr_iommu: Add separate trace points for PCI DMA operations

      This is to reduce VIO noise while debugging PCI DMA.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 3e1a01cb554412e8a9c25573126356596dc0c50f
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:32 2015 +1000

      spapr_pci: Define default DMA window size as a macro

      This gets rid of a magic constant describing the default DMA window size
      for an emulated PHB.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4290ca49eed5e239695ce85c925a770e4a7317a6
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:31 2015 +1000

      spapr_vio: Introduce a liobn number generating macros

      This introduces a macro which makes up a LIOBN from fixed prefix and
      VIO device address (@reg property).

      This is to keep LIOBN macros rendering consistent - the same macro for
      PCI has been added by the previous patch.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c8545818b331e9a32e5dd47f0aefbcf2b93e41da
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:30 2015 +1000

      spapr_pci: Introduce a liobn number generating macros

      We are going to have multiple DMA windows per PHB and we want them to
      migrate so we need a predictable way of assigning LIOBNs.

      This introduces a macro which makes up a LIOBN from fixed prefix,
      PHB index (unique PHB id) and window number.

      This introduces a SPAPR_PCI_DMA_WINDOW_NUM() to know the window number
      from LIOBN. It is used to distinguish the default 32bit windows from
      dynamic windows and avoid picking default DMA window properties from
      a wrong TCE table.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f1215ea702e6e6cb3876221cf1f7f60133e08c30
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:29 2015 +1000

      spapr_iommu: Make H_PUT_TCE_INDIRECT endian-safe

      PAPR is defined as big endian so TCEs need an adjustment so
      does this patch.

      This changes code to have ldq_be_phys() in one place.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 12fd28535891572be7aaf862a03019257dafa425
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:28 2015 +1000

      spapr_iommu: Disable in-kernel IOMMU tables for >4GB windows

      The existing KVM_CREATE_SPAPR_TCE ioctl only support 4G windows max as
      the window size parameter to the kernel ioctl() is 32-bit so
      there's no way of expressing a TCE window > 4GB.

      We are going to add huge DMA windows support so this will create small
      window and unexpectedly fail later.

      This disables KVM_CREATE_SPAPR_TCE for windows bigger that 4GB.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 421b1b27f6e9135ac8f01db219e0d8c0cefd7e71
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Mar 19 15:14:18 2015 +1100

      spapr_pci: Fix unsafe signed/unsigned comparisons

      spapr_pci.c contains a number of expressions of the form (uval == -1) or
      (uval != -1), where 'uval' is an unsigned value.

      This mostly works in practice, because as long as the width of uval is
      greater or equal than that of (int), the -1 will be promoted to the
      unsigned type, which is the expected outcome.

      However, at least for the cases where uval is uint32_t, this would break
      on platforms where sizeof(int) > 4 (and a few such do exist), because then
      the uint32_t value would be promoted to the larger int type, and never be
      equal to -1.

      This patch fixes these errors.  The fixes for the (uint32_t) cases are
      necessary as described above.  I've made similar fixes to (uint64_t) and
      (hwaddr) cases.  Those are strictly theoretical, since I don't know of any
      platforms where sizeof(int) > 8, but hey, it's not that hard so we might
      as well be strictly C standard compliant.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 31ce0adb79655003465070fa90d7d20a5b8c2ff5
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Mon May 18 12:59:49 2015 +0200

      configure: Check for libfdt version 1.4.0

      Some recent patches require a function from libfdt version 1.4.0,
      so we should check for this version during the configure step
      already. Unfortunately, there does not seem to be a proper #define
      for the version number in the libfdt headers. So alternatively,
      we check for the availability of the required function
      fdt_get_property_by_offset() instead instead.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 28f490b24af83a007937daacb9ea8bf7537f9084
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Mon May 18 12:59:48 2015 +0200

      dtc: Update dtc / libfdt submodule to version 1.4.0

      Since some recent patches require libfdt version 1.4.0,
      let's update the dtc submodule to this version.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 62e9cd771cc368a8fd0f152832b78c43557897a9
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 08:46:15 2015 +0100

      macio: Convert to realize()

      Convert device models "macio-oldworld" and "macio-newworld".

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 814550d73a94dcf9f2c9f8d2ee280226f1145388
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:12 2015 +0300

      docs: Add PXB documentation

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 0f6dd8e1d514b8c24689499ed72ea89fd0d967f3
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:11 2015 +0300

      apci: fix PXB behaviour if used with unsupported BIOS

      PXB does not work with unsupported bioses, but should
      not interfere with normal OS operation.
      We don't ship them anymore, but it's reasonable
      to keep the work-around until we update the bios in qemu.

      Fix this by not adding PXB mem/IO chunks to _CRS
      if they weren't configured by BIOS.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 0e79e51a7dcbd4fde5738d713b60f0fb0321f1af
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:10 2015 +0300

      hw/pxb: add numa_node parameter

      The pxb can be attach to and existing numa node by specifying
      numa_node option that equals the desired numa nodeid.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 6a3042b23bbb1fa92c00ea9267c830e7f2e99313
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:09 2015 +0300

      hw/pci: add support for NUMA nodes

      PCI root buses can be attached to a specific NUMA node.
      PCI buses are not attached by default to a NUMA node.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 0639b00d055b313930c23c4d6c9ebfb4af61c00c
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:08 2015 +0300

      hw/pxb: add map_irq func

      The bios does not index the pxb slot number when
      it computes the IRQ because it resides on bus 0
      and not on the current bus.
      However Qemu routes the irq through bus 0 and adds
      the pxb slot to the IRQ computation of the PXB device.

      Synchronize between bios and Qemu by canceling
      pxb's effect.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 2118196bb3795a43bf708c37bdcf4b3c33778ccb
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:07 2015 +0300

      hw/pci: inform bios if the system has extra pci root buses

      The bios looks for 'etc/extra-pci-roots' to decide if
      is going to scan further buses after bus 0 tree.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 40d14bef8012087ade60f254487d31db822a1a44
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:06 2015 +0300

      hw/pci: introduce PCI Expander Bridge (PXB)

      PXB is a "light-weight" host bridge whose purpose is to enable
      the main host bridge to support multiple PCI root buses
      for pc machines.

      As oposed to PCI-2-PCI bridge's secondary bus, PXB's bus
      is a primary bus and can be associated with a NUMA node
      (different from the main host bridge) allowing the guest OS
      to recognize the proximity of a pass-through device to
      other resources as RAM and CPUs.

      The PXB is composed from:
       - A primary PCI bus (can be associated with a NUMA node)
         Acts like a normal pci bus and from the functionality point
         of view is an "expansion" of the bus behind the
         main host bridge.
       - A pci-2-pci bridge behind the primary PCI bus where the actual
         devices will be attached.
       - A host-bridge PCI device
         Situated on the bus behind the main host bridge, allows
         the BIOS to configure the bus number and IO/mem resources.
         It does not have its own config/data register for configuration
         cycles, this being handled by the main host bridge.
      -  A host-bridge sysbus to comply with QEMU current design.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit cb2ed8b3c66284f226c523231e2c09e60bbb34bb
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:05 2015 +0300

      hw/pci: removed 'rootbus nr is 0' assumption from qmp_pci_query

      Use the newer pci_bus_num to correctly get the root bus number.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit dcdca29655f774568f30a82b7fe0190b4bd38802
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:04 2015 +0300

      hw/acpi: remove from root bus 0 the crs resources used by other buses.

      If multiple root buses are used, root bus 0 cannot use all the
      pci holes ranges. Remove the IO/mem ranges used by the other
      primary buses.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit a43c6e276231e8040203940cb07be00387686e87
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:03 2015 +0300

      hw/acpi: add _CRS method for extra root busses

      Save the IO/mem/bus numbers ranges assigned to the extra root busses
      to be removed from the root bus 0 range.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 0d8935e3370e07f57651e43d2de9011d75c2a066
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:02 2015 +0300

      hw/apci: add _PRT method for extra PCI root busses

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit a4894206e3672f8a5e5443d72b705495e022b638
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:01 2015 +0300

      hw/acpi: add support for i440fx 'snooping' root busses

      If the machine has extra root busses that are snooping to
      the i440fx host bridge, we need to add them to
      acpi in order to be properly detected by guests.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 09e5b81922179b6c52b42fd27587e64b474036c7
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:00 2015 +0300

      hw/pci: extend PCI config access to support devices behind PXB

      PXB buses are assumed to be children of bus 0. Look for them
      while scanning the buses.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit ca6c18556c5e9c4aac12489b960c3e4601e183bf
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:22:59 2015 +0300

      hw/i386: query only for q35/pc when looking for pci host bridge

      Because of the PXB hosts we cannot simply query TYPE_PCI_HOST_BRIDGE 
anymore.
      On i386 arch we only have two pci hosts, so we can look only for them.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 602141d9974d726063907851528c89d617730156
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:22:58 2015 +0300

      hw/pci: made pci_bus_num a PCIBusClass method

      Refactoring it as a method of PCIBusClass will allow
      different implementations for subclasses.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit ce6a28ee057da3e4a587dada369e33a8486b0066
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:22:57 2015 +0300

      hw/pci: made pci_bus_is_root a PCIBusClass method

      Refactoring it as a method of PCIBusClass will allow
      different implementations for subclasses.

      Removed the assumption that the root bus does not
      have a parent device because is specific only
      to the default class implementation.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 32d9ca15bac63e8a7bad6dc1a4ab624e6d6d3b0f
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:22:56 2015 +0300

      acpi: add implementation of aml_while() term

      Commit 68e6b0af7 (acpi: add aml_while() term) added
      the definition of aml_while without the actual implementation.
      Implement the term.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit ca9b46bcecc0f06882eec1b152b71f93a066da79
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Wed May 13 17:21:36 2015 +0800

      acpi: add acpi_send_gpe_event() to rise sci for hotplug

      Add a new API named acpi_send_gpe_event() to send hotplug SCI.
      This API can be used by pci, cpu and memory hotplug.

      This patch is rebased on master.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit d5aaa1b0456033fc9ff723ac881ebe1b61360cca
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 3 14:47:19 2015 +0200

      virtio: 64bit features fixups.

      Commit "019a3ed virtio: make features 64bit wide" missed a few changes,
      as I've noticed while trying to rebase the virtio-1 branch to latest
      master.  This patch adds them.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 977ad992f14b29a7d4f18eaba42a705004545a64
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Jun 2 15:47:20 2015 +0200

      TPM: fix build with tpm disabled

      Failure was included on commit

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6652d0811c9463fbfb2d2d1cb2ec03f388145c5f
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Wed May 27 16:26:07 2015 +0800

      virtio-pci: don't try to mask or unmask vqs without notifiers

      We should validate the vq index against nvqs_with_notifiers. Otherwise we 
may
      try to mask or unmask vector for vqs without notifiers (e.g control vq). 
This
      will lead qemu abort on kvm_irqchip_commit_routes() when trying to boot 
win8.1
      guest.

      Fixes 851c2a75a6e80c8aa5e713864d98cfb512e7229b ("virtio-pci: speedup MSI-X
      masking and unmasking")

      Reported-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 557772f26b361ade84acecb366fe6fdd2d55a6d9
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon Jun 1 17:09:12 2015 +0300

      hw/q35: fix floppy controller definition in ich9

      In DSDT FDC0 declares the IO region as IO(Decode16, 0x03F2, 0x03F2, 0x00, 
0x04).
      Use the same in lpc_ich9 initialization code.
      Now the floppy drive is detected correctly on Windows.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cb3d37a93cc59da400d27361fcda024d49210abd
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jun 1 21:03:59 2015 +0200

      acpi: add missing ssdt

      commit 5cb18b3d7bff2a83275ee98af2a14eb9e21c93ab
          TPM2 ACPI table support

      was missing a file, so build with iasl fails
      (build without iasl works since it uses the generated
       hex files).

      Reported-by: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b853d4cbf2062813e84f9bb880feff8daf467e05
  Author: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 2 18:51:00 2015 +0200

      s390x/kvm: always ignore empty vcpu interrupt state

      kvm_s390_vcpu_interrupt_pre_save() and
      kvm_s390_vcpu_interrupt_post_load() are essentially no-ops on hosts
      without KVM_CAP_S390_IRQ_STATE. Move the capability check after the
      check for saved IRQ state in kvm_s390_vcpu_interrupt_post_load() so that
      migration between hosts without KVM_CAP_S390_IRQ_STATE (including save /
      restore on the same host) continues to work.

      Fixes: 3cda44f7bae5 ("s390x/kvm: migrate vcpu interrupt state")
      Signed-off-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 2a72ea5f66b3b87a975475bdc1cabacbbb402937
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 3 11:04:03 2015 -0400

      virtio-ccw/migration: Migrate config vector for virtio devices

      virtio_ccw_{save|load}_config are missing code to save and restore a 
vdev's
      config_vector value. This causes some virtio devices to become disabled
      following a migration.

      This patch fixes a bug whereby the qmp/hmp balloon command (virsh setmem)
      silently fails to update the guest's available memory because the device 
was not
      properly migrated.

      This will break compatibility, but vmstate_s390_cpu was bumped from
      version 2 to version 4 between v2.3.0 and v2.4.0 without a compat
      handler. Furthermore, there is no production environment yet so
      migration is fenced anyway between any relevant version of 2.3 and 2.4.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1433343843-803-1-git-send-email-jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit de6a92185e3ac25ba7d37f03e579b1fc72e70162
  Author: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
  Date:   Wed May 27 13:11:59 2015 +0200

      virtio-ccw: add support for 9pfs

      This patch adds 9pfs support for virtio-ccw
      by registering the virtio_ccw_9p_info type
      and adding associated callbacks.

      Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit de3852877f1e452321352fdb7e678f079876a41b
  Author: Alex Bennée <alex.bennee@xxxxxxxxxx>
  Date:   Wed Jun 3 09:56:37 2015 +0100

      configure: postfix --extra-cflags to QEMU_CFLAGS

      It makes sense that extra-cflags should be appended after the normal
      CFLAGS so they don't get overridden by default behaviour. This way if
      you specify something like:

        ./configure --extra-cflags="-O0"

      You will see the requested behaviour.

      Signed-off-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2801339f2fb2534ccf01561d274398328bdd446d
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Fri May 29 11:52:35 2015 +0530

      cadence_gem: Fix Rx buffer size field mask

      This patch corrects the Rx buffer size field mask to mask bits 23 to 16
      to match Xilinx UG585 documentation.

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Thu May 28 14:12:26 2015 +0300

      slirp: use less predictable directory name in /tmp for smb config 
(CVE-2015-4037)

      In this version I used mkdtemp(3) which is:

              _BSD_SOURCE
              || /* Since glibc 2.10: */
                  (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)

      (POSIX.1-2008), so should be available on systems we care about.

      While at it, reset the resulting directory name within smb structure
      on error so cleanup function wont try to remove directory which we
      failed to create.

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b6b099541d6cf3c50b0fb5af916fff0db6508805
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jun 1 09:53:55 2015 +0200

      translate-all: delete prototype for non-existent function

      Missed in commit 3a808cc40

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1597051b84b816c9608e1ee0947f8e6dc9876b56
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri May 29 19:52:52 2015 +0100

      Add -incoming help text

      The help/man text for

      -incoming defer

      didn't make it through the merge of the code that implemented it.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 26c8acb3f326166bf9dc60c3e8184f4b862e8451
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:11 2015 +0800

      hw/display/tc6393xb.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 294972ce546107f2215b3b162994b47f08aab7a4
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:10 2015 +0800

      hw/arm/nseries.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5429273615e7b412402a7b22738737c09ab9f488
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:09 2015 +0800

      hw/alpha/typhoon.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2c85fad022a5c23b835d7c78b653763ae1e3f6eb
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:08 2015 +0800

      hw/unicore32/puv3.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a9c8a0d8d4217754648decc5921e4b0fcd00ce7f
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:07 2015 +0800

      hw/lm32/milkymist.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d4ef00af2598fef06affbd42608e570237a7b276
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:06 2015 +0800

      hw/lm32/lm32_boards.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit aaaee0b273082ee2836dcc2f61a878ee291a8d9b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:05 2015 +0800

      hw/ppc/prep.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ca43b97b5f6fa57e79adc7f167b12d3e0545c7e1
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:04 2015 +0800

      hw/sparc/sun4m.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b64127244d669c33a4ffdcc47e076559497785af
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:02 2015 +0800

      hw/timer/arm_timer.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5105505e65ba6bc3e1dc549bcd0d1d33f3546e60
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:01 2015 +0800

      hw/isa/i82378.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit aff0d5e57a71260885d54c07cef5f4a486c8336b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:00 2015 +0800

      hw/isa/lpc_ich9.c: Fix misusing qemu_allocate_irqs for single irq

      Since ich9_lpc_pm_init only requests one irq, so let it just call
      qemu_allocate_irq.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 0b0cc076b78976b30360dd7c6ed994f864424779
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:26:59 2015 +0800

      hw/i386/pc: Fix misusing qemu_allocate_irqs for single irq

      Since pc_allocate_cpu_irq only requests one irq, so let it just call
      qemu_allocate_irq.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9ff7f5bddbe5814bafe5e798d2cf1087b58dc7b6
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:03 2015 +0800

      hw/intc/exynos4210_gic.c: Fix memory leak by adjusting order

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9f9b026dc60398224fb035eb27ae0ed083d2d66f
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:38:34 2015 +0800

      hw/arm/omap_sx1.c: Fix memory leak spotted by valgrind

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f19377bf234a3359b0a03844822e97de80ad4f30
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 28 20:39:43 2015 +0800

      hw/ppc/e500.c: Fix memory leak

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c18f855697ab6b64a895f37cf47fd7061ce9e798
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 28 20:39:42 2015 +0800

      hw/alpha/dp264.c: Fix memory leak spotted by valgrind

      valgrind complains about:
      ==7055== 58 bytes in 1 blocks are definitely lost in loss record 1,471 of 
2,192
      ==7055==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==7055==    by 0x24410F: malloc_and_trace (vl.c:2556)
      ==7055==    by 0x64C770E: g_malloc (in /usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x64DEFD7: g_strndup (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x650181A: g_vasprintf (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x64DF0CC: g_strdup_vprintf (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x64DF188: g_strdup_printf (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x242F81: qemu_find_file (vl.c:2121)
      ==7055==    by 0x217A32: clipper_init (dp264.c:105)
      ==7055==    by 0x2484DA: main (vl.c:4249)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit bd4baf6eebff75c7e0c67a729d1bdb5b0b36fe72
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 25 14:47:25 2015 +0800

      vl: fix memory leak spotted by valgrind

      valgrind complains about:
      ==9276== 13 bytes in 1 blocks are definitely lost in loss record 1,046 of 
3,673
      ==9276==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==9276==    by 0x2EAFBB: malloc_and_trace (vl.c:2556)
      ==9276==    by 0x64C770E: g_malloc (in /usr/lib64/libglib-2.0.so.0.3600.3)
      ==9276==    by 0x4A28BD: addr_to_string (vnc.c:123)
      ==9276==    by 0x4A29AD: vnc_socket_local_addr (vnc.c:139)
      ==9276==    by 0x4A9AFE: vnc_display_local_addr (vnc.c:3240)
      ==9276==    by 0x2EF4FE: main (vl.c:4321)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7df057bac3734ee3c2c052fd0807479602ab5583
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 24 13:20:14 2015 -0700

      device-tree: Make a common-obj

      There is no reason for device tree API to be built per-target.
      common-obj it. There is an extraneous inclusion of config.h that
      needs to be removed.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d370dfa9f3703cf0af07d96d50ed567413e8ec65
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 26 09:46:07 2015 +0800

      hw/i386/acpi-build: decref after use

      valgrind complains about:
      ==16447== 48 bytes in 2 blocks are definitely lost in loss record 2,033 
of 3,310
      ==16447==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==16447==    by 0x2E4FD7: malloc_and_trace (vl.c:2546)
      ==16447==    by 0x64C770E: g_malloc (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==16447==    by 0x53EC3F: qint_from_int (qint.c:33)
      ==16447==    by 0x53B426: qmp_output_type_int (qmp-output-visitor.c:162)
      ==16447==    by 0x539257: visit_type_uint32 (qapi-visit-core.c:147)
      ==16447==    by 0x471D07: property_get_uint32_ptr (object.c:1651)
      ==16447==    by 0x47000C: object_property_get (object.c:822)
      ==16447==    by 0x472428: object_property_get_qobject (qom-qobject.c:37)
      ==16447==    by 0x25701A: build_append_pci_bus_devices (acpi-build.c:520)
      ==16447==    by 0x25902E: build_ssdt (acpi-build.c:1004)
      ==16447==    by 0x25A0A8: acpi_build (acpi-build.c:1420)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6e38a4ba7889083b65729db2144cdbcefbaa303a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 26 09:46:06 2015 +0800

      hw/ide/pci: Fix memory leak

      valgrind complains about:
      ==16447== 16 bytes in 2 blocks are definitely lost in loss record 1,304 
of 3,310
      ==16447==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==16447==    by 0x2E4FD7: malloc_and_trace (vl.c:2546)
      ==16447==    by 0x64C770E: g_malloc (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==16447==    by 0x36FB47: qemu_extend_irqs (irq.c:55)
      ==16447==    by 0x36FBD3: qemu_allocate_irqs (irq.c:64)
      ==16447==    by 0x3B4B44: bmdma_init (pci.c:464)
      ==16447==    by 0x3B547B: pci_piix_init_ports (piix.c:144)
      ==16447==    by 0x3B55D2: pci_piix_ide_realize (piix.c:164)
      ==16447==    by 0x3EAEC6: pci_qdev_realize (pci.c:1790)
      ==16447==    by 0x36C685: device_set_realized (qdev.c:1058)
      ==16447==    by 0x47179E: property_set_bool (object.c:1514)
      ==16447==    by 0x470098: object_property_set (object.c:837)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2ba154cf4eb8636cdd3aa90f392ca9e77206ca39
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 26 09:46:05 2015 +0800

      hw/i386/pc_piix: Fix memory leak

      valgrind complains about:
      ==16447== 8 bytes in 1 blocks are definitely lost in loss record 552 of 
3,310
      ==16447==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==16447==    by 0x2E4FD7: malloc_and_trace (vl.c:2546)
      ==16447==    by 0x64C770E: g_malloc (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==16447==    by 0x36FB47: qemu_extend_irqs (irq.c:55)
      ==16447==    by 0x36FBD3: qemu_allocate_irqs (irq.c:64)
      ==16447==    by 0x24E622: pc_init1 (pc_piix.c:287)
      ==16447==    by 0x24E76A: pc_init_pci (pc_piix.c:310)
      ==16447==    by 0x2E9360: main (vl.c:4226)

      ==16447== 128 bytes in 1 blocks are definitely lost in loss record 2,569 
of 3,310
      ==16447==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==16447==    by 0x2E4FD7: malloc_and_trace (vl.c:2546)
      ==16447==    by 0x64C770E: g_malloc (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==16447==    by 0x36FB47: qemu_extend_irqs (irq.c:55)
      ==16447==    by 0x36FBD3: qemu_allocate_irqs (irq.c:64)
      ==16447==    by 0x25BEB2: kvm_i8259_init (i8259.c:133)
      ==16447==    by 0x24E1F1: pc_init1 (pc_piix.c:219)
      ==16447==    by 0x24E76A: pc_init_pci (pc_piix.c:310)
      ==16447==    by 0x2E9360: main (vl.c:4226)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5708b2b736ebec6e3af04b9b249faadf896791cd
  Author: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
  Date:   Tue May 26 05:25:41 2015 -0400

      docs/writing-qmp-commands: fix a typo

      s/interation/iteration

      Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b8981dc9aae25fa79e5f35609e63f50f078a572d
  Author: Peter Krempa <pkrempa@xxxxxxxxxx>
  Date:   Fri May 15 11:31:43 2015 +0200

      util: socket: Add missing localaddr and localport option for DGRAM socket

      The 'socket_optslist' structure does not contain the 'localaddr' and
      'localport' options that are parsed in case you are creating a
      'connect' type UDP character device.

      I've noticed it happening after commit f43e47dbf6de24db20ec9b588bb6cc762
      made qemu abort() after seeing the invalid option.

      A minimal reproducer for the case is:
      $ qemu-system-x86_64 -chardev 
udp,id=charrng0,host=127.0.0.1,port=1234,localaddr=,localport=1234
      qemu-system-x86_64: -chardev 
udp,id=charrng0,host=127.0.0.1,port=1234,localaddr=,localport=1234: Invalid 
parameter 'localaddr'
      Aborted (core dumped)

      Prior to the commit mentioned above the error would be printed but the
      value for localaddr and localport was simply ignored. I did not go
      through the code to find out when it was broken.

      Add the two fields so that the options can again be parsed correctly and
      qemu doesn't abort().

      Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1220252

      Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a2f533da00f7278788afcf10f325f636805077dc
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu May 14 22:33:39 2015 -0700

      microblaze: cpu: Delete MMAP_SHIFT definition

      Just fallback on the default of 12 like other architectures. This
      allows changing the system-mode-affecting definition of
      TARGET_PAGE_BITS without affecting microblaze linux-user.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 44f192f364b71683379e104157b15b0685d24394
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 13:15:28 2015 +0000

      iscsi: Remove pointless runtime check of macro value

      raw_bsd already has QEMU_BUILD_BUG_ON(BDRV_SECTOR_SIZE != 512), so iscsi
      should relax.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1b93c9a1040b3c12320cf55c6284882a2e6e8ff3
  Author: Ikey Doherty <michael.i.doherty@xxxxxxxxx>
  Date:   Tue May 26 13:54:06 2015 +0100

      arch_init: Drop target-x86_64.conf

      The target-x86_64.conf sysconfig file has been empty and essentially 
ignored
      now for several years. This change removes the unused file to enable 
moving
      towards a stateless configuration.

      Signed-off-by: Ikey Doherty <michael.i.doherty@xxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 38e5c119c2925812bd441450ab9e5e00fc79e662
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Mar 23 17:29:32 2015 -0300

      target-i386: Register QOM properties for feature flags

      This uses the feature name arrays to register QOM properties for feature
      flags. This simply adds properties that can be configured using -global,
      but doesn't change x86_cpu_parse_featurestr() to use them yet.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit be9f8a08727e46c790adb8caa8a4525a1e8e9e73
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Wed May 20 10:40:47 2015 +0800

      apic: convert ->busdev.qdev casts to C casts

      Use C casts to avoid accessing ICCDevice's qdev field
      directly.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Acked-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 458cf469f4a1cb520b07092f5537c5a6d2389d23
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 29 16:31:12 2015 -0300

      target-i386: Fix signedness of MSR_IA32_APICBASE_BASE

      Existing definition triggers the following when using clang
      -fsanitize=undefined:

          hw/intc/apic_common.c:314:55: runtime error: left shift of 1048575 by 
12
              places cannot be represented in type 'int'

      Fix it so we won't try to shift a 1 to the sign bit of a signed integer.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 0e3bd56294230ad0ee20fce587879c29a83a0d8b
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Tue Mar 17 17:46:36 2015 +0100

      pc: Ensure non-zero CPU ref count after attaching to ICC bus

      Setting the parent bus of a device increases its ref count, which we
      ultimately want to level out. However it is only safe to do so after the
      last reference to the device in local code, as qom-set or similar 
operations
      might decrease the ref count.

      Therefore move the object_unref() from pc_new_cpu() into its callers.

      The APIC operations on the last CPU in pc_cpus_init() are still 
potentially
      insecure, but that is beyond the scope of this code movement.

      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 4964e18e490f3ecad35c9e4cc9b613316a98755e
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:38 2015 +0200

      fdc-test: Test state for existing cases more thoroughly

      This just adds a few additional checks of the MSR and interrupt pin to
      the already existing test cases.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-9-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 6cc8a11c84ddc18c64fc88d54c8e9dca24ada489
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:37 2015 +0200

      fdc: Fix MSR.RQM flag

      The RQM bit in MSR should be set whenever the guest is supposed to
      access the FIFO, and it should be cleared in all other cases. This is
      important so the guest can't continue writing/reading the FIFO beyond
      the length that it's suppossed to access (see CVE-2015-3456).

      Commit e9077462 fixed the CVE by adding code that avoids the buffer
      overflow; however it doesn't correct the wrong behaviour of the floppy
      controller which should already have cleared RQM.

      Currently, RQM stays set all the time and during all phases while a
      command is being processed. This is error-prone because the command has
      to explicitly clear the flag if it doesn't need data (and indeed, the
      two buggy commands that are the culprits for the CVE just forgot to do
      that).

      This patch clears RQM immediately as soon as all bytes that are expected
      have been received. If the the FIFO is used in the next phase, the flag
      has to be set explicitly there.

      It also clear RQM after receiving all bytes even if the phase transition
      immediately sets it again. While it's technically not necessary at the
      moment because the state between clearing and setting RQM is not
      observable by the guest, this is more explicit and matches how real
      hardware works. It will actually become necessary in qemu once
      asynchronous code paths are introduced.

      This alone should have been enough to fix the CVE, but now we have two
      lines of defense - even better.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-8-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit f6c2d1d8425fd0ca450d515b06821e2224d4b43c
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:36 2015 +0200

      fdc: Disentangle phases in fdctrl_read_data()

      This commit makes similar improvements as have already been made to the
      write function: Instead of relying on a flag in the MSR to distinguish
      controller phases, use the explicit phase that we store now. Assertions
      of the right MSR flags are added.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-7-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit d275b33d76c8ed9d5a3dca22ea0fdec8d5a5c8e6
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:35 2015 +0200

      fdc: Code cleanup in fdctrl_write_data()

      Factor out a few common lines of code, reformat, improve comments.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-6-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 5b0a25e8d2f15f89255c745c71d297b5b24d138c
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:34 2015 +0200

      fdc: Use phase in fdctrl_write_data()

      Instead of relying on a flag in the MSR to distinguish controller phases,
      use the explicit phase that we store now. Assertions of the right MSR
      flags are added.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-5-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 85d291a08c91c07927bbbd29f72a27d3ad7478f3
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:33 2015 +0200

      fdc: Introduce fdctrl->phase

      The floppy controller spec describes three different controller phases,
      which are currently not explicitly modelled in our emulation. Instead,
      each phase is represented by a combination of flags in registers.

      This patch makes explicit in which phase the controller currently is.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Acked-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-4-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 83a260135f13db8b5d7df72090864a5ebcef2845
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:32 2015 +0200

      fdc: Rename fdctrl_set_fifo() to fdctrl_to_result_phase()

      What callers really do with this function is to switch from execution
      phase (including data transfers) to result phase where the guest can
      read out one or more status bytes from the FIFO (the number depends on
      the command).

      Rename the function accordingly.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-3-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 07e415f2398d9cfb21cdd5ef902445032ba54556
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:31 2015 +0200

      fdc: Rename fdctrl_reset_fifo() to fdctrl_to_command_phase()

      What all callers of fdctrl_reset_fifo() really want to do is to start
      the command phase, where writes to the data port initiate a new command.

      The function doesn't only clear the FIFO, but also sets up the state so
      that a new command can be received. Rename it to reflect this.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-2-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit a67bfbb9e41e089caec61384c625e8a61a5f270f
  Merge: 42d58e7 489653b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 2 18:23:28 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-06-02' into staging

      Monitor patches

      # gpg: Signature made Tue Jun  2 09:16:07 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-06-02: (21 commits)
        monitor: Change return type of monitor_cur_is_qmp() to bool
        monitor: Rename monitor_ctrl_mode() to monitor_is_qmp()
        monitor: Turn int command_mode into bool in_command_mode
        monitor: Drop do_qmp_capabilities()'s superfluous QMP check
        monitor: Unbox Monitor member mc and rename to qmp
        monitor: Rename monitor_control_read(), monitor_control_event()
        monitor: Rename handle_user_command() to handle_hmp_command()
        monitor: Limit QError use to command handlers
        monitor: Inline monitor_has_error() into its only caller
        monitor: Wean monitor_protocol_emitter() off mon->error
        monitor: Propagate errors through invalid_qmp_mode()
        monitor: Propagate errors through qmp_check_input_obj()
        monitor: Propagate errors through qmp_check_client_args()
        monitor: Drop unused "new" HMP command interface
        monitor: Use trad. command interface for HMP pcie_aer_inject_error
        monitor: Use traditional command interface for HMP device_add
        monitor: Use traditional command interface for HMP drive_del
        monitor: Convert client_migrate_info to QAPI
        monitor: Improve and document client_migrate_info protocol error
        monitor: Clean up after previous commit
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 42d58e7c6760cb9c55627c28ae538e27dcf2f144
  Merge: 3fc827d c25bbf1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 2 16:47:31 2015 +0100

      Merge remote-tracking branch 'remotes/sstabellini/tags/xen-15-06-02-tag' 
into staging

      XSA 128 129 130 131

      # gpg: Signature made Tue Jun  2 16:46:38 2015 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-15-06-02-tag:
        xen/pt: unknown PCI config space fields should be read-only
        xen/pt: add a few PCI config space field descriptions
        xen/pt: mark reserved bits in PCI config space fields
        xen/pt: mark all PCIe capability bits read-only
        xen/pt: split out calculation of throughable mask in PCI config space 
handling
        xen/pt: correctly handle PM status bit
        xen/pt: consolidate PM capability emu_mask
        xen/MSI: don't open-code pass-through of enable bit modifications
        xen/MSI-X: limit error messages
        xen: don't allow guest to control MSI mask register
        xen: properly gate host writes of modified PCI CFG contents

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 94edf02c4c94781fa777c459fe86b52131b83cb6
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 12:29:14 2015 +0100

      hw/arm/virt: change indentation in a15memmap

      Re-indent in a15memmap after VIRT_PLATFORM_BUS introduction

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1433244554-12898-5-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5f7a5a0edc4a2f65293658eb540290ddf9a1988a
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 12:29:13 2015 +0100

      hw/arm/virt: add dynamic sysbus device support

      Allows sysbus devices to be instantiated from command line by
      using -device option. Machvirt creates a platform bus at init.
      The dynamic sysbus devices are attached to this platform bus device.

      The platform bus device registers a machine init done notifier
      whose role will be to bind the dynamic sysbus devices. Indeed
      dynamic sysbus devices are created after machine init.

      machvirt also registers a notifier that will build the device
      tree nodes for the platform bus and its children dynamic sysbus
      devices.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1433244554-12898-4-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ac9d32e39664e060cd1b538ff190980d57ad69e4
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 12:29:12 2015 +0100

      hw/arm/boot: arm_load_kernel implemented as a machine init done notifier

      Device tree nodes for the platform bus and its children dynamic sysbus
      devices are added in a machine init done notifier. To load the dtb once,
      after those latter nodes are built and before ROM freeze, the actual
      arm_load_kernel existing code is moved into a notifier notify function,
      arm_load_kernel_notify. arm_load_kernel now only registers the
      corresponding notifier.

      Machine files that do not support platform bus stay unchanged. Machine
      files willing to support dynamic sysbus devices must call arm_load_kernel
      before sysbus-fdt arm_register_platform_bus_fdt_creator to make sure
      dynamic sysbus device nodes are integrated in the dtb.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1433244554-12898-3-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c25bbf1545a53ac051f9e51d4140e397660c10ae
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: unknown PCI config space fields should be read-only

      ... by default. Add a per-device "permissive" mode similar to pciback's
      to allow restoring previous behavior (and hence break security again,
      i.e. should be used only for trusted guests).

      This is part of XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reviewed-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>)

  commit a88a3f887181605f4487a22bdfb7d87ffafde5d9
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: add a few PCI config space field descriptions

      Since the next patch will turn all not explicitly described fields
      read-only by default, those fields that have guest writable bits need
      to be given explicit descriptors.

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

  commit 0ad3393ad032f76e88b4dbd04d36ad84dff75dd6
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: mark reserved bits in PCI config space fields

      The adjustments are solely to make the subsequent patches work right
      (and hence make the patch set consistent), namely if permissive mode
      (introduced by the last patch) gets used (as both reserved registers
      and reserved fields must be similarly protected from guest access in
      default mode, but the guest should be allowed access to them in
      permissive mode).

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

  commit 45ebe3916ab16f859ed930e92fbd52d84d5dcdaf
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: mark all PCIe capability bits read-only

      xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-
      only to avoid unintended write-back (just a precaution, the field ought
      to be read-only in hardware).

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 0e7ef22136955169a0fd03c4e41af95662352733
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: split out calculation of throughable mask in PCI config space 
handling

      This is just to avoid having to adjust that calculation later in
      multiple places.

      Note that including ->ro_mask in get_throughable_mask()'s calculation
      is only an apparent (i.e. benign) behavioral change: For r/o fields it
      doesn't matter > whether they get passed through - either the same flag
      is also set in emu_mask (then there's no change at all) or the field is
      r/o in hardware (and hence a write won't change it anyway).

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reviewed-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>

  commit c4ff1e68c621928abc680266cad0a451686c403b
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: correctly handle PM status bit

      xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C
      nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS).

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit d61bb2482dc0c7426f451f23ba7e2748ae2cc06d
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: consolidate PM capability emu_mask

      There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing
      PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local
      emu_mask variable - we can have the same effect by setting the field
      descriptor's emu_mask member suitably right away. Note that
      xen_pt_pmcsr_reg_write() is being retained in order to allow later
      patches to be less intrusive.

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>

  commit d1d35cf4ffb6a60a356193397919e83306d0bb74
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/MSI: don't open-code pass-through of enable bit modifications

      Without this the actual XSA-131 fix would cause the enable bit to not
      get set anymore (due to the write back getting suppressed there based
      on the OR of emu_mask, ro_mask, and res_mask).

      Note that the fiddling with the enable bit shouldn't really be done by
      qemu, but making this work right (via libxc and the hypervisor) will
      require more extensive changes, which can be postponed until after the
      security issue got addressed.

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit b38ec5ee7a581776bbce0bdaecb397632c3c4791
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:00 2015 +0000

      xen/MSI-X: limit error messages

      Limit error messages resulting from bad guest behavior to avoid allowing
      the guest to cause the control domain's disk to fill.

      The first message in pci_msix_write() can simply be deleted, as this
      is indeed bad guest behavior, but such out of bounds writes don't
      really need to be logged.

      The second one is more problematic, as there guest behavior may only
      appear to be wrong: For one, the old logic didn't take the mask-all bit
      into account. And then this shouldn't depend on host device state (i.e.
      the host may have masked the entry without the guest having done so).
      Plus these writes shouldn't be dropped even when an entry is unmasked.
      Instead, if they can't be made take effect right away, they should take
      effect on the next unmasking or enabling operation - the specification
      explicitly describes such caching behavior. Until we can validly drop
      the message (implementing such caching/latching behavior), issue the
      message just once per MSI-X table entry.

      Note that the log message in pci_msix_read() similar to the one being
      removed here is not an issue: "addr" being of unsigned type, and the
      maximum size of the MSI-X table being 32k, entry_nr simply can't be
      negative and hence the conditonal guarding issuing of the message will
      never be true.

      This is XSA-130.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 7611dae8a69f0f1775ba1a9a942961c2aa10d88e
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:00 2015 +0000

      xen: don't allow guest to control MSI mask register

      It's being used by the hypervisor. For now simply mimic a device not
      capable of masking, and fully emulate any accesses a guest may issue
      nevertheless as simple reads/writes without side effects.

      This is XSA-129.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 5c83b2f5b4b956e91dd6e5711f14df7ab800aefb
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:00 2015 +0000

      xen: properly gate host writes of modified PCI CFG contents

      The old logic didn't work as intended when an access spanned multiple
      fields (for example a 32-bit access to the location of the MSI Message
      Data field with the high 16 bits not being covered by any known field).
      Remove it and derive which fields not to write to from the accessed
      fields' emulation masks: When they're all ones, there's no point in
      doing any host write.

      This fixes a secondary issue at once: We obviously shouldn't make any
      host write attempt when already the host read failed.

      This is XSA-128.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 11d306b9df172faeeb3409deba4083dbe479b23c
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 12:29:11 2015 +0100

      hw/arm/sysbus-fdt: helpers for platform bus nodes addition

      This new C module will be used by ARM machine files to generate
      platform bus node and their dynamic sysbus device tree nodes.

      Dynamic sysbus device node addition is done in a machine init
      done notifier. arm_register_platform_bus_fdt_creator does the
      registration of this latter and is supposed to be called by
      ARM machine files that support platform bus and their dynamic
      sysbus. Addition of dynamic sysbus nodes is done only if the
      user did not provide any dtb.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1433244554-12898-2-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4771cd01daaccb2a8929fa04c88c608e378cf814
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 1 19:18:36 2015 +0100

      target-arm: Remove v8_ prefix from names of non-v8-specific cpreg arrays

      The ARMCPRegInfo arrays v8_el3_no_el2_cp_reginfo and v8_el2_cp_reginfo
      are actually used on non-v8 CPUs as well. Remove the incorrect v8_
      prefix from their names.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1433182716-6400-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 9718e4ae362d2f221ec028cdacefafc593ef1357
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      arm_gicv2m: set kvm_gsi_direct_mapping and kvm_msi_via_irqfd_allowed

      After introduction of kvm_arch_msi_data_to_gsi, kvm_gsi_direct_mapping
      now can be set on ARM. Also kvm_msi_via_irqfd_allowed can be set,
      depending on kernel irqfd support, hence enabling VIRTIO-PCI with
      vhost back-end.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1850b6b7d027bb4b45010a7d1da919267fff2cd4
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      kvm: introduce kvm_arch_msi_data_to_gsi

      On ARM the MSI data corresponds to the shared peripheral interrupt (SPI)
      ID. This latter equals to the SPI index + 32. to retrieve the SPI index,
      matching the gsi, an architecture specific function is introduced.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Acked-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0b2ff2ceb8a45cbe51ca13a1a32fc5bdeec71815
  Author: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      pl061: fix wrong calculation of GPIOMIS register

      The masked interrupt status register should be the state of the interrupt
      after masking.
      There should be a logical AND instead of a logical OR between the
      interrupt status and the interrupt mask.

      Signed-off-by: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1433154824-6927-1-git-send-email-victor.clement@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bd204e63a7ce9d1b5c5903c9033863b179194989
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      target-arm: Add the GICv2m to the virt board

      Add a GICv2m device to the virt board to enable MSIs on the generic PCI
      host controller.  We allocate 64 SPIs in the IRQ space for now (this can
      be increased/decreased later) and map the GICv2m right after the GIC in
      the memory map.

      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1432897270-7780-5-git-send-email-christoffer.dall@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dfd90a87155882d92a3efa6da9afc773fd8c6796
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      target-arm: Extend the gic node properties

      In preparation for adding the GICv2m which requires address specifiers
      and is a subnode of the gic, we extend the gic DT definition to specify
      the #address-cells and #size-cells properties and add an empty ranges
      property properties of the DT node, since this is required to add the
      v2m node as a child of the gic node.

      Note that we must also expand the irq-map to reference the gic with the
      right address-cells as a consequence of this change.

      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1432897270-7780-4-git-send-email-christoffer.dall@xxxxxxxxxx
      Suggested-by: Shanker Donthineni <shankerd@xxxxxxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 770c58f8d10b61e80a211d87df83670711631530
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      arm_gicv2m: Add GICv2m widget to support MSIs

      The ARM GICv2m widget is a little device that handles MSI interrupt
      writes to a trigger register and ties them to a range of interrupt lines
      wires to the GIC.  It has a few status/id registers and the interrupt 
wires,
      and that's about it.

      A board instantiates the device by setting the base SPI number and
      number SPIs for the frame.  The base-spi parameter is indexed in the SPI
      number space only, so base-spi == 0, means IRQ number 32.  When a device
      (the PCI host controller) writes to the trigger register, the payload is
      the GIC IRQ number, so we have to subtract 32 from that and then index
      into our frame of SPIs.

      When instantiating a GICv2m device, tell PCI that we have instantiated
      something that can deal with MSIs.  We rely on the board actually wiring
      up the GICv2m to the PCI host controller.

      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1432897270-7780-3-git-send-email-christoffer.dall@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 747d009dcac37ce7372b58b21c168f0ad66cf7be
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      target-arm: Add GIC phandle to VirtBoardInfo

      Instead of passing the GIC phandle around between functions, add it to
      the VirtBoardInfo just like we do for the clock_phandle.  We are about
      to add the v2m phandle as well, and it's easier not having to pass
      around a bunch of phandles, return multiple values from functions, etc.

      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1432897270-7780-2-git-send-email-christoffer.dall@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 57b6d95eb480d66c5bfa4e416d1fbcad0f84fdd2
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      Revert "target-arm: Avoid g_hash_table_get_keys()"

      Since we now require GLib 2.22+ (commit f40685c), we don't have to
      work around lack of g_hash_table_get_keys() anymore.

      This reverts commit 82a3a11897308b606120f7235001e87809708f85.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1432749090-4698-1-git-send-email-armbru@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8742d49d6f2278d353a1623dfa8a5e237dbfd906
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      target-arm: Add TLBI_VAE2{IS}

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-11-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 51da90140bba4333eeb9c1d8d8d8afc2ca790628
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      target-arm: Add TLBI_ALLE2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-10-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bdb9e2d66afbe0571dce48a9430c35ae4d6bbd32
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      target-arm: Add TLBI_ALLE1{IS}

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-9-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a57633c08fa861807a0713505785bd4d441d7df8
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add TTBR0_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-8-git-send-email-edgar.iglesias@xxxxxxxxx
      [PMM: Switch to preferred opc1/crm order for 64-bit AArch32 cpregs;
       drop unneeded use of vmsa_ttbr_writefn]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff05f37babe7874f28dcead6e9e4f1904d35a13a
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add TPIDR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-7-git-send-email-edgar.iglesias@xxxxxxxxx
      [PMM: reordered fields into preferred opc0/opc1/crn/crm/opc2 order]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b9cb5323bb671a0f2bfecc36168d3a3763e90261
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add SCTLR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-6-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06ec4c8c9f9e21b7671c79296f3a47ab63d50067
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add TCR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-5-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 95f949ac3dc7d4a6ebee512a9d122db18210df64
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add MAIR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a903c449b41f105aadd5f762a7aede531b4950f0
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Break down TLB_LOCKDOWN

      Break down the overly broad wildcard definition of TLB_LOCKDOWN
      down to v7 level.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3fc827d591679f3e262b9d1f8b34528eabfca8c0
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Fri May 29 16:43:13 2015 +1000

      target-arm: Correct check for non-EL3

      This fixes a compile warning from clang 3.5 (the assertion
      could never fire).

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      [PMM: added note in commit message that this is fixing a build warning]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 25611aa12b4155937d076dbe7445daed62ee6043
  Merge: ef99b3e e63d114
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 2 11:25:12 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150602-1' 
into staging

      virtio-input: two small fixups

      # gpg: Signature made Tue Jun  2 09:32:51 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150602-1:
        virtio-input: make virtio devices follow usual naming convention
        virtio-input: const_le16 and const_le32 not build time constant

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ef99b3ee065d5c817fa0a50d95293e569bfb47fb
  Merge: b821cbe 9e47226
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 2 10:20:03 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc build fix

      My last pull breaks build on systems with iasl.
      Fix this up.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jun  1 20:41:08 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        acpi: add missing ssdt

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e63d114b8a81e22ff9295674ba64b21255d589ee
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jun 2 10:31:29 2015 +0200

      virtio-input: make virtio devices follow usual naming convention

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 16c9d46d32b39b147774ddd948dd2f9ad9049d02
  Author: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 1 15:51:56 2015 +0200

      virtio-input: const_le16 and const_le32 not build time constant

      As the implementation of const_le16 and const_le32 is not build time 
constant
      on big endian systems this need to be fixed.

        CC    hw/input/virtio-input-hid.o
      hw/input/virtio-input-hid.c:340:13: error: initializer element is not 
constant
      hw/input/virtio-input-hid.c:340:13: error: (near initialization for 
â??virtio_keyboard_config[1].u.ids.bustypeâ??)
      ...

      Signed-off-by: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 489653b5db17679fd61b740dd289c798bb25d7b9
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 20:01:05 2015 +0100

      monitor: Change return type of monitor_cur_is_qmp() to bool

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9f3982f2dcd96753d57d0ac64bd1ae3b37a90eb3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:56:38 2015 +0100

      monitor: Rename monitor_ctrl_mode() to monitor_is_qmp()

      ... and change return type to bool.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit f994b2587f081693b017ebd03b362d162d3108b3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:51:51 2015 +0100

      monitor: Turn int command_mode into bool in_command_mode

      While there, inline the pointless qmp_cmd_mode() wrapper.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 6a50636f35ba677c747f2f6127b0dba994b039ca
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:49:41 2015 +0100

      monitor: Drop do_qmp_capabilities()'s superfluous QMP check

      Superfluous since commit 30f5041 removed it from HMP.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 74358f2a1647b239d87340ea0024f9d2efa266ca
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:35:59 2015 +0100

      monitor: Unbox Monitor member mc and rename to qmp

      While there, rename its type as well, from MonitorControl to
      MonitorQMP.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit c83fe23b58199a6d4a938305cb0fc45fe7729b61
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:20:51 2015 +0100

      monitor: Rename monitor_control_read(), monitor_control_event()

      ... to monitor_qmp_read(), monitor_qmp_event().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 7ef6cf6341c453021939c909adf2d62d9dc25fd5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:12:36 2015 +0100

      monitor: Rename handle_user_command() to handle_hmp_command()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 710aec915d208246891b68e2ba61b54951edc508
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 11:28:00 2015 +0100

      monitor: Limit QError use to command handlers

      The previous commits narrowed use of QError to handle_qmp_command()
      and its helpers monitor_protocol_emitter(), build_qmp_error_dict().
      Narrow it further to just the command handler call: instead of
      converting Error to QError throughout handle_qmp_command(), convert
      the QError gotten from the command handler to Error, and switch the
      helpers from QError to Error.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 452e0300a3521f13b6c4ba0b99a8cea3a29209f1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:11:13 2015 +0100

      monitor: Inline monitor_has_error() into its only caller

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 70ea0c58991ae44b5a1e67d9c189d79029168cb1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 10:47:08 2015 +0100

      monitor: Wean monitor_protocol_emitter() off mon->error

      Move mon->error handling to its caller handle_qmp_command().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 4086182fcd9b106345b5cc535d78bcc6d13a7683
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 29 10:27:16 2015 +0200

      monitor: Propagate errors through invalid_qmp_mode()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit ba0510aad43148e5284cb52fcc7a0103b5e0af4d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Mar 2 18:41:43 2015 +0100

      monitor: Propagate errors through qmp_check_input_obj()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 326283aa5d4d51d576185af4cbbdc29f648cd766
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Mar 2 18:39:09 2015 +0100

      monitor: Propagate errors through qmp_check_client_args()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 8a4f501c09bcb8b5a220699e378aa8fb7ec178e4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 18:50:05 2015 +0100

      monitor: Drop unused "new" HMP command interface

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 04e00c92ef75629a241ebc50537f75de0867928d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 17:48:49 2015 +0100

      monitor: Use trad. command interface for HMP pcie_aer_inject_error

      All QMP commands use the "new" handler interface (mhandler.cmd_new).
      Most HMP commands still use the traditional interface (mhandler.cmd),
      but a few use the "new" one.  Complicates handle_user_command() for no
      gain, so I'm converting these to the traditional interface.

      pcie_aer_inject_error's implementation is split into the
      hmp_pcie_aer_inject_error() and pcie_aer_inject_error_print().  The
      former is a peculiar crossbreed between HMP and QMP handler.  On
      success, it works like a QMP handler: store QDict through ret_data
      parameter, return 0.  Printing the QDict is left to
      pcie_aer_inject_error_print().  On failure, it works more like an HMP
      handler: print error to monitor, return negative number.

      To convert to the traditional interface, turn
      pcie_aer_inject_error_print() into a command handler wrapping around
      hmp_pcie_aer_inject_error().  By convention, this command handler
      should be called hmp_pcie_aer_inject_error(), so rename the existing
      hmp_pcie_aer_inject_error() to do_pcie_aer_inject_error().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 318660f84a0a26451750aee68ab7dcf88731637d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 17:24:48 2015 +0100

      monitor: Use traditional command interface for HMP device_add

      All QMP commands use the "new" handler interface (mhandler.cmd_new).
      Most HMP commands still use the traditional interface (mhandler.cmd),
      but a few use the "new" one.  Complicates handle_user_command() for no
      gain, so I'm converting these to the traditional interface.

      For device_add, that's easy: just wrap the obvious hmp_device_add()
      around do_device_add().

      monitor_user_noop() is now unused, drop it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 072ebe6b0351060b33287454fdef625fe79c858f
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 17:00:56 2015 +0100

      monitor: Use traditional command interface for HMP drive_del

      All QMP commands use the "new" handler interface (mhandler.cmd_new).
      Most HMP commands still use the traditional interface (mhandler.cmd),
      but a few use the "new" one.  Complicates handle_user_command() for no
      gain, so I'm converting these to the traditional interface.

      For drive_del, that's easy: hmp_drive_del() sheds its unused last
      parameter, and its return value, which the caller ignored anyway.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit b8a185bc9a8ecbdc74fd64672e4abdd09a558e1c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 17:29:02 2015 +0100

      monitor: Convert client_migrate_info to QAPI

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 13cadefbda71e119db79fe0b7a4efd26a6d005bd
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 19:16:58 2015 +0100

      monitor: Improve and document client_migrate_info protocol error

      Protocol must be spice, vnc isn't implemented.  Fix up documentation.

      Attempts to use vnc or any other unknown protocol yield the misleading
      error message "Invalid parameter 'protocol'".  Improve it to
      "Parameter 'protocol' expects spice".

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by. Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 84add864ebd2e6f3c645948ab595d8454165ebc5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 16:45:15 2015 +0100

      monitor: Clean up after previous commit

      Inline qmp_call_cmd() along with its helper handler_audit() into its
      only caller handle_qmp_command(), and simplify the result.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 65207c59d99f2260c5f1d3b9c491146616a522aa
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 14:35:26 2015 +0100

      monitor: Drop broken, unused asynchronous command interface

      The asynchronous monitor command interface goes back to commit 940cc30
      (Jan 2010).  Added a third case to command execution.  The hope back
      then according to the commit message was that all commands get
      converted to the asynchronous interface, killing off the other two
      cases.  Didn't happen.

      The initial asynchronous commands balloon and info balloon were
      converted back to synchronous long ago (commit 96637bc and d72f32),
      with commit messages calling the asynchronous interface "not fully
      working" and "deprecated".  The only other user went away in commit
      3b5704b.

      New code generally uses synchronous commands and asynchronous events.

      What exactly is still "not fully working" with asynchronous commands?
      Well, here's a bug that defeats actual asynchronous use pretty
      reliably: the reply's ID is wrong (and has always been wrong) unless
      you use the command synchronously!  To reproduce, we need an
      asynchronous command, so we have to go back before commit 3b5704b.
      Run QEMU with spice:

          $ qemu-system-x86_64 -nodefaults -S -spice 
port=5900,disable-ticketing -qmp stdio
          {"QMP": {"version": {"qemu": {"micro": 94, "minor": 2, "major": 2}, 
"package": ""}, "capabilities": []}}

      Connect a spice client in another terminal:

          $ remote-viewer spice://localhost:5900

      Set up a migration destination dummy in a third terminal:

          $ socat TCP-LISTEN:12345 STDIO

      Now paste the following into the QMP monitor:

          { "execute": "qmp_capabilities", "id": "i0" }
          { "execute": "client_migrate_info", "id": "i1", "arguments": { 
"protocol": "spice", "hostname": "localhost", "port": 12345 } }
          { "execute": "query-kvm", "id": "i2" }

      Produces two replies immediately, one to qmp_capabilities, and one to
      query-kvm:

          {"return": {}, "id": "i0"}
          {"return": {"enabled": false, "present": true}, "id": "i2"}

      Both are correct.  Two lines of debug output from libspice-server not
      shown.

      Now EOF socat's standard input to make it close the connection.  This
      makes the asynchronous client_migrate_info complete.  It replies:

          {"return": {}}

      Bug: "id": "i1" is missing.  Two lines of debug output from
      libspice-server not shown.  Cherry on top: storage for the missing ID
      is leaked.

      Get rid of this stuff before somebody hurts himself with it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9e472263b07d53cb3401ee49ef1b45ef195ddb84
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jun 1 21:03:59 2015 +0200

      acpi: add missing ssdt

      commit 5cb18b3d7bff2a83275ee98af2a14eb9e21c93ab
          TPM2 ACPI table support

      was missing a file, so build with iasl fails
      (build without iasl works since it uses the generated
       hex files).

      Reported-by: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b821cbe274c5a5cacf1a7b28360d869ae1e6e0c3
  Merge: 9657caf 830d70d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 1 15:22:46 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc, pci, tpm, virtio, vhost enhancements and fixes

      A bunch of cleanups and fixes all over the place,
      enhancements in TPM, virtio and vhost.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jun  1 13:19:48 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (60 commits)
        vhost-user: add multi queue support
        virtio: make features 64bit wide
        qdev: add 64bit properties
        virtio-mmio: ioeventfd support
        hw/acpi/aml-build: Fix memory leak
        acpi: add aml_while() term
        acpi: add aml_increment() term
        acpi: add aml_shiftright() term
        acpi: add aml_shiftleft() term
        acpi: add aml_index() term
        acpi: add aml_lless() term
        acpi: add aml_add() term
        TPM2 ACPI table support
        tpm: Probe for connected TPM 1.2 or TPM 2
        Extend TPM TIS interface to support TPM 2
        Add stream ID to MSI write
        acpi: Simplify printing to dynamic string
        i386: drop FDC in pc-q35-2.4+ if neither it nor floppy drives are wanted
        i386/pc_q35: don't insist on board FDC if there's no default floppy
        i386/pc: '-drive if=floppy' should imply a board-default FDC
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 830d70db692e374b55555f4407f96a1ceefdcc97
  Author: Ouyang Changchun <changchun.ouyang@xxxxxxxxx>
  Date:   Thu May 28 09:23:06 2015 +0800

      vhost-user: add multi queue support

      Based on patch by Nikolay Nikolaev:
      Vhost-user will implement the multi queue support in a similar way
      to what vhost already has - a separate thread for each queue.
      To enable the multi queue functionality - a new command line parameter
      "queues" is introduced for the vhost-user netdev.

      Signed-off-by: Nikolay Nikolaev <n.nikolaev@xxxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 019a3edbb25f1571e876f8af1ce4c55412939e5d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Jun 1 10:45:40 2015 +0200

      virtio: make features 64bit wide

      Make features 64bit wide everywhere.

      On migration a full 64bit guest_features field is sent if one of the
      high bits is set, in addition to the lower 32bit guest_features field
      which must stay for compatibility reasons.  That way we send the lower
      32 feature bits twice, but the code is simpler because we don't have
      to split and compose the 64bit features into two 32bit fields.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fdba6d967e00864edd21275a6ee1d23a383510e8
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Jun 1 10:45:39 2015 +0200

      qdev: add 64bit properties

      Needed for virtio features which go from 32bit to 64bit with virtio 1.0

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 434027badb421863b85ffdb4769966533c001cfa
  Author: Ying-Shiuan Pan <yingshiuan.pan@xxxxxxxxx>
  Date:   Tue May 12 11:10:50 2015 +0300

      virtio-mmio: ioeventfd support

      set_host_notifier and set_guest_notifiers supported by virtio-mmio now.
      Most code copied from virtio-pci.

      This makes it possible to use vhost-net with virtio-mmio,
      improving performance by about 30%.

      The kvm-arm does not yet support irqfd, need to fix the hard-coded part 
after
      kvm-arm gets irqfd support.

      Signed-off-by: Ying-Shiuan Pan <yingshiuan.pan@xxxxxxxxx>
      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit afcf905cff7971324c2706600ead35a1f41f417a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 25 15:14:37 2015 +0800

      hw/acpi/aml-build: Fix memory leak

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 68e6b0af784dda4efd9d4e2e9d3b03a31ca1408c
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:46 2015 +0300

      acpi: add aml_while() term

      Add encoding for ACPI DefWhile Opcode.

      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit af39d5363f373e6c1168a0e84658d6e4ef57fa8c
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:45 2015 +0300

      acpi: add aml_increment() term

      Add encoding for ACPI DefIncrement Opcode.

      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f7bd7b8eb6573ed22bfc51e148455a1c0a1e36d0
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:44 2015 +0300

      acpi: add aml_shiftright() term

      Add encoding for ACPI DefShiftRight Opcode.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>

  commit a57dddddd2f93b87852fac2ed41a31c45e6d192a
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:43 2015 +0300

      acpi: add aml_shiftleft() term

      Add encoding for ACPI DefShiftLeft Opcode.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>

  commit 928b8996576875f9364f77c5a41f12cd55c7b9f7
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:42 2015 +0300

      acpi: add aml_index() term

      Add encoding for ACPI DefIndex Opcode.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>

  commit 96396e2858fd8a0b4ee218c9894b5a67d22d97d9
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:41 2015 +0300

      acpi: add aml_lless() term

      Add encoding for ACPI DefLLess Opcode.

      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c08cf0704247aa55e9b0bb14cf34d845629e0e3e
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:40 2015 +0300

      acpi: add aml_add() term

      Add encoding for ACPI DefAdd Opcode.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>

  commit 5cb18b3d7bff2a83275ee98af2a14eb9e21c93ab
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue May 26 16:51:07 2015 -0400

      TPM2 ACPI table support

      Add a TPM2 ACPI table if a TPM 2 is used in the backend.
      Also add an SSDT for the TPM 2.

      Rename tpm_find() to tpm_get_version() and have this function
      return the version of the TPM found, TPMVersion_Unspec if
      no TPM is found. Use the version number to build version
      specific ACPI tables.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9657cafceb90accedd574a3accb3d344def8e764
  Merge: 97af820 07e1548
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 1 11:29:37 2015 +0100

      Merge remote-tracking branch 
'remotes/bkoppelmann/tags/pull-tricore-20150530' into staging

      TriCore bugfixes

      # gpg: Signature made Sat May 30 15:50:49 2015 BST using RSA key ID 
6B69CA14
      # gpg: Good signature from "Bastian Koppelmann 
<kbastian@xxxxxxxxxxxxxxxxxxxxx>"

      * remotes/bkoppelmann/tags/pull-tricore-20150530:
        target-tricore: fix BOL_ST_H_LONGOFF using ld
        target-tricore: fix msub32_q producing the wrong overflow bit
        target-tricore: fix OPC2_32_RR_DVINIT_HU having write before use on the 
result

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 56a3c24ffc11955ddc7bb21362ca8069a3fc8c55
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue May 26 16:51:06 2015 -0400

      tpm: Probe for connected TPM 1.2 or TPM 2

      In the TPM passthrough backend driver, modify the probing code so
      that we can check whether a TPM 1.2 or TPM 2 is being used
      and adapt the behavior of the TPM TIS accordingly.

      Move the code that tested for a TPM 1.2 into tpm_utils.c
      and extend it with test for probing for TPM 2. Have the
      function return the version of TPM found.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 116694c34aa794a994051fce55bfee418fe1521d
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue May 26 16:51:05 2015 -0400

      Extend TPM TIS interface to support TPM 2

      Following the recent upgrade to version 1.3, extend the TPM TIS
      interface with capabilities introduced for support of a TPM 2.

      TPM TIS for TPM 2 introduced the following extensions beyond the
      TPM TIS 1.3 (used for TPM 1.2):

      - A new 32bit interface Id register was introduced.
      - New flags for the status (STS) register were defined.
      - New flags for the capability flags were defined.

      Support the above if a TPM TIS 1.3 for TPM 2 is used with a TPM 2
      on the backend side. Support the old TPM TIS 1.3 configuration if a
      TPM 1.2 is being used. A subsequent patch will then determine which
      TPM version is being used in the backend.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 38d40ff10f71657ea913a63d1f8477be368b92c1
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Wed May 27 15:59:59 2015 +0300

      Add stream ID to MSI write

      GICv3 ITS distinguishes between devices by using hardwired device IDs 
passed on the bus.
      This patch implements passing these IDs in qemu.
      SMMU is also known to use stream IDs, therefore this addition can also be 
useful for
      implementing platforms with SMMU.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

       Changes from v1:
      - Added bus number to the stream ID
      - Added stream ID not only to MSI-X, but also to plain MSI. Some common 
code was made into
      msi_send_message() function.
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c3bdc56c183f6ca6baa502bd7861583ca98b333b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed May 27 19:55:55 2015 +0200

      acpi: Simplify printing to dynamic string

      build_append_namestringv() and aml_string() first calculate the
      resulting string's length with vsnprintf(NULL, ...), then allocate,
      then print for real.  Simply use g_strdup_vprintf() or g_vasprintf()
      instead.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit ea96bc629cbd52be98b2967a4b4f72e91dfc3ee4
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu May 28 22:04:11 2015 +0200

      i386: drop FDC in pc-q35-2.4+ if neither it nor floppy drives are wanted

      It is Very annoying to carry forward an outdatEd coNtroller with a mOdern
      Machine type.

      Hence, let us not instantiate the FDC when all of the following apply:
      - the machine type is pc-q35-2.4 or later,
      - "-device isa-fdc" is not passed on the command line (nor in the config
        file),
      - no "-drive if=floppy,..." is requested.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: "Gabriel L. Somlo" <gsomlo@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6cd2234ccbacf2825372142a2658bf318ce2f848
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu May 28 22:04:10 2015 +0200

      i386/pc_q35: don't insist on board FDC if there's no default floppy

      The "no_floppy = 1" machine class setting causes "default_floppy" in
      main() to become zero. Consequently, default_drive() will not call
      drive_add() and drive_new() for IF_FLOPPY, index=0, meaning that no
      default floppy drive will be created for the virtual machine. In that
      case, board code should also not insist on the creation of the
      board-default FDC.

      The board-default FDC will still be created if the user requests a floppy
      drive with "-drive if=floppy".

      Additionally, separate FDCs can be specified manually with "-device
      isa-fdc". They allow the

        -device isa-fdc,driveA=...

      syntax that is more flexible than the one required by the board-default
      FDC:

        -global isa-fdc.driveA=...

      This patch doesn't change the behavior observably, as all Q35 machine
      types have "no_floppy = 0".

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: "Gabriel L. Somlo" <gsomlo@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 936a7c1cf7410a3bab97c98301054921d47a8918
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu May 28 22:04:09 2015 +0200

      i386/pc: '-drive if=floppy' should imply a board-default FDC

      Even if board code decides not to request the creation of the FDC (keyed
      off board-level factors, to be determined later), we should create the FDC
      nevertheless if the user passes '-drive if=floppy' on the command line.

      Otherwise '-drive if=floppy' would break without explicit '-device
      isa-fdc' on such boards.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: "Gabriel L. Somlo" <gsomlo@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fd53c87cf6651b0dfe9f5107cfe77d2f697bd4f6
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu May 28 22:04:08 2015 +0200

      i386/pc: pc_basic_device_init(): delegate FDC creation request

      This patch introduces no observable change, but it allows the callers of
      pc_basic_device_init(), ie. pc_init1() and pc_q35_init(), to request (or
      not request) the creation of the FDC explicitly.

      At the moment both callers pass constant create_fdctrl=true (hence no
      observable change).

      Assuming a board passes create_fdctrl=false, "floppy" will be NULL on
      output, and (beyond the FDC not being created) that NULL will be passed on
      to pc_cmos_init(). Luckily, pc_cmos_init() already handles that case.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: "Gabriel L. Somlo" <gsomlo@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b829c2a98f1f67308eb02fcddb52d8fa67775f18
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:32 2015 +0800

      virtio: increase the queue limit to 1024

      Increase the queue limit to 1024. But virtio-ccw and s390-virtio won't
      support this, this is done through failing device_plugged() for those
      two transports if the number of virtqueues is greater than 64.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 87b3bd1c858e6cacac4d403da9109ec3a04fe9d0
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:31 2015 +0800

      virtio: rename VIRTIO_PCI_QUEUE_MAX to VIRTIO_QUEUE_MAX

      VIRTIO_PCI_QUEUE_MAX is not only used for pci, so rename it be generic.

      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d820331a0b47cbbdc409b435545aea25e19b57ad
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:30 2015 +0800

      virtio-s390: introduce virtio_s390_device_plugged()

      This patch introduce a virtio-s390 specific device_plugged() function
      and doing the number of virtqueue validation inside.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 74c85296dc880568005b8e7572e08a39d66bcdca
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:29 2015 +0800

      virtio-s390: introduce virito s390 queue limit

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 10ceaa1e8f9f74c917df1fe5db856817a8b26fe7
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:28 2015 +0800

      virtio-ccw: validate the number of queues against bus limitation

      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8dfbaa6ac450c4ec2646b1ca08a4017052a90c1d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:27 2015 +0800

      virtio-ccw: introduce ccw specific queue limit

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8ad176aaed24535f535e0fdb03c538c23017535d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:26 2015 +0800

      virtio: introduce virtio_get_num_queues()

      This patch introduces virtio_get_num_queues() which iterates the vqs
      array and return the number of virtqueues used by device.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e83980455c8c7eb066405de512be7c4bace3ac4d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:25 2015 +0800

      virtio: device_plugged() can fail

      This patch passes error pointer to transport specific device_plugged()
      callback. Through this way, device_plugged() can do some transport
      specific check and fail. This will be uesd by following patches that
      check the number of virtqueues against the transport limitation.

      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit da51a335aa61ec0e45879d80f3c5e2ee4f87cd2f
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:24 2015 +0800

      virtio-net: adding all queues in .realize()

      Instead of adding queues for multiqueue during feature set. This patch
      did this in .realize(), this will help the following patches that
      count the number of virtqueues used in .device_plugged() callback.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cf34f533a161f8ced7322321d70ca00414d47473
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri May 29 11:29:40 2015 +0200

      virtio: move VIRTIO_F_NOTIFY_ON_EMPTY into core

      Nearly all transports have been offering VIRTIO_F_NOTIFY_ON_EMPTY,
      s390-virtio being the exception. There's no reason why it shouldn't
      offer it as well, though (handling is done in core anyway), so let's
      move it to the common virtio features.

      While we're changing it anyway, fix the indentation for the
      DEFINE_VIRTIO_COMMON_FEATURES macro.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 13644819c5bf322ae4c2a415aca77d5dbde95fe8
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri May 29 11:29:39 2015 +0200

      virtio-ccw: Don't advertise VIRTIO_F_BAD_FEATURE

      This was copied from virtio-pci, but it doesn't make much sense for
      ccw, as it doesn't have to handle the broken implementations this bit
      is supposed to deal with. Remove it.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6b8f1020540c27246277377aa2c3331ad2bfb160
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue May 26 16:34:47 2015 +0200

      virtio: move host_features

      Move host_features from the individual transport proxies into
      the virtio device. Transports may continue to add feature bits
      during device plugging.

      This should it make easier to offer different sets of host features
      for virtio-1/transitional support.

      Tested-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2332333c9738b442fbbd5b83a1eaa6be656ab9b5
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Fri May 29 21:57:32 2015 +0200

      pc: acpi: fix pvpanic for buggy guests

      In the old times, we always had pvpanic in ACPI and a _STA method told
      the guest not to use it.  Automatic generation dropped the _STA method
      as the specification says that missing _STA means enabled and working.
      Some guests (Linux) had buggy drivers and this change made them unable
      to utilize pvpanic.

      A Linux patch is posted as well, but I think it's worth to make pvpanic
      useable on old guests at the price of three lines and few bytes of SSDT.

      The old _STA method was
        Method (_STA, 0, NotSerialized) {
            Store (PEST, Local0)
            If (LEqual (Local0, Zero)) {
                Return (Zero) }
            Else {
                Return (0x0F) }}

      Igor pointed out that we don't need to use a method to return a constant
      and that 0xB (don't show in UI) is the common definition now.

      Also, the device used to be PEVT.  (PEVT as in "panic event"?)

      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 99fbeafee8b568e796863980365080abdb8d675e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:19:01 2015 -0300

      pc: Generate init functions with a macro

      All pc-i440fx and pc-q35 init functions simply call the corresponding
      compat function and then call the main init function. Use a macro to
      generate that code.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 211b5b1d0a31f2f7593d6858a0b10487fb7b7fac
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:19:00 2015 -0300

      piix: Eliminate pc_init_pci()

      The function is not needed anymore, we can simply call pc_init1()
      directly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 72d164aa73b7c8d22a63b8ee789f97e4a8d2aa5c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:59 2015 -0300

      piix: Add kvmclock_enabled, pci_enabled globals

      This looks like a step backwards, but it will allow pc-0.1[0123] and
      isapc to follow the same compat+init pattern used by the other
      machine-types, allowing us to generate all init function using the same
      macro later.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d48f4fa69eb3efb03a2efe2e4606a97a17cf222f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:58 2015 -0300

      machine: Remove unused fields from QEMUMachine

      This removes the following fields from QEMUMachine: family, alias,
      reset, hot_add_cpu, units_per_default_bus, no_serial, no_parallel,
      use_virtcon, use_sclp, no_floppy, no_cdrom, default_display,
      compat_props, and hw_version.

      The only users of those fields were already converted to use QOM and
      MachineClass directly, so they are not needed anymore.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d644b11657ae047d50d8ea9ce285ecd6dae04ca2
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:57 2015 -0300

      pc: Remove qemu_register_pc_machine() function

      The helper is not needed anymore, as the PC machine classes are
      registered using QOM directly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 865906f7fdadd2732441ab158787f81f6a212bfe
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:56 2015 -0300

      pc: Don't use QEMUMachine anymore

      Now that we have a DEFINE_PC_MACHINE helper macro that just requires an
      initialization function, it is trivial to convert them to register a QOM
      machine class directly, instead of using QEMUMachine.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 25519b062c70f2afe2d2f0c262f3838a41e8bc7c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:55 2015 -0300

      pc: Move compat_props setting inside *_machine_options() functions

      This will simplify the DEFINE_PC_MACHINE macro, and will help us to
      implement reuse of PC_COMPAT_* macros through class_init function reuse,
      in the future.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fddd179ab962f6f78a8493742e1068d6a620e059
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:54 2015 -0300

      pc: Convert *_MACHINE_OPTIONS macros into functions

      By now the new functions will get QEMUMachine as argument, but they will
      be later converted to initialize a MachineClass struct directly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 61f219dfb093c0df91926928c780299cdf429619
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:53 2015 -0300

      pc: Define machines using a DEFINE_PC_MACHINE macro

      This will automatically generate the existing QEMUMachine structs based
      on the *_MACHINE_OPTIONS macros, and automatically add registration code
      for them.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b6b5c8e492ae7b71a16fe702b7409bff0feebfa7
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:52 2015 -0300

      pc: Define MACHINE_OPTIONS macros consistently for all machines

      Define a MACHINE_OPTIONS macro for each PC machine, and move every field
      inside the QEMUMachine structs to the macros, except for name, init, and
      compat_props.

      This also ensures that all MACHINE_OPTIONS inherit the fields from the
      next version, so their definitions carry only the changes that exist
      between one version and the next one.

      Comments about specific cases:

      pc-*-2.1:

        Existing PC_*_2_1_MACHINE_OPTIONS macros were defined as:
            PC_*_MACHINE_OPTIONS,
            .default_machine_opts = "firmware=bios-256k.bin"

        PC_*_2_2_MACHINE_OPTIONS is:
            PC_*_2_3_MACHINE_OPTIONS
        which is expanded to:
            PC_*_MACHINE_OPTIONS,
            .default_machine_opts = "firmware=bios-256k.bin",
            .default_display = "std"

        The only difference between 2_1 and 2_2 is .default_display, that's why
        we didn't reuse PC_*_2_2_MACHINE_OPTIONS. The good news is that having
        multiple initializers for a field is allowed by C99, and the last
        initializer overrides the previous ones.

        So we can reuse the 2_2 macro in 2_1 and define PC_*_2_1_MACHINE_OPTIONS
        as:
            PC_*_2_2_MACHINE_OPTIONS,
            .default_display = NULL

      pc-*-1.7:

        PC_*_1_7_MACHINE_OPTIONS was defined as:
            PC_*_MACHINE_OPTIONS

        PC_*_2_0_MACHINE_OPTIONS is defined as:
            PC_*_2_1_MACHINE_OPTIONS
        which is expanded to:
            PC_*_2_2_MACHINE_OPTIONS,
            .default_display = NULL
        which is expanded to:
            PC_*_2_3_MACHINE_OPTIONS,
            .default_display = NULL
        which is expanded to:
            PC_*_MACHINE_OPTIONS,
            .default_machine_opts = "firmware=bios-256k.bin",
            .default_display = "std",
            .default_display = NULL  /* overrides the previous line */

        So, the only difference between PC_*_1_7_MACHINE_OPTIONS and
        PC_*_2_0_MACHINE_OPTIONS is .default_machine_opts (as .default_display
        is not explicitly set by PC_*_MACHINE_OPTIONS so it is NULL).

        So we can keep the macro reuse pattern and define
        PC_*_2_0_MACHINE_OPTIONS as:
            PC_*_2_0_MACHINE_OPTIONS,
            .default_machine_opts = NULL

      pc-*-2.4 (alias and is_default fields):

        Set alias and is_default fields inside the 2.4 MACHINE_OPTIONS macro,
        and clear it in the 2.3 macro (that reuses the 2.4 macro).

      hw_machine:

        As all the machines older than v1.0 set hw_version explicitly, we can
        safely move the field to the MACHINE_OPTIONS macros without affecting
        the other versions that reuse them.

      init function:

        Some machines had the init function set inside the MACHINE_OPTIONS
        macro. Move it to the QEMUMachine declaration, to keep it consistent
        with the other machines.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f6d5a0bad276ea97fac4e0efb0f41f54a3f1ac84
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:10 2015 -0300

      piix: Define PC_COMPAT_0_10

      Move compat_props from pc-0.10 to the macro, to make it consistent with
      the other machines.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit faf7e4254fa33a13805a34a1ffeeb9dcc0a36a5e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:09 2015 -0300

      piix: Move pc-0.1[23] rombar compat props to PC_COMPAT_0_13

      The VGA and vmware-svga rombar compat properties were added by commit
      281a26b15b4adcecb8604216738975abd754bea8, but only to pc-0.13 and
      pc-0.12. This breaks the PC_COMPAT_* nesting pattern we currently
      follow.

      The new variables will now be inherited by pc-0.11 and older, but
      pc-0.11 and pc-0.10 already have PCI.rombar=0 on compat_props, so they
      shouldn't be affected at all.

      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d765519bef48bd95f2139314a5354144387523eb
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:08 2015 -0300

      piix: Move pc-0.13 virtio-9p-pci compat to PC_COMPAT_0_13

      The compat property was added by commit
      9dbcca5aa13cb9ab40788ac4c56bc227d94ca920, and the pc-0.12 and older
      machine-types were not changed because virtio-9p-pci was introduced on 
QEMU
      0.13 (commit 9f10751365b26b13b8a9b67e0e90536ae3d282df). The only problem 
is
      that this breaks the PC_COMPAT_* nesting pattern we currently use.

      So, move the property to PC_COMPAT_0_13. This make pc-0.12 and older 
inherit
      it, but that shouldn't be an issue as QEMU 0.12 didn't have virtio-9p-pci.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d5303df71073da70e0ad29a6dfb304ec7b747f5c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:07 2015 -0300

      piix: Move pc-0.11 drive version compat props to PC_COMPAT_0_11

      The current code setting ide-drive.ver and scsi-disk.ver on pc-0.11
      breaks the PC_COMPAT_* nesting pattern we currently use.

      As those variables are overwritten in pc-0.10 too, they can be inherited
      by pc-0.10 with no side-effects at all.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit bb08d8829b5bec6af619e4532a397ef12727516c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:06 2015 -0300

      piix: Move pc-0.14 qxl compat properties to PC_COMPAT_0_14

      Those properties were introduced by commit
      3827cdb1c3aa17a792d1658161195b9d7173c26b. They were not duplicated into
      pc-0.13 and older because 0.14 was the first QEMU version supporting
      qxl. The only problem is that this breaks the PC_COMPAT_* nesting
      pattern we currently use.

      So, move the properties to PC_COMPAT_0_14. This makes pc-0.13 and older
      inherit them, but that shouldn't be an issue as QEMU 0.13 didn't support
      qxl.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 38ff32c6e6fd966c5adb9cde4d393a8cca9ef093
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:05 2015 -0300

      spapr: define SPAPR_COMPAT_2_3

      Don't add the pseries-2.3 machine yet, but define the corresponding
      SPAPR_COMPAT macro to make sure both pseries-2.2 and pseries-2.1 will
      inherit HW_COMPAT_2_3.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4dfd8eaa19c90087f19b56da5d04d9c468109a65
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:04 2015 -0300

      spapr: Use HW_COMPAT_* inside SPAPR_COMPAT_* macros

      SPAPR_COMPAT_2_1 will need to include both HW_COMPAT_2_2 and
      HW_COMPAT_2_1, so include HW_COMPAT_2_1 inside SPAPR_COMPAT_2_1 and
      HW_COMPAT_2_2 inside SPAPR_COMPAT_2_2.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 42134ac9d74799cf2f70257798b72a2988b75d31
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:03 2015 -0300

      pc: Define PC_COMPAT_2_[123] macros

      Once we start adding compat code for pc-2.3, the usage of HW_COMPAT_2_1
      in pc-*-2.2 won't be enough, as it also has to include PC_COMPAT_2_3
      inside it. To ensure that, define PC_COMPAT_2_3, PC_COMPAT_2_2, and
      PC_COMPAT_2_1 macros.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1edbde82b809f80b973978886d8232fbf280cb03
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:02 2015 -0300

      hw: Define empty HW_COMPAT_2_[23] macros

      Now we can make everything consistent and define the macros even if they
      are still empty.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit dd754baf46b6479a02521f671a0b58ffc799810e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:01 2015 -0300

      spapr: Move commas inside SPAPR_COMPAT_* macros

      Changing the convention to include commas inside the macros will allow
      macros containing empty lists to be defined and used without compilation
      errors.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a7cde24dc2f104c8e5861df0e2938e79264e9d58
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:00 2015 -0300

      pc: Move commas inside PC_COMPAT_* macros

      Changing the convention to include commas inside the macros will allow
      macros containing empty lists to be defined and used without compilation
      errors.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f27086a731bbd0141646702c95f6dc5fce3e8575
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:52:59 2015 -0300

      hw: Move commas inside HW_COMPAT_2_1 macro

      Changing the convention to include commas inside the macros will allow
      macros containing empty lists to be defined and used without compilation
      errors.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4974920ab8fc8cf05687f1f764650dbc7c821004
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:52:58 2015 -0300

      pc: Replace tab with spaces

      Coding style change only.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ecfa60e37439c870d08a90a845b061a53aa26f74
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 11 17:34:07 2015 +0800

      hw/s390x/virtio-ccw: use alias property for virtio-balloon-ccw

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 39b87c7b9f8bf3618e0357699d29615e521264d8
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 11 17:34:06 2015 +0800

      hw/virtio/virtio-pci: use alias property for virtio-balloon-pci

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1190044ea5a1c9a871664c4e2013072e51e56d5a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 11 17:34:05 2015 +0800

      hw/virtio/virtio-balloon: move adding property to 
virtio_balloon_instance_init

      This is in preparation for using alias property in virtio-balloon-pci
      and virtio-balloon-ccw.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 07e15486faf353260431f10e85185372c5036baa
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri May 22 12:15:58 2015 +0200

      target-tricore: fix BOL_ST_H_LONGOFF using ld

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Message-Id: 
<1432289758-6250-4-git-send-email-kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 9bbd4843c052a0a467c7a3363046b0c95c0e5fc0
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri May 22 12:15:57 2015 +0200

      target-tricore: fix msub32_q producing the wrong overflow bit

      The inversion of the overflow bit as a special case, which was needed for 
the
      madd32_q instructions, does not apply for msub32_q instructions. So 
remove it.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Message-Id: 
<1432289758-6250-3-git-send-email-kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 05b6ca9bbcaede74120050aa8e6684300c09257c
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri May 22 12:15:56 2015 +0200

      target-tricore: fix OPC2_32_RR_DVINIT_HU having write before use on the 
result

      If the argument r1 was the same as the extended result register r3+1, we 
would
      overwrite r1 and then use it.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Message-Id: 
<1432289758-6250-2-git-send-email-kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 97af820f539efe80b87615a04f9de11ea585f725
  Merge: 2cc3bdb 3960c33
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 17:10:57 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150529' into staging

      target-arm:
       * Support ACPI for ARMv8 systems using the 'virt' board
         (and a UEFI boot image, typically)
       * avoid buffer overrun in some UNPREDICTABLE ldrd/strd cases
       * further work preparing for 64-bit EL2/EL3 support

      # gpg: Signature made Fri May 29 12:14:06 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150529: (39 commits)
        target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd
        hw/arm/virt: Enable dynamic generation of ACPI v5.1 tables
        ACPI: split CONFIG_ACPI into 4 pieces
        hw/arm/virt-acpi-build: Add PCIe controller in ACPI DSDT table
        hw/acpi/aml-build: Add Unicode macro
        hw/acpi/aml-build: Add aml_dword_io() term
        hw/acpi/aml-build: Add aml_create_dword_field() term
        hw/acpi/aml-build: Add aml_else() term
        hw/acpi/aml-build: Add aml_lnot() term
        hw/acpi/aml-build: Add aml_or() term
        hw/acpi/aml-build: Add ToUUID macro
        hw/acpi/aml-build: Make aml_buffer() definition consistent with the spec
        hw/arm/virt-acpi-build: Generate MCFG table
        hw/arm/virt-acpi-build: Generate RSDP table
        hw/arm/virt-acpi-build: Generate RSDT table
        hw/arm/virt-acpi-build: Generate GTDT table
        hw/arm/virt-acpi-build: Generate MADT table
        hw/arm/virt-acpi-build: Generate FADT table and update ACPI headers
        hw/arm/virt-acpi-build: Generation of DSDT table for virt devices
        hw/acpi/aml-build: Add aml_interrupt() term
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2cc3bdbe2d3908f7a813d1c2d774cc2bf07746cd
  Merge: 2a90c45 9abe3bd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 15:32:15 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-block-2015-05-29' 
into staging

      Block QAPI, monitor, command line patches

      # gpg: Signature made Fri May 29 12:02:32 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-block-2015-05-29:
        qapi: add dirty bitmap status

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2a90c454a1b90ace56ed908cd064f2fd483d1231
  Merge: 9441aa2 63c67b6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 14:24:35 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150529-1' 
into staging

      gtk: add opengl rendering support.
      small bugfixes for gtk and opengl ui code.

      # gpg: Signature made Fri May 29 10:44:54 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150529-1:
        gtk: Replace gdk_cursor_new()
        gtk: add opengl support, using egl
        ui: add egl-helpers
        ui: shader.h protect against double inclusion
        ui: use libexpoxy

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9abe3bdc45ced367fe034c0fdd7c686212389767
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue May 12 15:53:01 2015 -0400

      qapi: add dirty bitmap status

      Bitmaps can be in a handful of different states with potentially
      more to come as we tool around with migration and persistence patches.

      Management applications may need to know why certain bitmaps are
      unavailable for various commands, e.g. busy in another operation,
      busy being migrated, etc.

      Right now, all we offer is BlockDirtyInfo's boolean member 'frozen'.
      Instead of adding more booleans, replace it by an enumeration member
      'status' with values 'active' and 'frozen'.  Then add new value
      'disabled'.

      Incompatible change.  Fine because the changed part hasn't been
      released so far.

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      [Commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3960c336ad96c2183549c8bf32bbff93ecda7ea4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:29:00 2015 +0100

      target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd

      A LDRD or STRD where rd is not an even number is UNPREDICTABLE.
      We were letting this fall through, which is OK unless rd is 15,
      in which case we would attempt to do a load_reg or store_reg
      to a nonexistent r16 for the second half of the double-word.
      Catch the odd-numbered-rd cases and UNDEF them instead.

      To do this we rearrange the structure of the code a little
      so we can put the UNDEF catches at the top before we've
      allocated TCG temporaries.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431348973-21315-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit d7c2e2db28eb7e8f2ed7467fa2f2c59026b206d1
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:59 2015 +0100

      hw/arm/virt: Enable dynamic generation of ACPI v5.1 tables

      Initialize VirtGuestInfoState and register a machine_init_done notify to
      call virt_acpi_build().

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1432522520-8068-25-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 135a67a692bedb952ea720351026247104da8645
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:59 2015 +0100

      ACPI: split CONFIG_ACPI into 4 pieces

      As core.c, piix4.c, ich9.c and pcihp.c are for x86, add CONFIG_ACPI_X86
      to make it only for x86. ARM doesn't support cpu and memory hotplug, add
      CONFIG_ACPI_CPU_HOTPLUG and CONFIG_ACPI_MEMORY_HOTPLUG to exclude them
      for target-arm.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-24-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d4e5de1ae02f6b47eb088531d3d4d047b4db6cfa
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:59 2015 +0100

      hw/arm/virt-acpi-build: Add PCIe controller in ACPI DSDT table

      Add PCIe controller in ACPI DSDT table, so the guest can detect
      the PCIe.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1432522520-8068-23-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e1f776c434f8f18079b82d8121c166fb53a63451
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:59 2015 +0100

      hw/acpi/aml-build: Add Unicode macro

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-22-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 616ef329adbb671be783a1dba96d881b9218ff80
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_dword_io() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-21-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ed8176a37a8f227e61daddbcf92dc5d1cad45818
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_create_dword_field() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-20-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 467b07dfae6087381d0993ab910253a6c1850457
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_else() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-19-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ea7df04a0217fe6314a1520dde1883c45fefcaaa
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_lnot() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-18-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 922cc8823e484733021a7be5b0e876eba2218623
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_or() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-17-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b930fb9db4aa07abb8f3871eb7379242edbdf2a5
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:57 2015 +0100

      hw/acpi/aml-build: Add ToUUID macro

      Add ToUUID macro, this is useful for generating PCIe ACPI table.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-16-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ed8b5847e46c24d6e9c286892a00a34bee9b0835
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:57 2015 +0100

      hw/acpi/aml-build: Make aml_buffer() definition consistent with the spec

      According to ACPI spec, DefBuffer can take two parameters: BufferSize
      and ByteList. Make it consistent with the spec. Uninitialized buffer
      could be requested by passing ByteList as NULL to reserve space.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-15-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8434488400971c6793893b8c9547bc6b97e076ce
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:57 2015 +0100

      hw/arm/virt-acpi-build: Generate MCFG table

      Generate MCFG table for PCIe controller.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-14-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d4bec5d876b694f7f13ad3fcfe510ff46e9748d0
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:56 2015 +0100

      hw/arm/virt-acpi-build: Generate RSDP table

      RSDP points to RSDT which in turn points to other tables.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-13-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 243bdb79fb0b2eda176cdef37700f29068a71d43
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:56 2015 +0100

      hw/arm/virt-acpi-build: Generate RSDT table

      RSDT points to other tables FADT, MADT, GTDT. This code is shared with 
x86.

      Here we still use RSDT as UEFI puts ACPI tables below 4G address space,
      and UEFI ignore the RSDT or XSDT.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-12-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ee246400c1ceef2014e120b718388d5f4aea8a2a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:56 2015 +0100

      hw/arm/virt-acpi-build: Generate GTDT table

      ACPI v5.1 defines GTDT for ARM devices as a place to describe timer
      related information in the system. The Arch Timer interrupts must
      be provided for GTDT.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-11-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 982d06c561a62cf7d2a8d31e8a8c107fb3477419
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:56 2015 +0100

      hw/arm/virt-acpi-build: Generate MADT table

      MADT describes GIC enabled ARM platforms. The GICC and GICD
      subtables are used to define the GIC regions.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-10-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c2f7c0c306dcd56725b506d3743eed421e6d0994
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:55 2015 +0100

      hw/arm/virt-acpi-build: Generate FADT table and update ACPI headers

      In the case of mach virt, it is used to set the Hardware Reduced bit
      and enable PSCI SMP booting through HVC. So ignore FACS and FADT
      points to DSDT.

      Update the header definitions for FADT taking into account the new
      additions of ACPI v5.1 in `include/hw/acpi/acpi-defs.h`

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1432522520-8068-9-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dfccd8cfd7c5d1b6740463821d84106bbaced44c
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:55 2015 +0100

      hw/arm/virt-acpi-build: Generation of DSDT table for virt devices

      DSDT consists of the usual common table header plus a definition
      block in AML encoding which describes all devices in the platform.

      After initializing DSDT with header information the namespace is
      created which is followed by the device encodings. The devices are
      described using the Resource Template for the 32-Bit Fixed Memory
      Range and the Extended Interrupt Descriptors.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-8-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 205d1d1c04033b1be4c925e687b6865d1fc1b26b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:55 2015 +0100

      hw/acpi/aml-build: Add aml_interrupt() term

      Add aml_interrupt() for describing device interrupt in resource template.
      These can be used to generating DSDT table for ACPI on ARM.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1432522520-8068-7-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dc17ab1de53d37ddcca81b16dfeae839322fbe5a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:55 2015 +0100

      hw/acpi/aml-build: Add aml_memory32_fixed() term

      Add aml_memory32_fixed() for describing device mmio region in resource
      template. These can be used to generating DSDT table for ACPI on ARM.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-6-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f5d8c8cd792b3712f85a1f9a3a9a719015691975
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:54 2015 +0100

      hw/arm/virt-acpi-build: Basic framework for building ACPI tables on ARM

      Introduce a preliminary framework in virt-acpi-build.c with the main
      ACPI build functions. It exposes the generated ACPI contents to
      guest over fw_cfg.

      The required ACPI v5.1 tables for ARM are:
      - RSDP: Initial table that points to XSDT
      - RSDT: Points to FADT GTDT MADT tables
      - FADT: Generic information about the machine
      - GTDT: Generic timer description table
      - MADT: Multiple APIC description table
      - DSDT: Holds all information about system devices/peripherals, pointed 
by FADT

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1432522520-8068-5-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6a1f001be3ea7478cac803d03149cfcfc1fa2094
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:54 2015 +0100

      hw/arm/virt: Record PCIe ranges in MemMapEntry array

      To generate ACPI table for PCIe controller, we need the base and size of
      the PCIe ranges. Record these ranges in MemMapEntry array, then we could
      share and use them for generating ACPI table.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1432522520-8068-4-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit afe0b3803f1a5fffe618af5a483d4c9567b5c5b7
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:54 2015 +0100

      hw/arm/virt: Move common definitions to virt.h

      Move some common definitions to virt.h. These will be used by
      generating ACPI tables.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-3-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff80dc7fa8045e2b2531888d965424d2b0e1d1b6
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:54 2015 +0100

      hw/acpi/aml-build: Make enum values to be upper case to match coding style

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1432522520-8068-2-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b1eced713d9913a5c58ba9daa795f10e4c856c49
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:53 2015 +0100

      target-arm: Add WFx instruction trap support

      Add support for trapping WFI and WFE instructions to the proper EL when
      SCTLR/SCR/HCR settings apply.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      [PMM: removed unnecessary tweaking of syn_wfx() prototype;
       use raise_exception();
       don't trap on WFE (and add comment explaining why not);
       remove unnecessary ARM_FEATURE checks;
       trap to EL3, not EL1, if in S-EL0 and SCTLR check fires]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 84549b6dcf9147559ec08b066de673587be6b763
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:53 2015 +0100

      target-arm: Don't halt on WFI unless we don't have any work

      Just NOP the WFI instruction if we have work to do.
      This doesn't make much difference currently (though it does avoid
      jumping out to the top level loop and immediately restarting),
      but the distinction between "halt" and "don't halt" will become
      more important when the decision to halt requires us to trap
      to a higher exception level instead.

      Suggested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 647f767ba3b37fb229275086187e96242248a4ac
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:53 2015 +0100

      target-arm: Move TB flags down to fill gap

      Deleting the now-unused ARM_TBFLAG_CPACR_FPEN left a gap in the
      bit usage; move the following ARM_TBFLAG_XSCALE_CPAR and
      ARM_TBFLAG_NS_SHIFT down 3 bits to fill the gap.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 9dbbc748d671c70599101836cd1c2719d92f3017
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:53 2015 +0100

      target-arm: Extend FP checks to use an EL

      Extend the ARM disassemble context to take a target exception EL instead 
of a
      boolean enable. This change reverses the polarity of the check making a 
value
      of 0 indicate floating point enabled (no exception).

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      [PMM: Use a common TB flag field for AArch32 and AArch64;
       CPTR_EL2 exists in v7; CPTR_EL2 should trap for EL2 accesses;
       CPTR_EL2 should not trap for secure accesses; CPTR_EL3
       should trap for EL3 accesses; CPACR traps for secure
       accesses should trap to EL3 if EL3 is AArch32]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 3cf6a0fcedd429693d439556543400d5f0e31e1d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:52 2015 +0100

      target-arm: Make singlestate TB flags common between AArch32/64

      Currently we keep the TB flags PSTATE_SS and SS_ACTIVE in different
      bit positions for AArch64 and AArch32. Replace these separate
      definitions with a single common flag in the upper part of the
      flags word.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit c6f191642a4027909813b4e6e288411f8371e951
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:52 2015 +0100

      target-arm: Add AArch64 CPTR registers

      Adds CPTR_EL2/3 system registers definitions and access function.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      [PMM: merge CPTR_EL2 and HCPTR definitions into a single
       def using STATE_BOTH;
       don't use readfn/writefn to implement RAZ/WI registers;
       don't use accessfn for the no-EL2 CPTR_EL2;
       fix cpacr_access logic to catch EL2 accesses to CPACR being
       trapped to EL3;
       use new CP_ACCESS_TRAP_EL[23] rather than setting
       exception.target_el directly]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 38836a2cd47c20daaaa84873e3d6020f19e4bfca
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:52 2015 +0100

      target-arm: Allow cp access functions to indicate traps to EL2 or EL3

      Some coprocessor access functions will need to indicate that the
      instruction should trap to EL2 or EL3 rather than the default
      target exception level; add corresponding CPAccessResult enum
      entries and handling code.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 012a906b19e99b126403ff4a257617dab9b34163
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:51 2015 +0100

      target-arm: Update interrupt handling to use target EL

      Updated the interrupt handling to utilize and report through the target EL
      exception field.  This includes consolidating and cleaning up code where
      needed. Target EL is now calculated once in arm_cpu_exec_interrupt() and
      do_interrupt was updated to use the target_el exception field.  The
      necessary code from arm_excp_target_el() was merged in where needed and 
the
      function removed.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-4-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c63285991b371c031147ad620dd7671662a90303
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:51 2015 +0100

      target-arm: Make raise_exception() take syndrome and target EL

      Rather than making every caller of raise_exception set the
      syndrome and target EL by hand, make these arguments to
      raise_exception() and have that do the job.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 863b6589d738d0b4c8b283297b0ff228f3d3fb14
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:51 2015 +0100

      target-arm: Set exception target EL in tlb_fill

      Set the exception target EL for MMU faults in tlb_fill.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 8c6084bf10fe721929ca94cf16acd6687e61d3ec
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:51 2015 +0100

      target-arm: Move setting of exception info into tlb_fill

      Move the code which sets exception information out of
      arm_cpu_handle_mmu_fault and into tlb_fill. tlb_fill
      is the only caller which wants to raise_exception()
      so it makes more sense for it to handle the whole of
      the exception setup.

      As part of this cleanup, move the user-mode-only
      implementation function for the handle_mmu_fault CPU
      method into cpu.c so we don't need to make it globally
      visible, and rename the softmmu-only utility function
      arm_cpu_handle_mmu_fault to arm_tlb_fill so it's clear
      that it's not the same thing.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit f2932df777dace044719dc2f394f5a5a8aa1b1cd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:50 2015 +0100

      target-arm: Set correct syndrome for faults on MSR DAIF*, imm

      If the SCTLR.UMA trap bit is set then attempts by EL0 to update
      the PSTATE DAIF bits via "MSR DAIFSet, imm" and "MSR DAIFClr, imm"
      instructions will raise an exception. We were failing to set
      the syndrome information for this exception, which meant that
      it would be reported as a repeat of whatever the previous
      exception was. Set the correct syndrome information.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit e3b1d480995f6e2e86ef062038e618c1234dbcf1
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:50 2015 +0100

      target-arm: Extend helpers to route exceptions

      Updated the various helper routines to set the target EL as needed using a
      dedicated function.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-3-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: Also set target_el in fault cases in access_check_cp_reg()]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 737103619869600668cc7e8700e4f6eab3943896
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:50 2015 +0100

      target-arm: Add exception target el infrastructure

      Add a CPU state exception target EL field that will be used for 
communicating
      the EL to which an exception should be routed.

      Add a disassembly context field for tracking the EL3 architecture needed 
for
      determining the target exception EL.

      Add a target EL argument to the generic exception helper for callers to 
specify
      the EL to which the exception should be routed.  Extended the helper to 
set
      the newly added CPU state exception target el.

      Added a function for setting the target exception EL and updated calls to 
helpers
      to call it.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-2-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9441aa282bc3213ef0530cab86f318b877bac25c
  Merge: ba7c388 55a1d80
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:23:07 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150529-1' 
into staging

      kbd: add support for brazilian keyboard (two extra keys).
      input: add virtio-input devices.

      # gpg: Signature made Fri May 29 10:09:02 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150529-1:
        virtio-input: emulated devices [device]
        virtio-input: core code & base class [device]
        virtio-input: add linux/input.h
        kbd: add brazil kbd keys to x11 evdev map
        kbd: add brazil kbd keys to qemu

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 63c67b6d4462b6589b371d55e3740e9f0dba3281
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed May 20 15:35:31 2015 +0200

      gtk: Replace gdk_cursor_new()

      gdk_cursor_new() has been deprecated in GTK 3.16, it is recommended to
      use gdk_cursor_new_for_display() instead, so do that.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Cole Robinson <crobinso@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 97edf3bd5eab8952d475de66ede77307c12b8c48
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jan 20 12:43:28 2015 +0100

      gtk: add opengl support, using egl

      This adds opengl rendering support to the gtk ui, using egl.
      It's off by default for now, use 'qemu -display gtk,gl=on'
      to play with this.

      Note that gtk got native opengl support with release 3.16.
      There most likely will be a separate implementation for 3.16+,
      using the native gtk opengl support.  This patch covers older
      versions (and for the time being 3.16 too, hopefully without
      rendering quirks).

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit ba7c388963e099c0d2cedb7f048e30747ffff25d
  Merge: ce0274f f7a8beb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 10:17:48 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150529-1' 
into staging

      spice: misc fixes.

      # gpg: Signature made Fri May 29 09:16:29 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150529-1:
        spice: fix spice_chr_add_watch() pre-condition
        spice: don't update mm_time when spice-server is stopped.
        spice-char: notify the server when chardev is writable
        virtio-console: notify chardev when writable

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7ced9e9f6da2257224591b91727cfeee4f3977fb
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jan 6 15:40:00 2015 +0100

      ui: add egl-helpers

      Add helper functions to initialize OpenGL using egl.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 896e1a050a0d333b1f0ec0768cc64e26c5d0d104
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon May 11 12:25:23 2015 +0200

      ui: shader.h protect against double inclusion

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit dcf30025c3e3d43140a687240433de1920adf8b0
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon May 11 12:24:43 2015 +0200

      ui: use libexpoxy

      libepoxy does the opengl extension handling for us.

      It also is helpful for trouble-shooting as it prints nice error messages
      instead of silently failing or segfaulting in case we do something
      wrong, like using gl commands not supported by the current context.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 55a1d80a41032d6133adec041c0096820beaa1b7
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 1 10:06:29 2014 +0200

      virtio-input: emulated devices [device]

      This patch adds the virtio-input-hid base class and
      virtio-{keyboard,mouse,tablet} subclasses building on the base class.
      They are hooked up to the qemu input core and deliver input events
      to the guest like all other hid devices (ps/2 kbd, usb tablet, ...).

      Using them is as simple as adding "-device virtio-tablet-device" to
      your command line, for use all transports except pci.  virtio-pci
      support comes as separate patch, once virtio-pci got virtio 1.0
      support.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f73ddbad397f98c1d476ffbf93d65af1cfa796e6
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 14 14:39:20 2014 +0100

      virtio-input: core code & base class [device]

      This patch adds virtio-input support to qemu.  It brings a abstract
      base class providing core support, other classes can build on it to
      actually implement input devices.

      virtio-input basically sends linux input layer events (evdev) over
      virtio.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2fe7c31832a345cdc34314cdcd5478d06b884842
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Mar 19 11:55:24 2015 +0100

      virtio-input: add linux/input.h

      Linux input layer (evdev) header file.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 33aa30cafcce053b833f9fe09fbb88e2f54b93aa
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue May 26 13:12:54 2015 +0200

      kbd: add brazil kbd keys to x11 evdev map

      This patch adds the two extra brazilian keys to the evdev keymap for
      X11.  This patch gets the two keys going with the vnc, gtk and sdl1
      UIs.

      The SDL2 library complains it doesn't know these keys, so the SDL2
      library must be fixed before we can update ui/sdl2-keymap.h

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b771f470f3e2f99f585eaae68147f0c849fd1f8d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue May 26 10:39:10 2015 +0200

      kbd: add brazil kbd keys to qemu

      The brazilian computer keyboard layout has two extra keys (compared to
      the usual 105-key intl ps/2 keyboard).  This patch makes these two keys
      known to qemu.

      For historic reasons qemu has two ways to specify a key:  A QKeyCode
      (name-based) or a number (ps/2 scancode based).  Therefore we have to
      update multiple places to make new keys known to qemu:

        (1) The QKeyCode definition in qapi-schema.json
        (2) The QKeyCode <-> number mapping table in ui/input-keymap.c

      This patch does just that.  With this patch applied you can send those
      two keys to the guest using the send-key monitor command.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f7a8beb5e6a13dc924895244777d9ef08b23b367
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Thu May 28 15:04:58 2015 +0200

      spice: fix spice_chr_add_watch() pre-condition

      Since e02bc6de30c44fd668dc0d6e1cd1804f2eed3ed3, add_watch() is called
      with G_IO_HUP. Even if spice-qemu-char ignores this flag, the
      precondition must be changed.

      https://bugzilla.redhat.com/show_bug.cgi?id=1128992

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 641381c1fcd66ea8de07ecfcd733089da26cbba9
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue May 12 11:54:34 2015 +0200

      spice: don't update mm_time when spice-server is stopped.

      Skip mm_time updates (in qxl device memory) in case the guest is stopped.
      Guest isn't able to look anyway, and it causes problems with migration.

      Also make sure the initial state for spice server is stopped.

      Reported-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e95e203c085b7731746e39c9b9f8bd2f6eaa0cd6
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue May 5 16:58:56 2015 +0200

      spice-char: notify the server when chardev is writable

      The spice server is polling on write, unless
      SPICE_CHAR_DEVICE_NOTIFY_WRITABLE flag is set. In this case, qemu must
      call spice_server_char_device_wakeup() when the frontend is writable.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 246ca55faff625f4c15e21f3424781e215a254ea
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue May 5 16:58:55 2015 +0200

      virtio-console: notify chardev when writable

      When the virtio serial is writable, notify the chardev backend
      with qemu_chr_accept_input().

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit ce0274f730eacbd24c706523ddbbabb6b95d0659
  Author: Fabien Chouteau <chouteau@xxxxxxxxxxx>
  Date:   Sat Feb 7 09:38:45 2015 +0100

      Revert "gdbstub: Do not kill target in system emulation mode"

      The requirements described in this patch are implemented by "Add GDB
      qAttached support".

      This reverts commit 00e94dbc7fd0110b0555d59592b004333adfb4b8.

      Signed-off-by: Fabien Chouteau <chouteau@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3919386eab91b56e40fb4faead980f57a664b2e
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sat Feb 7 09:38:44 2015 +0100

      Add GDB qAttached support

      With this patch QEMU handles qAttached request from gdb. When QEMU
      replies 1, GDB sends a "detach" command at the end of a debugging
      session otherwise GDB sends "kill".

      The default value for qAttached is 1 on system emulation and 0 on user
      emulation.

      Based on original version by Fabien Chouteau.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4dabe747af0a6bd66a86c2c7879f1882bec43c33
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sat Feb 7 09:38:43 2015 +0100

      gdbstub: Introduce an is is_query_packet helper

      This helper supports parsing of query packets with optional extensions.
      The separator can be specified so that we can use it already for both
      qqemu.sstep[=] and qSupported[:feature].

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 070949f39ee96bd16654e6623ab4ff627d918ba6
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sat Feb 7 09:38:42 2015 +0100

      gdbstub: Fix qOffsets packet detection

      qOffsets has no additional optional parameters. So match the complete
      string to avoid stumbling over possible future commands with identical
      prefix.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a84904737277c2f07c8fbcb69db27451d844f12b
  Merge: bc3004f 46ca6b3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu May 28 14:57:34 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150528' into 
staging

      A set of patches add support for vector registers on s390x.
      Notable: Floating point registers and vector registers overlap,
      so extra care is needed so that we end up with a consistent state
      in all cases.

      # gpg: Signature made Thu May 28 09:37:27 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150528:
        s390x: Enable vector processing capability
        s390x: Migrate vector registers
        s390x: Add vector registers to ELF dump
        linux/elf.h update
        s390x: Add vector registers to HMP output
        s390x: gdb updates for vector registers
        gdb-xml: Include XML for s390 vector registers
        s390x: Store Additional Status SIGP order
        s390x: Vector Register IOCTLs
        s390x: Common access to floating point registers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bc3004f0bb28d36b97eea5ff48922d16b4df7a1f
  Merge: 0915aed 2bc22a5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu May 28 11:03:02 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Wed May 27 11:02:55 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net/net: Record usage status of mac address
        tap: Improve -netdev/netdev_add/-net/... tap error reporting
        tap: Finish conversion of tap_open() to Error
        tap-solaris: Convert tap_open() to Error
        tap-bsd: Convert tap_open() to Error
        tap-linux: Convert tap_open() to Error
        tap: Permit incremental conversion of tap_open() to Error
        tap: Convert launch_script() to Error
        tap: Convert net_init_tap_one() to Error
        tap: Convert tap_set_sndbuf() to Error
        tap: Improve -netdev/netdev_add/-net/... bridge error reporting
        tap: net_tap_fd_init() can't fail, drop dead error handling
        net/dump: Improve -net/host_net_add dump error reporting
        net: Improve -net nic error reporting
        net: Permit incremental conversion of init functions to Error
        net: Improve error message for -net hubport a bit
        net: Change help text to list -netdev instead of -net by default

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 46ca6b3bc99ebf9205e28ed14c023ebf84d39bb7
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 30 09:23:06 2014 -0400

      s390x: Enable vector processing capability

      Everything is finally in place, inform the kernel that user space
      supports vector registers.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit b2ac0ff5d9478907cfd5b204c9179f77d0cb943f
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 10:52:16 2015 -0400

      s390x: Migrate vector registers

      When migrating a guest, be sure to include the vector registers.
      The vector registers are defined in a subsection, similar to the
      existing subsection for floating point registers.  Since the
      floating point registers are always present (and thus migrated),
      we can skip them when performing the migration of the vector
      registers which may or may not be present.

      Suggested-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 3ceeb2930faf1116ee4bb22c8a7794bb2337e8a9
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 29 14:54:26 2014 -0400

      s390x: Add vector registers to ELF dump

      Create ELF notes for the vector registers where applicable, so that
      their contents can be examined by utilities such as crash or readelf.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit eeef559ab4a80753b7bf31728780692a3a4e3ec1
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 12 14:22:55 2014 -0500

      linux/elf.h update

      Sync with kernel elf.h updates to get s390x vector register definitions.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 56c42271495fc5f6c5bd70c4309a74b425c5cbda
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 29 13:50:37 2014 -0400

      s390x: Add vector registers to HMP output

      There are mechanisms to dump registers via the qemu HMP interface,
      such as the "info registers" command.  Expand this output to dump
      the new vector registers.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ca343c7a84fbe457dd442d26d5a01f31e8a8d308
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 3 08:42:18 2014 -0400

      s390x: gdb updates for vector registers

      gdb allows registers to be displayed/modified, and is being updated
      to account for the new vector registers.  Mirror these changes in
      the gdb stub in qemu so that this can be performed when gdb is
      attached to the qemu gdbserver.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 773d4ebc9a31a5e0efbaf83f76715ab40c355384
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Nov 18 17:03:02 2014 -0500

      gdb-xml: Include XML for s390 vector registers

      Include the vector registers XML file that is provided by gdb,
      and can be used by the qemu gdbserver interface.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit abec53565dce5ed56bff4968d3bed88f6cf68c3c
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jan 14 09:57:16 2015 -0500

      s390x: Store Additional Status SIGP order

      Add handling for the Store Additional Status at Address order
      that exists for the Signal Processor (SIGP) instruction.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fcb79802e07fe06fe24ba97a027d8a1c3a714fa7
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 18 15:33:39 2014 -0400

      s390x: Vector Register IOCTLs

      Handle the actual syncing of the vector registers with kernel space,
      via the get/put register IOCTLs.

      The vector registers that were introduced with the z13 overlay
      the existing floating point registers.  FP registers 0-15 are
      the high-halves of vector registers 0-15.  Thus, remove the
      freg fields and replace them with the equivalent vector field
      to avoid errors in duplication.  Moreover, synchronize either the
      vector registers via kvm_sync_regs, or floating point registers
      via the GET/SET FPU IOCTLs.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit c498d8e36e2998fb67de21a34ece633d356a4834
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 14:35:44 2015 -0400

      s390x: Common access to floating point registers

      Provide a routine to access the correct floating point register,
      to simplify future expansion.

      Suggested-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 2bc22a58e16f0650e56dccfac9495e5aef58e2ef
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 21 17:44:48 2015 +0800

      net/net: Record usage status of mac address

      Currently QEMU dynamically generates mac address for the NIC which
      doesn't specify the mac address. But when we hotplug a NIC without
      specifying mac address, the mac address will increase for the same NIC
      along with hotplug and hot-unplug, and at last it will overflow. And if
      we codeplug one NIC with mac address e.g. "52:54:00:12:34:56", then
      hotplug one NIC without specifying mac address and the mac address of
      the hotplugged NIC is duplicate of "52:54:00:12:34:56".

      This patch add a mac_table to record the usage status and free the mac
      address when the NIC is unrealized.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a308817743be5cc051d3379477f54027deb0befb
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:59:03 2015 +0200

      tap: Improve -netdev/netdev_add/-net/... tap error reporting

      When -netdev tap fails, it first reports a specific error, then a
      generic one, like this:

          $ qemu-system-x86_64 -netdev tap,id=foo
          qemu-system-x86_64: -netdev tap,id=foo: could not configure 
/dev/net/tun: Operation not permitted
          qemu-system-x86_64: -netdev tap,id=foo: Device 'tap' could not be 
initialized

      With the command line, the messages go to stderr.  In HMP, they go to
      the monitor.  In QMP, the second one becomes the error reply, and the
      first one goes to stderr.

      Convert net_init_tap() to Error.  This suppresses the unwanted second
      message, and makes the specific error the QMP error reply.

      [Dropped duplicate "and" from error message as suggested by Eric Blake:
      "ifname=, script=, downscript=, and vnet_hdr=, "
      "queues=, and vhostfds= are invalid with helper="
      --Stefan]

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-16-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 95c35a74fea51e307f6a3967e465a22776056b7e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:59:02 2015 +0200

      tap: Finish conversion of tap_open() to Error

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-15-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 576c6eb6700d241c9d4a6883d25720c7bbaaeccd
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:59:01 2015 +0200

      tap-solaris: Convert tap_open() to Error

      Fixes inappropriate use of syslog().

      Not fixed: leaks on error paths, suspicious non-fatal errors.  FIXMEs
      added instead.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-14-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4bce487e14bf8949a91883a3213c2b7fa9d668bc
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:59:00 2015 +0200

      tap-bsd: Convert tap_open() to Error

      Fixes inappropriate use of stderr in monitor command handler.

      While there, improve some of the messages a bit.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-13-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 47896e2fd3dd80685434b320cb0e10164995e31c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:59 2015 +0200

      tap-linux: Convert tap_open() to Error

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-12-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 468dd82408e950d48def28f87e4cffabfd592ace
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:58 2015 +0200

      tap: Permit incremental conversion of tap_open() to Error

      Convert the trivial ones immediately: tap-aix and tap-haiku.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-11-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ac4fcf5639f44f7d863a35eaa2ad07ff31aabc01
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:57 2015 +0200

      tap: Convert launch_script() to Error

      Fixes inappropriate use of stderr in monitor command handler.

      While there, improve the messages some.

      [Fixed Error **err -> Error *err local variable that broke the build.
      --Stefan]

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-10-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 445f116cabe0c4435590244741ac3d0b8f08d91d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:56 2015 +0200

      tap: Convert net_init_tap_one() to Error

      [Dropped %s from "tap: open vhost char device failed: %s" since
      error_setg_errno() already prints a human-readable error string and
      there is no format string argument.
      --Stefan]

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-9-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 80b832c300c2fc39c68e0ab095d408cb9199cfa0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:55 2015 +0200

      tap: Convert tap_set_sndbuf() to Error

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-8-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a8a21be9855e0bb0947a7325d0d1741a8814f21e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:54 2015 +0200

      tap: Improve -netdev/netdev_add/-net/... bridge error reporting

      When -netdev bridge fails, it first reports a specific error, then a
      generic one, like this:

          $ qemu-system-x86_64 -netdev bridge,id=foo
          failed to launch bridge helper
          qemu-system-x86_64: -netdev bridge,id=foo: Device 'bridge' could not 
be initialized

      The first message goes to stderr.  Wrong for HMP, because errors need
      to go to the monitor there.

      The second message goes to stderr for -netdev, to the monitor for HMP
      netdev_add, and becomes the error reply for QMP netdev_add.

      Convert net_bridge_run_helper() to Error, and propagate its errors
      through net_init_bridge().  This ensures the error gets reported where
      the user is, and suppresses the unwanted second message.

      While there, improve the error messages a bit.

      The above example becomes:

          $ qemu-system-x86_64 -netdev bridge,id=foo
          qemu-system-x86_64: -netdev bridge,id=foo: bridge helper failed

      net_init_tap() also uses net_bridge_run_helper().  Propagate its
      errors there as well.  Improves reporting these errors with -netdev
      tap & friends.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-7-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit da4a4eac26381c7fce3f147f3c8a7e7bb483be1e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:53 2015 +0200

      tap: net_tap_fd_init() can't fail, drop dead error handling

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-6-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3791f83ca999edc2d11eb2006ccc1091cd712c15
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:52 2015 +0200

      net/dump: Improve -net/host_net_add dump error reporting

      When -net dump fails, it first reports a specific error, then a
      generic one, like this:

          $ qemu-system-x86_64 -net dump,id=foo,file=/eperm
          qemu-system-x86_64: -net dump,id=foo,file=/eperm: -net dump: can't 
open /eperm
          qemu-system-x86_64: -net dump,id=foo,file=/eperm: Device 'dump' could 
not be initialized

      Convert net_init_tap() to Error.  This suppresses the unwanted second
      message.

      Improve the error messages to include strerror(errno) where
      appropriate.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-5-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6630886863d4a9b3b7bcb3b0e2895d83eb269c75
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:51 2015 +0200

      net: Improve -net nic error reporting

      When -net nic fails, it first reports a specific error, then a generic
      one, like this:

          $ qemu-system-x86_64 -net nic,netdev=nonexistent
          qemu-system-x86_64: -net nic,netdev=nonexistent: netdev 'nonexistent' 
not found
          qemu-system-x86_64: -net nic,netdev=nonexistent: Device 'nic' could 
not be initialized

      Convert net_init_nic() to Error to get rid of the unwanted second
      error message.

      While there, tidy up an Overcapitalized Error Message.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-4-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a30ecde6e795682d1473c45acae66a60a76fca2f
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:50 2015 +0200

      net: Permit incremental conversion of init functions to Error

      Error reporting for netdev_add is broken: the net_client_init_fun[]
      report the actual errors with (at best) error_report(), and their
      caller net_client_init1() makes up a generic error on top.

      For command line and HMP, this produces an mildly ugly error cascade.

      In QMP, the actual errors go to stderr, and the generic error becomes
      the command's error reply.

      To fix this, we need to convert the net_client_init_fun[] to Error.

      To permit fixing them one by one, add an Error ** parameter to the
      net_client_init_fun[].  If the call fails without returning an Error,
      make up the same generic Error as before.  But if it returns one, use
      that instead.  Since none of them does so far, no functional change.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-3-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ca7eb1848bb06d9b75784d7760b83c7b0beb1102
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:49 2015 +0200

      net: Improve error message for -net hubport a bit

      Type "hubport" is valid only with -netdev.  Unfortunately, that's
      detected late and the error message doesn't explain why:

          $ qemu-system-i386 -net hubport,id=foo,hubid=0
          qemu-system-i386: -net hubport,id=foo,hubid=0: Device 'hubport' could 
not be initialized

      Improve the error message to "Parameter 'type' expects a net type".

      Not fixed: -net hubport without the parameters required by -netdev
      hubport still asks for those parameters:

          $ qemu-system-i386 -net hubport
          qemu-system-i386: -net hubport: Parameter 'hubid' is missing

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-2-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6a8b4a5be21ad4941c8a6a5db1d355a522aea2fb
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri May 15 16:58:24 2015 +0200

      net: Change help text to list -netdev instead of -net by default

      Looking at the output of "qemu-system-xxx -help", you easily get
      the impression that "-net" is the preferred way instead of "-netdev"
      to specify host network interface, since the "-net" option is
      omnipresent but the "-netdev" option is only listed as a one-liner
      at the end. This is ugly since "-net" is considered as legacy and
      even might be removed one day. Thus, this patch switches the output
      to explain the host network interfaces with the "-netdev" option
      instead, moving the old "-net" option into some few lines at
      the end.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1431701904-12230-1-git-send-email-thuth@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0915aed5842bd4dbe396b92d4f3b846ae29ad663
  Merge: 0d2ed60 cd6cb73
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 26 11:31:03 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri May 22 20:58:44 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        ahci: do not remap clb/fis unconditionally
        macio: move unaligned DMA write code into separate pmac_dma_write() 
function
        macio: move unaligned DMA read code into separate pmac_dma_read() 
function
        qtest: pre-buffer hex nibs
        libqos/ahci: Swap memread/write with bufread/write
        qtest: add memset to qtest protocol
        qtest: Add base64 encoded read/write
        qtest: allow arbitrarily long sends
        qtest/ahci: add migrate halted dma test
        qtest/ahci: add halted dma test
        qtest/ahci: add flush migrate test
        qtest/ahci: add migrate dma test
        qtest/ahci: Add migration test
        ich9/ahci: Enable Migration
        libqos: Add migration helpers
        libqos/ahci: Fix sector set method
        libqos/ahci: Add halted command helpers
        glib: remove stale compat functions
        configure: require glib 2.22

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cd6cb73beb63e5fa62ca8ed540b9d54063b15c44
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      ahci: do not remap clb/fis unconditionally

      This continues the IOMMU fix from 2.3, where we should not attempt
      to remap the CLB or FIS RX buffers if the AHCI device is currently
      running.

      The same applies to migration: keep our mitts off these registers
      unless the device is supposed to be on.

      Does not impact backwards compatibility for the AHCI device.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1431470173-30847-2-git-send-email-jsnow@xxxxxxxxxx

  commit bd4214fc92090694aefa17882815c6109f0fd70c
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      macio: move unaligned DMA write code into separate pmac_dma_write() 
function

      Similarly switch the macio IDE routines over to use the new function and
      tidy-up the remaining code as required.

      [Maintainer edit: printf format codes adjusted for 32/64bit. --js]

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Acked-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1425939893-14404-3-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 4827ac1e8f8306b24e61b44ea1f2082ea08099bb
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      macio: move unaligned DMA read code into separate pmac_dma_read() function

      This considerably helps simplify the complexity of the macio read 
routines and
      by switching macio CDROM accesses to use the new code, fixes the issue 
with
      the CDROM device being detected intermittently by Darwin/OS X.

      [Maintainer edit: printf format codes adjusted for 32/64bit. --js]

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxxx>
      Acked-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1425939893-14404-2-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 5560b85a31e6f15a8841b66620d9497943094ee4
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      qtest: pre-buffer hex nibs

      Instead of converting each byte one-at-a-time and then sending each byte
      over the wire, use sprintf() to pre-compute all of the hex nibs into a
      single buffer, then send the entire buffer all at once.

      This gives a moderate speed boost to memread() and memwrite() functions.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1431021095-7558-2-git-send-email-jsnow@xxxxxxxxxx

  commit 91d0374a7ffbd6a9cd0ba159c9160d9f26220cf5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      libqos/ahci: Swap memread/write with bufread/write

      Where it makes sense, use the new faster primitives.
      For generally small reads/writes such as for the PRDT
      and FIS packets, stick with the more wasteful but
      easier to debug memread/memwrite.

      For ahci-test (before migration tests):
      With this patch:
      real    0m3.675s
      user    0m2.582s
      sys     0m1.718s

      Without any qtest protocol improvements:
      real    0m14.171s
      user    0m12.072s
      sys     0m12.527s

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1430864578-22072-6-git-send-email-jsnow@xxxxxxxxxx

  commit 4d00796364ec4edab86b08abc38fd644d5e3c0ad
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      qtest: add memset to qtest protocol

      Previously, memset was just a frontend to write() and only
      stupidly sent the pattern many times across the wire.

      Let's not discuss who stupidly wrote it like that in the first place.
      (Hint: It was me.)

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1430864578-22072-4-git-send-email-jsnow@xxxxxxxxxx

  commit 7a6a740d8dcc02f5693315d7935b5de9b963bb96
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      qtest: Add base64 encoded read/write

      For larger pieces of data that won't need to be debugged and
      viewing the hex nibbles is unlikely to be useful, we can encode
      data using base64 instead of encoding each byte as %02x, which
      leads to some space savings and faster reads/writes.

      For now, the default is left as hex nibbles in memwrite() and memread().
      For the purposes of making qtest io easier to read and debug, some
      callers may want to specify using the old encoding format for small
      patches of data where the savings from base64 wouldn't be that profound.

      memwrite/memread use a data encoding that takes 2x the size of the 
original
      buffer, but base64 uses "only" (4/3)x, so for larger buffers we can save a
      decent amount of time and space.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1430864578-22072-3-git-send-email-jsnow@xxxxxxxxxx

  commit 332cc7e9b39ddb2feacb4c71dcd18c3e5b0c3147
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest: allow arbitrarily long sends

      qtest currently has a static buffer of size 1024 that if we
      overflow, ignores the additional data silently which leads
      to hangs or stream failures.

      Use glib's string facilities to allow arbitrarily long data,
      but split this off into a new function, qtest_sendf.

      Static data can still be sent using qtest_send, which avoids
      the malloc/copy overhead.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1430864578-22072-2-git-send-email-jsnow@xxxxxxxxxx

  commit 5d1cf0917b4f1282ac81bb72697713d14c98a876
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: add migrate halted dma test

      Test migrating a halted DMA transaction.
      Resume, then test data integrity.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-10-git-send-email-jsnow@xxxxxxxxxx

  commit 189d1b6126625212fbb50ed3a30a3e9e7ba7ca37
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: add halted dma test

      If we're going to test the migration of halted DMA jobs,
      we should probably check to make sure we can resume them
      locally as a first step.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-9-git-send-email-jsnow@xxxxxxxxxx

  commit a606ce50c29561b567995ab663cbb40067623e82
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: add flush migrate test

      Use blkdebug to inject an error on first flush, then attempt to flush
      on the first guest. When the error halts the VM, migrate to the
      second VM, and attempt to resume the command.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-8-git-send-email-jsnow@xxxxxxxxxx

  commit 88e21f9485f0a41603f0af3483ff3f11c95979ab
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: add migrate dma test

      Write to one guest, migrate, and then read from the other.
      adjust ahci_io to clear any buffers it creates, so that we
      can use ahci_io safely on both guests knowing we are using
      empty buffers and not accidentally re-using data.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-7-git-send-email-jsnow@xxxxxxxxxx

  commit 278128ab06c36341edb2c8b0bfcfd92760f4db52
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: Add migration test

      Notes:

       * The migration is performed on QOSState objects.

       * The migration is performed in such a way that it does not assume
         consistency between the allocators attached to each. That is to say,
         you can use each QOSState object completely independently and then at
         an arbitrary point decide to migrate, and the destination object will
         now be consistent with the memory within the source guest. The source
         object that was migrated from will have a completely blank allocator.

      ahci-test.c:
       - verify_state is added
       - ahci_migrate is added as a frontend to migrate
       - test_migrate_sanity test case is added.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-6-git-send-email-jsnow@xxxxxxxxxx

  commit 04329029a8c539eb5f75dcb6d8b016f0c53a031a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      ich9/ahci: Enable Migration

      Lift the flag preventing the migration of the ICH9/AHCI devices.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-5-git-send-email-jsnow@xxxxxxxxxx

  commit 085248ae87704f1c1e4e1f929f58beca3ba294a2
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      libqos: Add migration helpers

      libqos.c:
          -set_context for addressing which commands go where
          -migrate performs the actual migration

      malloc.c:
          - Structure of the allocator is adjusted slightly with
            a second-tier malloc to make swapping around the allocators
            easy when we "migrate" the lists from the source to the destination.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-4-git-send-email-jsnow@xxxxxxxxxx

  commit 455e861cc625891baacf74e66c31a914883b80ca
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:42 2015 -0400

      libqos/ahci: Fix sector set method

      || probably does not mean the same thing as |.

      Additionally, allow users to submit a prd_size of 0
      to indicate that they'd like to continue using the default.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-3-git-send-email-jsnow@xxxxxxxxxx

  commit 008b6e123ff2ee421112768e838b0b44bc7f6c45
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:42 2015 -0400

      libqos/ahci: Add halted command helpers

      Sometimes we want a command to halt the VM instead
      of complete successfully, so it'd be nice to let the
      libqos/ahci functions cope with such scenarios.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-2-git-send-email-jsnow@xxxxxxxxxx

  commit 62754b157156c2cd26a00ce534aeec9e74619d95
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:42 2015 -0400

      glib: remove stale compat functions

      Since we're bumping the version to 2.22+,
      remove the now-stale compat functions.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1431469140-22208-2-git-send-email-jsnow@xxxxxxxxxx

  commit f40685c62b802c8c3f5c914e8d357dd5c4d4f9cc
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:42 2015 -0400

      configure: require glib 2.22

      This provides g_ptr_array_new_with_free_func, as well as a few
      other functions that we've been hacking around in glib-compat.h.
      Cleaning up the compatibility headers will come later.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1431469140-22208-2-git-send-email-jsnow@xxxxxxxxxx

  commit 0d2ed6039cf86fe3a78671e32b5e3eb17d725762
  Merge: bb2fa17 4120201
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 17:20:09 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer core and image format patches

      # gpg: Signature made Fri May 22 16:21:03 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (22 commits)
        MAINTAINERS: Split "Block QAPI, monitor, command line" off core
        MAINTAINERS: Add header files to Block Layer Core section
        tests: add test case for encrypted qcow2 read/write
        qemu-io: prompt for encryption keys when required
        util: allow \n to terminate password input
        util: move read_password method out of qemu-img into osdep/oslib
        qcow2/qcow: protect against uninitialized encryption key
        qemu-iotests: Make debugging python tests easier
        qemu-iotests: qemu-img info on afl VMDK image with a huge capacity
        block: Detect multiplication overflow in bdrv_getlength
        qemu-io: Use getopt() correctly
        qcow2: style fixes in qcow2-cache.c
        qcow2: make qcow2_cache_put() a void function
        qcow2: use a hash to look for entries in the L2 cache
        qcow2: remove qcow2_cache_find_entry_to_replace()
        qcow2: use an LRU algorithm to replace entries from the L2 cache
        qcow2: simplify qcow2_cache_put() and qcow2_cache_entry_mark_dirty()
        qcow2: use one single memory block for the L2/refcount cache tables
        vmdk: Fix overflow if l1_size is 0x20000000
        vmdk: Fix next_cluster_sector for compressed write
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bb2fa17f182ee0b45b53474f76679944fc891f04
  Merge: 8b6db32 9371557
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 16:22:42 2015 +0100

      Merge remote-tracking branch 
'remotes/bkoppelmann/tags/pull-tricore-20150522' into staging

      TriCore v1.6.1 ISA and missing v1.6 instructions

      # gpg: Signature made Fri May 22 16:02:45 2015 BST using RSA key ID 
6B69CA14
      # gpg: Good signature from "Bastian Koppelmann 
<kbastian@xxxxxxxxxxxxxxxxxxxxx>"

      * remotes/bkoppelmann/tags/pull-tricore-20150522:
        target-tricore: add RR_DIV and RR_DIV_U instructions of the v1.6 ISA
        target-tricore: add FRET instructions of the v1.6 ISA
        target-tricore: add FCALL instructions of the v1.6 ISA
        target-tricore: add SYS_RESTORE instruction of the v1.6 ISA
        target-tricore: add RR_CRC32 instruction of the v1.6.1 ISA
        target-tricore: add SWAPMSK instructions of the v1.6.1 ISA
        target-tricore: add CMPSWP instructions of the v1.6.1 ISA
        target-tricore: Add SRC_MOV_E instruction of the v1.6 ISA
        target-tricore: introduce ISA v1.6.1 feature
        target-tricore: Add ISA v1.3.1 cpu and fix tc1796 to using v1.3

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4120201d2fcfc24404fe6eb6b761b66bc35bca16
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed May 20 13:23:46 2015 +0200

      MAINTAINERS: Split "Block QAPI, monitor, command line" off core

      Kevin and Stefan asked me to take care of this part.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4c346e0bb9300afe3036560c21baa7fdfb253d9b
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed May 20 12:03:17 2015 +0200

      MAINTAINERS: Add header files to Block Layer Core section

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f7ac119cfac735b24412db8d53b9be13e5ff23b0
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:22 2015 +0100

      tests: add test case for encrypted qcow2 read/write

      Add a simple test case for qemu-iotests that covers read/write
      with encrypted qcow2 files.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8caf02127e92939fff39b63a7ff1a5834d320191
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:21 2015 +0100

      qemu-io: prompt for encryption keys when required

      The qemu-io tool does not check if the image is encrypted so
      historically would silently corrupt the sectors by writing
      plain text data into them instead of cipher text. The earlier
      commit turns this mistake into a fatal abort, so check for
      encryption and prompt for key when required.

      This enables us to add unit tests to ensure we don't break
      the ability of qemu-img to convert existing encrypted qcow2
      files into a non-encrypted format.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 6a11d5183fb7564a3d32007b46846312fd61a1c5
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:20 2015 +0100

      util: allow \n to terminate password input

      The qemu_read_password() method looks for \r to terminate the
      reading of the a password. This is what will be seen when
      reading the password from a TTY. When scripting though, it is
      useful to be able to send the password via a pipe, in which
      case we must look for \n to terminate password input.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d57e4e482e3997b1382625c84149ad0b69155fc0
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:19 2015 +0100

      util: move read_password method out of qemu-img into osdep/oslib

      The qemu-img.c file has a read_password() method impl that is
      used to prompt for passwords on the console, with impls for
      POSIX and Windows. This will be needed by qemu-io.c too, so
      move it into the QEMU osdep/oslib files where it can be shared
      without code duplication

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8336aafae1451d54c81dd2b187b45f7c45d2428e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:18 2015 +0100

      qcow2/qcow: protect against uninitialized encryption key

      When a qcow[2] file is opened, if the header reports an
      encryption method, this is used to set the 'crypt_method_header'
      field on the BDRVQcow[2]State struct, and the 'encrypted' flag
      in the BDRVState struct.

      When doing I/O operations, the 'crypt_method' field on the
      BDRVQcow[2]State struct is checked to determine if encryption
      needs to be applied.

      The crypt_method_header value is copied into crypt_method when
      the bdrv_set_key() method is called.

      The QEMU code which opens a block device is expected to always
      do a check

         if (bdrv_is_encrypted(bs)) {
             bdrv_set_key(bs, ....key...);
         }

      If code forgets to do this, then 'crypt_method' is never set
      and so when I/O is performed, QEMU writes plain text data
      into a sector which is expected to contain cipher text, or
      when reading, will return cipher text instead of plain
      text.

      Change the qcow[2] code to consult bs->encrypted when deciding
      whether encryption is required, and assert(s->crypt_method)
      to protect against cases where the caller forgets to set the
      encryption key.

      Also put an assert in the set_key methods to protect against
      the case where the caller sets an encryption key on a block
      device that does not have encryption

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit aa4f592a1dd9aea5f5c36f6ff4b22b5bd208162a
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon May 18 09:39:12 2015 +0800

      qemu-iotests: Make debugging python tests easier

      Adding "-d" option. The output goes to "tee" so it appears in your
      console. Also, raise the verbosity of unnitest runner.

      When testing a topic branch, it's possible that a bug introduced by a
      code change makes the python test case hang, with debug output, it is
      much easier to locate the problem.

      This can also be helpful if you want to watch the progress of a python
      test, it offers you a way to sense the speed of each test case method
      you're writing.

      Note: because there is no easy way to get *both* the verbose output and
      the output expected by ./check comparison, the case would always fail
      with an "output mismatch". The sole purpose of using this option is
      giving developers a quick way to debug when things go wrong.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b93bbf4ee9035ae077679482305d5beb38df4d7d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 15 16:36:06 2015 +0800

      qemu-iotests: qemu-img info on afl VMDK image with a huge capacity

      The image is contributed by Richard W.M. Jones.

      Cc: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4a9c9ea0d318bec2f67848c5ceaf4ad5bcb91d09
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 15 16:36:05 2015 +0800

      block: Detect multiplication overflow in bdrv_getlength

      Bogus image may have a large total_sectors that will overflow the
      multiplication. For cleanness, fix the return code so the error message
      will be meaningful.

      Reported-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b062ad86dcd33ab39be5060b0655d8e13834b167
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue May 12 09:10:56 2015 -0600

      qemu-io: Use getopt() correctly

      POSIX says getopt() returns -1 on completion.  While Linux happens
      to define EOF as -1, this definition is not required by POSIX, and
      there may be platforms where checking for EOF instead of -1 would
      lead to an infinite loop.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d1b4efe5c4088fd2289e39b95bbdf73b3dcb7432
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:59 2015 +0300

      qcow2: style fixes in qcow2-cache.c

      Fix pointer declaration to make it consistent with the rest of the
      code.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a3f1afb43a09e4577571c044c48f2ba9e6e4ad06
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:58 2015 +0300

      qcow2: make qcow2_cache_put() a void function

      This function never receives an invalid table pointer, so we can make
      it void and remove all the error checking code.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 812e4082cae73e12fd425cace4fd3a715a7c1d32
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:57 2015 +0300

      qcow2: use a hash to look for entries in the L2 cache

      The current cache algorithm traverses the array starting always from
      the beginning, so the average number of comparisons needed to perform
      a lookup is proportional to the size of the array.

      By using a hash of the offset as the starting point, lookups are
      faster and independent from the array size.

      The hash is computed using the cluster number of the table, multiplied
      by 4 to make it perform better when there are collisions.

      In my tests, using a cache with 2048 entries, this reduces the average
      number of comparisons per lookup from 430 to 2.5.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit fdfbca82a0874916007ca76323cd35f2af8a2ef3
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:56 2015 +0300

      qcow2: remove qcow2_cache_find_entry_to_replace()

      A cache miss means that the whole array was traversed and the entry
      we were looking for was not found, so there's no need to traverse it
      again in order to select an entry to replace.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2693310eccccf8351678ddd6f3b050163e51dba0
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:55 2015 +0300

      qcow2: use an LRU algorithm to replace entries from the L2 cache

      The current algorithm to evict entries from the cache gives always
      preference to those in the lowest positions. As the size of the cache
      increases, the chances of the later elements of being removed decrease
      exponentially.

      In a scenario with random I/O and lots of cache misses, entries in
      positions 8 and higher are rarely (if ever) evicted. This can be seen
      even with the default cache size, but with larger caches the problem
      becomes more obvious.

      Using an LRU algorithm makes the chances of being removed from the
      cache independent from the position.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit baf07d60f5c5d5d0f0c9e844cde75691f1ceb3d1
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:54 2015 +0300

      qcow2: simplify qcow2_cache_put() and qcow2_cache_entry_mark_dirty()

      Since all tables are now stored together, it is possible to obtain
      the position of a particular table directly from its address, so the
      operation becomes O(1).

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 72e80b89015bab196f0f0e83b12b0eee75fa0574
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:53 2015 +0300

      qcow2: use one single memory block for the L2/refcount cache tables

      The qcow2 L2/refcount cache contains one separate table for each cache
      entry. Doing one allocation per table adds unnecessary overhead and it
      also requires us to store the address of each table separately.

      Since the size of the cache is constant during its lifetime, it's
      better to have an array that contains all the tables using one single
      allocation.

      In my tests measuring freshly created caches with sizes 128MB (L2) and
      32MB (refcount) this uses around 10MB of RAM less.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 13c4941cdd8685d28c7e3a09e393a5579b58db46
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue May 5 17:28:13 2015 +0800

      vmdk: Fix overflow if l1_size is 0x20000000

      Richard Jones caught this bug with afl fuzzer.

      In fact, that's the only possible value to overflow (extent->l1_size =
      0x20000000) l1_size:

      l1_size = extent->l1_size * sizeof(long) => 0x80000000;

      g_try_malloc returns NULL because l1_size is interpreted as negative
      during type casting from 'int' to 'gsize', which yields a enormous
      value. Hence, by coincidence, we get a "not too bad" behavior:

      qemu-img: Could not open '/tmp/afl6.img': Could not open
      '/tmp/afl6.img': Cannot allocate memory

      Values larger than 0x20000000 will be refused by the validation in
      vmdk_add_extent.

      Values smaller than 0x20000000 will not overflow l1_size.

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5e82a31eb967db135fc4e688b134fb0972d62de3
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 6 20:23:46 2015 +0800

      vmdk: Fix next_cluster_sector for compressed write

      This fixes the bug introduced by commit c6ac36e (vmdk: Optimize cluster
      allocation).

      Sometimes, write_len could be larger than cluster size, because it
      contains both data and marker.  We must advance next_cluster_sector in
      this case, otherwise the image gets corrupted.

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: Antoni Villalonga <qemu-list@xxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit aacd5650c68ef2e9e19079ba60cb0df51e15880c
  Author: Christoph Hellwig <hch@xxxxxx>
  Date:   Thu Apr 30 11:44:17 2015 +0200

      nvme: support NVME_VOLATILE_WRITE_CACHE feature

      The SCSI emulation in the Linux NVMe driver really wants to know
      if a device has a volatile write cache.  Given that qemu has moved
      away from a model where we report the backing store WCE bit to
      one where the WCE bit is supposed to be part of the migratable
      guest-visible state we always return 1 here.

      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ecbda7a22576591a84f44de1be0150faf6001f1c
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed May 6 13:21:51 2015 +0200

      qcow2: Flush pending discards before allocating cluster

      Before a freed cluster can be reused, pending discards for this cluster
      must be processed.

      The original assumption was that this was not a problem because discards
      are only cached during discard/write zeroes operations, which are
      synchronous so that no concurrent write requests can cause cluster
      allocations.

      However, the discard/write zeroes operation itself can allocate a new L2
      table (and it has to in order to put zero flags there), so make sure we
      can cope with the situation.

      This fixes https://bugs.launchpad.net/bugs/1349972.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 9371557115a734412974f8d4096cbe8a62ca2731
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 14:59:55 2015 +0200

      target-tricore: add RR_DIV and RR_DIV_U instructions of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0e045f43c45f675711c3f6836118dc7eabcc2411
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 22:46:50 2015 +0200

      target-tricore: add FRET instructions of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9e14a7b24f4cff93da664fdcfecad41fbd229e2b
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 22:38:16 2015 +0200

      target-tricore: add FCALL instructions of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bc3551c43308dd77bc1cc9a4e39962b2afd4dffc
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 21:25:42 2015 +0200

      target-tricore: add SYS_RESTORE instruction of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit e5c96c82bc529674b61eacd221734abc2674e264
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 19:55:37 2015 +0200

      target-tricore: add RR_CRC32 instruction of the v1.6.1 ISA

      This instruction was introduced by the new Aurix platform.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ddd8cebe3106bdfb2681d8d283296199fd6c7417
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed May 6 20:57:10 2015 +0200

      target-tricore: add SWAPMSK instructions of the v1.6.1 ISA

      Those instruction were introduced in the new Aurix platform.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 62872ebc38d700ea30b0cd861e40703dccdcae2a
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed May 6 20:47:39 2015 +0200

      target-tricore: add CMPSWP instructions of the v1.6.1 ISA

      Those instruction were introduced in the new Aurix platform.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fcecf12684e1169653df72ed307ec2a82ca69b18
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed May 6 20:22:45 2015 +0200

      target-tricore: Add SRC_MOV_E instruction of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6d2afc8a5edc042e4e7c2ceb49f7cabe02aae793
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed May 6 20:18:41 2015 +0200

      target-tricore: introduce ISA v1.6.1 feature

      The aurix platform contains of several different cpu models and uses
      the 1.6.1 ISA. This patch changes the generic aurix model to the more
      specific tc27x cpu model and sets specific features.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fd5ecf31d4c48651de97c1aaf8771762753de9a7
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Sun Mar 22 12:49:12 2015 +0000

      target-tricore: Add ISA v1.3.1 cpu and fix tc1796 to using v1.3

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8b6db32a4ec47d1171ccfa21d557096b99f4eef0
  Merge: f5790c3 a53f1a9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 13:25:40 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Fri May 22 10:00:53 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request: (38 commits)
        block: get_block_status: use "else" when testing the opposite condition
        qemu-iotests: Test unaligned sub-block zero write
        block: Fix NULL deference for unaligned write if qiov is NULL
        Revert "block: Fix unaligned zero write"
        block: align bounce buffers to page
        block: minimal bounce buffer alignment
        block: return EPERM on writes or discards to read-only devices
        configure: Add workaround for ccache and clang
        configure: silence glib unknown attribute __alloc_size__
        configure: factor out supported flag check
        configure: handle clang -nopie argument warning
        block/parallels: improve image writing performance further
        block/parallels: optimize linear image expansion
        block/parallels: add prealloc-mode and prealloc-size open paramemets
        block/parallels: delay writing to BAT till bdrv_co_flush_to_os
        block/parallels: create bat_entry_off helper
        block/parallels: improve image reading performance
        iotests, parallels: check for incorrectly closed image in tests
        block/parallels: implement incorrect close detection
        block/parallels: implement parallels_check method of block driver
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f5790c3bc81702c98c7ddadedb274758cff8cbe7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 12:30:13 2015 +0100

      Revert "target-alpha: Add vector implementation for CMPBGE"

      This reverts commit 32ad48abd74a997220b841e4e913edeb267aa362.

      Unfortunately the SSE2 code here fails to compile on some versions
      of gcc:
       target-alpha/int_helper.c:77:24: error: invalid operands to binary >=
       (have '__vector(16) unsigned char' and '__vector(16) unsigned char')

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 27e1259a69c49ee2dd53385f4ca4ca14b822191d
  Merge: 9e549d3 32ad48a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 10:06:33 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-axp-20150521' into 
staging

      Rewrite fp exceptions

      # gpg: Signature made Thu May 21 18:35:52 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-axp-20150521:
        target-alpha: Add vector implementation for CMPBGE
        target-alpha: Rewrite helper_zapnot
        target-alpha: Raise IOV from CVTQL
        target-alpha: Suppress underflow from CVTTQ if DNZ
        target-alpha: Raise EXC_M_INV properly for fp inputs
        target-alpha: Disallow literal operand to 1C.30 to 1C.37
        target-alpha: Implement WH64EN
        target-alpha: Fix integer overflow checking insns
        target-alpha: Fix cvttq vs inf
        target-alpha: Fix cvttq vs large integers
        target-alpha: Raise IOV from CVTTQ
        target-alpha: Set EXC_M_SWC for exceptions from /S insns
        target-alpha: Set fpcr_exc_status even for disabled exceptions
        target-alpha: Tidy FPCR representation
        target-alpha: Set PC correctly for floating-point exceptions
        target-alpha: Forget installed round mode after MT_FPCR
        target-alpha: Rename floating-point subroutines
        target-alpha: Move VAX helpers to a new file

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a53f1a95f9605f300fbafbc8b60b8a8c67e9c4b4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 14 12:35:02 2015 +0200

      block: get_block_status: use "else" when testing the opposite condition

      A bit of Boolean algebra (and common sense) tells us that the
      second "if" here is looking for blocks that are not allocated.
      This is the opposite of the "if" that sets BDRV_BLOCK_ALLOCATED,
      and thus it can use an "else".

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1431599702-10431-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ab53c44718305d3fde3d9d2251889f1cab694be2
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 13:12:01 2015 +0000

      qemu-iotests: Test unaligned sub-block zero write

      Test zero write in byte range 512~1024 for 4k alignment.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1431522721-3266-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9eeb6dd1b27bd57eb4e3869290e87feac8e8b226
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 13:12:00 2015 +0000

      block: Fix NULL deference for unaligned write if qiov is NULL

      For zero write, callers pass in NULL qiov (qemu-io "write -z" or
      scsi-disk "write same").

      Commit fc3959e466 fixed bdrv_co_write_zeroes which is the common case
      for this bug, but it still exists in bdrv_aio_write_zeroes. A simpler
      fix would be in bdrv_co_do_pwritev which is the NULL dereference point
      and covers both cases.

      So don't access it in bdrv_co_do_pwritev in this case, use three aligned
      writes.

      [Initialize ret to 0 in bdrv_co_do_zero_pwritev() to avoid uninitialized
      variable warning with gcc 4.9.2.
      --Stefan]

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1431522721-3266-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d01c07f2221ca39ab2dd9e55932d99db98103b30
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 13:11:59 2015 +0000

      Revert "block: Fix unaligned zero write"

      This reverts commit fc3959e4669a1c2149b91ccb05101cfc7ae1fc05.

      The core write code already handles the case, so remove this
      duplication.

      Because commit 61007b316 moved the touched code from block.c to
      block/io.c, the change is manually reverted.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1431522721-3266-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 459b4e66129d091a11e9886ecc15a8bf9f7f3d92
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue May 12 17:30:56 2015 +0300

      block: align bounce buffers to page

      The following sequence
          int fd = open(argv[1], O_RDWR | O_CREAT | O_DIRECT, 0644);
          for (i = 0; i < 100000; i++)
                  write(fd, buf, 4096);
      performs 5% better if buf is aligned to 4096 bytes.

      The difference is quite reliable.

      On the other hand we do not want at the moment to enforce bounce
      buffering if guest request is aligned to 512 bytes.

      The patch changes default bounce buffer optimal alignment to
      MAX(page size, 4k). 4k is chosen as maximal known sector size on real
      HDD.

      The justification of the performance improve is quite interesting.
      From the kernel point of view each request to the disk was split
      by two. This could be seen by blktrace like this:
        9,0   11  1     0.000000000 11151  Q  WS 312737792 + 1023 [qemu-img]
        9,0   11  2     0.000007938 11151  Q  WS 312738815 + 8 [qemu-img]
        9,0   11  3     0.000030735 11151  Q  WS 312738823 + 1016 [qemu-img]
        9,0   11  4     0.000032482 11151  Q  WS 312739839 + 8 [qemu-img]
        9,0   11  5     0.000041379 11151  Q  WS 312739847 + 1016 [qemu-img]
        9,0   11  6     0.000042818 11151  Q  WS 312740863 + 8 [qemu-img]
        9,0   11  7     0.000051236 11151  Q  WS 312740871 + 1017 [qemu-img]
        9,0    5  1     0.169071519 11151  Q  WS 312741888 + 1023 [qemu-img]
      After the patch the pattern becomes normal:
        9,0    6  1     0.000000000 12422  Q  WS 314834944 + 1024 [qemu-img]
        9,0    6  2     0.000038527 12422  Q  WS 314835968 + 1024 [qemu-img]
        9,0    6  3     0.000072849 12422  Q  WS 314836992 + 1024 [qemu-img]
        9,0    6  4     0.000106276 12422  Q  WS 314838016 + 1024 [qemu-img]
      and the amount of requests sent to disk (could be calculated counting
      number of lines in the output of blktrace) is reduced about 2 times.

      Both qemu-img and qemu-io are affected while qemu-kvm is not. The guest
      does his job well and real requests comes properly aligned (to page).

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1431441056-26198-3-git-send-email-den@xxxxxxxxxx
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4196d2f0308cb1ae13ed450424ab7dfe154acda9
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue May 12 17:30:55 2015 +0300

      block: minimal bounce buffer alignment

      The patch introduces new concept: minimal memory alignment for bounce
      buffers. Original so called "optimal" value is actually minimal required
      value for aligment. It should be used for validation that the IOVec
      is properly aligned and bounce buffer is not required.

      Though, from the performance point of view, it would be better if
      bounce buffer or IOVec allocated by QEMU will be aligned stricter.

      The patch does not change any alignment value yet.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1431441056-26198-2-git-send-email-den@xxxxxxxxxx
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit eaf5fe2dd4ec001d645ff3b343f466457badaa64
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 7 17:45:48 2015 +0200

      block: return EPERM on writes or discards to read-only devices

      This is the behavior in the operating system, for example Linux's
      blkdev_write_iter has the following:

              if (bdev_read_only(I_BDEV(bd_inode)))
                      return -EPERM;

      This does not apply to opening a device for read/write, when the
      device only supports read-only operation.  In this case any of
      EACCES, EPERM or EROFS is acceptable depending on why writing is
      not possible.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1431013548-22492-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fd0e60530f10078f488fa3e9591cc7db5732989c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Mar 25 18:57:39 2015 -0400

      configure: Add workaround for ccache and clang

      Test if ccache is interfering with semantic analysis of macros,
      disable its habit of trying to compile already pre-processed
      versions of code if so. ccache attempts to save time by compiling
      pre-processed versions of code, but this disturbs clang's static
      analysis enough to produce false positives.

      ccache allows us to disable this feature, opting instead to
      compile the original version instead of its preprocessed version.
      This makes ccache much slower for cache misses, but at least it
      becomes usable with QEMU/clang.

      This workaround only activates for users using ccache AND clang,
      and only if their configuration is observed to be producing warnings.
      You may need to clear your ccache for builds started without -Werror,
      as those may continue to produce warnings from the cache.

      Thanks to Peter Eisentraut for his writeup on the issue:
      http://peter.eisentraut.org/blog/2014/12/01/ccache-and-clang-part-3/

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427324259-1481-5-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit bbbf2e04e5ea347d877c7fa8ee02e4bb647a48fc
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Mar 25 18:57:38 2015 -0400

      configure: silence glib unknown attribute __alloc_size__

      The glib headers use GCC attributes.  Unfortunately the __GNUC__ and
      __GNUC_MINOR__ version macros are also defined by clang, but clang
      doesn't support the same attributes as GCC.

      clang 3.5.0 does not support the __alloc_size__ attribute:

        
https://github.com/llvm-mirror/clang/commit/c047507a9a79e89fc8339e074fa72822a7e7ea73

      The following warning is produced:

        gstrfuncs.h:257:44: warning: unknown attribute '__alloc_size__' ignored 
[-Wunknown-attributes]
              G_GNUC_MALLOC G_GNUC_ALLOC_SIZE(2);
                gmacros.h:67:45: note: expanded from macro 'G_GNUC_ALLOC_SIZE'
                      #define G_GNUC_ALLOC_SIZE(x) 
__attribute__((__alloc_size__(x)))

      This patch checks whether glib headers cause warnings and disables
      -Wunknown-attributes if it is able to.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427324259-1481-4-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 93b25869228a3c0c632a6aa66624cc4e549ba14a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Mar 25 18:57:37 2015 -0400

      configure: factor out supported flag check

      Factor out the function that checks if a compiler
      flag is supported or not.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427324259-1481-3-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e4a7b344df40b1f4b2e732ddb0d68079ce658d89
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Mar 25 18:57:36 2015 -0400

      configure: handle clang -nopie argument warning

      gcc 4.9.2 treats -nopie as an error:

        cc: error: unrecognized command line option â??-nopieâ??

      clang 3.5.0 treats -nopie as a warning:

        clang: warning: argument unused during compilation: '-nopie'

      The causes ./configure to fail with clang:

        ERROR: configure test passed without -Werror but failed with -Werror.

      Make the -nopie test use -Werror so that compile_prog works for both gcc
      and clang.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427324259-1481-2-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ddd2ef2ce8d693b6e2635a0c20f65744641ff8df
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:47:00 2015 +0300

      block/parallels: improve image writing performance further

      Try to perform IO for the biggest continuous block possible.
      All blocks abscent in the image are accounted in the same type
      and preallocation is made for all of them at once.

      The performance for sequential write is increased from 200 Mb/sec to
      235 Mb/sec on my SSD HDD.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-28-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 19f5dc15912dfb6af06c97e4975023e545e85c72
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:59 2015 +0300

      block/parallels: optimize linear image expansion

      Plain image expansion spends a lot of time to update image file size.
      This seriously affects the performance. The following simple test
        qemu_img create -f parallels -o cluster_size=64k ./1.hds 64G
        qemu_io -n -c "write -P 0x11 0 1024M" ./1.hds
      could be improved if the format driver will pre-allocate some space
      in the image file with a reasonable chunk.

      This patch preallocates 128 Mb using bdrv_write_zeroes, which should
      normally use fallocate() call inside. Fallback to older truncate()
      could be used as a fallback using image open options thanks to the
      previous patch.

      The benefit is around 15%.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Karan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-27-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d61790112fa861fbbbb02b53f9c3beb9ca7f8419
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:58 2015 +0300

      block/parallels: add prealloc-mode and prealloc-size open paramemets

      This is preparational commit for tweaks in Parallels image expansion.
      The idea is that enlarge via truncate by one data block is slow. It
      would be much better to use fallocate via bdrv_write_zeroes and
      expand by some significant amount at once.

      Original idea with sequential file writing to the end of the file without
      fallocate/truncate would be slower than this approach if the image is
      expanded with several operations:
      - each image expanding means file metadata update, i.e. filesystem
        journal write. Truncate/write to newly truncated space update file
        metadata twice thus truncate removal helps. With fallocate call
        inside bdrv_write_zeroes file metadata is updated only once and
        this should happen infrequently thus this approach is the best one
        for the image expansion
      - tail writes are ordered, i.e. the guest IO queue could not be sent
        immediately to the host introducing additional IO delays

      This patch just adds proper parameters into BDRVParallelsState and
      performs options parsing in parallels_open.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-26-git-send-email-den@xxxxxxxxxx
      CC: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0d31c7c200b3dca2aeeaa6f74ff3fd539aad803a
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:57 2015 +0300

      block/parallels: delay writing to BAT till bdrv_co_flush_to_os

      The idea is that we do not need to immediately sync BAT to the image as
      from the guest point of view there is a possibility that IO is lost
      even in the physical controller until flush command was finished.
      bdrv_co_flush_to_os is exactly the right place for this purpose.

      Technically the patch uses loaded BAT data as a cache and performs
      actual on-disk metadata updates in parallels_co_flush_to_os callback.

      This patch speed ups
        qemu-img create -f parallels -o cluster_size=64k ./1.hds 64G
        qemu-io -f parallels -c "write -P 0x11 0 1024k" 1.hds
      writing from 50-60 Mb/sec to 80-90 Mb/sec on rotational media and
      from 160 Mb/sec to 190 Mb/sec on SSD disk.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-25-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2d68e22e94e8bc5a0d32a38b53c592c320db8261
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:56 2015 +0300

      block/parallels: create bat_entry_off helper

      calculate offset of the BAT entry in the image file.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-24-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6953d920784466dfaea77f7cfd23df2ad8b772a0
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:55 2015 +0300

      block/parallels: improve image reading performance

      Try to perform IO for the biggest continuous block possible.
      The performance for sequential read is increased from 220 Mb/sec to
      360 Mb/sec for continous image on my SSD HDD.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-23-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a6be831e99f89d72a8c4a114347d5512c326af29
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:54 2015 +0300

      iotests, parallels: check for incorrectly closed image in tests

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-22-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6dd6b9f1440c37811ad963b49a48bf80a8bde377
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:53 2015 +0300

      block/parallels: implement incorrect close detection

      The software driver must set inuse field in Parallels header to
      0x746F6E59 when the image is opened in read-write mode. The presence of
      this magic in the header on open forces image consistency check.

      There is an unfortunate trick here. We can not check for inuse in
      parallels_check as this will happen too late. It is possible to do
      that for simple check, but during the fix this would always report
      an error as the image was opened in BDRV_O_RDWR mode. Thus we save
      the flag in BDRVParallelsState for this.

      On the other hand, nothing should be done to clear inuse in
      parallels_check. Generic close will do the job right.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-21-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 49ad6467313d17486af9029413debb709dc971a8
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:52 2015 +0300

      block/parallels: implement parallels_check method of block driver

      The check is very simple at the moment. It calculates necessary stats
      and fix only the following errors:
      - space leak at the end of the image. This would happens due to
        preallocation
      - clusters outside the image are zeroed. Nothing else could be done here

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-20-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 23d6bd3bd1225e8c8ade6ed829eabcf90ddfa6f7
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:51 2015 +0300

      block/parallels: move parallels_open/probe to the very end of the file

      This will help to avoid forward declarations for upcoming parallels_check

      Some very obvious formatting fixes were made to the moved code to make
      checkpatch happy.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-19-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9eae9cca95e76afc2f2288a665e08a64953f2820
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:50 2015 +0300

      block/parallels: read parallels image header and BAT into single buffer

      This metadata cache would allow to properly batch BAT updates to disk
      in next patches. These updates will be properly aligned to avoid
      read-modify-write transactions on block level.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-18-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dd97cdc064f24484a2ebc141a4ec6bba35f56007
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:49 2015 +0300

      block/parallels: keep BAT bitmap data in little endian in memory

      This will allow to use this data as buffer to BAT update directly
      without any intermediate buffers.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-17-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 555cc9d9fc5c71be6bd3f288eaf1e5628732088f
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:48 2015 +0300

      block/parallels: create bat2sect helper

      deduplicate copy/paste arithmetcs

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-16-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 369f7de9d57e4dd2f312255fc12271d5749c0a4e
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:47 2015 +0300

      block/parallels: rename catalog_ names to bat_

      BAT means 'block allocation table'. Thus this name is clean and shorter
      on writing.

      Some obvious formatting fixes in the old code were made to make checkpatch
      happy.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-15-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit cc5690f20fcc075940a213380b362ae2054c03ba
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:46 2015 +0300

      parallels: change copyright information in the image header

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-14-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ca9c4e0675f9cb98138e1069605114f45746d985
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:45 2015 +0300

      iotests, parallels: test for newly created parallels image via qemu-img

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-13-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 74cf6c5026fef6e327f09786445f626df02cbdf0
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:44 2015 +0300

      block/parallels: support parallels image creation

      Do not even care to create WithoutFreeSpace image, it is obsolete.
      Always create WithouFreSpacExt one.

      The code also does not spend a lot of efforts to fill cylinders and
      heads fields, they are not used actually in a real life neither in
      QEMU nor in Parallels products.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-12-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 50ffd8fd3cfceede87cec1f7f9a04cd7b9147271
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:43 2015 +0300

      iotests, parallels: test for write into Parallels image

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-11-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5a41e1fa95f379e236883f38dacda292f6c48e6f
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:42 2015 +0300

      block/parallels: _co_writev callback for Parallels format

      Support write on Parallels images. The code is almost the same as one
      in the previous patch implemented scatter-gather IO for read.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-10-git-send-email-den@xxxxxxxxxx
      CC: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d0e61ce56d1520cade573eb344fdb136993d2279
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:41 2015 +0300

      block/parallels: mark parallels format driver as zero inited

      From the guest point of view unallocated blocks are zeroed.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-9-git-send-email-den@xxxxxxxxxx
      CC: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 912f31281a683a24b552a8cc6c293ab389b62013
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:40 2015 +0300

      block/parallels: replace magic constants 4, 64 with proper sizeofs

      simple purification..

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-8-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 481fb9cf18925eab19e4af8a44bd86b82eb897ad
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:39 2015 +0300

      block/parallels: provide _co_readv routine for parallels format driver

      Main approach is taken from qcow2_co_readv.

      The patch drops coroutine lock for the duration of IO operation and
      peforms normal scatter-gather IO using standard QEMU backend.

      The patch also adds comment about locking considerations in the driver.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-7-git-send-email-den@xxxxxxxxxx
      CC: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dd3bed16ff229496b30cc77224b0c0ae645c4dae
  Author: Roman Kagan <rkagan@xxxxxxxxxxxxx>
  Date:   Tue Apr 28 10:46:38 2015 +0300

      block/parallels: add get_block_status

      Implement VFS method for get_block_status to Parallels format driver.

      qemu_co_mutex_lock is not necessary yet (the driver is read-only) but
      will be necessary very soon when write will be supported.

      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1430207220-24458-6-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9de9da17d8304576e8402697bcee72c88ce499b8
  Author: Roman Kagan <rkagan@xxxxxxxxxxxxx>
  Date:   Tue Apr 28 10:46:37 2015 +0300

      block/parallels: read up to cluster end in one go

      Teach parallels_read() to do reads in coarser granularity than just a
      single sector: if requested, read up to the cluster end in one go.

      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1430207220-24458-5-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2944256997dd8b080f8b0cc062e4b663cb2ec09c
  Author: Roman Kagan <rkagan@xxxxxxxxxxxxx>
  Date:   Tue Apr 28 10:46:36 2015 +0300

      block/parallels: switch to bdrv_read

      Switch the .bdrv_read method implementation from using bdrv_pread() to
      bdrv_read() on the underlying file, since the latter is subject to i/o
      throttling while the former is not.

      Besides, since bdrv_read() operates in sectors rather than bytes, adjust
      the helper functions to do so too.

      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1430207220-24458-4-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0789890467d30e2ab10d84b5398bdc903db8cb91
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:35 2015 +0300

      block/parallels: rename parallels_header to ParallelsHeader

      this follows QEMU coding convention

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1430207220-24458-3-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d134cf73b10e9d0283e1d2531299c8f9ab13b5eb
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:34 2015 +0300

      iotests, parallels: quote TEST_IMG in 076 test to be path-safe

      suggested by Jeff Cody

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1430207220-24458-2-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 32ad48abd74a997220b841e4e913edeb267aa362
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 18 10:19:06 2014 -0700

      target-alpha: Add vector implementation for CMPBGE

      While conditionalized on SSE2, it's a "portable" gcc generic vector
      implementation, which could be enabled on other hosts.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8d8d324e3424bf891d41e9c7758dcc09cf3c38b9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Jul 15 12:07:05 2014 -0700

      target-alpha: Rewrite helper_zapnot

      This form produces significantly smaller code on x86_64.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9e549d36e989b14423279fb991b71728a2a4ae7c
  Merge: eba05e9 0ef705a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu May 21 09:07:19 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20150520-1' 
into staging

      vnc: misc fixes.

      # gpg: Signature made Wed May 20 09:32:45 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vnc-20150520-1:
        qemu-sockets: Report explicit error if unlink fails
        vnc: Tweak error when init fails
        vnc: Don't assert if opening unix socket fails
        ui: remove check for failure of qemu_acl_init()
        Strip brackets from vnc host

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0ef705a2653f09c15e44a644a98b6febc761431e
  Author: Cole Robinson <crobinso@xxxxxxxxxx>
  Date:   Tue May 5 11:07:19 2015 -0400

      qemu-sockets: Report explicit error if unlink fails

      Consider this case:

      $ ls -ld ~/root-owned/
      drwx--x--x. 2 root root 4096 Apr 29 12:55 /home/crobinso/root-owned/
      $ ls -l ~/root-owned/foo.sock
      -rwxrwxrwx. 1 crobinso crobinso 0 Apr 29 12:55 
/home/crobinso/root-owned/foo.sock

      $ qemu-system-x86_64 -vnc unix:~/root-owned/foo.sock
      qemu-system-x86_64: -vnc unix:/home/crobinso/root-owned/foo.sock: Failed 
to start VNC server: Failed to bind socket to 
/home/crobinso/root-owned/foo.sock: Address already in use

      ...which is techinically true, but the real error is that we failed to
      unlink. So report it.

      This may seem pathological but it's a real possibility via libvirt.

      Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit bc119048d7377ec8335ecde5946df629a1b72b46
  Author: Cole Robinson <crobinso@xxxxxxxxxx>
  Date:   Tue May 5 11:07:18 2015 -0400

      vnc: Tweak error when init fails

      Before:
      qemu-system-x86_64: -display vnc=unix:/root/foo.sock: Failed to start VNC 
server on `(null)': Failed to bind socket to /root/foo.sock: Permission denied

      After:
      qemu-system-x86_64: -display vnc=unix:/root/foo.sock: Failed to start VNC 
server: Failed to bind socket to /root/foo.sock: Permission denied

      Rather than tweak the string possibly show unix: value as well,
      just drop the explicit display reporting. We already get the cli
      string in the error message, that should be sufficient.

      Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 3d00ac1a2ee0294fc3d460e6013a5cdd9c73ea6c
  Author: Cole Robinson <crobinso@xxxxxxxxxx>
  Date:   Tue May 5 11:07:17 2015 -0400

      vnc: Don't assert if opening unix socket fails

      Reproducer:

      $ qemu-system-x86_64 -display vnc=unix:/root/i-cant-access-you.sock
      qemu-system-x86_64: iohandler.c:60: qemu_set_fd_handler2: Assertion `fd 
>= 0' failed.
      Aborted (core dumped)

      Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2b2c1a38eeaba5d8bfe92281e9e680361e09ee3b
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri May 1 11:44:46 2015 +0100

      ui: remove check for failure of qemu_acl_init()

      The qemu_acl_init() function has long since stopped being able
      to return NULL, since g_malloc will abort on OOM. As such the
      checks for NULL were unreachable code.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 274c3b52e10466a4771d591f6298ef61e8354ce0
  Author: Ján Tomko <jtomko@xxxxxxxxxx>
  Date:   Mon Apr 27 17:03:14 2015 +0200

      Strip brackets from vnc host

      Commit v2.2.0-1530-ge556032 vnc: switch to inet_listen_opts
      bypassed the use of inet_parse in inet_listen, making literal
      IPv6 addresses enclosed in brackets fail:

      qemu-kvm: -vnc [::1]:0: Failed to start VNC server on `(null)': address
      resolution failed for [::1]:5900: Name or service not known

      Strip the brackets to make it work again.

      Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit eba05e922e8e7f307bc5d4104a78797e55124e97
  Merge: fdbe454 a48da7b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 14:10:33 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-serial-20150519-1' 
into staging

      serial: fix multi-pci card error cleanup.

      # gpg: Signature made Tue May 19 11:47:29 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-serial-20150519-1:
        serial: fix multi-pci card error cleanup.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a48da7b5bc1f0c98e7a124337140efd47049066c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed May 6 12:58:19 2015 +0200

      serial: fix multi-pci card error cleanup.

      Put the number of serial ports into a local variable in
      multi_serial_pci_realize, then increment the port count
      (pci->ports) as we initialize the serial port cores.

      Now pci->ports always holds the number of successfully
      initialized ports and we can use multi_serial_pci_exit
      to properly cleanup the already initialized bits in case
      of a init failure.

      https://bugzilla.redhat.com/show_bug.cgi?id=970551

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fdbe454a242105fcfe48b9c44b5499b80ff84160
  Merge: faa261a 176c324
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 11:47:03 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150519-1' 
into staging

      hw/display: qomify vga cards

      # gpg: Signature made Tue May 19 11:23:09 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20150519-1:
        vga-pci: QOMify
        qxl: QOMify
        cirrus_vga: QOMify

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 176c324febd76d6f164347583f5af35b3cb4e5fb
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue May 12 17:27:08 2015 +0800

      vga-pci: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c69f6c7dcf6164ee0ee3b00bec27dfdec4e8b661
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue May 12 17:27:10 2015 +0800

      qxl: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d338bae33a76d02678ea706622dfcc26b8b8325c
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue May 12 17:27:09 2015 +0800

      cirrus_vga: QOMify

      QOMify pci-cirrus-vga like isa-cirrus-vga device.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit faa261a7fb254866bdd5b6a25ad94677945f21b4
  Merge: 62bf3df b4c6a11
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 10:25:59 2015 +0100

      Merge remote-tracking branch 'remotes/pmaydell/tags/pull-cocoa-20150519' 
into staging

      cocoa queue:
       * fix various issues with full screen in the OSX UI
       * set an icon for our binary file
       * add entries to the View menu for QEMU consoles
       * fix various warnings that are produced when building on 10.10
         (largely deprecated interfaces)

      # gpg: Signature made Tue May 19 09:17:23 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-cocoa-20150519:
        ui/cocoa: Add console items to the View menu
        ui/cocoa: Avoid deprecated NSOKButton/NSCancelButton constants
        ui/cocoa: Don't use NSWindow useOptimizedDrawing on OSX 10.10 and up
        ui/cocoa: Declare that QemuCocoaAppController implements 
NSApplicationDelegate
        ui/cocoa: openPanelDidEnd returnCode should be NSInteger, not int
        ui/cocoa: Remove compatibility ifdefs for OSX 10.4
        ui/cocoa: Drop tests for CGImageCreateWithImageInRect support
        Makefile.target: set icon for binary file on Mac OS X
        ui/cocoa: Make -full-screen option work on Mac OS X
        ui/cocoa: Fix several full screen issues on Mac OS X

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b4c6a112dcfa1d24b905e6cccc763e02000937f1
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: Add console items to the View menu

      Add any console that is available to the current emulator as a
      menu item under the View menu.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      [PMM: Adjusted to apply after zoom-to-fit menu item was added;
       create the View menu at the same time as all the others, and only
       add the dynamically-determined items to it later]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8617989eae7398e9e782a73857fc53a548692b31
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: Avoid deprecated NSOKButton/NSCancelButton constants

      In OSX 10.10, the NSOKButton and NSCancelButton constants are deprecated
      and provoke compiler warnings. Avoid them by using the
      NSFileHandlingPanelCancelButton and NSFileHandlingPanelOKButton constants
      instead. These are the documented correct constants for the 10.6-and-up
      beginSheetModalForWindow API we use. We also use the same method for
      the pre-10.6 compatibility code path, but conveniently the constant
      values are the same and the constant names have been present since 10.0.
      Preferring the constant names that match the non-legacy API makes more
      sense anyway.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 81801ae21333d81a8e7887bc6b11c601b6ecbee6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: Don't use NSWindow useOptimizedDrawing on OSX 10.10 and up

      Starting in OSX 10.10, NSWindow useOptimizedDrawing is deprecated, so
      don't use it there.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2a4c8c53dabf564142d5329b9ff8a82468324fd6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: Declare that QemuCocoaAppController implements 
NSApplicationDelegate

      Our class QemuCocoaAppController implements the NSApplicationDelegate
      interface, and we pass an object of this class to [NSApp setDelegate].
      However, we weren't declaring in the class definition that we implemented
      this interface; in OSX 10.10 this provokes the following (slighly
      misleading) warning:
      ui/cocoa.m:1031:24: warning: sending 'QemuCocoaAppController *' to 
parameter of
            incompatible type 'id<NSFileManagerDelegate>'
          [NSApp setDelegate:appController];
                             ^~~~~~~~~~~~~
      
/System/Library/Frameworks/Foundation.framework/Headers/NSFileManager.h:109:47:
      note: passing argument to parameter 'delegate' here
      @property (assign) id <NSFileManagerDelegate> delegate NS_AVAILABLE(10_5,
      2_0);
                                                    ^

      Annoyingly, this interface wasn't formally defined until OSX 10.6, so we
      have to surround the relevant part of the @interface line with an ifdef.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit de1aadee289722478c19f211f0fa3a38e7e66b6f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: openPanelDidEnd returnCode should be NSInteger, not int

      The type for openPanelDidEnd's returnCode argument should be NSInteger,
      not int. This only matters for the OSX 10.5 code path where we pass
      the method directly to an OSX function to call.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 89424ff32f5c106f90627c7abe019c81c716fd13
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      ui/cocoa: Remove compatibility ifdefs for OSX 10.4

      Remove compatibility ifdefs that work around OSX 10.4 not providing
      various typedefs and functions.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit b63901d84cc22a06f82900620fdbe01ff16511ec
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      ui/cocoa: Drop tests for CGImageCreateWithImageInRect support

      The code that tries to test at both compiletime and runtime
      for whether CGImageCreateWithImageInRect is supported provokes
      a compile warning on OSX 10.3:

      ui/cocoa.m:378:13: warning: comparison of function 
'CGImageCreateWithImageInRect'
            equal to a null pointer is always 
false[-Wtautological-pointer-compare]
              if (CGImageCreateWithImageInRect == NULL) { // test if 
"CGImageCreateWithImageInRect" is
      supported on host at runtime
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~    ~~~~

      The simplest way to deal with this is just to drop this code,
      since we don't in practice support OSX 10.4 anyway. (10.5 was
      released in 2007 and is the last PPC version, so is the earliest
      we really need to continue to support at all.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4e34017c21485e5606beda7e6218c36d3568b363
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      Makefile.target: set icon for binary file on Mac OS X

      Implements setting the icon for the binary file in Mac OS X.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      [PMM: tweaked makefile to use $@ and quiet-command]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 43227af88a36faed50cedb0c7cef71a49c0be9d2
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      ui/cocoa: Make -full-screen option work on Mac OS X

      This patch makes the -full-screen option actually instruct QEMU to
      enter fullscreen at startup, on Mac OS X.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5d1b2eef58632974494b4b94f8970846aa0bffb9
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      ui/cocoa: Fix several full screen issues on Mac OS X

      This patch makes several changes:
      - Minimizes distorted full screen display by respecting aspect
      ratios.
      - Makes full screen mode available on Mac OS 10.7 and higher.
      - Allows user to decide if video should be stretched to fill the
      screen, using a menu item called "Zoom To Fit".
      - Hides the normalWindow so it won't show up in full screen mode.
      - Allows user to exit full screen mode.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      [PMM: minor whitespace tweaks, remove incorrectly duplicated
       use of 'f' menu accelerator key]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 57a808b6d7f52a62111f6070933dfca6cd88a0fd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Jul 8 10:42:55 2014 -0700

      target-alpha: Raise IOV from CVTQL

      Even if an exception isn't taken, the status flags need updating
      and the result should be written to the destination.  Move the body
      of cvtql out of line, since we now always need a call.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4ed069ab5334a495b49d0704795524fa34e8dbfc
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Jul 8 10:14:09 2014 -0700

      target-alpha: Suppress underflow from CVTTQ if DNZ

      I.e. respect flush_inputs_to_zero.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b99e80694cc635aa6ed5a3716e89645a8afa261c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Jul 8 10:11:06 2014 -0700

      target-alpha: Raise EXC_M_INV properly for fp inputs

      Ignore DNZ if software completion isn't used.  Raise INV for
      denormals in system mode so the OS completion handler sees them.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ed0851380c8ed181ddd6ed3542b14fcb0bca6700
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Jul 7 06:18:20 2014 -0700

      target-alpha: Disallow literal operand to 1C.30 to 1C.37

      Before 64f45e49 we used to have literal checks for 4 of these 8 opcodes.
      Confirmed that real hardware doesn't allow them.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2517def6f82bec9eba9333a37f85a6f368ba52ee
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 3 21:04:26 2014 -0700

      target-alpha: Implement WH64EN

      Backward compatible cache insn introduced for EV7.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4d1628e832dfc6ec02b0d196f6cc250aaa7bf3b3
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 3 13:18:26 2014 -0700

      target-alpha: Fix integer overflow checking insns

      We need to write the result to the destination register before
      raising any exception.  Thus inline the code for each insn, and
      check for any exception after we're done.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7b4dde839e86ca6c254d4e3cd28260e9d668afb5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 3 12:37:59 2014 -0700

      target-alpha: Fix cvttq vs inf

      We should raise INV for infinities as well, not OVR+INE.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7f2e40020cfc827f7e59670f8c400b0b9a704481
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 3 12:36:34 2014 -0700

      target-alpha: Fix cvttq vs large integers

      The range +- 2**63 - 2**64 was returning the wrong truncated
      result.  We also incorrectly signaled overflow for -2**63.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c24a8a0b6dad5a33d84f5fb846edb28c43312c71
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Jun 28 12:57:03 2014 -0700

      target-alpha: Raise IOV from CVTTQ

      Floating-point overflow is a different bit from integer overflow.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f6b6b7b8a775f97edab43eb672d5991f534c2e61
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Jun 30 09:53:46 2014 -0700

      target-alpha: Set EXC_M_SWC for exceptions from /S insns

      Previously forgotten, the kernel needs the software completion bit to
      know that it needs to emulate software completion qualified insns.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 471d4930470aee38dffe6fc4890ede3d8eaf23c4
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Jun 28 11:08:28 2014 -0700

      target-alpha: Set fpcr_exc_status even for disabled exceptions

      The qualifiers can suppress the raising of exceptions, but real
      hardware still records that the exceptions occurred.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f3d3aad4a920a4436a9f5397d7a2963aefe141a9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 8 12:17:07 2014 -1000

      target-alpha: Tidy FPCR representation

      Store the fpcr as the hardware represents it.  Convert the softfpu
      representation of exceptions into the fpcr representation.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ba9c5de5f2d33d468a07a8794121472ea031a0b5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Jun 28 13:06:19 2014 -0700

      target-alpha: Set PC correctly for floating-point exceptions

      PC should be one past the faulting insn.  Add better commentary
      for the machine-check exception path.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9d5a626b2c3fa98761b35b5e2ac86f7adb231002
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Jun 28 10:25:36 2014 -0700

      target-alpha: Forget installed round mode after MT_FPCR

      When we use QUAL_RM_D, we copy fpcr_dyn_round to float_status.
      When we install a new FPCR value, we update fpcr_dyn_round.
      Reset the status of the cache so that we re-copy for the next
      fp insn that requires dynamic rounding.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 3da653fa05579579b0ba55a02ffa2aa3d466f01b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 8 10:54:35 2014 -1000

      target-alpha: Rename floating-point subroutines

      ... to match the instructions, which have no leading "f".

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9354452c39fef1ab2491da5989e6944d8bb2e16a
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 8 10:42:45 2014 -1000

      target-alpha: Move VAX helpers to a new file

      Keep the IEEE and VAX floating point emulation separate.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 62bf3df432d93fa6eb0f355c460d6d784b7cbc1a
  Merge: 385057c 18084b2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 18 20:23:16 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150518-3' into staging

      target-arm:
       * New board model: xlnx-ep108
       * Some more preparation for AArch64 EL2/EL3
       * Fix bugs in access checking for generic counter registers
       * Remove a stray '+' sign

      # gpg: Signature made Mon May 18 20:13:05 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150518-3: (21 commits)
        target-arm: Remove unneeded '+'
        target-arm: Correct accessfn for CNTV_TVAL_EL0
        target-arm: Correct accessfn for CNTP_{CT}VAL_EL0
        target-arm: Add WFx syndrome function
        target-arm: Add EL3 and EL2 TCR checking
        target-arm: Add TTBR regime function and use
        linux-user/arm: Correct TARGET_NR_timerfd to TARGET_NR_timerfd_create
        arm: xlnx-ep108: Add bootloading
        arm: xlnx-ep108: Add external RAM
        arm: Add xlnx-ep108 machine
        arm: xlnx-zynqmp: Add UART support
        char: cadence_uart: Split state struct and type into header
        char: cadence_uart: Clean up variable names
        arm: xlnx-zynqmp: Add GEM support
        net: cadence_gem: Split state struct and type into header
        net: cadence_gem: Clean up variable names
        arm: xlnx-zynqmp: Connect CPU Timers to GIC
        arm: xlnx-zynqmp: Add GIC
        arm: Introduce Xilinx ZynqMP SoC
        target-arm: cpu64: Add support for Cortex-A53
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 18084b2f71b22b3ec3bf4828b8cb83d1d39e8502
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Wed May 13 16:52:28 2015 +1000

      target-arm: Remove unneeded '+'

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1431499963-1019-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b65c08ee1a05760c1c5a786a6cedf240f924c53e
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Wed May 13 16:52:27 2015 +1000

      target-arm: Correct accessfn for CNTV_TVAL_EL0

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1431499963-1019-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 12cde08aaf571de65d3fbbdf93c83f0a4321267f
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Wed May 13 16:52:26 2015 +1000

      target-arm: Correct accessfn for CNTP_{CT}VAL_EL0

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1431499963-1019-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06fbb2fdf7a7ac468d62c66cfe4537d3c71f7bb9
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Wed Apr 22 12:09:20 2015 -0500

      target-arm: Add WFx syndrome function

      Adds a utility function for creating a WFx exception syndrome

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-9-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 88e8add8b6656c349a96b447b074688d02dc5415
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Wed Apr 22 12:09:19 2015 -0500

      target-arm: Add EL3 and EL2 TCR checking

      Updated get_phys_addr_lpae to check the appropriate TTBCR/TCR depending 
on the
      current EL. Support includes using the different TCR format as well as 
checks to
      insure TTBR1 is not used when in EL2 or EL3.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-8-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit aef878be4e7ab1bdb30b408007320400b0a29c83
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Wed Apr 22 12:09:18 2015 -0500

      target-arm: Add TTBR regime function and use

      Add a utility function for choosing the correct TTBR system register 
based on
      the specified MMU index. Add use of function on physical address lookup.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-7-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: fixed regime_ttbr() return type to be uint64_t]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d82322e175d58c0c8951cbc905da1ca9ee2e008c
  Author: Timothy Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
  Date:   Wed Apr 8 21:40:52 2015 +0100

      linux-user/arm: Correct TARGET_NR_timerfd to TARGET_NR_timerfd_create

      Misspelled system call name in macro was causing timerfd_create not
      to be supported for the ARM target.

      Signed-off-by: Timothy Edward Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 082587b741efc5329380b4a156d86f2bdbfa2d70
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:30 2015 -0700

      arm: xlnx-ep108: Add bootloading

      Add bootloader support using standard ARM bootloader.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
b829abaf2b70d02b28e79301553cbd74afc416a1.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b79b9d28f6b8f7879c50b6c053b4e3796de5b7d0
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:27 2015 -0700

      arm: xlnx-ep108: Add external RAM

      Zynq MPSoC supports external DDR RAM. Add a RAM at 0 to the model.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
2c25e2a4198402a6477aef2975d5df7c415dd341.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 859a0c5b5fb8be0c1ed78d96695a162c9210e1e6
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:24 2015 -0700

      arm: Add xlnx-ep108 machine

      Add a machine model for the Xilinx ZynqMP SoC EP108 board.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
3896b34c862f370dc0679e4428bf3848d1f9f83c.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3bade2a9e6336e0eb7cc5ad7425994f1143c5cfa
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:21 2015 -0700

      arm: xlnx-zynqmp: Add UART support

      There are 2x Cadence UARTs in Zynq MP. Add them.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
e30795536f77599fabc1052278d846ccd52322e2.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8ae57b2fa35dae9aa4b50db5e632156eded9bec0
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:18 2015 -0700

      char: cadence_uart: Split state struct and type into header

      Create a new header for Cadence UART to allow using the device with
      modern SoC programming conventions. The state struct needs to be
      visible to embed the device in SoC containers.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
46a0fbd45b6b205f54c4a8c778deb75c77f8abdf.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e86da3cb40d6f70ce99d8e64952c49df8ad78848
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:15 2015 -0700

      char: cadence_uart: Clean up variable names

      Clean up some variable names in preparation for migrating the state struct
      and type cast macro to a public header. The acronym "UART" on it's own is
      not specific enough to be used in a more global namespace so preface with
      "cadence". Fix the capitalisation of "uart" in the state type while 
touching
      the typename. Preface macros used by the state struct itself with 
CADENCE_UART
      so they don't conflict in namespace either.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
3812b7426c338beae9e082557f3524a99310ddc6.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 14ca2e462ee137974d81729b1d88d9d39cf2f22c
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:12 2015 -0700

      arm: xlnx-zynqmp: Add GEM support

      There are 4x Cadence GEMs in ZynqMP. Add them.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
7d3e68e5495d145255f0ee567046415e3a26d67e.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f49856d4e65703e347ee3e2277a87282ce601bcd
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:09 2015 -0700

      net: cadence_gem: Split state struct and type into header

      Create a new header for Cadence GEM to allow using the device with
      modern SoC programming conventions. The state struct needs to be
      visible to embed the device in SoC containers.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a98b5df6440c5bff8f813a26bb53ce1cfefb4c4c.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 448f19e23155021e42878e7effc3da895921ad4e
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:07 2015 -0700

      net: cadence_gem: Clean up variable names

      Cleanup some variable names in preparation for migrating the state
      struct and type cast macro to a public header. The acronym "GEM" on
      its own is not specific enough to be used in a more global namespace
      so preface with "cadence". Fix the capitalisation of "gem" in the
      state type while touching the typename. Also preface the GEM_MAXREG
      macro as this will need to migrate to public header.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
8e2b0687b3a7b7a3fde5ba2f3bee6f3b911e84ef.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bf4cb10966a7685bba3aeaf14434902889ef535d
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:04 2015 -0700

      arm: xlnx-zynqmp: Connect CPU Timers to GIC

      Connect the GPIO outputs from the individual CPUs for the timers to the
      GIC.

      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a7866a4f0c903c91fa3034210b4d2879aa4bfcb9.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7729e1f4b3c670eca38cc0ee0d96c1177efbc1e3
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:01 2015 -0700

      arm: xlnx-zynqmp: Add GIC

      Add the GIC and connect IRQ outputs to the CPUs. The GIC regions are
      under-decoded through a 64k address region so implement aliases
      accordingly.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
5853189965728d676106d9e94e76b9bb87981cb5.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f0a902f76452211cadbdf1d25ef9b94732b096e8
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:22:58 2015 -0700

      arm: Introduce Xilinx ZynqMP SoC

      With quad Cortex-A53 CPUs.

      Use SMC PSCI, with the standard policy of secondaries starting in
      power-off.

      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a16202a6c7b79e446e5289d38cb18d2ee4b897a0.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e35310260ec57d20301c65a5714ca55369e971cc
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:22:55 2015 -0700

      target-arm: cpu64: Add support for Cortex-A53

      Add the ARM Cortex-A53 processor definition. Similar to A57, but with
      different L1 I cache policy, phys addr size and different cache
      geometries. The cache sizes is implementation configurable, but use
      these values (from Xilinx Zynq MPSoC) as a default until cache size
      configurability is added.

      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
db439ff834cf0431bc192b05272a3b28fe2045d0.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ee804264ddc4d3cd36a5183a09847e391da0fc66
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:22:52 2015 -0700

      target-arm: cpu64: generalise name of A57 regs

      Rename some A57 CP register variables in preparation for support for
      Cortex A53. Use "a57_a53" to describe the shareable features. Some of
      the CP15 registers (such as ACTLR) are specific to implementation, but
      we currently just RAZ them so continue with that as the policy for both
      A57 and A53 processors under a shared definition.

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
5a5f957994677d91435190b3be1cefa6f657e274.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 385057cbec9b4a0eb6150330c572e875ed714965
  Merge: 99e7627 4180978
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 15 17:51:20 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-05-15' 
into staging

      qapi: Fix qapi mangling of downstream names, and more

      # gpg: Signature made Fri May 15 17:41:31 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-05-15: (26 commits)
        qapi: Inline gen_command_decl_prologue(), gen_command_def_prologue()
        qapi: Drop pointless flush() before close()
        qapi: Factor open_output(), close_output() out of generators
        qapi: Turn generators' mandatory option -i into an argument
        qapi: Fix generators to report command line errors decently
        qapi: Factor parse_command_line() out of the generators
        qapi: qapi-commands.py option --type is unused, drop it
        qapi: qapi-event.py option -b does nothing, drop it
        tests: Add missing dependencies on $(qapi-py)
        qapi: Support downstream events and commands
        qapi: Support downstream alternates
        qapi: Support downstream flat unions
        qapi: Support downstream simple unions
        qapi: Support downstream structs
        qapi: Support downstream enums
        qapi: Make c_type() consistently convert qapi names
        qapi: Tidy c_type() logic
        qapi: Move camel_to_upper(), c_enum_const() to closely related code
        qapi: Use c_enum_const() in generate_alternate_qtypes()
        qapi: Simplify c_enum_const()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 99e7627a70d1a23e30a514e5a4798005cf4eb3aa
  Merge: 1eeace9 dfb3630
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 15 16:02:08 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150514' into 
staging

      Per-memop alignment

      # gpg: Signature made Thu May 14 20:17:27 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150514:
        tcg: Add MO_ALIGN, MO_UNALN
        tcg: Push merged memop+mmu_idx parameter to softmmu routines
        tcg: Merge memop and mmu_idx parameters to qemu_ld/st

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dfb36305626636e2e07e0c5acd3a002a5419399e
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed May 13 11:25:20 2015 -0700

      tcg: Add MO_ALIGN, MO_UNALN

      These modifiers control, on a per-memory-op basis, whether
      unaligned memory accesses are allowed.  The default setting
      reflects the target's definition of ALIGNED_ONLY.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 3972ef6f830d65e9bacbd31257abedc055fd6dc8
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed May 13 09:10:33 2015 -0700

      tcg: Push merged memop+mmu_idx parameter to softmmu routines

      The extra information is not yet used but it is now available.
      This requires minor changes through all of the tcg backends.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 59227d5d45bb3c31dc2118011691c35b3c00879c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue May 12 11:51:44 2015 -0700

      tcg: Merge memop and mmu_idx parameters to qemu_ld/st

      At the tcg opcode level, not at the tcg-op.h generator level.
      This requires minor changes through all of the tcg backends,
      but none of the cpu translators.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4180978c9205c50acd2d6c385def9b3e81911696
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 14:52:55 2015 +0200

      qapi: Inline gen_command_decl_prologue(), gen_command_def_prologue()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 09896d3f48078a93e3d2dbd8ef86436b85ebda7c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 14:49:29 2015 +0200

      qapi: Drop pointless flush() before close()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 12f8e1b9ff57e99dafbb13f89cd5a99ad5c28527
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 14:46:39 2015 +0200

      qapi: Factor open_output(), close_output() out of generators

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 16d80f61814745bd3f5bb9f47ae3b00edf9e1e45
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 13:32:16 2015 +0200

      qapi: Turn generators' mandatory option -i into an argument

      Mandatory option is silly, and the error handling is missing: the
      programs crash when -i isn't supplied.  Make it an argument, and check
      it properly.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit b45409683e829770000a4560ed21e704f87df74c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 13:17:34 2015 +0200

      qapi: Fix generators to report command line errors decently

      Report to stderr, prefix with the program name.  Also reject
      extra arguments.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 2114f5a98d0d80774306279e1694de074ca86aa0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 13:12:21 2015 +0200

      qapi: Factor parse_command_line() out of the generators

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 72aaa73a4acef06bfaed750064c40a597f0cf745
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 11:41:22 2015 +0200

      qapi: qapi-commands.py option --type is unused, drop it

      Anything but --type sync (which is the default) suppresses output
      entirely, which makes no sense.

      Dates back to the initial commit c17d990.  Commit message says
      "Currently only generators for synchronous qapi/qmp functions are
      supported", so maybe output other than "synchronous qapi/qmp" was
      planned at the time, to be selected with --type.

      Should other kinds of output ever materialize, we can put the option
      back.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c70cef5bd48c7be603f75a7b5346db032a31b470
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 11:40:21 2015 +0200

      qapi: qapi-event.py option -b does nothing, drop it

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit df3e21a0e0edd30ea2e7c9b09b05feaaa297c718
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 13:38:48 2015 +0200

      tests: Add missing dependencies on $(qapi-py)

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e3c4c3d796c1147d32f66fa1413d5d7c49d5aa37
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:51:01 2015 -0600

      qapi: Support downstream events and commands

      Enhance the testsuite to cover downstream events and commands.
      Events worked without more tweaks, but commands needed a few final
      updates in the generator to mangle names in the appropriate places.
      In making those tweaks, it was easier to drop type_visitor() and
      inline its actions instead.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d1f07c86c05706facf950b0b0dba370f71fd5ef6
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:51:00 2015 -0600

      qapi: Support downstream alternates

      Enhance the testsuite to cover downstream alternates, including
      whether the branch name or type is downstream.  Update the
      generator to mangle alternate names in the appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 857af5f06c3fb097d1bb6bc8a23b9992aac99e75
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:59 2015 -0600

      qapi: Support downstream flat unions

      Enhance the testsuite to cover downstream flat unions, including
      the base type, discriminator name and type, and branch name and
      type.  Update the generator to mangle the union names in the
      appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit bb33729043ceda56b4068db13bdc17786ebd0ed0
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:58 2015 -0600

      qapi: Support downstream simple unions

      Enhance the testsuite to cover downstream simple unions, including
      when a union branch is a downstream name.  Update the generator to
      mangle the union names in the appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 83a02706bb1fd31c93eab755de543dfe228682d4
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:57 2015 -0600

      qapi: Support downstream structs

      Enhance the testsuite to cover downstream structs, including struct
      members and base structs.  Update the generator to mangle the
      struct names in the appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fce384b8e5193e02421f6b2c2880f3684abcbdc0
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:56 2015 -0600

      qapi: Support downstream enums

      Enhance the testsuite to cover a downstream enum type and enum
      string.  Update the generator to mangle the enum name in the
      appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit c6405b54b7b09a876f2f2fba2aa6f8ac87189cb9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:55 2015 -0600

      qapi: Make c_type() consistently convert qapi names

      Continuing the string of cleanups for supporting downstream names
      containing '.', this patch focuses on ensuring c_type() can
      handle a downstream name.  This patch alone does not fix the
      places where generator output should be calling this function
      but was open-coding things instead, but it gets us a step closer.

      In particular, the changes to c_list_type() and type_name() mean
      that type_name(FOO) now handles the case when FOO contains '.',
      '-', or is a ticklish identifier other than a builtin (builtins
      are exempted because ['int'] must remain mapped to 'intList' and
      not 'q_intList').  Meanwhile, ['unix'] now maps to 'q_unixList'
      rather than 'unixList', to match the fact that 'unix' is ticklish;
      however, our naming conventions state that complex types should
      start with a capital, so no type name following conventions will
      ever have the 'q_' prepended.

      Likewise, changes to c_type() mean that c_type(FOO) properly
      handles an enum or complex type FOO with '.' or '-' in the
      name, or is a ticklish identifier (again, a ticklish identifier
      as a type name violates conventions).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d557344628e32771f07e5b6a2a818ee3d8e7a65f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:54 2015 -0600

      qapi: Tidy c_type() logic

      c_type() is designed to be called on both string names and on
      array designations, so 'name' is a bit misleading because it
      operates on more than strings.  Also, no caller ever passes
      an empty string.  Finally, + notation is a bit nicer to read
      than '%s' % value for string concatenation.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 849bc5382e42b3b9590c6a50ba30c2fd2450308c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:53 2015 -0600

      qapi: Move camel_to_upper(), c_enum_const() to closely related code

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit b42e91484df9772bb0c26aa0f05390a92d564d6f
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:52 2015 -0600

      qapi: Use c_enum_const() in generate_alternate_qtypes()

      Missed in commit b0b5819.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 02e20c7e593363c564aae96e3c5bdc58630ce584
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:51 2015 -0600

      qapi: Simplify c_enum_const()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 7c81c61f9c2274f66ba947eafd9618d60da838a6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:50 2015 -0600

      qapi: Rename generate_enum_full_value() to c_enum_const()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit fa6068a1e8ef3c878ac9ee2399bb01eeaf61c366
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:49 2015 -0600

      qapi: Rename _generate_enum_string() to camel_to_upper()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 18df515ebbefa9f13474b128b8050d5fa346ea1e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:48 2015 -0600

      qapi: Rename identical c_fun()/c_var() into c_name()

      Now that the two functions are identical, we only need one of them,
      and we might as well give it a more descriptive name.  Basically,
      the function serves as the translation from a QAPI name into a
      (portion of a) C identifier, without regards to whether it is a
      variable or function name.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 47299262de424af0cb69965d082e5e70b2314183
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:47 2015 -0600

      qapi: Fix C identifiers generated for names containing '.'

      c_fun() maps '.' to '_', c_var() doesn't.  Nothing prevents '.' in
      QAPI names that get passed to c_var().

      Which QAPI names get passed to c_fun(), to c_var(), or to both is not
      obvious.  Names of command parameters and struct type members get
      passed to c_var().

      c_var() strips a leading '*', but this cannot happen.  c_fun()
      doesn't.

      Fix c_var() to work exactly like c_fun().

      Perhaps they should be replaced by a single mapping function.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      [add 'import string']
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>

  commit 777abdfe7bb47e582c8eb87dd6cecdf3fd9f86fc
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon May 11 17:17:49 2015 +0200

      doc: fix qmp event type

      Event name for hot unplug errors was wrong.
      Make doc match code.

      Cc: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reported-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 58f88d4b7e9e5578b8dd2c5acfe555b85b35af88
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 8 16:04:22 2015 -0300

      qmp: Add qom_path field to query-cpus command

      This will allow clients to query additional information directly using
      qom-get on the CPU objects.

      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1eeace9c237a729d11c7acd7c0338ab4562af637
  Merge: 4d2d2d8 57af728
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed May 13 16:06:07 2015 +0100

      Merge remote-tracking branch 
'remotes/agraf/tags/signed-s390-for-upstream' into staging

      Patch queue for s390 - 2015-05-13

      A few TCG fixes for the s390x target. Nothing special, but with these
      applied I can run most of the SLE12 binaries in Linux-user emulation.

      # gpg: Signature made Wed May 13 13:49:25 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-s390-for-upstream:
        s390x: Add interlocked access facility 1 instructions
        s390x: Add some documentation in opcode list
        s390x: Fix stoc direction

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4d2d2d8b21779d7becbdffd7cd7983a7ccb55b54
  Merge: 968bb75 e907746
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed May 13 13:57:44 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-cve-pull-request' 
into staging

      # gpg: Signature made Wed May 13 12:52:19 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-cve-pull-request:
        fdc: force the fifo access to be in bounds of the allocated buffer

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 57af7289f276ce70b65f2fbb4981833f04264aac
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Fri May 8 03:07:53 2015 +0200

      s390x: Add interlocked access facility 1 instructions

      We're currently missing all instructions defined by the 
"interlocked-access
      facility 1" which is part of zEC12. This patch implements all of them 
except
      for LPD and LPDG.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 13f67dd5825a7dfd7a4904a5fb0cf0a3f95d2d45
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Fri May 8 03:06:41 2015 +0200

      s390x: Add some documentation in opcode list

      I find it really hard to grasp what each field in the opcode list means.
      Slowly walking through its semantics myself, I figured I'd write a small
      summary at the top of the file to make life easier for me and whoever
      looks at the file next.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c095ed731ce4fecf166e4ac02ddc606b408f5e1f
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Apr 15 03:45:41 2015 +0200

      s390x: Fix stoc direction

      The store conditional instruction wants to store when the condition
      is fulfilled, so we should branch out when it's not true.

      The code today branches out when the condition is true, clearly
      reversing the logic. Fix it up by negating the condition.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit e907746266721f305d67bc0718795fedee2e824c
  Author: Petr Matousek <pmatouse@xxxxxxxxxx>
  Date:   Wed May 6 09:48:59 2015 +0200

      fdc: force the fifo access to be in bounds of the allocated buffer

      During processing of certain commands such as FD_CMD_READ_ID and
      FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
      get out of bounds leading to memory corruption with values coming
      from the guest.

      Fix this by making sure that the index is always bounded by the
      allocated memory.

      This is CVE-2015-3456.

      Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 968bb75c348a401b85e08d5eb1887a3e6c3185f5
  Merge: 19fbe50 5ae79fe
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 12:11:32 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150512' into staging

      target-arm queue:
       * Support TZ and grouping in the GIC
       * hw/sd: sd_reset cleanup
       * armv7m_nvic: fix bug in systick device

      # gpg: Signature made Tue May 12 12:02:26 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150512:
        hw/arm/highbank.c: Wire FIQ between CPU <> GIC
        hw/arm/vexpress.c: Wire FIQ between CPU <> GIC
        hw/arm/virt.c: Wire FIQ between CPU <> GIC
        hw/intc/arm_gic: Add grouping support to gic_update()
        hw/intc/arm_gic: Change behavior of IAR writes
        hw/intc/arm_gic: Change behavior of EOIR writes
        hw/intc/arm_gic: Handle grouping for GICC_HPPIR
        hw/intc/arm_gic: Restrict priority view
        hw/intc/arm_gic: Implement Non-secure view of RPR
        hw/intc/arm_gic: Make ICCICR/GICC_CTLR banked
        hw/intc/arm_gic: Make ICCBPR/GICC_BPR banked
        hw/intc/arm_gic: Make ICDDCR/GICD_CTLR banked
        hw/intc/arm_gic_kvm.c: Save and restore GICD_IGROUPRn state
        hw/intc/arm_gic: Add Interrupt Group Registers
        hw/intc/arm_gic: Switch to read/write callbacks with tx attributes
        hw/intc/arm_gic: Add Security Extensions property
        hw/intc/arm_gic: Create outbound FIQ lines
        hw/sd: Don't pass BlockBackend to sd_reset()
        armv7m_nvic: systick: Reload the RELOAD value and count down only if 
ENABLE bit is set

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5ae79fe825bedc89db8b6bde9d0ed0bb5d59558c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:19 2015 +0100

      hw/arm/highbank.c: Wire FIQ between CPU <> GIC

      Connect FIQ output of the GIC CPU interfaces to the CPUs.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-18-git-send-email-peter.maydell@xxxxxxxxxx

  commit 27192e390d064489dcb23d5fcceb21cabf86d789
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/arm/vexpress.c: Wire FIQ between CPU <> GIC

      Connect FIQ output of the GIC CPU interfaces to the CPUs.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-17-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-3-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: minor format tweak]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8e7b4ca08b968c9e195bcae9c6cb827c8564871a
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/arm/virt.c: Wire FIQ between CPU <> GIC

      Connect FIQ output of the GIC CPU interfaces to the CPUs.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-16-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-4-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: minor format tweak]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dadbb58f5955053c5f5dc2252a4b183f90d7bfce
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/intc/arm_gic: Add grouping support to gic_update()

      Add support to gic_update() for determining the current IRQ
      and FIQ status when interrupt grouping is supported. This
      simply requires that instead of always raising IRQ we
      check the group of the highest priority pending interrupt
      and the GICC_CTLR.FIQEn bit to see whether we should raise
      IRQ or FIQ.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1430502643-25909-15-git-send-email-peter.maydell@xxxxxxxxxx

  commit c5619bf9e8935aeb972c0bd935549e9ee0a739f2
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/intc/arm_gic: Change behavior of IAR writes

      Grouping (GICv2) and Security Extensions change the behavior of IAR
      reads. Acknowledging Group0 interrupts is only allowed from Secure
      state and acknowledging Group1 interrupts from Secure state is only
      allowed if AckCtl bit is set.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-14-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-14-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: simplify significantly by reusing the existing
       gic_get_current_pending_irq() rather than reimplementing the
       same logic here]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f9c6a7f1395c6d88a3bb1a0cb48811994709966e
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/intc/arm_gic: Change behavior of EOIR writes

      Grouping (GICv2) and Security Extensions change the behavior of EOIR
      writes. Completing Group0 interrupts is only allowed from Secure state.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-13-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-13-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: Rather than go to great lengths to ignore the UNPREDICTABLE case
       of a Secure EOI of a Group1 (NS) irq with AckCtl == 0, we just let
       it fall through; add a comment about it.]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7c0fa108d918ab818e49c4588ab290004d6b532e
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/intc/arm_gic: Handle grouping for GICC_HPPIR

      Grouping (GICv2) and Security Extensions change the behaviour of reads
      of the highest priority pending interrupt register (ICCHPIR/GICC_HPPIR).

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-12-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-12-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: make utility fn static; coding style fixes; AckCtl has an effect
       for GICv2 without security extensions as well; removed checks on enable
       bits because these are done when we set current_pending[cpu]]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8150847061f8d2606101bfff77cc6ec86b081ab0
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Restrict priority view

      GICs with Security Extensions restrict the non-secure view of the
      interrupt priority and priority mask registers.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-11-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-15-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: minor code tweaks; fixed missing masking in gic_set_priority_mask
      and gic_set_priority]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 08efa9f2d1bb27d64fbedcc2879ca45ae6832c20
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Implement Non-secure view of RPR

      For GICs with Security Extensions Non-secure reads have a restricted
      view on the current running priority.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-10-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-11-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: make function static, minor comment tweak]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 32951860834f09d1c1a0b81d8d7d5529e2d0e074
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Make ICCICR/GICC_CTLR banked

      ICCICR/GICC_CTLR is banked in GICv1 implementations with Security
      Extensions or in GICv2 in independent from Security Extensions.
      This makes it possible to enable forwarding of interrupts from
      the CPU interfaces to the connected processors for Group0 and Group1.

      We also allow to set additional bits like AckCtl and FIQEn by changing
      the type from bool to uint32. Since the field does not only store the
      enable bit anymore and since we are touching the vmstate, we use the
      opportunity to rename the field to cpu_ctlr.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-9-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-9-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: rewrote to store state in a single uint32_t rather than
       keeping the NS and S banked variants separate; this considerably
       simplifies the get/set functions]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 822e9cc310484f77e0b1c16fbef763a5d0eec80a
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Make ICCBPR/GICC_BPR banked

      This register is banked in GICs with Security Extensions. Storing the
      non-secure copy of BPR in the abpr, which is an alias to the non-secure
      copy for secure access. ABPR itself is only accessible from secure state
      if the GIC implements Security Extensions.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-8-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-10-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: rewrote to fix style issues and correct handling of GICv2
       without security extensions]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 679aa175e84f5f80b32b307fce5a6b92729e0e61
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Make ICDDCR/GICD_CTLR banked

      ICDDCR/GICD_CTLR is banked if the GIC has the security extensions,
      and the S (or only) copy has separate enable bits for Group0 and
      Group1 enable if the GIC implements interrupt groups.

      EnableGroup0 (Bit [1]) in GICv1 is architecturally IMPDEF. Since this
      bit (Enable Non-secure) is present in the integrated GIC of the Cortex-A9
      MPCore, we support this bit in our GICv1 implementation too.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-7-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-8-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: rewritten to store the state in a single s->ctlr uint32,
       with the NS register handled as an alias of bit 1 in that value;
       added vmstate version bump]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit eb8b9530b0c618d4f2e728eae10d89239d35b0c0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic_kvm.c: Save and restore GICD_IGROUPRn state

      Now that the GIC base class has state fields for the GICD_IGROUPRn
      registers, make kvm_arm_gic_get() and kvm_arm_gic_put() write and
      read them. This allows us to remove the check that made us
      fail migration if the guest had set any of the group register bits.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit c27a5ba94874cb3a29e21b3ad4bd5e504aea93b2
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Add Interrupt Group Registers

      The Interrupt Group Registers allow the guest to configure interrupts
      into one of two groups, where Group0 are higher priority and may
      be routed to IRQ or FIQ, and Group1 are lower priority and always
      routed to IRQ. (In a GIC with the security extensions Group0 is
      Secure interrupts and Group 1 is NonSecure.)
      The GICv2 always supports interrupt grouping; the GICv1 does only
      if it implements the security extensions.

      This patch implements the ability to read and write the registers;
      the actual functionality the bits control will be added in a
      subsequent patch.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-5-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-7-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: bring GIC_*_GROUP macros into line with the others, ie a
       simple SET/CLEAR/TEST rather than GROUP0/GROUP1;
       utility gic_has_groups() function;
       minor style fixes;
       bump vmstate version]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a9d853533cc1a27dc09b10c7ab89677f9c5dd8f4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      hw/intc/arm_gic: Switch to read/write callbacks with tx attributes

      Switch the GIC's MMIO callback functions to the read_with_attrs
      and write_with_attrs functions which provide MemTxAttrs. This will
      allow the GIC to correctly handle secure and nonsecure register
      accesses.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1430502643-25909-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 5543d1abb6e218a9d3b8887b777fd3947c86c4cf
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      hw/intc/arm_gic: Add Security Extensions property

      Add a QOM property which allows the GIC Security Extensions to be
      enabled. These are an optional part of the GICv1 and GICv2 architecture.
      This commit just adds the property and some sanity checks that it
      is only enabled on GIC revisions that support it.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-3-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-5-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: changed property name, added checks that it isn't set for
       older GIC revisions or if using the KVM VGIC; reworded commit message]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 44f552964714a41ccd41b5e8ac4cbd2478249db1
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      hw/intc/arm_gic: Create outbound FIQ lines

      Create the outbound FIQ lines from the GIC to the CPUs; these are
      used if the GIC has security extensions or grouping support.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-2-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-2-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: added FIQ lines to kvm-arm-gic so its interface is the same;
      tweaked commit message]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 16b781aaef69c90d5f4f5456615f0c26a4f45740
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      hw/sd: Don't pass BlockBackend to sd_reset()

      The only valid BlockBackend to pass to sd_reset() is the one for
      the SD card, which is sd->blk. Drop the second argument from this
      function in favour of having it just use sd->blk.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1430683444-9797-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 165cdaf857dc850f676fff0b5b873a51865baa9c
  Author: Adrian Huang <adrianhuang0701@xxxxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      armv7m_nvic: systick: Reload the RELOAD value and count down only if 
ENABLE bit is set

      Consider the following pseudo code to configure SYSTICK (The
      recommended programming sequence from "the definitive guide to the
      arm cortex-m3"):
          SYSTICK Reload Value Register = 0xffff
          SYSTICK Current Value Register = 0
          SYSTICK Control and Status Register = 0x7

      The pseudo code "SYSTICK Current Value Register = 0" leads to invoking
      systick_reload(). As a consequence, the systick.tick member is updated
      and the systick timer starts to count down when the ENABLE bit of
      SYSTICK Control and Status Register is cleared.

      The worst case is that: during the system initialization, the reset
      value of the SYSTICK Control and Status Register is 0x00000000.
      When the code "SYSTICK Current Value Register = 0" is executed, the
      systick.tick member is accumulated with "(s->systick.reload + 1) *
      systick_scale(s)". The systick_scale() gets the external_ref_clock
      scale because the CLKSOURCE bit of the SYSTICK Control and Status
      Register is cleared. This is the incorrect behavior because of the
      code "SYSTICK Control and Status Register = 0x7". Actually, we want
      the processor clock instead of the external reference clock.

      This incorrect behavior defers the generation of the first interrupt.

      The patch fixes the above-mentioned issue by setting the systick.tick
      member and modifying the systick timer only if the ENABLE bit of
      the SYSTICK Control and Status Register is set.

      In addition, the Cortex-M3 Devices Generic User Guide mentioned that
      "When ENABLE is set to 1, the counter loads the RELOAD value from the
      SYST RVR register and then counts down". This patch adheres to the
      statement of the user guide.

      Signed-off-by: Adrian Huang <adrianhuang0701@xxxxxxxxx>
      Reviewed-by: Jim Huang <jserv.tw@xxxxxxxxx>
      [PMM: minor tweak to comment text]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 19fbe5084c1da6af95177c86e4cab64241d479a8
  Merge: 704eb1c 7db161f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 10:40:31 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Mon May 11 16:25:58 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        rocker: timestamp on the debug logs helps correlate with events in the 
VM
        MAINTAINERS: add rocker
        rocker: add tests
        rocker: add new rocker switch device
        pci: add network device class 'other' for network switches
        pci: add rocker device ID
        rocker: add register programming guide
        virtio-net: use qemu_mac_strdup_printf
        net: add MAC address string printer

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 704eb1c09963149db4a3407d5ba173ba2a9244bb
  Merge: 0403b0f 1ceca07
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 09:01:51 2015 +0100

      Merge remote-tracking branch 'remotes/qmp-unstable/tags/for-upstream' 
into staging

      QMP pull request

      # gpg: Signature made Mon May 11 14:15:19 2015 BST using RSA key ID 
E24ED5A7
      # gpg: Good signature from "Luiz Capitulino <lcapitulino@xxxxxxxxx>"

      * remotes/qmp-unstable/tags/for-upstream:
        scripts: qmp-shell: Add verbose flag
        scripts: qmp-shell: add transaction subshell
        scripts: qmp-shell: Expand support for QMP expressions
        scripts: qmp-shell: refactor helpers
        MAINTAINERS: New maintainer for QMP and QAPI
        json-parser: Accept 'null' in QMP
        qobject: Add a special null QObject
        qobject: Clean up around qtype_code
        QJSON: Use OBJECT_CHECK

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0403b0f539f40a21da60409b825b4653b273ab39
  Merge: 266745c bc1f7c4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 16:21:50 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc, virtio enhancements

      Memory hot-unplug support for pc, MSI-X
      mapping update speedup for virtio-pci,
      misc refactorings and bugfixes.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon May 11 08:23:43 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (28 commits)
        acpi: update expected files for memory unplug
        virtio-scsi: Move DEFINE_VIRTIO_SCSI_FEATURES to virtio-scsi
        virtio-net: Move DEFINE_VIRTIO_NET_FEATURES to virtio-net
        pci: Merge pci_nic_init() into pci_nic_init_nofail()
        acpi: add a missing backslash to the \_SB scope.
        qmp-event: add event notification for memory hot unplug error
        acpi: add hardware implementation for memory hot unplug
        acpi: fix "Memory device control fields" register
        acpi: extend aml_field() to support UpdateRule
        acpi, mem-hotplug: add unplug cb for memory device
        acpi, mem-hotplug: add unplug request cb for memory device
        acpi, mem-hotplug: add acpi_memory_slot_status() to get MemStatus
        docs: update documentation for memory hot unplug
        virtio: coding style tweak
        pci: remove hard-coded bar size in msix_init_exclusive_bar()
        virtio-pci: speedup MSI-X masking and unmasking
        virtio: introduce vector to virtqueues mapping
        virtio-ccw: using VIRTIO_NO_VECTOR instead of 0 for invalid virtqueue
        monitor: check return value of qemu_find_net_clients_except()
        monitor: replace the magic number 255 with MAX_QUEUE_NUM
        ...

      Conflicts:
        hw/s390x/s390-virtio-bus.c

      [PMM: fixed conflict in s390_virtio_scsi_properties and
      s390_virtio_net_properties arrays; since the result of the
      two conflicting patches is to empty the property arrays
      completely, the conflict resolution is to remove them entirely.]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 266745cacb848d7cd0ae8889ae262e8718ace4d4
  Merge: 9ad2c8c 3446a11
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 15:07:12 2015 +0100

      Merge remote-tracking branch 
'remotes/bkoppelmann/tags/pull-tricore-20150511' into staging

      TriCore bugfixes

      # gpg: Signature made Mon May 11 13:26:40 2015 BST using RSA key ID 
6B69CA14
      # gpg: Good signature from "Bastian Koppelmann 
<kbastian@xxxxxxxxxxxxxxxxxxxxx>"

      * remotes/bkoppelmann/tags/pull-tricore-20150511:
        target-tricore: fix rfe not restoring the PC
        target-tricore: fix rslcx restoring the upper context instead of the 
lower
        target-tricore: fix BO_OFF10_SEXT calculating the wrong offset
        target-tricore: fix SLR_LD_W and SLR_LD_W_POSTINC insn being a 2 byte 
memory access insted of 4
        target-tricore: Fix LOOP using wrong register for compare

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7db161f6dd144760b2912026d992837ef80ca7e7
  Author: David Ahern <dsahern@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:33 2015 -0700

      rocker: timestamp on the debug logs helps correlate with events in the VM

      Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-10-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit de24d3f1013dbee65b42f34cb825f056647861a5
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:32 2015 -0700

      MAINTAINERS: add rocker

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-9-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 63d2ada2f55a85c3143ecf69a5aeecf6b3f3ffc9
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:31 2015 -0700

      rocker: add tests

      Add some basic test for rocker to test L2/L3/L4 functionality.  Requires 
an
      external test environment, simp, located here:

      https://github.com/scottfeldman/simp

      To run tests, simp environment must be installed and a suitable VM image 
built
      and installed with a Linux 3.18 (or greater) kernel with rocker driver 
support
      enabled.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Message-id: 1426306173-24884-8-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dc488f888060afdc129e0cc8812cf50c4c083423
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:30 2015 -0700

      rocker: add new rocker switch device

      Rocker is a simulated ethernet switch device.  The device supports up to 
62
      front-panel ports and supports L2 switching and L3 routing functions, as 
well
      as L2/L3/L4 ACLs.  The device presents a single PCI device for each 
switch,
      with a memory-mapped register space for device driver access.

      Rocker device is invoked with -device, for example a 4-port switch:

        -device rocker,name=sw1,len-ports=4,ports[0]=dev0,ports[1]=dev1, \
               ports[2]=dev2,ports[3]=dev3

      Each port is a netdev and can be paired with using -netdev id=<port name>.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Acked-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Acked-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
      Message-id: 1426306173-24884-7-git-send-email-sfeldma@xxxxxxxxx

      rocker: fix clang compiler errors

      Consolidate all forward typedef declarations to rocker.h.

      Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
      Acked-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Acked-by: Jiri Pirko <jiri@xxxxxxxxxxx>

      rocker: add support for flow modification

      We had support for flow add/del.  This adds support for flow mod.  I 
needed
      this for L3 support where an existing route is modified using 
NLM_F_REPLACE.
      For example:

        ip route add 12.0.0.0/30 nexthop via 11.0.0.1 dev swp1
        ip route change 12.0.0.0/30 nexthop via 11.0.0.9 dev swp2

      The first cmd adds the route.  The second cmd changes the existing route 
by
      changing its nexthop info.

      In the device, a mod operation results in the matching flow enty being 
modified
      with the new settings.  This is atomic to the device.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dc407ae8a75d03cf48e114d3812d077fa29a8bd9
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:29 2015 -0700

      pci: add network device class 'other' for network switches

      Rocker is an ethernet switch device, so add 'other' network device class 
as
      defined by PCI to cover these types of devices.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-6-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5dcc26371dcc72976777c51f0251127716a59ed8
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:28 2015 -0700

      pci: add rocker device ID

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-5-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit bbc53c7e2580264fe2b6ea84bd8f3480bcc7c845
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:27 2015 -0700

      rocker: add register programming guide

      This is the register programming guide for the Rocker device.  It's 
intended
      for driver writers and device writers.  It covers the device's PCI space,
      the register set, DMA interface, and interrupts.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-4-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b0575ba4a52c9259357af29d842950e978306fa4
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:26 2015 -0700

      virtio-net: use qemu_mac_strdup_printf

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1426306173-24884-3-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 890ee6abb385d6508bba7f5273c74a8e43bea6af
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:25 2015 -0700

      net: add MAC address string printer

      We can use this in virtio-net code as well as new Rocker driver code, so
      up-level this.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1426306173-24884-2-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1ceca07e48ead0dd2e41576c81d40e6a91cafefd
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Apr 29 15:14:04 2015 -0400

      scripts: qmp-shell: Add verbose flag

      Add a verbose flag that shows the QMP command that was
      constructed, to allow for later copy/pasting, reference,
      debugging, etc.

      The QMP is converted from a Python literal to JSON first,
      to ensure that it is viable input to the actual QMP parser.

      As a side-effect, this JSON output will helpfully show all
      the necessary conversions that were performed on the input,
      illustrating that "True" was transformed back into "true",
      literal values are now escaped with "" instead of '', and so on.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 30bd6815efbaf5bae70885feac9a35e149e2f1ad
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Apr 29 15:14:03 2015 -0400

      scripts: qmp-shell: add transaction subshell

      Add a special processing mode to craft transactions.

      By entering "transaction(" the shell will enter a special
      mode where each subsequent command will be saved as a transaction
      instead of executed as an individual command.

      The transaction can be submitted by entering ")" on a line by itself.

      Examples:

      Separate lines:

      (QEMU) transaction(
      TRANS> block-dirty-bitmap-add node=drive0 name=bitmap1
      TRANS> block-dirty-bitmap-clear node=drive0 name=bitmap0
      TRANS> )

      With a transaction action included on the first line:

      (QEMU) transaction( block-dirty-bitmap-add node=drive0 name=bitmap2
      TRANS> block-dirty-bitmap-add node=drive0 name=bitmap3
      TRANS> )

      As a one-liner, with just one transaction action:

      (QEMU) transaction( block-dirty-bitmap-add node=drive0 name=bitmap0 )

      As a side-effect of this patch, blank lines are now parsed as no-ops,
      regardless of which shell mode you are in.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 6092c3ecc4bdafee5bf07061be78a4a2cc5a5088
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Apr 29 15:14:02 2015 -0400

      scripts: qmp-shell: Expand support for QMP expressions

      This includes support for [] expressions, single-quotes in
      QMP expressions (which is not strictly a part of JSON), and
      the ability to use "True", "False" and "None" literals instead
      of JSON's equivalent true, false, and null literals.

      qmp-shell currently allows you to describe values as
      JSON expressions:
      key={"key":{"key2":"val"}}

      But it does not currently support arrays, which are needed
      for serializing and deserializing transactions:
      key=[{"type":"drive-backup","data":{...}}]

      qmp-shell also only currently accepts doubly quoted strings
      as-per JSON spec, but QMP allows single quotes.

      Lastly, python allows you to utilize "True" or "False" as
      boolean literals, but JSON expects "true" or "false". Expand
      qmp-shell to allow the user to type either, converting to the
      correct type.

      As a consequence of the above, the key=val parsing is also improved
      to give better error messages if a key=val token is not provided.

      CAVEAT: The parser is still extremely rudimentary and does not
      expect to find spaces in {} nor [] expressions. This patch does
      not improve this functionality.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit a7430a0badc59bd6295936e06c1869e8fe32649d
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Apr 29 15:14:01 2015 -0400

      scripts: qmp-shell: refactor helpers

      Refactor the qmp-shell command line processing function
      into two components. This will be used to allow sub-expressions,
      which will assist us in adding transactional support to qmp-shell.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9740618cd2a0ed85b9c1648f05f3066f525f4b2e
  Author: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
  Date:   Tue May 5 10:39:15 2015 -0400

      MAINTAINERS: New maintainer for QMP and QAPI

      Markus is taking over maintership of QMP and the QAPI from
      me. Markus has always been a great reviewer and contributor
      to those subsystems. In the last few months he's also doing
      pull requests that are a lot more relevant than the ones I
      was able to do. So, this is a natural move.

      I'm still the maintainer of HMP and QObjects, but I'm
      looking for someone to take over those too.

      PS: This commit also fixes the file listing for the QMP
          entry.

      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e549e7161f37416ff66971d77d021d30057045ca
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Apr 29 15:35:06 2015 -0600

      json-parser: Accept 'null' in QMP

      We document that in QMP, the client may send any json-value
      for the optional "id" key, and then return that same value
      on reply (both success and failures, insofar as the failure
      happened after parsing the id).  [Note that the output may
      not be identical to the input, as whitespace may change and
      since we may reorder keys within a json-object, but that this
      still constitutes the same json-value].  However, we were not
      handling the JSON literal null, which counts as a json-value
      per RFC 7159.

      Also, down the road, given the QAPI schema of {'*foo':'str'} or
      {'*foo':'ComplexType'}, we could decide to allow the QMP client
      to pass { "foo":null } instead of the current representation of
      { } where omitting the key is the only way to get at the default
      NULL value.  Such a change might be useful for argument
      introspection (if a type in older qemu lacks 'foo' altogether,
      then an explicit "foo":null probe will force an easily
      distinguished error message for whether the optional "foo" key
      is even understood in newer qemu).  And if we add default values
      to optional arguments, allowing an explicit null would be
      required for getting a NULL value associated with an optional
      string that has a non-null default.  But all that can come at a
      later day.

      The 'check-unit' testsuite is enhanced to test that parsing
      produces the same object as explicitly requesting a reference
      to the special qnull object.  In addition, I tested with:

      $ ./x86_64-softmmu/qemu-system-x86_64 -qmp stdio -nodefaults
      {"QMP": {"version": {"qemu": {"micro": 91, "minor": 2, "major": 2}, 
"package": ""}, "capabilities": []}}
      {"execute":"qmp_capabilities","id":null}
      {"return": {}, "id": null}
      {"id":{"a":null,"b":[1,null]},"execute":"quit"}
      {"return": {}, "id": {"a": null, "b": [1, null]}}
      {"timestamp": {"seconds": 1427742379, "microseconds": 423128}, "event": 
"SHUTDOWN"}

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 481b002cc81ed7fc7b06e32e9d4d495d81739d14
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Apr 29 15:35:05 2015 -0600

      qobject: Add a special null QObject

      I'm going to fix the JSON parser to recognize null.  The obvious
      representation of JSON null as (QObject *)NULL doesn't work, because
      the parser already uses it as an error value.  Perhaps we should
      change it to free NULL for null, but that's more than I can do right
      now.  Create a special null QObject instead.

      The existing QDict, QList, and QString all represent something that
      is a pointer in C and could therefore be associated with NULL.  But
      right now, all three of these sub-types are always non-null once
      created, so the new null sentinel object is intentionally unrelated
      to them.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit a7c31816288a8f20fc387d69d441413e7a8c9ff1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Apr 29 15:35:04 2015 -0600

      qobject: Clean up around qtype_code

      QTYPE_NONE is a sentinel value.  No QObject has this type code.
      Document it properly.

      Fix dump_qobject() to abort() on QTYPE_NONE, just like for any other
      invalid type code.

      Fix to_json() to abort() on all invalid type codes, not just
      QTYPE_MAX.

      Clean up Property member qtype's type: it's a qtype_code.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 4cf2d837340589155acfda993c51e66eb5800416
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Sat Apr 25 12:28:06 2015 -0300

      QJSON: Use OBJECT_CHECK

      The QJSON code used casts to (QJSON*) directly, instead of OBJECT_CHECK.
      There were even some functions using object_dynamic_cast() calls
      followed by assert(), which is exactly what OBJECT_CHECK does (by
      calling object_dynamic_cast_assert()).

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9ad2c8cd41a086020e21aa6d616b73bd5e2a800b
  Merge: b951cda 0caef8f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 13:54:00 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-05-09' into staging

      trivial patches for 2015-05-09

      # gpg: Signature made Fri May  8 22:58:42 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-05-09:
        docs: update BLOCK_IMAGE_CORRUPTED documentation
        glib-compat.h: change assert to g_assert
        Remove various unused functions
        sheepdog: fix resource leak with sd_snapshot_create
        xhci: remove unused code

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3446a11181c6e8263dbd9c13c28986df4317099e
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue May 5 19:41:10 2015 +0200

      target-tricore: fix rfe not restoring the PC

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit bc72f8aaf23fa11833e0e04c10b5c0e1036c2609
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue May 5 19:39:18 2015 +0200

      target-tricore: fix rslcx restoring the upper context instead of the lower

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 4959d6b3662d94a5add5811ba1ff5243116b8987
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue May 5 19:36:55 2015 +0200

      target-tricore: fix BO_OFF10_SEXT calculating the wrong offset

      The lower part of the combined offset was sign extended and could lead to
      wrong results.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 7bd0eaec311d188412123a034abb44595deb7dae
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri Apr 3 14:29:22 2015 +0200

      target-tricore: fix SLR_LD_W and SLR_LD_W_POSTINC insn being a 2 byte 
memory access insted of 4

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 250ef8c76861c756354ed1c67f0a4524e5339369
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue Dec 9 16:04:46 2014 +0000

      target-tricore: Fix LOOP using wrong register for compare

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit b951cda21d6b232f138ccf008e12bce8ddc95465
  Merge: ec62ad1 ca44148
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 12:01:09 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      - build bugfix from Fam and new configure check from Emilio
      - two improvements to "info mtere" from Gerd
      - KVM support for memory transaction attributes
      - one more small step towards unlocked MMIO dispatch
      - one piece of the qemu-nbd errno fixes
      - trivial-ish patches from Denis and Thomas

      # gpg: Signature made Fri May  8 13:47:29 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        qemu-nbd: only send a limited number of errno codes on the wire
        rules.mak: Force CFLAGS for all objects in DSO
        configure: require __thread support
        exec: move rcu_read_lock/unlock to address_space_translate callers
        kvm: add support for memory transaction attributes
        mtree: also print disabled regions
        mtree: tag & indent a bit better
        apic_common: improve readability of apic_reset_common
        kvm: Silence warning from valgrind

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ec62ad1e27ffd1f7ff2172a916d161cc385e73bd
  Merge: 4ae740c 1271f7f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 10:43:08 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150508-1' 
into staging

      gtk: add ui_info support, cleanups + fixes.

      # gpg: Signature made Fri May  8 12:47:04 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150508-1:
        gtk: update mouse position in mouse_set()
        gtk: create gtk.h
        gtk: add ui_info support
        console: add dpy_ui_info_supported
        console: delayed ui_info guest notification

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4ae740cc0e4a123047b40c373e699e28031d420e
  Merge: fc85cf4 ca5a21c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 09:42:20 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20150508-1' 
into staging

      usb: qomify, bugfixes for xhci & uhci.

      # gpg: Signature made Fri May  8 12:39:28 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-usb-20150508-1:
        uhci: controller is halted after reset
        usb: usb-serial QOMify
        usb: usb-redir QOMify
        usb: usb-wacom-tablet QOMify
        usb: usb-uas QOMify
        usb: usb-storage QOMify
        usb: usb-ccid QOMify
        usb: usb-net QOMify
        usb-mtp: fix segmentation fault
        usb: usb-mtp QOMify
        usb: usb-hub QOMify
        usb: usb-hid QOMify
        usb: usb-bt QOMify
        usb: usb-audio QOMify
        uhci: QOMify
        xhci: fix events for setup trb.
        Revert "xhci: generate a Transfer Event for each Transfer TRB with the 
IOC bit set"
        xhci: set timer to retry xfers
        usb: fix usb-net segfault

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bc1f7c4c915a7c727741c4d27a2795e1039eacd3
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon May 11 09:21:37 2015 +0200

      acpi: update expected files for memory unplug

      commit c06b2ffb02bfcc642c67300d2c4dffd5aa54932b
          acpi: add hardware implementation for memory hot unplug

      Changed both the DSDT and the SSDT. Update the expected files
      accordingly.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fc85cf4a8199a657fdfd5fb902f1835973406454
  Merge: f8340b3 3cda44f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun May 10 21:40:54 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150508' into 
staging

      Assorted s390x patches:
      - updates for virtio-ccw and s390-virtio, making them more similar
        to virtio-pci
      - improvements regarding per-vcpu interrupts and migration

      # gpg: Signature made Fri May  8 09:45:09 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150508:
        s390x/kvm: migrate vcpu interrupt state
        s390x: move fpu regs into a subsection of the vmstate
        s390x/kvm: use ioctl KVM_S390_IRQ for vcpu interrupts
        virtio-ccw: implement ->device_plugged
        virtio-ccw: change realization sequence
        s390-virtio: clear {used,avail}_event_idx on reset as well
        s390-virtio: use common features
        s390-virtio: Accommodate guests using virtqueues too early

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca4414804114fd0095b317785bc0b51862e62ebb
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 7 17:25:10 2015 +0200

      qemu-nbd: only send a limited number of errno codes on the wire

      Right now, NBD includes potentially platform-specific error values in
      the wire protocol.

      Luckily, most common error values are more or less universal: in
      particular, of all errno values <= 34 (up to ERANGE), they are all the
      same on supported platforms except for 11 (which is EAGAIN on Windows and
      Linux, but EDEADLK on Darwin and the *BSDs).  So, in order to guarantee
      some portability, only keep a handful of possible error codes and squash
      everything else to EINVAL.

      This patch defines a limited set of errno values that are valid for the
      NBD protocol, and specifies recommendations for what error to return
      in specific corner cases.  The set of errno values is roughly based on
      the errors listed in the read(2) and write(2) man pages, with some
      exceptions:

      - ENOMEM is added for servers that implement copy-on-write or other
        formats that require dynamic allocation.

      - EDQUOT is not part of the universal set of errors; it can be changed
        to ENOSPC on the wire format.

      - EFBIG is part of the universal set of errors, but it is also changed
        to ENOSPC because it is pretty similar to ENOSPC or EDQUOT.

      Incoming values will in general match system errno values, but not
      on the Hurd which has different errno values (they have a "subsystem
      code" equal to 0x10 in bits 24-31).  The Hurd is probably not something
      to which QEMU has been ported, but still do the right thing and
      reverse-map the NBD errno values to the system errno values.

      The corresponding patch to the NBD protocol description can be found at
      http://article.gmane.org/gmane.linux.drivers.nbd.general/3154.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d24697e1824467f3921c84a94f011f43d6466403
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu May 7 14:55:15 2015 +0800

      rules.mak: Force CFLAGS for all objects in DSO

      Because of the trick of process-archive-undefs, all .mo objects, even
      with --enable-modules, are dependencies of executables.

      This breaks CFLAGS propogation because the compiling of module object
      will happen too early before building for DSO.

      With GCC 5, the linking would fail because .o doesn't have -fPIC. Also,
      BUILD_DSO will be missed. (module-common.o will have it, so the stamp
      symbol was still liked in .so).

      Fix the problem by forcing the CFLAGS on individual .o-cflags during
      unnest-vars.

      Reported-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx # 2.3
      Message-Id: <1430981715-31465-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0caef8f6df4a9426bd6333ab843ce51ce005d7d0
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Thu May 7 17:58:26 2015 +0300

      docs: update BLOCK_IMAGE_CORRUPTED documentation

      Label the "size" and "offset" fields in BLOCK_IMAGE_CORRUPTED as
      optional, and clarify that the latter refers to the host's offset into
      the image.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f20f2a1f339b99f5b840367236ddce9d9736247c
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Thu May 7 13:38:02 2015 +0300

      glib-compat.h: change assert to g_assert

      include/glib-compat.h defines a bunch of functions based on glib 
primitives,
      and uses assert() without including assert.h.  Replace assert() with
      g_assert() to make the file more self-contained, and to fix compilation
      breakage after 28507a415a9b1e.

      Reported-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Tested-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>

  commit ac9541579eb95b0b8c93ca58d0a074e1f22cd55a
  Author: Thomas Huth <huth@xxxxxxxxxxxxx>
  Date:   Sun May 3 10:47:22 2015 +0200

      Remove various unused functions

      The functions tpm_backend_thread_tpm_reset() and iothread_find()
      are completely unused, let's remove them.

      Signed-off-by: Thomas Huth <huth@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 973a8529c54f9e4410a0e4a18ca1dcb2b085ca7e
  Author: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
  Date:   Tue May 5 09:48:03 2015 +0800

      sheepdog: fix resource leak with sd_snapshot_create

      Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit e5a88b0cf3c902d6e9b342a90f0a4a4d5d954f7a
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Apr 28 17:11:03 2015 +0800

      xhci: remove unused code

      Value from xfer->packet.ep is assigned to ep here, but that
      stored value is not used before it is overwritten. Remove it.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ca5a21c40d95d7a4e26ea0a304fd2cd8ad4e6ae1
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu May 7 09:24:00 2015 +0200

      uhci: controller is halted after reset

      ... and the status register should say so.

      Fixes "usbus0: controller did not stop" error printed by freebsd.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit cdf0d7694d877f19936d7404fd10b580f6e9a9b1
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:36 2015 +0800

      usb: usb-serial QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d371cbc778e1868b18faa8d6764602b1f4806100
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:35 2015 +0800

      usb: usb-redir QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 924e567e1e6641f4af7e927f9c420cc7b4464073
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:34 2015 +0800

      usb: usb-wacom-tablet QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0b06d099b0ab9b055414508ca55133b200d675f8
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:33 2015 +0800

      usb: usb-uas QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 79e2590cbf9887a99a65d2aa62da78c6dfd9cdb8
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:32 2015 +0800

      usb: usb-storage QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 61b4887b41b270bc837ead57bc502d904af023bb
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:31 2015 +0800

      usb: usb-ccid QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit fe47db72210dc17b794954f978ef1d1236cbeb72
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:30 2015 +0800

      usb: usb-net QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e60baebd409d547292c778d599111ea1623dd4b5
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:29 2015 +0800

      usb-mtp: fix segmentation fault

      When x-root property not be configured, will cause segfault
      because of null pointer accessing. Add a check for s->root
      property avoid segfault.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 7c03a899e6e4030a88bd42c4d494e3a7521806ea
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:28 2015 +0800

      usb: usb-mtp QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e81b13ad94803bf13491bb71c8a76a5d7db9ddf1
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:27 2015 +0800

      usb: usb-hub QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f56691295e38429bbfe476d57676c53bcb1fd437
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:26 2015 +0800

      usb: usb-hid QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit a293e82bbef666f66be733993e276998319568e1
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:25 2015 +0800

      usb: usb-bt QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0389a0b10967b639ac7444453274b910a4b6f2ed
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:24 2015 +0800

      usb: usb-audio QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 49184b6253a50385c5e934cc4eb813b79cc956f2
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:23 2015 +0800

      uhci: QOMify

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit df0f1692db9236a469496cc09fc7bd5faf31efad
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 28 09:31:44 2015 +0200

      xhci: fix events for setup trb.

      When we find a IOC bit set on a setup trb and therefore queue an event,
      that should not stop events being generated for following data trbs.
      So clear the 'reported' flag.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 88dbed3f5946b74cf02c1bb0082b8c50037720ea
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 28 09:19:35 2015 +0200

      Revert "xhci: generate a Transfer Event for each Transfer TRB with the 
IOC bit set"

      This makes xhci generate multiple short packet events in case of
      multi-trb transfers.  Which is wrong.  We need to fix this in a
      different way.

      This reverts commit aa6857891df614c620e6e9fc4bc4af6e0e49cafd.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 4e8cfbe1143d8384387595b500212d7a7f11aeae
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 28 09:19:14 2015 +0200

      xhci: set timer to retry xfers

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 278412d0e710e2e848c6e510f8308e5b1ed4d03e
  Author: Michal Kazior <michal.kazior@xxxxxxxxx>
  Date:   Wed Apr 29 11:34:59 2015 +0000

      usb: fix usb-net segfault

      The dev->config pointer isn't set until guest
      system initializes usb devices (via
      usb_desc_set_config). However qemu networking can
      go through some motions prior to that, e.g.:

       #0  is_rndis (s=0x555557261970) at hw/usb/dev-network.c:653
       #1  0x000055555585f723 in usbnet_can_receive (nc=0x55555641e820) at 
hw/usb/dev-network.c:1315
       #2  0x000055555587635e in qemu_can_send_packet (sender=0x5555572660a0) 
at net/net.c:470
       #3  0x0000555555878e34 in net_hub_port_can_receive (nc=0x5555562d7800) 
at net/hub.c:101
       #4  0x000055555587635e in qemu_can_send_packet (sender=0x5555562d7980) 
at net/net.c:470
       #5  0x000055555587dbca in tap_can_send (opaque=0x5555562d7980) at 
net/tap.c:172

      The command to reproduce most reliably was:

       qemu-system-i386 -usb -device usb-net,vlan=0 -net tap,vlan=0

      This wasn't strictly a problem with tap. Other
      networking endpoints (vde, user) could trigger
      this problem as well.

      Fixes: https://bugs.launchpad.net/qemu/+bug/1050823
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Michal Kazior <michal.kazior@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 768b7855c86c4f46b605183ae9451e9af64ca288
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Wed Apr 29 13:09:02 2015 +0200

      configure: require __thread support

      The codebase doesn't build without __thread support.
      Formalise this requirement by adding a check for it in the
      configure script.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3cda44f7bae5c9feddc11630ba6eecb2e3bed425
  Author: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Mar 2 17:44:24 2015 +0100

      s390x/kvm: migrate vcpu interrupt state

      This patch adds support to migrate vcpu interrupts.
      We use ioctl KVM_S390_GET_IRQ_STATE and _SET_IRQ_STATE
      to get/set the complete interrupt state for a vcpu.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 46c804def4bda2491c546e8e33b86fe4981e4b68
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Mar 30 13:22:47 2015 +0200

      s390x: move fpu regs into a subsection of the vmstate

      Let's move the floating point registers into a seperate subsection and
      bump up the version id. This cleans up the current vmstate and will
      allow for a future extension with vector registers in a compatible way.

      This patch is based on a patch from Eric Farman.

      Reviewed-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 1191c94963f36b3f9631fcd1ec2e9296631b407e
  Author: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Dec 18 17:38:05 2014 +0100

      s390x/kvm: use ioctl KVM_S390_IRQ for vcpu interrupts

      KVM_S390_INT uses only two parameter fields. This is not
      enough to pass all required information for certain interrupts.

      A new ioctl KVM_S390_IRQ is available which allows us to
      inject all local interrupts as defined in the Principles of
      Operation. It takes a struct kvm_s390_irq as a parameter
      which can store interrupt payload data for all interrupts.

      Let's use the new ioctl for injecting vcpu interrupts.

      Tested-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fb846a094fdee7bb6a88b48aeed0d97a8080a20d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Apr 21 16:36:56 2015 +0200

      virtio-ccw: implement ->device_plugged

      Let's move operations that are only valid after the backend has been
      realized to a ->device_plugged callback, just as virtio-pci does.
      Also reorder setting up the host feature bits to the sequence used
      by virtio-pci.

      While we're at it, also add a ->device_unplugged callback to stop
      ioeventfd, just to be on the safe side.

      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Message-Id: <1429627016-30656-3-git-send-email-cornelia.huck@xxxxxxxxxx>

  commit 1fa755234e24697cc76f326782edbb09bd0a3a53
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Apr 21 16:36:55 2015 +0200

      virtio-ccw: change realization sequence

      virtio-ccw has an odd sequence of realizing devices: first the
      device-specific relization (net, block, ...), then the generic
      realization. It feels less odd to have the generic realization
      callback trigger the device-specific realization instead (and this
      also matches what virtio-pci does).

      One thing to note: We need to defer initializing the cu model in the
      sense id data until after the device-specific realization has been
      performed, as we need to refer to the virtio device's device_id.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Message-Id: <1429627016-30656-2-git-send-email-cornelia.huck@xxxxxxxxxx>

  commit 77ae0b2a6e731ab7b97e9fae401c579397edb31c
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Mon May 4 15:27:25 2015 +0200

      s390-virtio: clear {used,avail}_event_idx on reset as well

      The old s390-virtio transport clears the vring used/avail indices in
      the shared area on reset. When we enabled event_idx for virtio-blk, we
      noticed that this is not enough: We also need to clear the published
      used/avail event indices, or reboot will fail.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f50616a81b7f88a9adac16f3ea0236311a748eca
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Apr 29 15:30:58 2015 +0200

      s390-virtio: use common features

      We used to avoid enabling event_idx for virtio-blk devices via
      s390-virtio, but we now have a workaround in place for guests trying
      to use the device before setting DRIVER_OK. Therefore, let's add
      DEFINE_VIRTIO_COMMON_FEATURES to the base device so all devices get
      those common features - and make s390-virtio use the same mechanism
      as the other transports do.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit cb927b8aee7c3993a43cb829f7341071f873857b
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Thu Apr 30 17:53:13 2015 +0200

      s390-virtio: Accommodate guests using virtqueues too early

      Feature updates are not a synchronuous operation for the legacy
      s390-virtio transport. This transport syncs the guest feature bits
      (those from finalize) on the set_status hypercall. Before that qemu
      thinks that features are zero, which means QEMU will misbehave, e.g.
      it will not write the event index, even if the guest asks for it.

      Let's detect the case where a kick happens before the driver is ready
      and force sync the features.
      With this workaround, it is now safe to switch to the common feature
      bit handling code as used by all other transports.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f8340b360b9bc29d48716ba8aca79df2b9544979
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Wed Sep 10 18:33:58 2014 +1000

      hw/ptimer: Do not artificially limit timers when using icount

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 838686357b1a175e9a32569700a153b207a9e10f
  Merge: 38003ae 362ba4e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu May 7 18:22:03 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150507-1' into staging

      migration/next for 20150507

      # gpg: Signature made Thu May  7 17:42:19 2015 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150507-1:
        migration: Fix migration state update issue
        migration: avoid divide by zero in xbzrle cache miss rate
        migration: Add hmp interface to set and query parameters
        migration: Add qmp commands to set and query parameters
        migration: Use an array instead of 3 parameters
        migration: Add interface to control compression
        migration: Add the core code for decompression
        migration: Make compression co-work with xbzrle
        migration: Add the core code of multi-thread compression
        migration: Split save_zero_page from ram_save_page
        arch_init: Add and free data struct for decompression
        arch_init: Alloc and free data struct for compression
        qemu-file: Add compression functions to QEMUFile
        migration: Add the framework of multi-thread decompression
        migration: Add the framework of multi-thread compression
        docs: Add a doc about multiple thread compression

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 362ba4e3ee801e8f5e28d72d0009547384222927
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Fri May 8 02:31:22 2015 +0800

      migration: Fix migration state update issue

      If live migration is very fast and can be completed in 1 second,
      the dirty_sync_count of MigrationState will not be updated.
      Then you will see "dirty sync count: 0" in qemu monitor even if
      the actual dirty sync count is not 0.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 27ff42e29a1d12e9d9dbc473bbca36a50baf278b
  Author: Michael Chapman <mike@xxxxxxxxxxxxxxxxx>
  Date:   Wed Apr 15 13:59:14 2015 +1000

      migration: avoid divide by zero in xbzrle cache miss rate

      This bug manifested itself as a VM that could not be resumed by libvirt
      following a migration:

        # virsh resume example
        error: Failed to resume domain example
        error: internal error: cannot parse json {"return":
          {"xbzrle-cache":
            {..., "cache-miss-rate": -nan, ...},
            ...
          }
        }: lexical error: malformed number, a digit is required after the minus 
sign.

      This patch also ensures xbzrle_cache_miss_prev and iterations_prev are
      cleared at the start of the migration.

      Signed-off-by: Michael Chapman <mike@xxxxxxxxxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 50e9a629c6c92e73260cd3d7c2e3f5bfd84e47e2
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:29 2015 +0800

      migration: Add hmp interface to set and query parameters

      Add the hmp interface to tune and query the parameters used in
      live migration.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 85de83231ecde075c6b25897f2e74cd1767880e3
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:28 2015 +0800

      migration: Add qmp commands to set and query parameters

      Add the qmp commands to tune and query the parameters used in live
      migration.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 43c60a81ba15ea040709be5809a279a4ca59b26b
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:27 2015 +0800

      migration: Use an array instead of 3 parameters

      Put the three parameters related to multiple thread (de)compression
      into an int array, and use an enum type to index the parameter.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit dde4e694ae576462990b2ce711e62565e085c261
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:26 2015 +0800

      migration: Add interface to control compression

      The multiple compression threads can be turned on/off through
      qmp and hmp interface before doing live migration.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 68ae113646dc84637359472e89669e5547dc5ee3
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:25 2015 +0800

      migration: Add the core code for decompression

      Implement the core logic of multiple thread decompression,
      the decompression can work now.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 98f1138902195bd9ab8a753d0ee2cf2a0a88b6e8
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:24 2015 +0800

      migration: Make compression co-work with xbzrle

      Now, multiple thread compression can co-work with xbzrle. when
      xbzrle is on, multiple thread compression will only work at the
      first round of RAM data sync.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 20eb617eacf7a0ce76d9dd10ff246d6ae7f0b4e1
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:23 2015 +0800

      migration: Add the core code of multi-thread compression

      Implement the core logic of the multiple thread compression. At this
      point, multiple thread compression can't co-work with xbzrle yet.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e2102428c09901788a5e585f32f9e805137f5967
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:22 2015 +0800

      migration: Split save_zero_page from ram_save_page

      Split the function save_zero_page from ram_save_page so that we can
      reuse it later.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 3caf633dbde8a347cff49e960691c7fa6a82afa1
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:21 2015 +0800

      arch_init: Add and free data struct for decompression

      Define the data structure and variables used to do multiple thread
      decompression, and add the code to initialize and free them.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 474ddaf6e3aebc470f4665ef4f7ce6578448c6d1
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:20 2015 +0800

      arch_init: Alloc and free data struct for compression

      Define the data structure and variables used to do multiple thread
      compression, and add the code to initialize and free them.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 44f0eadc338f55d3bffe4fccefb1d4241defa418
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:19 2015 +0800

      qemu-file: Add compression functions to QEMUFile

      qemu_put_compression_data() compress the data and put it to QEMUFile.
      qemu_put_qemu_file() put the data in the buffer of source QEMUFile to
      destination QEMUFile.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 3fcb38c223510cf88c6101f5d218ce0840d1354c
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:18 2015 +0800

      migration: Add the framework of multi-thread decompression

      Add the code to create and destroy the multiple threads those will be
      used to do data decompression. Left some functions empty just to keep
      clearness, and the code will be added later.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8706d2d566cbf4bad2c5597bb57358e3d5f5caf0
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:17 2015 +0800

      migration: Add the framework of multi-thread compression

      Add the code to create and destroy the multiple threads those will
      be used to do data compression. Left some functions empty to keep
      clearness, and the code will be added later.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 263170e679dfb456f8812a0100073990586cecb5
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:16 2015 +0800

      docs: Add a doc about multiple thread compression

      Give some details about the multiple thread (de)compression and
      how to use it in live migration.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 38003aee196a96edccd4d64471beb1b67e9b2b17
  Merge: 233353e 00c8fa9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed May 6 11:16:35 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/tcg-next-20150505' into 
staging

      size reduction merge

      # gpg: Signature made Wed May  6 00:21:43 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/tcg-next-20150505:
        tcg: optimise memory layout of TCGTemp

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1271f7f7c60e0b0a3cc031921008a69dfd53bd34
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jul 1 19:12:45 2014 +0200

      gtk: update mouse position in mouse_set()

      Without that the next mouse motion event uses the old position
      as base for relative move calculation, giving wrong results and
      making your mouse pointer jump around.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit dc7ff344187db6a94294a87d63cf8332e8ed0e6f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Mar 4 15:37:27 2015 +0100

      gtk: create gtk.h

      Move various gtk bits (includes, data structures) to a header file.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1301e515eff267d4b8684e74a5b2c1b5cf03f103
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 13 12:47:00 2015 +0100

      gtk: add ui_info support

      Pass new display size to the guest after window resizes.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b7fb49f0c709a406f79372be397367ff2550373b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 13 12:21:14 2015 +0100

      console: add dpy_ui_info_supported

      Allow ui code to check whenever the emulated
      display supports display change notifications.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit cf1ecc82ab84dbfb4b6eea02c329bf9c2aa856ec
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Mar 12 12:51:13 2015 +0100

      console: delayed ui_info guest notification

      So we don't flood the guest with display change notifications
      while the user resizes the window.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 233353ec93e4541fa7ab1c53a922a6d5c2bfce7a
  Merge: 874e9ae ff55d72
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 5 18:22:12 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qmp-2015-05-05' 
into staging

      drop qapi nested structs

      # gpg: Signature made Tue May  5 17:40:40 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qmp-2015-05-05: (40 commits)
        qapi: Check for member name conflicts with a base class
        qapi: Support (subset of) \u escapes in strings
        qapi: Tweak doc references to QMP when QGA is also meant
        qapi: Drop dead visitor code related to nested structs
        qapi: Drop support for inline nested types
        qapi: Drop inline nested structs in query-pci
        qapi: Drop inline nested struct in query-version
        qapi: Drop tests for inline nested structs
        qapi: Merge UserDefTwo and UserDefNested in tests
        qapi: Forbid 'type' in schema
        qapi: Use 'struct' instead of 'type' in schema
        qapi: Document 'struct' metatype
        qapi: Prefer 'struct' over 'type' in generator
        qapi: More rigorous checking for type safety bypass
        qapi: Whitelist commands that don't return dictionary
        qapi: Require valid names
        qapi: More rigourous checking of types
        qapi: Add some type check tests
        qapi: Unify type bypass and add tests
        qapi: Allow true, false and null in schema json
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff55d72eaf9628e7d58e7b067b361cdbf789c9f4
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:37 2015 -0600

      qapi: Check for member name conflicts with a base class

      Our type inheritance for both 'struct' and for flat 'union' merges
      key/value pairs from the base class with those from the type in
      question.  Although the C code currently boxes things so that there
      is a distinction between which member is referred to, the QMP wire
      format does not allow passing a key more than once in a single
      object.  Besides, if we ever change the generated C code to not be
      quite so boxy, we'd want to avoid duplicate member names there,
      too.

      Fix a testsuite entry added in an earlier patch, as well as adding
      a couple more tests to ensure we have appropriate coverage.  Ensure
      that collisions are detected, regardless of whether there is a
      difference in opinion on whether the member name is optional.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit a7f5966b297330f6492020019544ae87c45d699b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:36 2015 -0600

      qapi: Support (subset of) \u escapes in strings

      The handling of \ inside QAPI strings was less than ideal, and
      really only worked JSON's \/, \\, \", and our extension of \'
      (an obvious extension, when you realize we use '' instead of ""
      for strings).  For other things, like '\n', it resulted in a
      literal 'n' instead of a newline.

      Of course, at the moment, we really have no use for escaped
      characters, as QAPI has to map to C identifiers, and we currently
      support ASCII only for that.  But down the road, we may add
      support for default values for string parameters to a command
      or struct; if that happens, it would be nice to correctly support
      all JSON escape sequences, such as \n or \uXXXX.  This gets us
      closer, by supporting Unicode escapes in the ASCII range.

      Since JSON does not require \OCTAL or \xXX escapes, and our QMP
      implementation does not understand them either, I intentionally
      reject it here, but it would be an easy addition if we desired it.
      Likewise, intentionally refusing the NUL byte means we don't have
      to worry about C strings being shorter than the qapi input.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 363b4262a10a52f6d7ac1073bab5e6648da4051b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:35 2015 -0600

      qapi: Tweak doc references to QMP when QGA is also meant

      We have more than one qapi schema in use by more than one protocol.
      Add a new term 'Client JSON Protocol' for use throughout the
      document, to avoid confusion on whether something refers only to
      QMP and not QGA.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit a82b982e2bddf7cd7cb490f83643e952e17d4523
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:34 2015 -0600

      qapi: Drop dead visitor code related to nested structs

      Now that we no longer have nested structs to visit, the use of
      prefix strings is no longer required.  Remove the code that is
      no longer reachable.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6b5abc7df7ef9aadb3ff0eba6ccf4f1f0181e2e1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:33 2015 -0600

      qapi: Drop support for inline nested types

      A future patch will be using a 'name':{dictionary} entry in the
      QAPI schema to specify a default value for an optional argument
      (see previous commit messages for more details why); but existing
      use of inline nested structs conflicts with that goal. Now that
      all commands have been changed to avoid inline nested structs,
      nuke support for them, and turn it into a hard error. Update the
      testsuite to reflect tighter parsing rules.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9fa02cd194a131aca75ab646ece975b6835400e1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:32 2015 -0600

      qapi: Drop inline nested structs in query-pci

      A future patch will be using a 'name':{dictionary} entry in the
      QAPI schema to specify a default value for an optional argument
      (see previous commit message for more details why); but existing
      use of inline nested structs conflicts with that goal. This patch
      fixes one of only two commands relying on nested types, by
      breaking the nesting into an explicit type; it means that the
      type is now boxed instead of unboxed in C code, but the QMP wire
      format is unaffected by this change.

      Prefer the safer g_new0() while making the conversion, and reduce
      some long lines.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 4752cdbbf330ac7c593a6f337b97a79648f3f878
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:31 2015 -0600

      qapi: Drop inline nested struct in query-version

      A future patch will be using a 'name':{dictionary} entry in the
      QAPI schema to specify a default value for an optional argument
      (see previous commit message for more details why); but existing
      use of inline nested structs conflicts with that goal. This patch
      fixes one of only two commands relying on nested types, by
      breaking the nesting into an explicit type; it means that the
      type is now boxed instead of unboxed in C code, but the QMP wire
      format is unaffected by this change.

      Prefer the safer g_new0() while making the conversion.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6446a592760155bb3e2e248d56bab97a34af0336
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:30 2015 -0600

      qapi: Drop tests for inline nested structs

      A future patch will be using a 'name':{dictionary} entry in the
      QAPI schema to specify a default value for an optional argument;
      but existing use of inline nested structs conflicts with that goal.

      More precisely, a definition in the QAPI schema associates a name
      with a set of properties:

      Example 1: { 'struct': 'Foo', 'data': { MEMBERS... } }
      associates the global name 'Foo' with properties (meta-type struct)
      and MEMBERS...

      Example 2: 'mumble': TYPE
      within MEMBERS... above associates 'mumble' with properties (type
      TYPE) and (optional false) within type Foo

      The syntax of example 1 is extensible; if we need another property,
      we add another name/value pair to the dictionary (such as
      'base':TYPE).  The syntax of example 2 is not extensible, because
      the right hand side can only be a type.

      We have used name encoding to add a property: "'*mumble': 'int'"
      associates 'mumble' with (type int) and (optional true).  Nice,
      but doesn't scale.  So the solution is to change our existing uses
      to be syntactic sugar to an extensible form:

         NAME: TYPE   --> NAME:  { 'type': TYPE, 'optional': false }
         *ONAME: TYPE --> ONAME: { 'type': TYPE, 'optional': true }

      This patch fixes the testsuite to avoid inline nested types, by
      breaking the nesting into explicit types; it means that the type
      is now boxed instead of unboxed in C code, but makes no difference
      on the wire (and if desired, a later patch could change the
      generator to not do so much boxing in C).  When touching code to
      add new allocations, also convert existing allocations to
      consistently prefer typesafe g_new0 over g_malloc0 when a type
      name is involved.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b6fcf32d9b851a83dedcb609091236b97cc4a985
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:29 2015 -0600

      qapi: Merge UserDefTwo and UserDefNested in tests

      In the testsuite, UserDefTwo and UserDefNested were identical
      structs other than the member names.  Reduce code duplication by
      having just one type, and choose names that also favor reuse.
      This will also make it easier for a later patch to get rid of
      inline nested types in QAPI.  When touching code related to
      allocations, convert g_malloc0(sizeof(Type)) to the more typesafe
      g_new0(Type, 1).

      Ensure that 'make check-qapi-schema check-unit' still passes.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3e391d355644b2bff7c9f187759aadb46c6e051f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:28 2015 -0600

      qapi: Forbid 'type' in schema

      Referring to "type" as both a meta-type (built-in, enum, union,
      alternate, or struct) and a specific type (the name that the
      schema uses for declaring structs) is confusing.  Finish up the
      conversion to using "struct" in qapi schema by removing the hack
      in the generator that allowed 'type'.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 895a2a80e0e054f0d5d3715aa93d10d15e49f9f7
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:27 2015 -0600

      qapi: Use 'struct' instead of 'type' in schema

      Referring to "type" as both a meta-type (built-in, enum, union,
      alternate, or struct) and a specific type (the name that the
      schema uses for declaring structs) is confusing.  Do the bulk of
      the conversion to "struct" in qapi schema, with a fairly
      mechanical:

      for f in `find -name '*.json'; do sed -i "s/'type'/'struct'/"; done

      followed by manually filtering out the places where we have a
      'type' embedded in 'data'.  Then tweak a couple of tests whose
      output changes slightly due to longer lines.

      I also verified that the generated files for QMP and QGA (such
      as qmp-commands.h) are the same before and after, as assurance
      that I didn't leave in any accidental member name changes.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3b2a8b85322f3677525a65c0b35deadf45fb704b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:26 2015 -0600

      qapi: Document 'struct' metatype

      Referring to "type" as both a meta-type (built-in, enum, union,
      alternate, or struct) and a specific type (the name that the
      schema uses for declaring structs) is confusing.  Now that the
      generator accepts 'struct' as a synonym for 'type', update all
      documentation to use saner wording.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fd41dd4eae5f7ea92f10c04cb3f217727fcee91f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:25 2015 -0600

      qapi: Prefer 'struct' over 'type' in generator

      Referring to "type" as both a meta-type (built-in, enum, union,
      alternate, or struct) and a specific type (the name that the
      schema uses for declaring structs) is confusing.  The confusion
      is only made worse by the fact that the generator mostly already
      refers to struct even when dealing with expr['type'].  This
      commit changes the generator to consistently refer to it as
      struct everywhere, plus a single back-compat tweak that allows
      accepting the existing .json files as-is, so that the meat of
      this change is separate from the mindless churn of that change.

      Fix the testsuite fallout for error messages that change, and
      in some cases, become more legible.  Improve comments to better
      match our intentions where a struct (rather than any complex
      type) is required.  Note that in some cases, an error message
      now refers to 'struct' while the schema still refers to 'type';
      that will be cleaned up in the later commit to the schema.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2cbf09925ad45401673a79ab77f67de2f04a826c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:24 2015 -0600

      qapi: More rigorous checking for type safety bypass

      Now that we have a way to validate every type, we can also be
      stricter about enforcing that callers that want to bypass
      type safety in generated code.  Prior to this patch, it didn't
      matter what value was associated with the key 'gen', but it
      looked odd that 'gen':'yes' could result in bypassing the
      generated code.  These changes also enforce the changes made
      earlier in the series for documentation and consolidation of
      using '**' as the wildcard type, as well as 'gen':false as the
      canonical spelling for requesting type bypass.

      Note that 'gen':false is a one-way switch away from the default;
      we do not support 'gen':true (similar for 'success-response').
      In practice, this doesn't matter.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 10d4d997f86cf2a4ce89145df5658952d5722e56
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:23 2015 -0600

      qapi: Whitelist commands that don't return dictionary

      ...or an array of dictionaries.  Although we have to cater to
      existing commands, returning a non-dictionary means the command
      is not extensible (no new name/value pairs can be added if more
      information must be returned in parallel).  By making the
      whitelist explicit, any new command that falls foul of this
      practice will have to be self-documenting, which will encourage
      developers to either justify the action or rework the design to
      use a dictionary after all.

      It's a little bit sloppy that we share a single whitelist among
      three clients (it's too permissive for each).  If this is a
      problem, a future patch could tighten things by having the
      generator take the whitelist as an argument (as in
      scripts/qapi-commands.py --legacy-returns=...), or by having
      the generator output C code that requires explicit use of the
      whitelist (as in:
       #ifndef FROBNICATE_LEGACY_RETURN_OK
       # error Command 'frobnicate' should return a dictionary
       #endif
      then having the callers define appropriate macros).  But until
      we need such fine-grained separation (if ever), this patch does
      the job just fine.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit c9e0a798691d8c45747b082206e789c8f50523c9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:22 2015 -0600

      qapi: Require valid names

      Previous commits demonstrated that the generator overlooked various
      bad naming situations:
      - types, commands, and events need a valid name
      - enum members must be valid names, when combined with prefix
      - union and alternate branches cannot be marked optional

      Valid upstream names match [a-zA-Z][a-zA-Z0-9_-]*; valid downstream
      names match __[a-zA-Z][a-zA-Z0-9._-]*.  Enumerations match the
      weaker [a-zA-Z0-9._-]+ (in part thanks to QKeyCode picking an enum
      that starts with a digit, which we can't change now due to
      backwards compatibility).  Rather than call out three separate
      regex, this patch just uses a broader combination that allows both
      upstream and downstream names, as well as a small hack that
      realizes that any enum name is merely a suffix to an already valid
      name prefix (that is, any enum name is valid if prepending _ fits
      the normal rules).

      We could reject new enumeration names beginning with a digit by
      whitelisting existing exceptions.  We could also be stricter
      about the distinction between upstream names (no leading
      underscore, no use of dot) and downstream (mandatory leading
      double underscore), but it is probably not worth the bother.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit dd883c6f0547f02ae805d02852ff3691f6d08f85
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:21 2015 -0600

      qapi: More rigourous checking of types

      Now that we know every expression is valid with regards to
      its keys, we can add further tests that those keys refer to
      valid types.  With this patch, all uses of a type (the 'data':
      of command, type, union, alternate, and event; the 'returns':
      of command; the 'base': of type and union) must resolve to an
      appropriate subset of metatypes  declared by the current qapi
      parse; this includes recursing into each member of a data
      dictionary.  Dealing with '**' and nested anonymous structs
      will be done in later patches.

      Update the testsuite to match improved output.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 0d8b9fb5f296a96723d98a45a6a00bfd4e45e1b9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:20 2015 -0600

      qapi: Add some type check tests

      Demonstrate that the qapi generator silently parses confusing
      types, which may cause other errors later on. Later patches
      will update the expected results as the generator is made stricter.

      Most of the new tests focus on blatant errors.  But
      returns-whitelist is a case where we have historically allowed
      returning something other than a JSON object from particular
      commands; we have to keep that behavior to avoid breaking clients,
      but it would be nicer to avoid adding such commands in the future,
      because any return that is not an (array of) object cannot be
      easily extended if future qemu wants to return additional
      information.  The QMP protocol already documents that clients
      should ignore unknown dictionary keys, but does not require
      clients to have to handle more than one type of JSON object.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d708cdbe8792a55f53e90c1c787e871d527e8d4b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:19 2015 -0600

      qapi: Unify type bypass and add tests

      For a few QMP commands, we are forced to pass an arbitrary type
      without tracking it properly in QAPI.  Among the existing clients,
      this unnamed type was spelled 'dict', 'visitor', and '**'; this
      patch standardizes on '**', matching the documentation changes
      earlier in the series.

      Meanwhile, for the 'gen' key, we have been ignoring the value,
      although the schema consistently used "'no'" ('success-response'
      was hard-coded to checking for 'no').  But now that we can support
      a literal "false" in the schema, we might as well use that rather
      than ignoring the value or special-casing a random string.  Note
      that these are one-way switches (use of 'gen':true is not the same
      as omitting 'gen'). Also, the use of '**' requires 'gen':false,
      but the use of 'gen':false does not mandate the use of '**'.

      There is no difference to the generated code.  Add some tests on
      what we'd like to guarantee, although it will take later patches
      to clean up test results and actually enforce the use of a bool
      parameter.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e53188ada516c814a729551be2448684d6d8ce08
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon May 4 09:05:18 2015 -0600

      qapi: Allow true, false and null in schema json

      In the near term, we will use it for a sensible-looking
      'gen':false inside command declarations, instead of the
      current ugly 'gen':'no'.

      In the long term, it will allow conversion from shorthand
      with defaults mentioned only in side-band documentation:
       'data':{'*flag':'bool', '*string':'str'}
      into an explicit default value documentation, as in:
       'data':{'flag':{'type':'bool', 'optional':true, 'default':true},
               'string':{'type':'str', 'optional':true, 'default':null}}

      We still don't parse integer values (also necessary before
      we can allow explicit defaults), but that can come in a later
      series.

      Update the testsuite to match an improved error message.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 4dc2e6906e1084fdd37bf67385c5dcd2c72ae22b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:17 2015 -0600

      qapi: Better error messages for duplicated expressions

      The previous commit demonstrated that the generator overlooked
      duplicate expressions:
      - a complex type or command reusing a built-in type name
      - redeclaration of a type name, whether by the same or different
      metatype
      - redeclaration of a command or event
      - collision of a type with implicit 'Kind' enum for a union
      - collision with an implicit MAX enum constant

      Since the c_type() function in the generator treats all names
      as being in the same namespace, this patch adds a global array
      to track all known names and their source, to prevent collisions
      before it can cause further problems.  While valid .json files
      won't trigger any of these cases, we might as well be nicer to
      developers that make a typo while trying to add new QAPI code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cfdd5bcad515a8371af59dba9625e31a6f6f733e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:16 2015 -0600

      qapi: Add tests of redefined expressions

      Demonstrate that the qapi generator doesn't deal very well with
      redefined expressions.  At the parse level, they are silently
      accepted; and while the testsuite just stops at parsing, I've
      further tested that many of them cause generator crashes or
      invalid C code if they were appended to qapi-schema-test.json.
      A later patch will tighten things up and adjust the testsuite
      to match.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 0545f6b8874c28d97369f2c83e5077e0461d4f12
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:15 2015 -0600

      qapi: Better error messages for bad expressions

      The previous commit demonstrated that the generator overlooked some
      fairly basic broken expressions:
      - missing metataype
      - metatype key has a non-string value
      - unknown key in relation to the metatype
      - conflicting metatype (this patch treats the second metatype as an
      unknown key of the first key visited, which is not necessarily the
      first key the user typed)

      Add check_keys to cover these situations, and update testcases to
      match.  A couple other tests (enum-missing-data, indented-expr) had
      to change since the validation added here occurs so early.
      Conversely, changes to ident-with-escape results show that we still
      have problems where our handling of escape sequences differs from
      true JSON, which will matter down the road if we allow arbitrary
      default string values for optional parameters (but for now is not
      too bad, as we currently can avoid unicode escaping as we don't
      need to represent anything beyond C identifier material).

      While valid .json files won't trigger any of these cases, we might
      as well be nicer to developers that make a typo while trying to add
      new QAPI code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9050c65b71ac1d197330e6db221f63189e21bad5
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:14 2015 -0600

      qapi: Add some expr tests

      Demonstrate that the qapi generator doesn't deal well with
      expressions that aren't up to par. Later patches will improve
      the expected results as the generator is made stricter.  Only
      a few of the the added tests actually behave sanely at
      rejecting obvious problems or demonstrating success.

      Note that in some cases, we reject bad QAPI merely because our
      pseudo-JSON parser does not yet know how to parse numbers.  This
      series does not address that, but when a later series adds support
      for numeric defaults of integer fields, the testsuite will ensure
      that we don't lose the error (and hopefully that the error
      message quality is improved).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ab916faddd16f0165e9cc2551f90699be8efde53
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:13 2015 -0600

      qapi: Use 'alternate' to replace anonymous union

      Previous patches have led up to the point where I create the
      new meta-type "'alternate':'Foo'".  See the previous patches
      for documentation; I intentionally split as much work into
      earlier patches to minimize the size of this patch, but a lot
      of it is churn due to testsuite fallout after updating to the
      new type.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 7b1b98c420355ccea98d8bd55c9193ee6b7cef97
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:12 2015 -0600

      qapi: Document new 'alternate' meta-type

      The next patch will quit special-casing "'union':'Foo',
      'discriminator':{}" and instead use "'alternate':'Foo'".

      Separating docs from implementation makes it easier to focus
      on wording without holding up code.  In particular, making
      alternate a separate type makes for a nice type hierarchy:

                /-------- meta-type ------\
               /              |            \
          simple types    alternate     complex types
          |         |                   |           |
       built-in   enum             type(struct)   union
       |       \    /                            /    \
      numeric  string                         simple  flat

      A later patch will then clean up 'type' vs. 'struct'
      confusion.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ab045267447d52e63a79c0e18f89ae4411f5420b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:11 2015 -0600

      qapi: Rename anonymous union type in test

      Reduce churn in the future patch that replaces anonymous unions
      with a new metatype 'alternate' by changing 'AnonUnion' to
      'Alternate'.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 811d04fd0cff1229480d3f5b2e349f646ab6e3c1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:10 2015 -0600

      qapi: Segregate anonymous unions into alternates in generator

      Special-casing 'discriminator == {}' for handling anonymous unions
      is getting awkward; since this particular type is not always a
      dictionary on the wire, it is easier to treat it as a completely
      different class of type, "alternate", so that if a type is listed
      in the union_types array, we know it is not an anonymous union.

      This patch just further segregates union handling, to make sure that
      anonymous unions are not stored in union_types, and splitting up
      check_union() into separate functions.  A future patch will change
      the qapi grammar, and having the segregation already in place will
      make it easier to deal with the distinct meta-type.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 268a1c5eb10832c2e4476d3fe199ea547dabecb7
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:09 2015 -0600

      qapi: Prepare for catching more semantic parse errors

      This patch widens the scope of a try block (with the attending
      reindentation required by Python) in preparation for a future
      patch adding more instances of QAPIExprError inside the block.
      It's easier to separate indentation from semantic changes, so
      this patch has no real behavior change.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 44bd1276a7dea747c41f250cb71ab65965343a7f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:08 2015 -0600

      qapi: Tighten checking of unions

      Previous commits demonstrated that the generator had several
      flaws with less-than-perfect unions:
      - a simple union that listed the same branch twice (or two variant
      names that map to the same C enumerator, including the implicit
      MAX sentinel) ended up generating invalid C code
      - an anonymous union that listed two branches with the same qtype
      ended up generating invalid C code
      - the generator crashed on anonymous union attempts to use an
      array type
      - the generator was silently ignoring a base type for anonymous
      unions
      - the generator allowed unknown types or nested anonymous unions
      as a branch in an anonymous union

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit a8d4a2e4d7e1a0207699de47142c9bdbf2cc8675
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:07 2015 -0600

      qapi: Forbid base without discriminator in unions

      None of the existing QMP or QGA interfaces uses a union with a
      base type but no discriminator; it is easier to avoid this in the
      generator to save room for other future extensions more likely to
      be useful.  An earlier commit added a union-base-no-discriminator
      test to ensure that we eventually give a decent error message;
      likewise, removing UserDefUnion outright is okay, because we moved
      all the tests we wish to keep into the tests of the simple union
      UserDefNativeListUnion in the previous commit.  Now is the time to
      actually forbid simple union with base, and remove the last
      vestiges from the testsuite.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 805017b7791200f1b72deef17dc98fd272b941eb
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:06 2015 -0600

      qapi: Clean up test coverage of simple unions

      The tests of UserDefNativeListUnion serve to validate code
      generation of simple unions without a base type, except that it
      did not have full coverage in the strict test.  The next commits
      will remove tests and support for simple unions with a base type,
      so there is no real loss at repurposing that test here as
      opposed to churn of adding a new test then deleting the old one.

      Fix some indentation and long lines while at it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3d0c48292633260269cb21551d9bab006b2f2781
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:05 2015 -0600

      qapi: Add some union tests

      Demonstrate that the qapi generator doesn't deal well with unions
      that aren't up to par. Later patches will update the expected
      reseults as the generator is made stricter.  A few tests work
      as planned, but most show poor or missing error messages.

      Of particular note, qapi-code-gen.txt documents 'base' only for
      flat unions, but the tests here demonstrate that we currently allow
      a 'base' to a simple union, although it is exercised only in the
      testsuite.  Later patches will remove this undocumented feature, to
      give us more flexibility in adding other future extensions to union
      types.  For example, one possible extension is the idea of a
      type-safe simple enum, where added fields tie the discriminator to
      a user-defined enum type rather than creating an implicit enum from
      the names in 'data'.  But adding such safety on top of a simple
      enum with a base type could look ambiguous with a flat enum;
      besides, the documentation also mentions how any simple union can
      be represented by an equivalent flat union.  So it will be simpler
      to just outlaw support for something we aren't using.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cf3935907b5df16f667d54ad6761c7e937dcf425
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:04 2015 -0600

      qapi: Better error messages for bad enums

      The previous commit demonstrated that the generator had several
      flaws with less-than-perfect enums:
      - an enum that listed the same string twice (or two variant
      strings that map to the same C enumerator) ended up generating
      an invalid C enum
      - because the generator adds a _MAX terminator to each enum,
      the use of an enum member 'max' can also cause this clash
      - if an enum omits 'data', the generator left a python stack
      trace rather than a graceful message
      - an enum that used a non-array 'data' was silently accepted by
      the parser
      - an enum that used non-string members in the 'data' member
      was silently accepted by the parser

      Add check_enum to cover these situations, and update testcases
      to match.  While valid .json files won't trigger any of these
      cases, we might as well be nicer to developers that make a typo
      while trying to add new QAPI code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ad11dbb93752ffd4bd1d5f31da7e2d9c40a68e8a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:03 2015 -0600

      qapi: Add some enum tests

      Demonstrate that the qapi generator doesn't deal well with enums
      that aren't up to par. Later patches will update the expected
      results as the generator is made stricter.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fe2a9303c9e511462f662a415c2e9d2defe9b7ca
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:02 2015 -0600

      qapi: Require ASCII in schema

      Python 2 and Python 3 have a wild history of whether strings
      default to ascii or unicode, where Python 3 requires checking
      isinstance(foo, basestr) to cover all strings, but where that
      code is not portable to Python 2.  It's simpler to just state
      that we don't care about Unicode strings, and to just always
      use the simpler isinstance(foo, str) everywhere.

      I'm no python expert, so I'm basing it on this conversation:
      https://lists.gnu.org/archive/html/qemu-devel/2014-09/msg05278.html

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cb17f79eef0d161e81ac457e4c1f124405be2a18
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:01 2015 -0600

      qapi: Fix generation of 'size' builtin type

      We were missing the 'size' builtin type (which means that QAPI using
      [ 'size' ] would fail to compile).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b52c4b9cf0bbafdf8cede4ea1f62770d86815718
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:00 2015 -0600

      qapi: Simplify builtin type handling

      There was some redundancy between builtin_types[] and
      builtin_type_qtypes{}.  Merge them into one.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e790e666518e68134ca0570b6b4a707169ea3cb1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:04:59 2015 -0600

      qapi: Document type-safety considerations

      Go into more details about the various types of valid expressions
      in a qapi schema, including tweaks to document fixes being done
      later in the current patch series.  Also fix some stale and missing
      documentation in the QMP specification.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6fb55451728e6dc74ae4e67e4f5ab557468f084e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:04:58 2015 -0600

      qapi: Add copyright declaration on docs

      While our top-level COPYING with its GPLv2+ license applies to
      any documentation file that omits explicit instructions, these
      days it's better to be a good example of calling out our
      intentions.  Correct use of GPL requires the use of a copyright
      statement, so I'm adding notice to two QAPI documents, by
      attributing these files to the initial authors and major
      contributors.  I used:

      $ git blame --line-porcelain $file \
        | sed -n 's/^author //p' | sort | uniq -c | sort -rn

      to determine authorship of these two files.  qmp-spec.txt blames
      entirely to Red Hat (easy, since my contribution falls in that
      category); while qapi-code-gen.txt has multiple contributors
      representing multiple entities.  But since it was originally
      supplied by Michael Roth, the notice I added there copies the
      notice he has used in other files.  As there is no intended
      change in license from the implicit one previously present from
      the top level, I have not bothered to CC other contributors;
      if we want to weaken things to something looser (such as LGPL)
      so that there is no question that someone re-implementing the
      spec is not forced to use GPL, that would be a different commit.

      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 00c8fa9ffeee7458e5ed62c962faf638156c18da
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Thu Apr 2 20:07:53 2015 -0400

      tcg: optimise memory layout of TCGTemp

      This brings down the size of the struct from 56 to 32 bytes on 64-bit,
      and to 20 bytes on 32-bit. This leads to memory savings:

      Before:
      $ find . -name 'tcg.o' | xargs size
         text    data     bss     dec     hex filename
        41131   29800      88   71019   1156b ./aarch64-softmmu/tcg/tcg.o
        37969   29416      96   67481   10799 ./x86_64-linux-user/tcg/tcg.o
        39354   28816      96   68266   10aaa ./arm-linux-user/tcg/tcg.o
        40802   29096      88   69986   11162 ./arm-softmmu/tcg/tcg.o
        39417   29672      88   69177   10e39 ./x86_64-softmmu/tcg/tcg.o

      After:
      $ find . -name 'tcg.o' | xargs size
         text    data     bss     dec     hex filename
        40883   29800      88   70771   11473 ./aarch64-softmmu/tcg/tcg.o
        37473   29416      96   66985   105a9 ./x86_64-linux-user/tcg/tcg.o
        38858   28816      96   67770   108ba ./arm-linux-user/tcg/tcg.o
        40554   29096      88   69738   1106a ./arm-softmmu/tcg/tcg.o
        39169   29672      88   68929   10d41 ./x86_64-softmmu/tcg/tcg.o

      Note that using an entire byte for some enums that need less than
      that wastes a few bits (noticeable in 32 bits, where we use
      20 bytes instead of 16) but avoids extraction code, which overall
      is a win--I've tested several variations of the patch, and the appended
      is the best performer for OpenSSL's bntest by a very small margin:

      Before:
      $ taskset -c 0 perf stat -r 15 -- x86_64-linux-user/qemu-x86_64 
img/bntest-x86_64 >/dev/null
      [...]
       Performance counter stats for 'x86_64-linux-user/qemu-x86_64 
img/bntest-x86_64' (15 runs):

            10538.479833 task-clock (msec)  # 0.999 CPUs utilized  ( +-  0.38% )
                     772 context-switches   # 0.073 K/sec          ( +-  2.03% )
                       0 cpu-migrations     # 0.000 K/sec          ( +-100.00% )
                   2,207 page-faults        # 0.209 K/sec          ( +-  0.08% )
            10.552871687 seconds time elapsed                      ( +-  0.39% )

      After:
      $ taskset -c 0 perf stat -r 15 -- x86_64-linux-user/qemu-x86_64 
img/bntest-x86_64 >/dev/null
       Performance counter stats for 'x86_64-linux-user/qemu-x86_64 
img/bntest-x86_64' (15 runs):

            10459.968847 task-clock (msec)  # 0.999 CPUs utilized  ( +-  0.30% )
                     739 context-switches   # 0.071 K/sec          ( +-  1.71% )
                       0 cpu-migrations     # 0.000 K/sec          ( +- 68.14% )
                   2,204 page-faults        # 0.211 K/sec          ( +-  0.10% )
            10.473900411 seconds time elapsed                      ( +-  0.30% )

      Suggested-by: Stefan Weil <sw@xxxxxxxxxxx>
      Suggested-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 874e9aeeeb74c5459639a93439a502d262847e68
  Merge: b4c5df7 e444ea3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 5 14:06:12 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-20150505-1' 
into staging

      sdl2: add opengl support

      # gpg: Signature made Tue May  5 10:36:25 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-sdl-20150505-1:
        sdl2: Fix RGB555
        sdl2: add support for display rendering using opengl.
        sdl2: move SDL_* includes to sdl2.h
        console-gl: add opengl rendering helper functions
        opengl: add shader helper functions.
        opengl: add shader build infrastructure

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b4c5df7a15dad2417bc05d08a470b82ab89d56ea
  Merge: 5bccbb0 2e1c92d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 5 10:23:22 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-cov-model-2015-05-05' into staging

      coverity: fix address_space_rw model

      # gpg: Signature made Tue May  5 09:44:26 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-cov-model-2015-05-05:
        coverity: fix address_space_rw model

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e444ea34f8ec27acfa9ead7eaa9904238c831e69
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Tue Mar 3 12:25:27 2015 -0500

      sdl2: Fix RGB555

      Reproducable with:

      $ x86_64-softmmu/qemu-system-x86_64 \
          -kernel $vmlinuz_of_your_choice \
          -append vga=0x313 -sdl

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0b71a5d5caa4f709d37fa1d7786dffc2c94f8414
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Nov 11 16:54:45 2014 +0100

      sdl2: add support for display rendering using opengl.

      Add new sdl2-gl.c file, with display
      rendering functions using opengl.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 19dadfccd0124804e2790e7cb075c9df7cd3154f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Nov 19 14:19:49 2014 +0100

      sdl2: move SDL_* includes to sdl2.h

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit cd2bc889e5b30c69926fc1511b6522e7cb4c705d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jan 9 11:40:23 2015 +0100

      console-gl: add opengl rendering helper functions

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 985e1c9b008e5e8b6eac41546266d3abcfa6282a
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Apr 24 07:48:45 2015 +0200

      opengl: add shader helper functions.

      Helper functions to compile, link and run opengl shader programs.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2e1c92daff752c056ae10087e6b1702b0460af88
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon May 4 14:18:09 2015 +0200

      coverity: fix address_space_rw model

      If the is_write argument is true, address_space_rw writes to memory
      and thus reads from the buffer.  The opposite holds if is_write is
      false.  Fix the model.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d98bc0b654b97d130338e76e0928296f84e6d6fd
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jan 16 13:59:17 2015 +0100

      opengl: add shader build infrastructure

      perl script to transform shader programs into c include files with
      static string constands containing the shader programs, so we can
      easily embed them into qemu.  Also some Makefile logic for them.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 5bccbb04a4abba7af4398de992bf06d585fd1333
  Merge: f90f5b9 4a4d614
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 20:34:54 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block patches

      # gpg: Signature made Thu Apr 30 19:51:16 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        Enable NVMe start controller for Windows guest.
        MAINTAINERS: Add qemu-block list where missing
        MAINTAINERS: make block layer core Kevin Wolf's responsibility
        MAINTAINERS: make image fuzzer Stefan Hajnoczi's responsibility
        MAINTAINERS: make block I/O path Stefan Hajnoczi's responsibility
        MAINTAINERS: split out image formats
        MAINTAINERS: make virtio-blk Stefan Hajnoczi's responsibility

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 41063e1e7afcb2f13e103720fe96221657f5dbbc
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Mar 18 14:21:43 2015 +0100

      exec: move rcu_read_lock/unlock to address_space_translate callers

      Once address_space_translate will be called outside the BQL, the returned
      MemoryRegion might disappear as soon as the RCU read-side critical section
      ends.  Avoid this by moving the critical section to the callers.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1426684909-95030-3-git-send-email-pbonzini@xxxxxxxxxx>

  commit 4c6637525290dc863a00be7f58fc11d07b780bd4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 13:30:58 2015 +0200

      kvm: add support for memory transaction attributes

      Let kvm_arch_post_run convert fields in the kvm_run struct to MemTxAttrs.
      These are then passed to address_space_rw.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f8a9f720dd2fa5c1560838c26c6dad396a0cef5b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 12:57:11 2015 +0200

      mtree: also print disabled regions

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e48816aac6eef50c851e3833add886f0403b6f11
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 12:53:47 2015 +0200

      mtree: tag & indent a bit better

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 813297541196698f60525d611dd09007fa60b45b
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 7 16:53:52 2015 +0300

      apic_common: improve readability of apic_reset_common

      Replace call of cpu_is_bsp(s->cpu) which really returns
          !!(s->apicbase & MSR_IA32_APICBASE_BSP)
      with directly collected value. Due to this the tracepoint
        trace_cpu_get_apic_base((uint64_t)s->apicbase);
      will not be hit anymore in apic_reset_common.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1428414832-3104-1-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 03a96b83b539498510e22aab585e41015ba18247
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Mon Apr 27 18:59:04 2015 +0200

      kvm: Silence warning from valgrind

      valgrind complains here about uninitialized bytes with the following 
message:

      ==17814== Syscall param ioctl(generic) points to uninitialised byte(s)
      ==17814==    at 0x466A780: ioctl (in /usr/lib64/power8/libc-2.17.so)
      ==17814==    by 0x100735B7: kvm_vm_ioctl (kvm-all.c:1920)
      ==17814==    by 0x10074583: kvm_set_ioeventfd_mmio (kvm-all.c:574)

      Let's fix it by using a proper struct initializer in 
kvm_set_ioeventfd_mmio().

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-Id: <1430153944-24368-1-git-send-email-thuth@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f90f5b9a9aa41e5ea47dc7a0f3e1f99196f485c3
  Merge: 4981475 5530293
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 15:18:30 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-04-30' into staging

      trivial patches for 2015-04-30

      # gpg: Signature made Thu Apr 30 14:07:50 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-04-30: (42 commits)
        openrisc: cpu: Remove unused cpu_get_pc
        microblaze: fix memory leak
        tcg: Delete unused cpu_pc_from_tb()
        kvm: Silence warning from valgrind
        vhost-user: remove superfluous '\n' around error_report()
        target-mips: fix memory leak
        qmp-commands: Fix typo
        linux-user/elfload: use QTAILQ_FOREACH instead of open-coding it
        coroutine: remove unnecessary parentheses in qemu_co_queue_empty
        qemu-char: remove unused list node from FDCharDriver
        input: remove unused mouse_handlers list
        cpus: use first_cpu macro instead of QTAILQ_FIRST(&cpus)
        microblaze: cpu: delete unused cpu_interrupts_enabled
        microblaze: cpu: Renumber EXCP_* constants to close gap
        microblaze: cpu: Delete EXCP_NMI
        microblaze: cpu: Remove unused CC_OP enum
        microblaze: cpu: Remote unused cpu_get_pc
        microblaze: mmu: Delete flip_um fn prototype
        defconfigs: Piggyback microblazeel on microblaze
        libcacard: do not use full paths for include files in the same dir
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4a4d614ff56b4cf15e83629946afe51dc116053f
  Author: Daniel Stekloff <dan@xxxxxxxxxx>
  Date:   Fri Apr 24 11:55:42 2015 -0700

      Enable NVMe start controller for Windows guest.

      Windows seems to send two separate calls to NVMe controller 
configuration. The
      first sends configuration info and the second the enable bit. I couldn't
      enable the Windows 8.1 in-box NVMe driver with base Qemu. I made the
      following change to store the configuration data and then handle enable 
and
      NVMe driver works on Windows 8.1.

      I am not a Windows expert and I'm not entirely sure this is the correct
      approach. I'm offering it for anyone who wishes to use NVMe on Windows 8.1
      using Qemu.

      I have tested this change with Linux and Windows guests with NVMe devices.

      Signed-off-by: Daniel Stekloff <dan@xxxxxxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 498147529d1f8e902e6528a0115143b53475791e
  Merge: 06feaac 2c80e99
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 14:15:56 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150430' into 
staging

      First pile of s390x patches for 2.4, including:
      - some cleanup patches
      - sort most of the s390x devices into categories
      - support for the new STSI post handler, used to insert vm name and
        friends
      - support for the new MEM_OP ioctl (including access register mode)
        for accessing guest memory

      # gpg: Signature made Thu Apr 30 12:56:58 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150430:
        kvm: better advice for failed s390x startup
        s390x/kvm: Support access register mode for KVM_S390_MEM_OP ioctl
        s390x/mmu: Use ioctl for reading and writing from/to guest memory
        s390x/kvm: Put vm name, extended name and UUID into STSI322 SYSIB
        linux-headers: update
        s390x/mmu: Use access type definitions instead of magic values
        s390x/ipl: sort into categories
        sclp: sort into categories
        s390-virtio: sort into categories
        virtio-ccw: sort into categories

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c95e4c0e53c774dd82a78ae751ea24f537e38778
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 30 15:15:13 2015 +0200

      MAINTAINERS: Add qemu-block list where missing

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 17f1e8f5acf0016bf0b14ef9ec591d3f5081fc60
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:29 2015 +0100

      MAINTAINERS: make block layer core Kevin Wolf's responsibility

      Kevin is now sole maintainer of the core block layer, including
      BlockDriverState graphs and monitor commands.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit abfe4e9408a9e82bec9e9834eabc65f53907f281
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:28 2015 +0100

      MAINTAINERS: make image fuzzer Stefan Hajnoczi's responsibility

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d55053b16e22d46db0d98819814a31ae5c33e2c7
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:27 2015 +0100

      MAINTAINERS: make block I/O path Stefan Hajnoczi's responsibility

      The block I/O path includes the asynchronous I/O machinery and
      read/write/flush/discard processing.  It somewhat arbitrarily also
      includes block migration, which I've found myself reviewing patches for
      over the years.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e7c6e631b191c99eecb4a06fe19302e863f033c6
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:26 2015 +0100

      MAINTAINERS: split out image formats

      Block driver submaintainers has proven to be a good model.  Kevin and
      Stefan are splitting up the unclaimed block drivers so each has a
      dedicated maintainer.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b457a5f54cd857815401dc4708a4c778481ec562
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:25 2015 +0100

      MAINTAINERS: make virtio-blk Stefan Hajnoczi's responsibility

      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 553029351bac9f5b4f9ea72793e55f02e7677ec2
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Apr 30 00:38:52 2015 -0700

      openrisc: cpu: Remove unused cpu_get_pc

      This function is not used by anything. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4d850406a859d3a5dcfca74eb9caa76ccc064ab3
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Thu Mar 5 11:05:20 2015 +0800

      microblaze: fix memory leak

      When not assign a -dtb argument, the variable dtb_filename
      storage returned from qemu_find_file(), which should be freed
      after use. Alternatively we define a local variable filename,
      with 'char *' type, free after use.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit fee068e4f190a36ef3bda9aa7c802f90434ef8e5
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Wed Apr 29 00:52:21 2015 -0700

      tcg: Delete unused cpu_pc_from_tb()

      No code uses the cpu_pc_from_tb() function. Delete from tricore and
      arm which each provide an unused implementation. Update the comment
      in tcg.h to reflect that this is obsoleted by synchronize_from_tb.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2ed0c3dad769ab747e1f5448b70eeaf134c76982
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Mon Apr 27 18:59:04 2015 +0200

      kvm: Silence warning from valgrind

      valgrind complains here about uninitialized bytes with the following 
message:

      ==17814== Syscall param ioctl(generic) points to uninitialised byte(s)
      ==17814==    at 0x466A780: ioctl (in /usr/lib64/power8/libc-2.17.so)
      ==17814==    by 0x100735B7: kvm_vm_ioctl (kvm-all.c:1920)
      ==17814==    by 0x10074583: kvm_set_ioeventfd_mmio (kvm-all.c:574)

      Let's fix it by using a proper struct initializer in 
kvm_set_ioeventfd_mmio().

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ab7c5aaf31213f5fc96018514e3d258e951d520f
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Apr 28 17:11:04 2015 +0800

      vhost-user: remove superfluous '\n' around error_report()

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3ad9fd5a257794d516db515c217c78a5806112fe
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Apr 28 17:11:02 2015 +0800

      target-mips: fix memory leak

      Coveristy reports that variable prom_buf/params_buf going
      out of scope leaks the storage it points to.

      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5403432f39fc09ce1973cc8c1a62e16502358bf7
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:20:41 2015 -0400

      qmp-commands: Fix typo

      Just a trivial patch to correct a QMP example in qmp-commands.hx.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 52a53afebd2604af957d50fd4f3ce2012350a40d
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:33 2015 -0400

      linux-user/elfload: use QTAILQ_FOREACH instead of open-coding it

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b1201addc7ceb8f1fcdc378071ec6f5ab5b3f7ab
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:32 2015 -0400

      coroutine: remove unnecessary parentheses in qemu_co_queue_empty

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 63d229c32b72767461262ade78a5cb98dbe0f1b4
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:30 2015 -0400

      qemu-char: remove unused list node from FDCharDriver

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit dfbf272b77cfb6b74131746a67c82271ab009f2f
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:29 2015 -0400

      input: remove unused mouse_handlers list

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c28e399cadbeaa996e2a3d334368edd4cd6b6889
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:28 2015 -0400

      cpus: use first_cpu macro instead of QTAILQ_FIRST(&cpus)

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 93100f67c723f5812d0fa9a026208cf320ef46e6
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:24 2015 -0700

      microblaze: cpu: delete unused cpu_interrupts_enabled

      This function is unused. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2161be35ce57ed5b0da0b98f902d003bfebac2c9
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Wed Apr 29 08:34:29 2015 +0300

      microblaze: cpu: Renumber EXCP_* constants to close gap

      After removal of EXCP_NMI there's a gap in EXCP_*
      numbering. Let's remove it.

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 059ec9aa34fd3c5bfe65141741c671b3e80ac6e7
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:23 2015 -0700

      microblaze: cpu: Delete EXCP_NMI

      This define is unused. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 004f979fbb83397349c9158946ec5d4f0036632b
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:22 2015 -0700

      microblaze: cpu: Remove unused CC_OP enum

      This enum is not used by anything. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b133b09a9d8ae280bba279a1aba9af73a805e198
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:21 2015 -0700

      microblaze: cpu: Remote unused cpu_get_pc

      This function is not used by anything. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 19191a6bc537b2290e18430e1877de9c2db20510
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:20 2015 -0700

      microblaze: mmu: Delete flip_um fn prototype

      This is not implemented or used.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a0970d91c94241c74b2b8027268d2a7e8fe19ae3
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:19 2015 -0700

      defconfigs: Piggyback microblazeel on microblaze

      Theres no difference in defconfig. Going forward microblazeel should
      superset microblaze so use an include.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f66759d3aec208651a7ad0cd37f4fec8d86fa7c1
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Mon Apr 27 16:29:58 2015 +0300

      libcacard: do not use full paths for include files in the same dir

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 28507a415a9b1e897aa8cdab658c6cdc00eff6cd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Apr 27 12:34:18 2015 +0200

      libcacard: stop including qemu-common.h

      This is a small step towards making libcacard standalone.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d3e4abdddfcf70b2e678de1c6b9b1c6cd3ce541e
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Mon Apr 27 13:32:35 2015 +0200

      docs/atomics.txt: fix two typos

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5ecaa4ed882aa6040d2ddbfc6f487d8b4bcd3b83
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 19:14:26 2015 -0700

      configure: alphabetize tricore in target list

      tricore was out of alphabetical order in the target list. Fix.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ef1d27f4b17c4238ed3395724026910973026d2b
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 18:38:18 2015 -0700

      arm: cpu.h: Remove unused typdefs

      These CP accessor function prototypes are unused. Remove them.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3bf2af7b40281f73d0e33ecca4095078feed07b1
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:33 2015 +0100

      util: Remove unused functions

      Delete the unused functions qemu_signalfd_available(),
      qemu_send_full() and qemu_recv_full().

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ec29ea1b2b5ffed569d52393ad8e8d3f4215b9b3
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:32 2015 +0100

      usb: Remove unused functions

      Delete set_usb_string(), usb_ep_get_ifnum(), usb_ep_get_max_packet_size()
      usb_ep_get_max_streams() and usb_ep_set_pipeline() since they are
      not used anymore.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 26b93109c0dff55aab67da66ebbace2cc39becfc
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:31 2015 +0100

      monitor: Remove unused functions

      The functions ringbuf_read_completion() and monitor_get_rs()
      are not used anywhere anymore, so let's remove them.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Cc: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 04768b985e8da35cba67b60dab02865a4d8ecdca
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:30 2015 +0100

      pci: Remove unused function ich9_d2pbr_init()

      The function ich9_d2pbr_init() is completely unused and
      thus can be deleted.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9dcfda1298662223af1b99f7aef1bcf94df134a8
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:29 2015 +0100

      vmxnet: Remove unused function vmxnet_rx_pkt_get_num_frags()

      The function is not used anymore and thus can be deleted.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Cc: Dmitry Fleytman <dmitry@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 825976153ee4c787326e0beb31144906f0a3c210
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Mon Apr 27 11:12:49 2015 +0300

      qemu-options: trivial spelling fix (messsage)

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c2cb2b041b56e113e43da78528c9dfd8257e0206
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Fri Apr 24 19:41:26 2015 +0200

      hostmem: Fix mem-path property name in error report

      The subtle difference between "property not found" and "property not
      set" is already confusing enough.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 29b558d87710a962203a45d9dd57bf7eab19dca0
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Apr 15 10:18:55 2015 -0400

      tpm: fix coding style

      Fix coding style in one instance.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1897b212b780a02a5605ad934a6dd16c76571fe3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Apr 13 17:28:27 2015 +0200

      qemu-config: remove stray inclusions of hw/ files

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f2fbb40ea32445b281696a1b3f16de670951de2e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Apr 13 17:28:26 2015 +0200

      range: remove useless inclusions

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 631b22ea206300f09b9d1bb9249169e0f0092639
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Thu Apr 9 20:32:39 2015 +0200

      misc: Fix new collection of typos

      All of them were reported by codespell.
      Most typos are in comments, one is in an error message.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c9f88ce330c3d9107adfabdde33bdf10dcc05934
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:14 2015 +0800

      hw/display : remove 'struct' from 'typedef QXL struct'

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9425c004fe287bfe95e2bf64634d6a618c2b596c
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:13 2015 +0800

      ui/console : remove 'struct' from 'typedef struct' type

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4769a881cbe1130e7ba4650471ef37e2cf998a9c
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:12 2015 +0800

      ui/vnc : remove 'struct' of 'typedef struct'

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 494cb81741f867319f11ecfa0949168baf9f01d7
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:11 2015 +0800

      ui/vnc : fix coding style

          reported by checkpatch.pl

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4188e39055bfaf6d76b7d98294b0aeb8e4f3082d
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:10 2015 +0800

      bitops : fix coding style

          don't mix tab and space. The rule is 4 spaces

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4d1ba9c4f8a4d68b9d053946d551ffa8f1006b77
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Mar 31 14:49:10 2015 -0400

      tpm: Modify DPRINTF to enable -Wformat checking

      Modify DPRINTF to always enable -Wformat checking.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 070c7607f62f9623be9ff14623a43b0ca195c572
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Mar 31 14:49:09 2015 -0400

      tpm: Cast 64bit variables to int when used in DPRINTF

      Cast 64bit variables to int when used in DPRINTF. They only contain
      32bit of data.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2c80e996e427ae31982f3405a762859578a6261d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Apr 23 17:03:46 2015 +0200

      kvm: better advice for failed s390x startup

      If KVM_CREATE failed on s390x, we print a hint to enable the switch_amode
      kernel parameter. This only applies to old kernels, and only if the
      error was -EINVAL. Moreover, with new kernels, the most likely reason
      for -EINVAL is that pgstes were not enabled.

      Let's update the error message to give a better hint on where things
      may need fixing.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 6cb1e49de58cab8f243b05a971a9a1f80ab3223d
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Mar 5 12:36:48 2015 +0300

      s390x/kvm: Support access register mode for KVM_S390_MEM_OP ioctl

      Access register mode is one of the modes that control dynamic address
      translation. In this mode the address space is specified by values of
      the access registers. The effective address-space-control element is
      obtained from the result of the access register translation. See
      the "Access-Register Introduction" section of the chapter 5 "Program
      Execution" in "Principles of Operations" for more details.

      When the CPU is in AR mode, the s390_cpu_virt_mem_rw() function must
      know which access register number to use for address translation.
      This patch does several things:
      - add new parameter 'uint8_t ar' to that function
      - decode ar number from intercepted instructions
      - pass the ar number to s390_cpu_virt_mem_rw(), which in turn passes it
      to the KVM_S390_MEM_OP ioctl.

      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit a9bcd1b8719dea2e91512238d810e2a0037e174d
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Feb 6 15:54:58 2015 +0100

      s390x/mmu: Use ioctl for reading and writing from/to guest memory

      Add code to make use of the new ioctl for reading from / writing to
      virtual guest memory. By using the ioctl, the memory accesses are now
      protected with the so-called ipte-lock in the kernel.

      [CH: moved error message into kvm_s390_mem_op()]
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f07177a5599fb204e42a007db4820ceda1bc85ba
  Author: Ekaterina Tumanova <tumanova@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Mar 3 18:35:27 2015 +0100

      s390x/kvm: Put vm name, extended name and UUID into STSI322 SYSIB

      KVM prefills the SYSIB, returned by STSI 3.2.2. This patch allows
      userspace to intercept execution, and fill in the values, that are
      known to qemu: machine name (8 chars), extended machine name (256
      chars), extended machine name encoding (equals 2 for UTF-8) and UUID.

      STSI322 qemu handler also finds a highest virtualization level in
      level-3 virtualization stack that doesn't support Extended Names
      (Ext Name delimiter) and propagates zero Ext Name to all levels below,
      because this level is not capable of managing Extended Names of lower
      levels.

      Signed-off-by: Ekaterina Tumanova <tumanova@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 7a52ce8a160739c5d37469b0e344d3239eb86462
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Mar 31 16:07:08 2015 +0200

      linux-headers: update

      This updates linux-headers against master 4.1-rc1 (commit
      b787f68c36d49bb1d9236f403813641efa74a031).

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 217a4acb211d603f33199cf94ada9fce3ac419b5
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Mar 19 15:04:50 2015 +0100

      s390x/mmu: Use access type definitions instead of magic values

      Since there are now proper definitions for the MMU access type,
      let's use them in the s390x MMU code, too, instead of the
      hard-to-understand magic values.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit b4ab4572b319f2c26435b2ed18cfd3fb602c7439
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Mar 20 10:17:08 2015 +0100

      s390x/ipl: sort into categories

      The s390 ipl device has no real home (it's not really a storage device),
      so let's sort it into the misc category.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 183f6b8d7e7adf6b892523644e38b534c5954be1
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Mar 17 13:44:39 2015 +0100

      sclp: sort into categories

      Sort the sclp consoles into the input category, just as virtio-serial.
      Various other sclp devices don't have an obvious category, sort them
      into misc.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 4d1866de9422c4b359f61819ee01efc9b988187b
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Mar 17 13:43:26 2015 +0100

      s390-virtio: sort into categories

      Sort the various s390-virtio devices into the same categories as their
      virtio-pci counterparts.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit cd20d61634092a9fa19c8c6f0a749526e9958374
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Mar 17 13:42:03 2015 +0100

      virtio-ccw: sort into categories

      Sort the various virtio-ccw devices into the same categories as their
      virtio-pci counterparts.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 06feaacfb4cfef10cc0c93d97df7bfc8a71dbc7e
  Merge: a1fe58f d064d9f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 12:04:11 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      - miscellaneous cleanups for TCG (Emilio) and NBD (Bogdan)
      - next part in the thread-safe address_space_* saga: atomic access
        to the bounce buffer and the map_clients list, from Fam
      - optional support for linking with tcmalloc, also from Fam
      - reapplying Peter Crosthwaite's "Respect as_translate_internal
        length clamp" after fixing the SPARC fallout.
      - build system fix from Wei Liu
      - small acpi-build and ioport cleanup by myself

      # gpg: Signature made Wed Apr 29 09:34:00 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream: (22 commits)
        nbd/trivial: fix type cast for ioctl
        translate-all: use bitmap helpers for PageDesc's bitmap
        target-i386: disable LINT0 after reset
        Makefile.target: prepend $libs_softmmu to $LIBS
        milkymist: do not modify libs-softmmu
        configure: Add support for tcmalloc
        exec: Respect as_translate_internal length clamp
        ioport: reserve the whole range of an I/O port in the AddressSpace
        ioport: loosen assertions on emulation of 16-bit ports
        ioport: remove wrong comment
        ide: there is only one data port
        gus: clean up MemoryRegionPortio
        sb16: remove useless mixer_write_indexw
        sun4m: fix slavio sysctrl and led register sizes
        acpi-build: remove dependency from ram_addr.h
        memory: add memory_region_ram_resize
        dma-helpers: Fix race condition of continue_after_map_failure and 
dma_aio_cancel
        exec: Notify cpu_register_map_client caller if the bounce buffer is 
available
        exec: Protect map_client_list with mutex
        linux-user, bsd-user: Remove two calls to cpu_exec_init_all
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a1fe58f6ad2282399da256b8579b49b43527e486
  Merge: 52b7aba c836867
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 10:10:31 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Wed Apr 29 00:03:44 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        qtest: Add assertion that required environment variable is set
        qtest/ahci: add flush retry test
        libqos: add blkdebug_prepare_script
        libqtest: add qmp_async
        libqtest: add qmp_eventwait
        qtest/ahci: Allow override of default CLI options
        qtest/ahci: Add simple flush test
        qtest/ahci: test different disk sectors
        qtest/ahci: add qcow2 support to ahci-test
        fdc: remove sparc sun4m mutations

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d064d9f381b00538e41f14104b88a1ae85d78865
  Author: Bogdan Purcareata <bogdan.purcareata@xxxxxxxxxxxxx>
  Date:   Fri Apr 3 11:01:54 2015 +0000

      nbd/trivial: fix type cast for ioctl

      This fixes ioctl behavior on powerpc e6500 platforms with 64bit kernel 
and 32bit
      userspace. The current type cast has no effect there and the value passed 
to the
      kernel is still 0. Probably an issue related to the compiler, since I'm 
assuming
      the same configuration works on a similar setup on x86.

      Also ensure consistency with previous type cast in TRACE message.

      Signed-off-by: Bogdan Purcareata <bogdan.purcareata@xxxxxxxxxxxxx>
      Message-Id: 
<1428058914-32050-1-git-send-email-bogdan.purcareata@xxxxxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      [Fix parens as noticed by Michael. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 510a647fa27a12b66be40da4c2c098430003225c
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Wed Apr 22 17:50:52 2015 -0400

      translate-all: use bitmap helpers for PageDesc's bitmap

      Here we have an open-coded byte-based bitmap implementation.
      Get rid of it since there's a ulong-based implementation to be
      used by all code.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b8eb5512fd8a115f164edbbe897cdf8884920ccb
  Author: Nadav Amit <namit@xxxxxxxxxxxxxxxxx>
  Date:   Mon Apr 13 02:32:08 2015 +0300

      target-i386: disable LINT0 after reset

      Due to old Seabios bug, QEMU reenable LINT0 after reset. This bug is long 
gone
      and therefore this hack is no longer needed.  Since it violates the
      specifications, it is removed.

      Signed-off-by: Nadav Amit <namit@xxxxxxxxxxxxxxxxx>
      Message-Id: <1428881529-29459-2-git-send-email-namit@xxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7398dfc7799a50097803db4796c7edb6cd7d47a1
  Author: Wei Liu <wei.liu2@xxxxxxxxxx>
  Date:   Mon Mar 9 14:54:33 2015 +0000

      Makefile.target: prepend $libs_softmmu to $LIBS

      I discovered a problem when trying to build QEMU statically with gcc.
      libm is an element of LIBS while libpixman-1 is an element in
      libs_softmmu. Libpixman references functions in libm, so the original
      ordering makes linking fail.

      This fix is to reorder $libs_softmmu and $LIBS to make -lm appear after
      -lpixman-1. However I'm not quite sure if this is the right fix, hence
      the RFC tag.

      Normally QEMU is built with c++ compiler which happens to link in libm
      (at least this is the case with g++), so building QEMU statically
      normally just works and nobody notices this issue.

      Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
      Message-Id: <1425912873-21215-1-git-send-email-wei.liu2@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 738e4171de478da2516180c7a139f1b762443618
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 10 11:17:48 2015 +0100

      milkymist: do not modify libs-softmmu

      This is better and prepares for the next patch.  When we copy
      libs_softmmu's value into LIBS with a := assignment, we cannot
      anymore modify libs_softmmu in the Makefiles.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2847b46958ab0bd604e1b3fcafba0f5ba4375833
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Mar 26 11:03:12 2015 +0800

      configure: Add support for tcmalloc

      This adds "--enable-tcmalloc" and "--disable-tcmalloc" to allow linking
      to libtcmalloc from gperftools.

      tcmalloc is a malloc implementation that works well with threads and is
      fast, so it is good for performance.

      It is disabled by default, because the MALLOC_PERTURB_ flag we use in
      tests doesn't work with tcmalloc. However we can enable tcmalloc
      specific heap checker and profilers later.

      An IOPS gain can be observed with virtio-blk-dataplane, other parts of
      QEMU will directly benefit from it as well:

      ==========================================================
                             glibc malloc
      ----------------------------------------------------------
      rw         bs         iodepth    bw     iops       latency
      read       4k         1          150    38511      24
      ----------------------------------------------------------

      ==========================================================
                               tcmalloc
      ----------------------------------------------------------
      rw         bs         iodepth    bw     iops       latency
      read       4k         1          156    39969      23
      ----------------------------------------------------------

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1427338992-27057-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c8368674980b299604e3cfe9215c4105acefa516
  Author: Ed Maste <emaste@xxxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest: Add assertion that required environment variable is set

      Signed-off-by: Ed Maste <emaste@xxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1427911244-22565-1-git-send-email-emaste@xxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit cf5aa89e9d32ae39bd9df27c9b2aec03c0d240b2
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: add flush retry test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-7-git-send-email-jsnow@xxxxxxxxxx

  commit 72c85e949fd162b039614d588d94393ff3e2dae3
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      libqos: add blkdebug_prepare_script

      Pull this helper out of ide-test and into libqos,
      to be shared with ahci-test.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-6-git-send-email-jsnow@xxxxxxxxxx

  commit ba4ed39346c1bdbfefd1d781b39009f90822b956
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      libqtest: add qmp_async

      Add qmp_async, which lets us send QMP commands asynchronously.
      This is useful when we want to send commands that will trigger
      event responses, but we don't know in what order to expect them.

      Sometimes the event responses may arrive even before the command
      confirmation will show up, so it is convenient to leave the responses
      in the stream.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-5-git-send-email-jsnow@xxxxxxxxxx

  commit 8fe941f749b2db3735abade1c298552de4eab496
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      libqtest: add qmp_eventwait

      Allow the user to poll until a desired interrupt occurs.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-4-git-send-email-jsnow@xxxxxxxxxx

  commit debaaa114a8877a939533ba846e64168fb287b7b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: Allow override of default CLI options

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-3-git-send-email-jsnow@xxxxxxxxxx

  commit 4e217074ca3f704d9a1c3bd1ebb03eb7621ab882
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: Add simple flush test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-2-git-send-email-jsnow@xxxxxxxxxx

  commit 727be1a7550b5caad0b94098a41de8033ad43f85
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: test different disk sectors

      Test sector offset 0, 1, and the last sector(s)
      in LBA28 and LBA48 modes.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Acked-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1426274523-22661-3-git-send-email-jsnow@xxxxxxxxxx

  commit 122fdf2d8822699482723e6f50f34c9c3933360b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: add qcow2 support to ahci-test

      This will enable the testing of high offsets without
      wasting a lot of disk space, and does not impact the
      previous tests.

      mkimg and mkqcow2 are added to libqos for other tests.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Acked-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1426274523-22661-2-git-send-email-jsnow@xxxxxxxxxx

  commit 24a5c62cfe3cbe3fb4722f79661b9900a2579316
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      fdc: remove sparc sun4m mutations

      They were introduced in 6f7e9aec5eb5bdfa57a9e458e391b785c283a007 and
      82407d1a4035e5bfefb53ffdcb270872f813b34c and lots of bug fixes were done 
after that.

      This fixes (at least) the detection of the floppy controller on Debian 
4.0r9/SPARC,
      and SS-5's OBP initialization routine still works.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Message-id: 1426351846-6497-1-git-send-email-hpoussin@xxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 52b7aba62f02cf90f57ee7e02f67d2d8445e7e40
  Merge: a9392bc 5655f93
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 18:58:15 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150428.0' into staging

      VFIO updates
       - Correction to BAR overflow
       - Fix error sign
       - Reset workaround for AMD Bonaire & Hawaii GPUs

      # gpg: Signature made Tue Apr 28 18:26:43 2015 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150428.0:
        vfio-pci: Reset workaround for AMD Bonaire and Hawaii GPUs
        vfio-pci: Fix error path sign
        vfio-pci: Further fix BAR size overflow

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5655f931abcfa5f100d12d021eaed606c2d4ef52
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Tue Apr 28 11:14:02 2015 -0600

      vfio-pci: Reset workaround for AMD Bonaire and Hawaii GPUs

      Somehow these GPUs manage not to respond to a PCI bus reset, removing
      our primary mechanism for resetting graphics cards.  The result is
      that these devices typically work well for a single VM boot.  If the
      VM is rebooted or restarted, the guest driver is not able to init the
      card from the dirty state, resulting in a blue screen for Windows
      guests.

      The workaround is to use a device specific reset.  This is not 100%
      reliable though since it depends on the incoming state of the device,
      but it substantially improves the usability of these devices in a VM.

      Credit to Alex Deucher <alexander.deucher@xxxxxxx> for his guidance.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit c6d231e2fd3773ef9a566ca24962f2314cb78f73
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Tue Apr 28 11:14:02 2015 -0600

      vfio-pci: Fix error path sign

      This is an impossible error path due to the fact that we're reading a
      kernel provided, rather than user provided link, which will certainly
      always fit in PATH_MAX.  Currently it returns a fixed 26 char path
      plus %d group number, which typically maxes out at double digits.
      However, the caller of the initfn certainly expects a less-than zero
      return value on error, not just a non-zero value.  Therefore we
      should correct the sign here.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 07ceaf98800519ef9c5dc893af00f1fe1f9144e4
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Tue Apr 28 11:14:02 2015 -0600

      vfio-pci: Further fix BAR size overflow

      In an analysis by Laszlo, the resulting type of our calculation for
      the end of the MSI-X table, and thus the start of memory after the
      table, is uint32_t.  We're therefore not correctly preventing the
      corner case overflow that we intended to fix here where a BAR >=4G
      could place the MSI-X table to end exactly at the 4G boundary.  The
      MSI-X table offset is defined by the hardware spec to 32bits, so we
      simply use a cast rather than changing data structure types.  This
      scenario is purely theoretically, typically the MSI-X table is located
      at the front of the BAR.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a9392bc93c8615ad1983047e9f91ee3fa8aae75f
  Merge: 84cbd63 61007b3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 16:55:03 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block patches

      # gpg: Signature made Tue Apr 28 15:35:05 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (76 commits)
        block: move I/O request processing to block/io.c
        block: extract bdrv_setup_io_funcs()
        block: add bdrv_set_dirty()/bdrv_reset_dirty() to block_int.h
        block: replace bdrv_states iteration with bdrv_next()
        vmdk: Widen before shifting 32 bit header field
        block/dmg: make it modular
        block/mirror: Always call block_job_sleep_ns()
        iotests: add incremental backup granularity tests
        iotests: add incremental backup failure recovery test
        iotests: add simple incremental backup case
        iotests: add QMP event waiting queue
        iotests: add invalid input incremental backup tests
        hbitmap: truncate tests
        block: Resize bitmaps on bdrv_truncate
        block: Ensure consistent bitmap function prototypes
        block: add BdrvDirtyBitmap documentation
        qmp: Add dirty bitmap status field in query-block
        qmp: add block-dirty-bitmap-clear
        qmp: Add support of "dirty-bitmap" sync mode for drive-backup
        block: Add bitmap successors
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit da2f84d1270d203027d82f778d5bcc1f7a49bab0
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue Apr 28 19:51:13 2015 +0800

      virtio-scsi: Move DEFINE_VIRTIO_SCSI_FEATURES to virtio-scsi

      So far virtio-scsi-device can't expose host features to guest while
      using virtio-mmio because it doesn't set DEFINE_VIRTIO_SCSI_FEATURES on
      backend or transport.

      The host features belong to the backends while virtio-scsi-pci,
      virtio-scsi-s390 and virtio-scsi-ccw set the DEFINE_VIRTIO_SCSI_FEATURES
      on transports. But they already have the ability to forward property
      accesses to the backend child. So if we move the host features to
      backends, it doesn't break the backwards compatibility for them and
      make host features work while using virtio-mmio.

      Move DEFINE_VIRTIO_SCSI_FEATURES to the backend virtio-scsi. The
      transports just sync the host features from backends.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit da3e8a23492dbc13c4b70d90b6ae42970624e63a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue Apr 28 19:51:12 2015 +0800

      virtio-net: Move DEFINE_VIRTIO_NET_FEATURES to virtio-net

      So far virtio-net-device can't expose host features to guest while
      using virtio-mmio because it doesn't set DEFINE_VIRTIO_NET_FEATURES on
      backend or transport. So the performance is low.

      The host features belong to the backend while virtio-net-pci,
      virtio-net-s390 and virtio-net-ccw set the DEFINE_VIRTIO_NET_FEATURES
      on transports. But they already have the ability to forward property
      accesses to the backend child. So if we move the host features to
      backends, it doesn't break the backwards compatibility for them and
      make host features work while using virtio-mmio.

      Here we move DEFINE_VIRTIO_NET_FEATURES to the backend virtio-net. The
      transports just sync the host features from backend. Meanwhile move
      virtio_net_set_config_size to virtio-net to make sure the config size
      is correct and don't expose it.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 51f7cb974ba1af9f68302f2bae4bf0161fb0ab03
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Apr 28 12:50:07 2015 +0200

      pci: Merge pci_nic_init() into pci_nic_init_nofail()

      The error reporting in pci_nic_init() is quite erratic: Some errors
      are printed directly with error_report(), and some are passed back
      to the caller pci_nic_init_nofail() via an Error pointer.
      Since pci_nic_init() is only used by pci_nic_init_nofail(), the
      functions can be simply merged to clean up this inconsistency.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 61007b316cd71ee7333ff7a0a749a8949527575f
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Apr 28 14:27:52 2015 +0100

      block: move I/O request processing to block/io.c

      The block.c file has grown to over 6000 lines.  It is time to split this
      file so there are fewer conflicts and the code is easier to maintain.

      Extract I/O request processing code:
       * Read
       * Write
       * Zero writes and making the image empty
       * Flush
       * Discard
       * ioctl
       * Tracked requests and queuing
       * Throttling and copy-on-read
       * Block status and allocated functions
       * Refreshing block limits
       * Reading/writing vmstate
       * qemu_blockalign() and friends

      The patch simply moves code from block.c into block/io.c.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0eb7217e49b84553bb30f97bc34380633fd846fe
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Apr 28 14:27:51 2015 +0100

      block: extract bdrv_setup_io_funcs()

      Move the code to install coroutine and aio emulation function pointers
      in a BlockDriver to its own function.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e0c47b6cb1de430fbc6f828f7acffa851c580840
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Apr 28 14:27:50 2015 +0100

      block: add bdrv_set_dirty()/bdrv_reset_dirty() to block_int.h

      The dirty bitmap functions are called from the block I/O processing
      code.  Make them visible to block_int.h users so they can be used
      outside block.c.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4f5472cb2d3d37ec3282cc3829612f9d696c2df7
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Apr 28 14:27:49 2015 +0100

      block: replace bdrv_states iteration with bdrv_next()

      The bdrv_states list is a static variable in block.c.

      bdrv_drain_all() and bdrv_flush_all() use this variable to iterate over
      all drives.

      The next patch will move bdrv_drain_all() and bdrv_flush_all() out of
      block.c so it's necessary to switch to the public bdrv_next() interface.

      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7237aecd7e8fcc3ccf7fded77b6c127b4df5d3ac
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Apr 27 22:23:01 2015 +0800

      vmdk: Widen before shifting 32 bit header field

      Coverity spotted this.

      The field is 32 bits, but if it's possible to overflow in 32 bit
      left shift.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5505e8b76f86f925c35ecc2b2d311886bb36534c
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Mon Apr 27 14:51:56 2015 +0300

      block/dmg: make it modular

      dmg can optionally utilize libbz2, make it modular

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 001c95b740b2ed3d8b486952f68b5f06e609f1f2
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Apr 27 13:07:31 2015 +0200

      block/mirror: Always call block_job_sleep_ns()

      The mirror block job is trying to take a clever shortcut if delay_ns is
      0 and skips block_job_sleep_ns() in that case. But that function must be
      called in every block job iteration, because otherwise it is for example
      impossible to pause the job.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 59fc5d844fe192494308d0f07507b712ec395129
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:09 2015 -0400

      iotests: add incremental backup granularity tests

      Test what happens if you fiddle with the granularity.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-22-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 24618f5381da650bd50c78feea07b35cf82e7d6c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:08 2015 -0400

      iotests: add incremental backup failure recovery test

      Test the failure case for incremental backups.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-21-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a3d715958c4456afea402e891288864fe4e51547
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:07 2015 -0400

      iotests: add simple incremental backup case

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-20-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7898f74e78a5900fc079868e255b65d807fa8a8f
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:06 2015 -0400

      iotests: add QMP event waiting queue

      A filter is added to allow callers to request very specific
      events to be pulled from the event queue, while leaving undesired
      events still in the stream.

      This allows us to poll for completion data for multiple asynchronous
      events in any arbitrary order.

      A new timeout context is added to the qmp pull_event method's
      wait parameter to allow tests to fail if they do not complete
      within some expected period of time.

      Also fixed is a bug in qmp.pull_event where we try to retrieve an event
      from an empty list if we attempt to retrieve an event with wait=False
      but no events have occurred.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-19-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9f7264f57c8307bca32e78427348b8b323d5db21
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:05 2015 -0400

      iotests: add invalid input incremental backup tests

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-18-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a94e87c08cfff73ac4b179adc3d0d9c3b8d2ddef
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:04 2015 -0400

      hbitmap: truncate tests

      The general approach is to set bits close to the boundaries of
      where we are truncating and ensure that everything appears to
      have gone OK.

      We test growing and shrinking by different amounts:
      - Less than the granularity
      - Less than the granularity, but across a boundary
      - Less than sizeof(unsigned long)
      - Less than sizeof(unsigned long), but across a ulong boundary
      - More than sizeof(unsigned long)

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-17-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ce1ffea8cdcea41533bde87759b8390f0e3a9ad3
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:03 2015 -0400

      block: Resize bitmaps on bdrv_truncate

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-16-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 20dca81075e712ebcbc151eed9b1a02d4e5d08f5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:02 2015 -0400

      block: Ensure consistent bitmap function prototypes

      We often don't need the BlockDriverState for functions
      that operate on bitmaps. Remove it.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-15-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit aa0c7ca506bb3f661be673b3d5c1320f37e52fdb
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:01 2015 -0400

      block: add BdrvDirtyBitmap documentation

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-14-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a113534ffb8f2580d323e6397e6908d5f4bfa0b7
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:00 2015 -0400

      qmp: Add dirty bitmap status field in query-block

      Add the "frozen" status booleans, to inform clients
      when a bitmap is occupied doing a task.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-13-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e74e6b78e6fe0c9ee426d1278fff45f5fa0af766
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:59 2015 -0400

      qmp: add block-dirty-bitmap-clear

      Add bdrv_clear_dirty_bitmap and a matching QMP command,
      qmp_block_dirty_bitmap_clear that enables a user to reset
      the bitmap attached to a drive.

      This allows us to reset a bitmap in the event of a full
      drive backup.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-12-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d58d84539784d27c826924a79d9436178b07ff69
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:58 2015 -0400

      qmp: Add support of "dirty-bitmap" sync mode for drive-backup

      For "dirty-bitmap" sync mode, the block job will iterate through the
      given dirty bitmap to decide if a sector needs backup (backup all the
      dirty clusters and skip clean ones), just as allocation conditions of
      "top" sync mode.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-11-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9bd2b08f27b9c27bb40d73b6466321b8c635086e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:57 2015 -0400

      block: Add bitmap successors

      A bitmap successor is an anonymous BdrvDirtyBitmap that is intended to
      be created just prior to a sensitive operation (e.g. Incremental Backup)
      that can either succeed or fail, but during the course of which we still
      want a bitmap tracking writes.

      On creating a successor, we "freeze" the parent bitmap which prevents
      its deletion, enabling, anonymization, or creating a bitmap with the
      same name.

      On success, the parent bitmap can "abdicate" responsibility to the
      successor, which will inherit its name. The successor will have been
      tracking writes during the course of the backup operation. The parent
      will be safely deleted.

      On failure, we can "reclaim" the successor from the parent, unifying
      them such that the resulting bitmap describes all writes occurring since
      the last successful backup, for instance. Reclamation will thaw the
      parent, but not explicitly re-enable it.

      BdrvDirtyBitmap operations that target a single bitmap are protected
      by assertions that the bitmap is not frozen and/or disabled.

      BdrvDirtyBitmap operations that target a group of bitmaps, such as
      bdrv_{set,reset}_dirty will ignore frozen/disabled drives with a
      conditional instead.

      Internal functions that enable/disable dirty bitmaps have assertions
      added to them to prevent modifying frozen bitmaps.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-10-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b8e6fb752e43b45b428487c244cab35f0ab94b10
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:56 2015 -0400

      block: Add bitmap disabled status

      Add a status indicating the enabled/disabled state of the bitmap.
      A bitmap is by default enabled, but you can lock the bitmap into
      a read-only state by setting disabled = true.

      A previous version of this patch added a QMP interface for changing
      the state of the bitmap, but it has since been removed for now until
      a use case emerges where this state must be revealed to the user.

      The disabled state WILL be used internally for bitmap migration and
      bitmap persistence.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-9-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit be58721dbf882fa8830f3669f499b0a5b501e90f
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:55 2015 -0400

      hbitmap: add hbitmap_merge

      We add a bitmap merge operation to assist in error cases
      where we wish to combine two bitmaps together.

      This is algorithmically O(bits) provided HBITMAP_LEVELS remains
      constant. For a full bitmap on a 64bit machine:
      sum(bits/64^k, k, 0, HBITMAP_LEVELS) ~= 1.01587 * bits

      We may be able to improve running speed for particularly sparse
      bitmaps by using iterators, but the running time for dense maps
      will be worse.

      We present the simpler solution first, and we can refine it later
      if needed.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-8-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8515efbef1759b9143f06e9722c8f4e145032181
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:54 2015 -0400

      hbitmap: cache array lengths

      As a convenience: between incremental backups, bitmap migrations
      and bitmap persistence we seem to need to recalculate these a lot.

      Because the lengths are a little bit-twiddly, let's just solidly
      cache them and be done with it.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-7-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 592fdd02ae987a439a2ba25a2a973673f1484805
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:53 2015 -0400

      block: Introduce bdrv_dirty_bitmap_granularity()

      This returns the granularity (in bytes) of dirty bitmap,
      which matches the QMP interface and the existing query
      interface.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-6-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 341ebc2f81b14862347e4d4c1fcb3759f815237a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:52 2015 -0400

      qmp: Add block-dirty-bitmap-add and block-dirty-bitmap-remove

      The new command pair is added to manage a user created dirty bitmap. The
      dirty bitmap's name is mandatory and must be unique for the same device,
      but different devices can have bitmaps with the same names.

      The granularity is an optional field. If it is not specified, we will
      choose a default granularity based on the cluster size if available,
      clamped to between 4K and 64K to mirror how the 'mirror' code was
      already choosing granularity. If we do not have cluster size info
      available, we choose 64K. This code has been factored out into a helper
      shared with block/mirror.

      This patch also introduces the 'block_dirty_bitmap_lookup' helper,
      which takes a device name and a dirty bitmap name and validates the
      lookup, returning NULL and setting errp if there is a problem with
      either field. This helper will be re-used in future patches in this
      series.

      The types added to block-core.json will be re-used in future patches
      in this series, see:
      'qapi: Add transaction support to block-dirty-bitmap-{add, enable, 
disable}'

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-5-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5fba6c0e50b66691568b34d5a2f4be0b39f5e20a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:51 2015 -0400

      qmp: Ensure consistent granularity type

      We treat this field with a variety of different types everywhere
      in the code. Now it's just uint32_t.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-4-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0db6e54a8a2c6e16780356422da671b71f862341
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:50 2015 -0400

      qapi: Add optional field "name" to block dirty bitmap

      This field will be set for user created dirty bitmap. Also pass in an
      error pointer to bdrv_create_dirty_bitmap, so when a name is already
      taken on this BDS, it can report an error message. This is not global
      check, two BDSes can have dirty bitmap with a common name.

      Implemented bdrv_find_dirty_bitmap to find a dirty bitmap by name, will
      be used later when other QMP commands want to reference dirty bitmap by
      name.

      Add bdrv_dirty_bitmap_make_anon. This unsets the name of dirty bitmap.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-3-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit efcfa278dca27f1c9db8b8283eac54f5e19074e7
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:49 2015 -0400

      docs: incremental backup documentation

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-2-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9eac3622a2b1159ab50b10540e822f3e58fdc383
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:33 2015 +0200

      block/iscsi: use the allocationmap also if cache.direct=on

      the allocationmap has only a hint character. The driver always
      double checks that blocks marked unallocated in the cache are
      still unallocated before taking the fast path and return zeroes.
      So using the allocationmap is migration safe and can
      also be enabled with cache.direct=on.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-10-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 03e40fef4678f9a42846c91a804b6d3c820e8b90
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:32 2015 +0200

      block/iscsi: bump year in copyright notice

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-9-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e380aff831c24b37c023010852e7ddd2ae1ec385
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:31 2015 +0200

      block/iscsi: handle SCSI_STATUS_TASK_SET_FULL

      a target may issue a SCSI_STATUS_TASK_SET_FULL status
      if there is more than one "BUSY" command queued already.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-8-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 59dd0a22ca4c3ac70c37263208b9e49cfeacf2e4
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:30 2015 +0200

      block/iscsi: increase retry count

      The idea is that a command is retried in a BUSY condition
      up a time of approx. 60 seconds before it is failed. This should
      be far higher than any command timeout in the guest.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-7-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 73b5394e2e4af3bbe01e221fa395373facc67f78
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:29 2015 +0200

      block/iscsi: optimize WRITE10/16 if cache.writeback is not set

      SCSI allowes to tell the target to not return from a write command
      if the date is not written to the disk. Use this so called FUA
      bit if it is supported to optimize WRITE commands if writeback is
      not allowed.

      In this case qemu always issues a WRITE followed by a FLUSH. This
      is 2 round trip times. If we set the FUA bit we can ignore the
      following FLUSH.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-6-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 752ce45150d3d70aabc4eb46a7a9cdfd8b4640fd
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:28 2015 +0200

      block/iscsi: store DPOFUA bit from the modesense command

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-5-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7191f2080c70228c6483b6604cc1c18943d8d766
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:27 2015 +0200

      block/iscsi: rename iscsi_write_protected and let it return void

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-4-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0a386e48527d16e5dedbc1ff62aa0042a1cbdac5
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:26 2015 +0200

      block/iscsi: change all iscsilun properties from uint8_t to bool

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-3-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 20474e9aa040b9a255c63127f1eb873c29c54f68
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:25 2015 +0200

      block/iscsi: do not forget to logout from target

      We actually were always impolitely dropping the connection and
      not cleanly logging out.

      CC: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-2-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d5a8ee60a0fbc20a2c2d02f3bda1bb1bd365f1ee
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Apr 17 14:52:43 2015 +0300

      qmp: fill in the image field in BlockDeviceInfo

      The image field in BlockDeviceInfo is supposed to contain an ImageInfo
      object. However that is being filled in by bdrv_query_info(), not by
      bdrv_block_device_info(), which is where BlockDeviceInfo is actually
      created.

      Anyone calling bdrv_block_device_info() directly will get a null image
      field. As a consequence of this, the HMP command 'info block -n -v'
      crashes QEMU.

      This patch moves the code that fills in that field from
      bdrv_query_info() to bdrv_block_device_info().

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1429271563-3765-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9419874f709469de16c1bced7731bfecb07fe1cf
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 22 11:15:10 2015 +0100

      Revert "hmp: fix crash in 'info block -n -v'"

      This reverts commit 638b8366200130cc7cf7a026630bc6bfb63b0c4c.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit dc881b441d74b8fc6c9c007cd03d5d05bca388dd
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Apr 8 12:29:20 2015 +0300

      block: add 'node-name' field to BLOCK_IMAGE_CORRUPTED

      Since this event can occur in nodes that cannot have a device name
      associated, include also a field with the node name.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
147cec5b3594f4bec0cb41c98afe5fcbfb67567c.1428485266.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 81e5f78a9f4f13548ec1edddaf780d339f18e2d2
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Apr 8 12:29:19 2015 +0300

      block: use bdrv_get_device_or_node_name() in error messages

      There are several error messages that identify a BlockDriverState by
      its device name. However those errors can be produced in nodes that
      don't have a device name associated.

      In those cases we should use bdrv_get_device_or_node_name() to fall
      back to the node name and produce a more meaningful message. The
      messages are also updated to use the more generic term 'node' instead
      of 'device'.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 
9823a1f0514fdb0692e92868661c38a9e00a12d6.1428485266.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9b2aa84f87f5b95cb0295dcae38fbfbf115df2be
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Apr 8 12:29:18 2015 +0300

      block: add bdrv_get_device_or_node_name()

      This function gets the device name associated with a BlockDriverState,
      or its node name if the device name is empty.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 
4fa30aa8d61d9052ce266fd5429a59a14e941255.1428485266.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ec683d604069dcdaaa516789274bc0cdc14e5247
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 15 11:43:42 2015 +0100

      block: document block-stream in qmp-commands.hx

      The 'block-stream' QMP command is documented in block-core.json but not
      qmp-commands.hx.  Add a summary of the command to qmp-commands.hx
      (similar to the documentation for 'block-commit').

      Reported-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 1429094622-26218-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c485cf9c9277ca9b3d5227c99a13c374e812f42b
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 15 10:43:44 2015 +0100

      m25p80: fix s->blk usage before assignment

      Delay the call to blk_blockalign() until s->blk has been assigned.

      This never caused a crash because blk_blockalign(NULL, size) defaults to
      4096 alignment but it's technically incorrect.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1429091024-25098-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d07063e46047242c4f010ff9ddbff5e02f15d9e7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Apr 14 17:29:47 2015 +0200

      m25p80: add missing blk_attach_dev_nofail

      Of the block devices that poked into -drive options via drive_get_next,
      m25p80 was the only one who also did not attach itself to the 
BlockBackend.

      Since sd does it, and all other devices go through a "drive" property,
      with this change all block backends attached to the guest will have a
      non-NULL result for blk_get_attached_dev().

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1429025387-11077-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4eb867e98c1815d9d7a2a9380182005df12064a7
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Sun Apr 12 17:55:17 2015 +0200

      virtio_blk: comment fix

      update virtio blk header from latest linux, include comment fixups.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1428854036-12806-1-git-send-email-mst@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0b5a24454fc551f0294fe93821e8c643214a55f5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sat Mar 28 07:37:18 2015 +0100

      block: avoid unnecessary bottom halves

      bdrv_aio_* APIs can use coroutines to achieve asynchronicity.  However,
      the coroutine may terminate without having yielded back to the caller
      (for example because of something that invokes a nested event loop,
      or because the coroutine is doing nothing at all).  In this case,
      the bdrv_aio_* API must delay the completion to the next iteration
      of the main loop, because bdrv_aio_* will never invoke the callback
      before returning.

      This can be done with a bottom half, and indeed bdrv_aio_* is always
      using one for simplicity.  It is possible to gain some performance
      (~3%) by avoiding this in the common case.  A new field in the
      BlockAIOCBCoroutine struct is set to true until the first time the
      corotine has yielded to its creator, and completion goes through a
      new function bdrv_co_complete.  If the flag is false, bdrv_co_complete
      invokes the callback immediately.  If it is true, the caller will
      notice that the coroutine has completed and schedule the bottom
      half itself.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427524638-28157-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a7282330c01364ef00260749bc6a37c7f16ec047
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 3 22:05:21 2015 +0800

      blockjob: Update function name in comments

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1428069921-2957-5-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e62303a437af72141c8d04c36799521a56d6f4f6
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 3 22:05:20 2015 +0800

      qemu-iotests: Test that "stop" doesn't drain block jobs

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1428069921-2957-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 69da3b0b47c8f6016e9109fcfa608e9e7e99bc05
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 3 22:05:19 2015 +0800

      block: Pause block jobs in bdrv_drain_all

      This is necessary to suppress more IO requests from being generated from
      block job coroutines.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1428069921-2957-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 751ebd76e654bd1e65da08ecf694325282b4cfcc
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 3 22:05:18 2015 +0800

      blockjob: Allow nested pause

      This patch changes block_job_pause to increase the pause counter and
      block_job_resume to decrease it.

      The counter will allow calling block_job_pause/block_job_resume
      unconditionally on a job when we need to suspend the IO temporarily.

      From now on, each block_job_resume must be paired with a block_job_pause
      to keep the counter balanced.

      The user pause from QMP or HMP will only trigger block_job_pause once
      until it's resumed, this is achieved by adding a user_paused flag in
      BlockJob.

      One occurrence of block_job_resume in mirror_complete is replaced with
      block_job_enter which does what is necessary.

      In block_job_cancel, the cancel flag is good enough to instruct
      coroutines to quit loop, so use block_job_enter to replace the unpaired
      block_job_resume.

      Upon block job IO error, user is notified about the entering to the
      pause state, so this pause belongs to user pause, set the flag
      accordingly and expect a matching QMP resume.

      [Extended doc comments as suggested by Paolo Bonzini
      <pbonzini@xxxxxxxxxx>.
      --Stefan]

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1428069921-2957-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 199667a8c843d268f0fe80f09041b8c7193f1ba5
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Apr 1 09:45:40 2015 +0800

      MAINTAINERS: Add Fam Zheng as Null block driver maintainer

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427852740-24315-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1c2b49a17282f3abd9ccf71b65d0be62d3b3192e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Apr 1 09:45:39 2015 +0800

      block/null: Support reopen

      Reopen is used in block-commit. With this always-succeed operation, it
      is now possible to test committing to a null drive, by specifying
      "null-aio://" or "null-co://" as the backing image when creating the
      qcow2 image.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427852740-24315-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e5e51dd3af6a0872dedce290ee41437b5aeed109
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Apr 1 09:45:38 2015 +0800

      block/null: Latency simulation by adding new option "latency-ns"

      Aio context switch should just work because the requests will be
      drained, so the scheduled timer(s) on the old context will be freed.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427852740-24315-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9eddd6a4b3b187ba50038800b6e4aeda4973b365
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Mar 26 22:42:34 2015 +0000

      scripts: add 'qemu coroutine' command to qemu-gdb.py

      The 'qemu coroutine <coroutine-address>' GDB command prints the
      backtrace for a CoroutineUContext.  This is useful for peeking inside
      yielded coroutines that are waiting for file descriptor events, timers,
      etc.

      For example:

        $ gdb tests/test-coroutine
        (gdb) b test_yield
        (gdb) r
        (gdb) b qemu_coroutine_enter
        (gdb) c
        (gdb) c
        Continuing.

        Breakpoint 2, qemu_coroutine_enter (co=0x555555c66520, opaque=0x0) at 
qemu-coroutine.c:103
        103     {
        (gdb) source scripts/qemu-gdb.py
        (gdb) qemu coroutine 0x555555c66520
        #0  0x000055555557a740 in qemu_coroutine_switch (from_=<optimized out>, 
to_=0x7ffff7f90a70, action=COROUTINE_YIELD) at coroutine-ucontext.c:177
        #1  0x0000555555566af9 in yield_5_times (opaque=0x7fffffffdbb7) at 
tests/test-coroutine.c:107
        #2  0x000055555557a7aa in coroutine_trampoline (i0=<optimized out>, 
i1=<optimized out>) at coroutine-ucontext.c:80
        #3  0x00007ffff08de000 in __start_context () at /lib64/libc.so.6

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427409754-8556-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1faa5bb73247339bf3d797433a9ade990ef0fb32
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Apr 2 17:39:22 2015 +0100

      thread-pool: clean up thread_pool_completion_bh()

      This patch simplifies thread_pool_completion_bh().

      The function first checks elem->state:

        if (elem->state != THREAD_DONE) {
            continue;
        }

      It then goes on to check elem->state == THREAD_DONE although we already
      know this must be the case.

      The QLIST_REMOVE() is duplicated down both branches of an if-else
      statement so that can be lifted out as well.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1427992762-10126-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d1a126c53ddc563b7b731cee013e0362f7a5f22f
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 14 16:36:16 2015 +0200

      vhdx: Fix zero-fill iov length

      Fix the length of the zero-fill for the back, which was accidentally
      using the same value as for the front. This is caught by qemu-iotests
      033.

      For consistency, change the code for the front as well to use the length
      stored in the iov (it is the same value, copied four lines above).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Acked-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 8eedfbd4a50299f03b3630659c34ad1b01f69370
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 14 16:32:45 2015 +0200

      blkdebug: Add bdrv_truncate()

      This is, amongst others, required for qemu-iotests 033 to run as
      intended on VHDX, which uses explicit bdrv_truncate() calls to bs->file
      when allocating new blocks.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit e4f587492331df0ac50bad6131ea273d527af796
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Mar 19 13:33:33 2015 +0100

      qemu-iotests: Some qemu-img convert tests

      This adds a regression test for some problems that the qemu-img convert
      rewrite just fixed.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 690c7301600162421b928c7f26fd488fd8fa464e
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Mar 19 13:33:32 2015 +0100

      qemu-img convert: Rewrite copying logic

      The implementation of qemu-img convert is (a) messy, (b) buggy, and
      (c) less efficient than possible. The changes required to beat some
      sense into it are massive enough that incremental changes would only
      make my and the reviewers' life harder. So throw it away and reimplement
      it from scratch.

      Let me give some examples what I mean by messy, buggy and inefficient:

      (a) The copying logic of qemu-img convert has two separate branches for
          compressed and normal target images, which roughly do the same -
          except for a little code that handles actual differences between
          compressed and uncompressed images, and much more code that
          implements just a different set of optimisations and bugs. This is
          unnecessary code duplication, and makes the code for compressed
          output (unsurprisingly) suffer from bitrot.

          The code for uncompressed ouput is run twice to count the the total
          length for the progress bar. In the first run it just takes a
          shortcut and runs only half the loop, and when it's done, it toggles
          a boolean, jumps out of the loop with a backwards goto and starts
          over. Works, but pretty is something different.

      (b) Converting while keeping a backing file (-B option) is broken in
          several ways. This includes not writing to the image file if the
          input has zero clusters or data filled with zeros (ignoring that the
          backing file will be visible instead).

          It also doesn't correctly limit every iteration of the copy loop to
          sectors of the same status so that too many sectors may be copied to
          in the target image. For -B this gives an unexpected result, for
          other images it just does more work than necessary.

          Conversion with a compressed target completely ignores any target
          backing file.

      (c) qemu-img convert skips reading and writing an area if it knows from
          metadata that copying isn't needed (except for the bug mentioned
          above that ignores a status change in some cases). It does, however,
          read from the source even if it knows that it will read zeros, and
          then search for non-zero bytes in the read buffer, if it's possible
          that a write might be needed.

      This reimplementation of the copying core reorganises the code to remove
      the duplication and have a much more obvious code flow, by essentially
      splitting the copy iteration loop into three parts:

      1. Find the number of contiguous sectors of the same status at the
         current offset (This can also be called in a separate loop before the
         copying loop in order to determine the total sectors for the progress
         bar.)

      2. Read sectors. If the status implies that there is no data there to
         read (zero or unallocated cluster), don't do anything.

      3. Write sectors depending on the status. If it's data, write it. If
         we want the backing file to be visible (with -B), don't write it. If
         it's zeroed, skip it if you can, otherwise use bdrv_write_zeroes() to
         optimise the write at least where possible.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 0df89e8e6f62aea32a7302e73a86b7bfe5821018
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Mar 19 13:33:31 2015 +0100

      block-backend: Expose bdrv_write_zeroes()

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit a0710f7995f914e3044e5899bd8ff6c43c62f916
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Feb 20 17:26:52 2015 +0100

      iothread: release iothread around aio_poll

      This is the first step towards having fine-grained critical sections in
      dataplane threads, which resolves lock ordering problems between
      address_space_* functions (which need the BQL when doing MMIO, even
      after we complete RCU-based dispatch) and the AioContext.

      Because AioContext does not use contention callbacks anymore, the
      unit test has to be changed.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1424449612-18215-4-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 49110174f8835ec3d5ca7fc076ee1f51c18564fe
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Feb 20 17:26:51 2015 +0100

      AioContext: acquire/release AioContext during aio_poll

      This is the first step in pushing down acquire/release, and will let
      rfifolock drop the contention callback feature.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1424449612-18215-3-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e98ab097092e54999f046e9efa1ca1dd52f0c9e5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Feb 20 17:26:50 2015 +0100

      aio-posix: move pollfds to thread-local storage

      By using thread-local storage, aio_poll can stop using global data during
      g_poll_ns.  This will make it possible to drop callbacks from rfifolock.

      [Moved npfd = 0 assignment to end of walking_handlers region as
      suggested by Paolo.  This resolves the assert(npfd == 0) assertion
      failure in pollfds_cleanup().
      --Stefan]

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1424449612-18215-2-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit de50a20a4cc368d241d67c600f8c0f667186a8b5
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Mar 25 15:27:26 2015 +0800

      block: Switch to host monotonic clock for IO throttling

      Currently, throttle timers won't make any progress when VCPU is not
      running, which would stall the request queue in utils, qtest, vm
      suspending, and live migration, without special handling.

      Block jobs are confusingly inconsistent between with and without
      throttling: if user sets a bps limit, stops the vm, then start a block
      job, the block job will not make any progress; in contrary, if user
      unsets the bps limit, or if it's not set, the block job will run
      normally.

      After this patch, with the host clock, even if the VCPUs are stopped,
      the throttle queues will be processed.

      This patch also enables potential to add throttle to bdrv_drain_all.
      Currently all requests are drained immediately. In other words whenever
      it is called, IO throttling goes ineffective (examples: system reset,
      migration and many block job operations.). This is a loophole that guest
      could exploit. If we use the host clock, we can later just trust the
      nested poll. This could be done on top.

      Note that for qemu-iotests case 093, which uses qtest, we still keep vm
      clock so the script can control the clock stepping in order to be
      deterministic.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1427268446-6426-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8b6ee9aeb3f0508ed2a41381cde13bdb8707b7be
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:31 2015 +0000

      checkpatch: complain about ffs(3) calls

      The ffs(3) family of functions is not portable.  MinGW doesn't always
      provide the function.

      Use ctz32() or ctz64() instead.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-10-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f450a85899585776ccd0913d2361dd8f82666e44
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:30 2015 +0000

      os-win32: drop ffs(3) prototype

      The lack of ffs(3) in the MinGW headers is a hint that we shouldn't rely
      on it.  MinGW 4.9.2 does not make it available for linking when QEMU's
      ./configure --enable-debug is used (release builds are fine though).

      Now that all QEMU code has been switched to ctz32() there is no need for
      ffs(3).

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-9-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 41074f3d3ff0e9a3c6f638627c12ebbf6d757cea
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:29 2015 +0000

      omap_intc: convert ffs(3) to ctz32() in omap_inth_sir_update()

      Rewrite the loop using level &= level - 1 to clear the least significant
      bit after each iteration.  This simplifies the loop and makes it easy to
      replace ffs(3) with ctz32().

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-8-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c9d933185181cb1cf81bc4c9e5c3a10a5934b017
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:28 2015 +0000

      sd: convert sd_normal_command() ffs(3) call to ctz32()

      ffs() cannot be replaced with ctz32() when the argument might be zero,
      because ffs(0) returns 0 while ctz32(0) returns 32.

      The ffs(3) call in sd_normal_command() is a special case though.  It can
      be converted to ctz32() + 1 because the argument is never zero:

        if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
            ~~~~~~~~~~~~~~~
                  ^--------------- req.arg cannot be zero

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-7-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bd2a88840e2496e29442f333c8fdd6491e831a35
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:27 2015 +0000

      Convert ffs() != 0 callers to ctz32()

      There are a number of ffs(3) callers that do roughly:

        bit = ffs(val);
        if (bit) {
            do_something(bit - 1);
        }

      This pattern can be converted to ctz32() like this:

        zeroes = ctz32(val);
        if (zeroes != 32) {
            do_something(zeroes);
        }

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-6-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 786a4ea82ec9c87e3a895cf41081029b285a5fe5
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:26 2015 +0000

      Convert (ffs(val) - 1) to ctz32(val)

      This commit was generated mechanically by coccinelle from the following
      semantic patch:

      @@
      expression val;
      @@
      - (ffs(val) - 1)
      + ctz32(val)

      The call sites have been audited to ensure the ffs(0) - 1 == -1 case
      never occurs (due to input validation, asserts, etc).  Therefore we
      don't need to worry about the fact that ctz32(0) == 32.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-5-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5863d374a32c98a7adb4c5e49d62de3cdc16d2ea
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:25 2015 +0000

      uninorth: convert ffs(3) to ctz32()

      It is not clear from the code how a 0 parameter should be handled by the
      hardware.  Keep the same behavior as ffs(0) - 1 == -1.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-4-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ad5f5fdca83cccd1a4c269b1fd8ba2fce8d1ba26
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:24 2015 +0000

      hw/arm/nseries: convert ffs(3) to ctz32()

      It is not clear from the code how a 0 parameter should be handled by the
      hardware.  Keep the same behavior as ffs(0) - 1 == -1.

      Cc: Andrzej Zaborowski <balrog@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-3-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 588ef9d411339012fc3c94bfad8911e9d0a517a2
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:23 2015 +0000

      bt-sdp: fix broken uuids power-of-2 calculation

      The binary search in sdp_uuid_match() only works when the number of
      elements to search is a power of two.

        lo = record->uuid;
        hi = record->uuids;
        while (hi >>= 1)
            if (lo[hi] <= val)
                lo += hi;

        return *lo == val;

      I noticed that the record->uuids calculation in
      sdp_service_record_build() was suspect:

        record->uuids = 1 << ffs(record->uuids - 1);

      Unlike most ffs(val) - 1 users, the expression is ffs(val - 1)!

      Actually ffs() is the wrong function to use for power-of-2.  Use
      pow2ceil() to achieve the correct effect.  Now the record->uuid[] array
      is sized correctly and the binary search in sdp_uuid_match() should
      work.

      I'm not sure how to run/test this code.

      Cc: Andrzej Zaborowski <balrog@xxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-2-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ecdda9e03d73d2cc1c82c00cccc02f087741b6a5
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Mar 16 18:22:05 2015 +0200

      MAINTAINERS: Add myself as the maintainer of the Quorum driver

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1426522925-14444-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 407bc15033b2a8faeb7ca42aab63b7bcede76e10
  Author: Yi Wang <up2wing@xxxxxxxxx>
  Date:   Thu Mar 12 22:54:42 2015 +0800

      savevm: create snapshot failed when id_str already exists

      The command "virsh create" will fail in such condition: vm has two
      disks: vda and vdb. vda has snapshot s1 with id "1", vdb doesn't have
      s1 but has snapshot s2 with id "1".  When we want to run command "virsh
      create s1", del_existing_snapshots() only deletes s1 in vda, and
      bdrv_snapshot_create() tries to create vdb's snapshot s1 with id "1",
      but id "1" alreay exists in vdb with name "s2"!

      The simplest way is call find_new_snapshot_id() unconditionally.

      Signed-off-by: Yi Wang <up2wing@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 84cbd63f87c1d246f51ec8eee5367a5588f367fd
  Merge: 54965ee 726a8ff
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 12:22:20 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-04-27 (v2)

      # gpg: Signature made Mon Apr 27 19:42:39 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Remove AMD feature flag aliases from CPU model table
        target-i386: X86CPU::xlevel2 QOM property
        target-i386: Make "level" and "xlevel" properties static
        qemu-config: Accept empty option values
        MAINTAINERS: Change status of X86 to Maintained
        MAINTAINERS: Add myself to X86

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 54965ee61dbc114e98777f456b7cd6a778fbb412
  Merge: da378d0 2f54eb9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 11:33:47 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-04-27

      # gpg: Signature made Mon Apr 27 19:02:19 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/numa-pull-request:
        MAINTAINERS: Add myself as NUMA code maintainer

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit da378d014d27fe3a243bd8e7e060e9eb8c1a272b
  Merge: 3d27b09 4eb2764
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 10:31:03 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150427' into staging

      target-arm queue:
       * memory system updates to support transaction attributes
       * set user-mode and secure attributes for accesses made by ARM CPUs
       * rename c1_coproc to cpacr_el1
       * adjust id_aa64pfr0 when has_el3 CPU property disabled
       * allow ARMv8 SCR.SMD updates

      # gpg: Signature made Mon Apr 27 16:14:30 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150427:
        Allow ARMv8 SCR.SMD updates
        target-arm: Adjust id_aa64pfr0 when has_el3 CPU property disabled
        target-arm: rename c1_coproc to cpacr_el1
        target-arm: Check watchpoints against CPU security state
        target-arm: Use attribute info to handle user-only watchpoints
        target-arm: Add user-mode transaction attribute
        target-arm: Use correct memory attributes for page table walks
        target-arm: Honour NS bits in page tables
        Switch non-CPU callers from ld/st*_phys to address_space_ld/st*
        exec.c: Capture the memory attributes for a watchpoint hit
        exec.c: Add new address_space_ld*/st* functions
        exec.c: Make address_space_rw take transaction attributes
        exec.c: Convert subpage memory ops to _with_attrs
        Add MemTxAttrs to the IOTLB
        Make CPU iotlb a structure rather than a plain hwaddr
        memory: Replace io_mem_read/write with memory_region_dispatch_read/write
        memory: Define API for MemoryRegionOps to take attrs and return status

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7824df3889499acc7466317175a3fb24a0824002
  Author: Gal Hammer <ghammer@xxxxxxxxxx>
  Date:   Tue Apr 21 11:26:12 2015 +0300

      acpi: add a missing backslash to the \_SB scope.

      A predefined scope in the ACPI specs is precede with a backslash.

      Signed-off-by: Gal Hammer <ghammer@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit bc09e06113e79e5d70cf2b37015a26f2102cc03e
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:22 2015 +0800

      qmp-event: add event notification for memory hot unplug error

      When memory hot unplug fails, this patch adds support to send
      QMP event to notify mgmt about this failure.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c06b2ffb02bfcc642c67300d2c4dffd5aa54932b
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:21 2015 +0800

      acpi: add hardware implementation for memory hot unplug

      - implements QEMU hardware part of memory hot unplug protocol
        described at "docs/spec/acpi_mem_hotplug.txt"
      - handles memory remove notification event
      - handles device eject notification

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 660e8ec70065c8b1fd68b2cb137de16d831959f4
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:20 2015 +0800

      acpi: fix "Memory device control fields" register

      0 bit in Memory device control fields must be cleared before writing to
      register. But now this field isn't cleared when other fields are written.

      To solve this bug, This patch fixes UpdateRule to WriteAsZeros in "Memory
      device control fields" register.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit af5098973136029211848b4999ad5d38bc90180f
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:19 2015 +0800

      acpi: extend aml_field() to support UpdateRule

      The flags field is declared with default update rule 'Preserve',
      this patch extends aml_field() to support UpdateRule so that we
      can specify different values per field.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f7d3e29db5a5900a1f0ed10f8313f7c3f28e5b59
  Author: Tang Chen <tangchen@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:18 2015 +0800

      acpi, mem-hotplug: add unplug cb for memory device

      This patch adds unplug cb for memory device. It resets memory status
      "is_enabled" in acpi_memory_unplug_cb(), removes the corresponding
      memory region, unregisters vmstate, and unparents the object.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Tang Chen <tangchen@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 64fec58e8ab62490edd2638e4214d8c9f84518c9
  Author: Tang Chen <tangchen@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:17 2015 +0800

      acpi, mem-hotplug: add unplug request cb for memory device

      This patch adds unplug request cb for memory device, and adds the
      is_removing boolean field to MemStatus. This field is used to indicate
      whether the memory device in slot has been requested to be ejected.
      This field is set to true in acpi_memory_unplug_request_cb().

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Tang Chen <tangchen@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4aae99b63333e71b2097b106bb15a6fde7f9b55b
  Author: Tang Chen <tangchen@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:16 2015 +0800

      acpi, mem-hotplug: add acpi_memory_slot_status() to get MemStatus

      Add a new API named acpi_memory_slot_status() to obtain a single memory
      slot status. Doing this is because this procedure will be used by other
      functions in the next coming patches.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Tang Chen <tangchen@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4fccb4834d0455519ff6d7a81551a8dfd360fefa
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:15 2015 +0800

      docs: update documentation for memory hot unplug

      Add specification about how to use memory hot unplug, and add
      a flow diagram to explain memory hot unplug process.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 850d00700ba787988b6c5404e8c1a3add7141db1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Apr 27 21:01:20 2015 +0200

      virtio: coding style tweak

      no space needed after *.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a0ccd2123ee2f83a1f081e4c39013c3316f9ec7a
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:49 2015 +0800

      pci: remove hard-coded bar size in msix_init_exclusive_bar()

      This patch lets msix_init_exclusive_bar() can calculate the bar and
      pba size based on the number of MSI-X vectors other than using a
      hard-coded limit 4096. This is needed to allow device to have more
      than 128 MSI_X vectors. To keep migration compatibility, keep using
      4096 as bar size and 2048 for pba offset.

      Notes: We don't care about the case that using vectors > 128 for
      legacy machine type. Since we limit the queue max to 64, so vectors >=
      65 is meaningless.

      Virtio device will be the first user for this.

      Cc: Keith Busch <keith.busch@xxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 851c2a75a6e80c8aa5e713864d98cfb512e7229b
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:47 2015 +0800

      virtio-pci: speedup MSI-X masking and unmasking

      This patch tries to speed up the MSI-X masking and unmasking through
      the mapping between vector and queues. With this patch it will there's
      no need to go through all possible virtqueues, which may help to
      reduce the time spent when doing MSI-X masking/unmasking a single
      vector when more than hundreds or even thousands of virtqueues were
      supported.

      Tested with 80 queue pairs virito-net-pci by changing the smp affinity
      in the background and doing netperf in the same time:

      Before the patch:
      5711.70 Gbits/sec
      After the patch:
      6830.98 Gbits/sec

      About 19.6% improvements in throughput.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e0d686bf4b9d018ba5449f057b486bb5e1fa1a0d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:46 2015 +0800

      virtio: introduce vector to virtqueues mapping

      Currently we will try to traverse all virtqueues to find a subset that
      using a specific vector. This is sub optimal when we will support
      hundreds or even thousands of virtqueues. So this patch introduces a
      method which could be used by transport to get all virtqueues that
      using a same vector. This is done through QLISTs and the number of
      QLISTs was queried through a transport specific method. When guest
      setting vectors, the virtqueue will be linked and helpers for traverse
      the list was also introduced.

      The first user will be virtio pci which will use this to speed up
      MSI-X masking and unmasking handling.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 955cc8c9541779e09895a9c5ccbf8ace15d884f5
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:40 2015 +0800

      virtio-ccw: using VIRTIO_NO_VECTOR instead of 0 for invalid virtqueue

      It's a bad idea to need to use vector 0 for invalid virtqueue. So this 
patch
      changes to using VIRTIO_NO_VECTOR instead.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      CC: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit bcfa4d60144fb879f0ffef0a6d174faa37b2df82
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:39 2015 +0800

      monitor: check return value of qemu_find_net_clients_except()

      qemu_find_net_clients_except() may return a value which is greater
      than the size of array we provided. So we should check this value
      before using it, otherwise this may cause unexpected memory access.

      This patch fixes the net related command completion when we have a
      virtio-net nic with more than 255 queues.

      Cc: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit eaed483c1b3db1ac312116fca5d20c45b4b418b2
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:38 2015 +0800

      monitor: replace the magic number 255 with MAX_QUEUE_NUM

      This patch replace the magic number 255, and increase it to
      MAX_QUEUE_NUM which is maximum number of queues supported by a nic.

      Cc: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d25228e7befac33b665cd9250292de47ae6b78b5
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:37 2015 +0800

      ppc: spapr: add 2.4 machine type

      The following patches will limit the following things to legacy
      machine type:

      - maximum number of virtqueues for virtio-pci were limited to 64

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: qemu-ppc@xxxxxxxxxx

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      Reviewed-by: Alexander Graf <agraf@xxxxxxx>

  commit 3d27b09cf6f62ec61c1330d0a811811a91e7514d
  Merge: 3f9d69b 700cd85
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 27 20:00:57 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150427-1' 
into staging

      spice: misc fixes.

      # gpg: Signature made Mon Apr 27 12:03:16 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150427-1:
        spice: learn to hide cursor
        spice: set pointer position on hotspot
        spice: fix mouse cursor position
        spice: fix simple display on bigendian hosts
        monitor: Make client_migrate_info synchronous

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b0e966d0209fa5c93d510d1756a87dd4229b1f8a
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:36 2015 +0800

      spapr: add machine type specific instance init function

      This patches adds machine type specific instance initialization
      functions. Those functions will be used by following patches to compat
      class properties for legacy machine types.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: qemu-ppc@xxxxxxxxxx
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5cb50e0acc7ba6063b87664404103cce217c0493
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:35 2015 +0800

      pc: add 2.4 machine types

      The following patches will limit the following things to legacy
      machine type:

      - maximum number of virtqueues for virtio-pci were limited to 64
      - auto msix bar size for virtio-net-pci were disabled by default

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 27a46dcf5038e20451101ed2d5414aebf3846e27
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:34 2015 +0800

      virtio-net: fix the upper bound when trying to delete queues

      Virtqueue were indexed from zero, so don't delete virtqueue whose
      index is n->max_queues * 2 + 1.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 294ce717e0f212ed0763307f3eab72b4a1bdf4d0
  Author: Luke Gorrie <luke@xxxxxxxx>
  Date:   Sun Apr 26 15:00:49 2015 +0200

      vhost-user: Send VHOST_RESET_OWNER on vhost stop

      Ensure that the vhost-user slave knows when the vrings are valid and
      when they are invalid, for example during a guest reboot.

      The vhost-user protocol says this of VHOST_RESET_OWNER:

            Issued when a new connection is about to be closed. The Master
            will no longer own this connection (and will usually close it).

      Send this message to tell the vhost-user slave that the vhost session
      has ended and that session state (e.g. vrings) is no longer valid.

      Signed-off-by: Luke Gorrie <luke@xxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 658c27181bf3b08a9cf2fab00ecce7f76065f6af
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri Apr 3 18:03:34 2015 +0800

      hw/i386/acpi-build: move generic acpi building helpers into dedictated 
file

      Move generic acpi building helpers into dedictated file and this
      can be shared with other machines.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 395e5fb4421a03c9d3a002bbb55d56b74024a568
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri Apr 3 18:03:33 2015 +0800

      hw/i386: Move ACPI header definitions in an arch-independent location

      The ACPI related header file acpi-defs.h, includes definitions that
      apply on other architectures as well. Move it in `include/hw/acpi/`
      to sanely include it from other architectures.

      Signed-off-by: Alvise Rigo <a.rigo@xxxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 853cff8e2815c99429d53baa71110416c1de2798
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Apr 15 10:55:46 2015 +0200

      acpi-build: close } in comment

      missing } confuses editors

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 726a8ff68677d8d5fba17eb0ffb85076bfb598dc
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Apr 10 14:45:00 2015 -0300

      target-i386: Remove AMD feature flag aliases from CPU model table

      When CPU vendor is AMD, the AMD feature alias bits on
      CPUID[0x80000001].EDX are already automatically copied from CPUID[1].EDX
      on x86_cpu_realizefn(). When CPU vendor is Intel, those bits are
      reserved and should be zero. On either case, those bits shouldn't be set
      in the CPU model table.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 01431f3ce0f31e123172cc99c12c98c0ddbe9917
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Apr 2 17:22:27 2015 -0300

      target-i386: X86CPU::xlevel2 QOM property

      We already have "level" and "xlevel", only "xlevel2" is missing.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit b9472b76d273c7796d877c49af50969c0a879c50
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Apr 2 17:21:53 2015 -0300

      target-i386: Make "level" and "xlevel" properties static

      Static properties require only 1 line of code, much simpler than the
      existing code that requires writing new getters/setters.

      As a nice side-effect, this fixes an existing bug where the setters were
      incorrectly allowing the properties to be changed after the CPU was
      already realized.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit d9f7e29ee5a6915caa049ba64c0a9f28766351d2
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Apr 8 14:57:31 2015 -0300

      qemu-config: Accept empty option values

      Currently it is impossible to set an option in a config file to an empty
      string, because the parser matches only lines containing non-empty
      strings between double-quotes.

      As sscanf() "[" conversion specifier only matches non-empty strings, add
      a special case for empty strings.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit b203a4ba93fc25bf1eb49039a8ec4b260b446211
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Apr 8 08:36:24 2015 -0300

      MAINTAINERS: Change status of X86 to Maintained

      "Odd Fixes" doesn't reflect the current status of target-i386. We have
      people looking after it, now.

      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit e1a0433956bbe68b56853e6ae633a5004b1f6351
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Apr 8 08:34:56 2015 -0300

      MAINTAINERS: Add myself to X86

      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 3f9d69ba12da6f2874631f6e426a7ef148ba4c82
  Merge: 0d81cdd 1a01716
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 27 19:06:08 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150427-1' 
into staging

      gtk: support text consoles without vte, bugfixes.

      # gpg: Signature made Mon Apr 27 14:34:15 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150427-1:
        gtk: Avoid accel key leakage into guest on console switch
        gtk: Fix VTE focus grabbing
        console/gtk: add qemu_console_get_label
        gtk: bind to text terminal consoles too
        gtk: handle switch_surface(NULL) properly

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2f54eb98c3255154dc6bdbb8b38982af9b3f3a8f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Apr 8 08:34:33 2015 -0300

      MAINTAINERS: Add myself as NUMA code maintainer

      The "srat" and "numa" keywords will help get_maintainer.pl catch
      NUMA-related code in other files too.

      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 0d81cdddaa40a1988b24657aeac19959cfad0fde
  Merge: e1a5476 2d5a834
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 27 17:28:41 2015 +0100

      Merge remote-tracking branch 'remotes/qmp-unstable/tags/for-upstream' 
into staging

      Four little fixes

      # gpg: Signature made Fri Apr 24 19:56:51 2015 BST using RSA key ID 
E24ED5A7
      # gpg: Good signature from "Luiz Capitulino <lcapitulino@xxxxxxxxx>"

      * remotes/qmp-unstable/tags/for-upstream:
        qmp: Give saner messages related to qmp_capabilities misuse
        qmp-commands: fix incorrect uses of ":O" specifier
        qapi: Drop dead genlist parameter
        balloon: improve error msg when adding second device

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 23820dbfc79d1c9dce090b4c555994f2bb6a69b3
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Mar 16 22:35:54 2015 -0700

      exec: Respect as_translate_internal length clamp

      address_space_translate_internal will clamp the *plen length argument
      based on the size of the memory region being queried. The iommu walker
      logic in addresss_space_translate was ignoring this by discarding the
      post fn call value of *plen. Fix by just always using *plen as the
      length argument throughout the fn, removing the len local variable.

      This fixes a bootloader bug when a single elf section spans multiple
      QEMU memory regions.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-Id: 
<1426570554-15940-1-git-send-email-peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4080a13c11398d684668d286da27b6f8ee668e44
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 12:35:00 2015 +0200

      ioport: reserve the whole range of an I/O port in the AddressSpace

      When an I/O port is more than 1 byte long, ioport.c is currently
      creating "short" regions, for example 0x1ce-0x1ce for the 16-bit
      Bochs index port.  When I/O ports are memory mapped, and thus
      accessed via a subpage_ops memory region, subpage_accepts gets
      confused because it finds a hole at 0x1cf and rejects the access.

      In order to fix this, modify registration of the region to cover
      the whole size of the I/O port.  Attempts to access an invalid
      port will be blocked by find_portio returning NULL.

      This only affects the VBE DISPI regions.  For all other cases,
      the MemoryRegionPortio entries for 2- or 4-byte accesses overlap
      an entry for 1-byte accesses, thus the size of the memory region
      is not affected.

      Reported-by: Zoltan Balaton <balaton@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 147ed379838176d4780688157891c06f49403b19
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 12:49:40 2015 +0200

      ioport: loosen assertions on emulation of 16-bit ports

      Right now, ioport.c assumes that the entire range specified with
      MemoryRegionPortio includes a region with size == 1.  This however
      is not true for the VBE DISPI ports, which are 16-bit only.  The
      next patch will make these regions' length equal to two, which can
      cause the assertions to trigger.  Replace them with simple conditionals.

      Also, ioport.c will emulate a 16-bit ioport with two distinct reads
      or writes, even if one of the two accesses is out of the bounds given
      by the MemoryRegionPortio array.  Do not do this anymore, instead
      discard writes to the incorrect register and read it as all-ones.
      This ensures that the mrp->read and mrp->write callbacks get an
      in-range ioport number.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 30476b2282c69c9ec1e44e33a4c0b5d5f4bc884e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 12:50:36 2015 +0200

      ioport: remove wrong comment

      ioport.c has not been using an alias since commit b40acf9 (ioport:
      Switch dispatching to memory core layer, 2013-06-24).  Remove the
      obsolete comment.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e477317cce98c399a2299d025bcb6bf0fd69df49
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 13:19:16 2015 +0200

      ide: there is only one data port

      IDE PIO data must be written, for example, at 0x1f0.  You cannot
      do word or dword writes to 0x1f1..0x1f3 to access the data register.
      Adjust the ide_portio_list accordingly.

      Cc: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 54da54e543eea8e689a625fcb3dada1b296f5d3d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 13:12:32 2015 +0200

      gus: clean up MemoryRegionPortio

      Remove 16-bit reads/writes, since ioport.c is able to synthesize them.
      Remove the two MIDI registers (0x300 and 0x301) from gus_portio_list1,
      and add the second MIDI register (0x301) to gus_portio_list2.

      Tested with Second Reality.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3337d0b2794131425d0b5cb525e67c5989f4a9dd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 12:34:17 2015 +0200

      sb16: remove useless mixer_write_indexw

      ioport.c is already able to split a 16-bit access into two 8-bit
      accesses to consecutive ports.  Tested with Epic Pinball.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0e1cd6576c55269b6e5251dc739a7fc819f9b4a6
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Apr 2 16:09:30 2015 +0100

      sun4m: fix slavio sysctrl and led register sizes

      These were being incorrectly declared as MISC_SIZE (1 byte) rather than
      4 bytes and 2 bytes respectively. As a result accesses clamped to the
      real register size would unexpectedly fail.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: 
<1427987370-15897-1-git-send-email-mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 339240b5cd42bd13d4f6629f2aedf8b4b07459fb
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:24:16 2015 +0100

      acpi-build: remove dependency from ram_addr.h

      ram_addr_t is an internal interface, everyone should go through
      MemoryRegion.  Clean it up by making rom_add_blob return a
      MemoryRegion* and using the new qemu_ram_resize infrastructure.

      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 37d7c08413cd4307f53c83d43b1b06cf2701d7a7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:21:46 2015 +0100

      memory: add memory_region_ram_resize

      This is a simple MemoryRegion wrapper for qemu_ram_resize.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e95205e1f9cd2c4262b7a7b1c992a94512c86d0e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:37 2015 +0800

      dma-helpers: Fix race condition of continue_after_map_failure and 
dma_aio_cancel

      If DMA's owning thread cancels the IO while the bounce buffer's owning 
thread
      is notifying the "cpu client list", a use-after-free happens:

           continue_after_map_failure               dma_aio_cancel
           ------------------------------------------------------------------
           aio_bh_new
                                                    qemu_bh_delete
           qemu_bh_schedule (use after free)

      Also, the old code doesn't run the bh in the right AioContext.

      Fix both problems by passing a QEMUBH to cpu_register_map_client.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1426496617-10702-6-git-send-email-famz@xxxxxxxxxx>
      [Remove unnecessary forward declaration. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 33b6c2edf6214f02b9beaea61b169506c01f90aa
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:36 2015 +0800

      exec: Notify cpu_register_map_client caller if the bounce buffer is 
available

      The caller's workflow is like

          if (!address_space_map()) {
              ...
              cpu_register_map_client();
          }

      If bounce buffer became available after address_space_map() but before
      cpu_register_map_client(), the caller could miss it and has to wait for 
the
      next bounce buffer notify, which may never happen in the worse case.

      Just notify the list in cpu_register_map_client().

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1426496617-10702-5-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 38e047b50d2bfd1df99fbbca884c9f1db0785ff4
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:35 2015 +0800

      exec: Protect map_client_list with mutex

      So that accesses from multiple threads are safe.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1426496617-10702-4-git-send-email-famz@xxxxxxxxxx>
      [Remove #if from cpu_exec_init_all. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 02f4035c47b4d34cdc61780292ee288f400b9c49
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:34 2015 +0800

      linux-user, bsd-user: Remove two calls to cpu_exec_init_all

      The function is a nop for user mode, so just remove them.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1426496617-10702-3-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c2cba0ffe495b60c4cc58080281e99c7a6580d4b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:33 2015 +0800

      exec: Atomic access to bounce buffer

      There could be a race condition when two processes call
      address_space_map concurrently and both want to use the bounce buffer.

      Add an in_use flag in BounceBuffer to sync it.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1426496617-10702-2-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e3a0abfda71db1fa83be894dcff7c4871b36cc8d
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Thu Apr 9 16:07:33 2015 -0400

      translate-all: use glib for all page descriptor allocations

      Since commit

        b7b5233a "bsd-user/mmap.c: Don't try to override g_malloc/g_free"

      the exception we make here for usermode has been unnecessary.
      Get rid of it.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1428610053-26148-1-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 700cd855def54c2a9f2b6a016dcebf75fe19c238
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Mar 24 17:50:13 2015 +0100

      spice: learn to hide cursor

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit dc8dceee64f45820c20f3ffa3c3fecd7b6539990
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Mar 24 17:50:12 2015 +0100

      spice: set pointer position on hotspot

      The Spice protocol uses cursor position on hotspot: the client is
      applying hotspot offset when drawing the cursor.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d0df04a1569c75f6442123fdda0b2e9aadc3fcc7
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Mar 24 17:50:11 2015 +0100

      spice: fix mouse cursor position

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c1d37cd353be3ea4c5773fc227ba8459c1f20470
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 14 08:56:21 2015 +0200

      spice: fix simple display on bigendian hosts

      Denis Kirjanov is busy getting spice run on ppc64 and trapped into this
      one.  Spice wire format is little endian, so we have to explicitly say
      we want little endian when letting pixman convert the data for us.

      Reported-by: Denis Kirjanov <kirjanov@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 3b5704b2f80189b2f9fdddf1690998e566eeacab
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 09:30:16 2015 +0100

      monitor: Make client_migrate_info synchronous

      Live migration with spice works like this today:

        (1) client_migrate_info monitor cmd
        (2) spice server notifies client, client connects to target host.
        (3) qemu waits until spice client connect is finished.
        (4) send over vmstate (i.e. main part of live migration).
        (5) spice handover to target host.

      (3) is implemented by making client_migrate_info a async monitor
      command.  This is the only async monitor command we have.

      The original reason to implement this dance was that qemu did not accept
      new tcp connections while the incoming migration was running, so (2) and
      (4) could not be done in parallel.  That issue was fixed long ago though.
      Qemu version 1.3.0 (released Dec 2012) and newer happily accept tcp
      connects while the incoming migration runs.

      Time to drop step (3).  This patch does exactly that, by making the
      monitor command synchronous and removing the code needed to handle the
      async monitor command in ui/spice-core.c

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1a01716a307387e5cf1336f61a96f772dddadc90
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sun Apr 26 21:04:21 2015 +0200

      gtk: Avoid accel key leakage into guest on console switch

      GTK2 sends the accel key to the guest when switching to the graphic
      console via that shortcut. Resolve this by ignoring any keys until the
      next key-release event. However, do not ignore keys when switching via
      the menu or when on GTK3.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 9d677e1c2fa479336fb7a2b90aea78c10d037e98
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sun Apr 26 21:04:20 2015 +0200

      gtk: Fix VTE focus grabbing

      At least on GTK2, the VTE terminal has to be specified as target of
      gtk_widget_grab_focus. Otherwise, switching from one VTE terminal to
      another causes the focus to get lost.

      CC: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>

      [ kraxel: fixed build with CONFIG_VTE=n ]

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 4eb276408363aef5435a72a8e818f24220b5edd0
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:26 2015 +0100

      Allow ARMv8 SCR.SMD updates

      Updated scr_write to always allow updates to the SCR.SMD bit on ARMv8
      regardless of whether virtualization (EL2) is enabled or not.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Message-id: 1429888797-4378-1-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3d5c84ff21a8a7a3bfb3a75154be8905e62f51db
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Sun Apr 26 16:49:26 2015 +0100

      target-arm: Adjust id_aa64pfr0 when has_el3 CPU property disabled

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1429669112-29835-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7ebd5f2e03a00889619bb97e83062d27066d4a26
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: rename c1_coproc to cpacr_el1

      Rename the field holding CPACR_EL1 system register state in AArch64
      naming style.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      [PMM: also fixed a couple of missed occurrences in cpu.c]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ef7bab8d73580b48bda83b8d16b5eea8a3ac43fe
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Check watchpoints against CPU security state

      Fix a TODO in bp_wp_matches() now that we have a function for
      testing whether the CPU is currently in Secure mode or not.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 9e1fc5bdfdf94564abf7621c0ef644599196360f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Use attribute info to handle user-only watchpoints

      Now that we have memory access attribute information in the watchpoint
      checking code, we can correctly implement handling of watchpoints
      which should match only on userspace accesses, where LDRT/STRT/LDT/STT
      from EL1 are treated as userspace accesses.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 0995bf8cd91b81ec9c1078e37b808794080dc5c0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Add user-mode transaction attribute

      Add a transaction attribute indicating that a memory access is being
      done from user-mode (unprivileged). This corresponds to an equivalent
      signal in ARM AMBA buses.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit ebca90e4c3aaaae5ed1ee7c569dea00d5d6ed476
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Use correct memory attributes for page table walks

      Factor out the page table walk memory accesses into their own function,
      so that we can specify the correct S/NS memory attributes for them.
      This will also provide a place to use the correct endianness and
      handle the need for a stage-2 translation when virtualization is
      supported.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 8bf5b6a9c1911d2c8473385fc0cebfaaeef42dbc
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Honour NS bits in page tables

      Honour the NS bit in ARM page tables:
       * when adding entries to the TLB, include the Secure/NonSecure
         transaction attribute
       * set the NS bit in the PAR when doing ATS operations

      Note that we don't yet correctly use the NSTable bit to
      cause the page table walk itself to use the right attributes.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 42874d3a8c6267ff7789a0396843c884b1d0933a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      Switch non-CPU callers from ld/st*_phys to address_space_ld/st*

      Switch all the uses of ld/st*_phys to address_space_ld/st*,
      except for those cases where the address space is the CPU's
      (ie cs->as). This was done with the following script which
      generates a Coccinelle patch.

      A few over-80-columns lines in the result were rewrapped by
      hand where Coccinelle failed to do the wrapping automatically,
      as well as one location where it didn't put a line-continuation
      '\' when wrapping lines on a change made to a match inside
      a macro definition.

      ===begin===
      #!/bin/sh -e
      # Usage:
      # ./ldst-phys.spatch.sh > ldst-phys.spatch
      # spatch -sp_file ldst-phys.spatch -dir . | sed -e '/^+/s/\t/        /g' 
> out.patch
      # patch -p1 < out.patch

      for FN in ub uw_le uw_be l_le l_be q_le q_be uw l q; do
      cat <<EOF
      @ cpu_matches_ld_${FN} @
      expression E1,E2;
      identifier as;
      @@

      ld${FN}_phys(E1->as,E2)

      @ other_matches_ld_${FN} depends on !cpu_matches_ld_${FN} @
      expression E1,E2;
      @@

      -ld${FN}_phys(E1,E2)
      +address_space_ld${FN}(E1,E2, MEMTXATTRS_UNSPECIFIED, NULL)

      EOF

      done

      for FN in b w_le w_be l_le l_be q_le q_be w l q; do
      cat <<EOF
      @ cpu_matches_st_${FN} @
      expression E1,E2,E3;
      identifier as;
      @@

      st${FN}_phys(E1->as,E2,E3)

      @ other_matches_st_${FN} depends on !cpu_matches_st_${FN} @
      expression E1,E2,E3;
      @@

      -st${FN}_phys(E1,E2,E3)
      +address_space_st${FN}(E1,E2,E3, MEMTXATTRS_UNSPECIFIED, NULL)

      EOF

      done
      ===endit===

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 66b9b43c42049bcae37668e890fedde9a72c8167
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      exec.c: Capture the memory attributes for a watchpoint hit

      Capture the memory attributes for the transaction which triggered
      a watchpoint; this allows CPU specific code to implement features
      like ARM's "user-mode only WPs also hit for LDRT/STRT accesses
      made from privileged code". This change also correctly passes
      through the memory attributes to the underlying device when
      a watchpoint access doesn't hit.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 500131154d677930fce35ec3a6f0b5a26bcd2973
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      exec.c: Add new address_space_ld*/st* functions

      Add new address_space_ld*/st* functions which allow transaction
      attributes and error reporting for basic load and stores. These
      are named to be in line with the address_space_read/write/rw
      buffer operations.

      The existing ld/st*_phys functions are now wrappers around
      the new functions.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 5c9eb0286c819c1836220a32f2e1a7b5004ac79a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      exec.c: Make address_space_rw take transaction attributes

      Make address_space_rw take transaction attributes, rather
      than always using the 'unspecified' attributes.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit f25a49e0057bbfcc2b1111f60785d919b6ddaeea
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      exec.c: Convert subpage memory ops to _with_attrs

      Convert the subpage memory ops to _with_attrs; this will allow
      us to pass the attributes through to the underlying access
      functions. (Nothing uses the attributes yet.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit fadc1cbe85c6b032d5842ec0d19d209f50fcb375
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      Add MemTxAttrs to the IOTLB

      Add a MemTxAttrs field to the IOTLB, and allow target-specific
      code to set it via a new tlb_set_page_with_attrs() function;
      pass the attributes through to the device when making IO accesses.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit e469b22ffda40188954fafaf6e3308f58d50f8f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:23 2015 +0100

      Make CPU iotlb a structure rather than a plain hwaddr

      Make the CPU iotlb a structure rather than a plain hwaddr;
      this will allow us to add transaction attributes to it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 3b6434953934e6d4a776ed426d8c6d6badee176f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:23 2015 +0100

      memory: Replace io_mem_read/write with memory_region_dispatch_read/write

      Rather than retaining io_mem_read/write as simple wrappers around
      the memory_region_dispatch_read/write functions, make the latter
      public and change all the callers to use them, since we need to
      touch all the callsites anyway to add MemTxAttrs and MemTxResult
      support. Delete io_mem_read and io_mem_write entirely.

      (All the callers currently pass MEMTXATTRS_UNSPECIFIED
      and convert the return value back to bool or ignore it.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit cc05c43ad942165ecc6ffd39e41991bee43af044
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:23 2015 +0100

      memory: Define API for MemoryRegionOps to take attrs and return status

      Define an API so that devices can register MemoryRegionOps whose read
      and write callback functions are passed an arbitrary pointer to some
      transaction attributes and can return a success-or-failure status code.
      This will allow us to model devices which:
       * behave differently for ARM Secure/NonSecure memory accesses
       * behave differently for privileged/unprivileged accesses
       * may return a transaction failure (causing a guest exception)
         for erroneous accesses

      This patch defines the new API and plumbs the attributes parameter through
      to the memory.c public level functions io_mem_read() and io_mem_write(),
      where it is currently dummied out.

      The success/failure response indication is also propagated out to
      io_mem_read() and io_mem_write(), which retain the old-style
      boolean true-for-error return.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit e1a5476354d396773e4c555f126d752d4ae58fa9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Apr 25 22:05:07 2015 +0100

      Open 2.4 development tree

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2d5a8346a484250934526a15b3a522bdba7e6772
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Apr 15 09:19:23 2015 -0600

      qmp: Give saner messages related to qmp_capabilities misuse

      Pretending that QMP doesn't understand a command merely because
      we are not in the right mode doesn't help first-time users figure
      out what to do to correct things.  Although the documentation for
      QMP calls out capabilities negotiation, we should also make it
      clear in our error messages what we were expecting.  With this
      patch, I now get the following transcript:

      $ ./x86_64-softmmu/qemu-system-x86_64 -qmp stdio -nodefaults
      {"QMP": {"version": {"qemu": {"micro": 93, "minor": 2, "major": 2}, 
"package": ""}, "capabilities": []}}
      {"execute":"huh"}
      {"error": {"class": "CommandNotFound", "desc": "The command huh has not 
been found"}}
      {"execute":"quit"}
      {"error": {"class": "CommandNotFound", "desc": "Expecting capabilities 
negotiation with 'qmp_capabilities' before command 'quit'"}}
      {"execute":"qmp_capabilities"}
      {"return": {}}
      {"execute":"qmp_capabilities"}
      {"error": {"class": "CommandNotFound", "desc": "Capabilities negotiation 
is already complete, command 'qmp_capabilities' ignored"}}
      {"execute":"quit"}
      {"return": {}}
      {"timestamp": {"seconds": 1429110729, "microseconds": 181935}, "event": 
"SHUTDOWN"}

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-By: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Reviewed-by: Paulo Vital <paulo.vital@xxxxxxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 43d0a2c1af5bc77ed067636db956209779351dfe
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 15 13:30:04 2015 +0200

      qmp-commands: fix incorrect uses of ":O" specifier

      As far as the QMP parser is concerned, neither the 'O' nor the 'q' format 
specifiers
      put any constraint on the command.  However, there are two differences:

      1) from a documentation point of view 'O' says that this command takes
      a dictionary.  The dictionary will be converted to QemuOpts in the
      handler to match the corresponding HMP command.

      2) 'O' sets QMP_ACCEPT_UNKNOWNS, resulting in the command accepting 
invalid
      extra arguments.  For example the following is accepted:

         { "execute": "send-key",
              "arguments": { "keys": [ { "type": "qcode", "data": "ctrl" },
                                       { "type": "qcode", "data": "alt" },
                                       { "type": "qcode", "data": "delete" } ], 
"foo": "bar" } }

      Neither send-key nor migrate-set-capabilities take a QemuOpts-like
      dictionary; they take an array of dictionaries.  And neither command
      really wants to have extra unknown arguments.  Thus, the right
      specifier to use in this case is 'q'; with this patch the above
      command fails with

         {"error": {"class": "GenericError", "desc": "Invalid parameter 'foo'"}}

      as intended.

      Reported-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 6540e9f35bfeea2baf4509745516172070dca412
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Fri Apr 10 15:07:59 2015 -0600

      qapi: Drop dead genlist parameter

      Defaulting a parameter to True, then having all callers omit or
      pass an explicit True for that parameter, is pointless. Looks
      like it has been dead since introduction in commit 06d64c6, more
      than 4 years ago.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 46abb8124006887d071921c5e657eeec3c50a9e2
  Author: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
  Date:   Tue Mar 31 13:00:26 2015 -0400

      balloon: improve error msg when adding second device

      A VM supports only one balloon device, but due to several changes
      in infrastructure the error message got messed up when trying
      to add a second device. Fix it.

      Before this fix

      Command-line:

      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Another balloon device 
already registered
      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Adding balloon handler 
failed
      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Device 
'virtio-balloon-pci' could not be initialized

      HMP:

      Another balloon device already registered
      Adding balloon handler failed
      Device 'virtio-balloon-pci' could not be initialized

      QMP:

      { "execute": "device_add", "arguments": { "driver": "virtio-balloon-pci", 
"id": "balloon0" } }
      {
        "error": {
                "class": "GenericError",
                "desc": "Adding balloon handler failed"
        }
      }

      After this fix

      Command-line:

      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Only one balloon device 
is supported
      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Device 
'virtio-balloon-pci' could not be initialized

      HMP:

      (qemu) device_add virtio-balloon-pci,id=balloon0
      Only one balloon device is supported
      Device 'virtio-balloon-pci' could not be initialized
      (qemu)

      QMP:

      { "execute": "device_add",
                "arguments": { "driver": "virtio-balloon-pci", "id": "balloon0" 
} }
      {
          "error": {
              "class": "GenericError",
              "desc": "Only one balloon device is supported"
          }
      }

      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e5b3a24181ea0cebf1c5b20f44d016311b7048f0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Apr 24 15:05:06 2015 +0100

      Update version for v2.3.0 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 779ce88fbd3f977112bc77ccb028b0ace762105e
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Feb 17 10:41:08 2015 +0100

      console/gtk: add qemu_console_get_label

      Add a new function to get a nice label for a given QemuConsole.
      Drop the labeling code in gtk.c and use the new function instead.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f8c223f69ac58488ea830597281b7ddd33037c4c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu May 22 11:08:54 2014 +0200

      gtk: bind to text terminal consoles too

      This way gtk has text terminal consoles even when building without vte.
      Most notably you'll get a monitor tab on windows now.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f98f43eab0fcc536c5f95df3a94943d5dff5ccdc
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Feb 27 14:36:09 2015 +0100

      gtk: handle switch_surface(NULL) properly

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f2a581010cb8e3a2564a45a2863a33a732cc2fc7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 20 17:13:16 2015 +0100

      Update version for v2.3.0-rc4 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e05ca8200216149008fa1b1d1d847bf16691f6b4
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Fri Apr 17 17:13:24 2015 +0200

      vhost: fix log base address

      VHOST_SET_LOG_BASE got an incorrect address, causing
      migration errors and potentially even memory corruption.

      Reported-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Amos Kong <akong@xxxxxxxxxx>
      Message-id: 1429283565-32265-1-git-send-email-mst@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 638b8366200130cc7cf7a026630bc6bfb63b0c4c
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Apr 17 15:44:48 2015 +0300

      hmp: fix crash in 'info block -n -v'

      The image field in BlockDeviceInfo should never be null, however
      bdrv_block_device_info() is not filling it in.

      This makes the 'info block -n -v' command crash QEMU.

      The proper solution is probably to move the relevant code from
      bdrv_query_info() to bdrv_block_device_info(), but since we're too
      close to the release for that this simpler workaround solves the
      crash.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1429274688-8115-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 87a8adc0876c11a434d3ecdfb10cd797259ddaaa
  Merge: b6df74c 0ca4f94
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Apr 17 12:54:46 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150417-2' into 
staging

      MIPS patches 2015-04-17

      Changes:
      * fix broken fulong2e

      # gpg: Signature made Fri Apr 17 12:14:37 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Can't check signature: public key not found

      * remotes/lalrae/tags/mips-20150417-2:
        mips: fix broken fulong2e machine

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b6df74c46528646f3163890cf16b74af551c3494
  Merge: 993ebe4 6cec43e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Apr 17 12:37:38 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-fwcfg-20150414-1' 
into staging

      fw_cfg: add documentation file (docs/specs/fw_cfg.txt)

      # gpg: Signature made Tue Apr 14 12:22:20 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-fwcfg-20150414-1:
        fw_cfg: add documentation file (docs/specs/fw_cfg.txt)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0ca4f94195cce77b624edc6d9abcf14a3bf01f06
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Apr 16 21:11:23 2015 +0100

      mips: fix broken fulong2e machine

      After commit 5312bd8 the bonito_readl() and bonito_writel() have been
      accessing incorrect addresses. Consequently QEMU is crashing when trying
      to boot Linux kernel on fulong2e machine.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 993ebe4a0be9aa4e4821818a81fab00b1ab1a79a
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Fri Apr 17 08:16:49 2015 +0100

      target-ppc: don't invalidate msr MSR_HVB bit in cpu_post_load

      The invalidation code introduced in commit 2360b works by inverting most 
bits
      of env->msr to ensure that hreg_store_msr() will forcibly update the CPU 
env
      state to reflect the new msr value post-migration. Unfortunately
      hreg_store_msr() is called with alter_hv set to 0 which preserves the 
MSR_HVB
      state from the CPU env which is now the opposite value to what it should 
be.

      Ensure that we don't invalidate the msr MSR_HVB bit during cpu_post_load 
so
      that the correct value is restored. This fixes suspend/resume for PPC64.

      Reported-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Message-id: 
1429255009-12751-1-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6cec43e178cde38a3eac43a2cd741ce741b10f36
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Thu Apr 9 10:40:01 2015 -0400

      fw_cfg: add documentation file (docs/specs/fw_cfg.txt)

      This document covers the guest-side hardware interface, as
      well as the host-side programming API of QEMU's firmware
      configuration (fw_cfg) device.

      Signed-off-by: Jordan Justen <jordan.l.justen@xxxxxxxxx>
      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b8df9208f357d2b36e1b19634aea973618dc7ba8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 13 17:35:44 2015 +0100

      Update version for v2.3.0-rc3 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ae6e8ef11e6cb43ec83a5846e8f3b266834cf280
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Apr 10 13:58:01 2015 +0100

      Revert seccomp tests that allow it to be used on non-x86 architectures

      Unfortunately it turns out that libseccomp 2.2 still does not work
      correctly on non-x86 architectures; return to the previous configure
      setup of insisting on libseccomp 2.1 or better and i386/x86_64 and
      disabling seccomp support in all other situations.

      This reverts the two commits:
       * "seccomp: libseccomp version varying according to arch"
         (commit 896848f0d3e2393905845ef2b244bb2601f9df0c)
       * "seccomp: update libseccomp version and remove arch restriction"
         (commit 8e27fc200457e3f2473d0069263774d4ba17bd85)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1428670681-23032-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4d0ecde44ae6dab3aa9d10c23e61d9d43789731a
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Apr 9 15:32:45 2015 +0200

      pci: Fix crash with illegal "-net nic, model=xxx" option

      Current QEMU crashes when specifying an illegal model with the
      "-net nic,model=xxx" option, e.g.:

       $ qemu-system-x86_64 -net nic,model=n/a
       qemu-system-x86_64: Unsupported NIC model: n/a

       Program received signal SIGSEGV, Segmentation fault.

      The gdb backtrace looks like this:

      0x0000555555965fe0 in error_get_pretty (err=0x0) at util/error.c:152
      152           return err->msg;
      (gdb) bt
       0  0x0000555555965fe0 in error_get_pretty (err=0x0) at util/error.c:152
       1  0x0000555555965ffd in error_report_err (err=0x0) at util/error.c:157
       2  0x0000555555809c90 in pci_nic_init_nofail (nd=0x555555e49860 
<nd_table>, rootbus=0x5555564409b0,
          default_model=0x55555598c37b "e1000", default_devaddr=0x0) at 
hw/pci/pci.c:1663
       3  0x0000555555691e42 in pc_nic_init (isa_bus=0x555556f71900, 
pci_bus=0x5555564409b0)
          at hw/i386/pc.c:1506
       4  0x000055555569396b in pc_init1 (machine=0x5555562abbf0, 
pci_enabled=1, kvmclock_enabled=1)
          at hw/i386/pc_piix.c:248
       5  0x0000555555693d27 in pc_init_pci (machine=0x5555562abbf0) at 
hw/i386/pc_piix.c:310
       6  0x000055555572ddf5 in main (argc=3, argv=0x7fffffffe018, 
envp=0x7fffffffe038) at vl.c:4226

      The problem is that pci_nic_init_nofail() does not check whether the err
      parameter from pci_nic_init has been set up and thus passes a NULL pointer
      to error_report_err(). Fix it by correctly checking the err parameter.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 342b0711cd62ddc08d334d879eac57b68f925fd5
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Fri Apr 10 16:37:56 2015 +0200

      stm32f205: Fix SoC type name

      The type name for the SoC device, unlike those of its sub-devices,
      did not follow the QOM naming conventions. While the usage is internal
      only, this is exposed through QMP and HMP, so fix it before release.

      Cc: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Alistair Francis <alistair@xxxxxxxxxxxxx>
      Message-id: 1428676676-23056-1-git-send-email-afaerber@xxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c0c8584142a13e728178e51f2477c23a84ce74b4
  Author: Dirk Müller <dirk@xxxxxxxx>
  Date:   Sat Apr 4 14:15:10 2015 +0200

      cris: memory: Replace memory_region_init_ram with 
memory_region_allocate_system_memory

      Commit 0b183fc871:"memory: move mem_path handling to
      memory_region_allocate_system_memory" split memory_region_init_ram and
      memory_region_init_ram_from_file. Also it moved mem-path handling a step
      up from memory_region_init_ram to memory_region_allocate_system_memory.

      Therefore for any board that uses memory_region_init_ram directly,
      -mem-path is not supported.

      Fix this by replacing memory_region_init_ram with
      memory_region_allocate_system_memory.

      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Cc: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
      Signed-off-by: Dirk Mueller <dmueller@xxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 58c24a4775ef7ccf16cfcd695753dfdf149fe29d
  Author: Dirk Müller <dirk@xxxxxxxx>
  Date:   Sat Apr 4 14:14:14 2015 +0200

      alpha: memory: Replace memory_region_init_ram with 
memory_region_allocate_system_memory

      Commit 0b183fc871:"memory: move mem_path handling to
      memory_region_allocate_system_memory" split memory_region_init_ram and
      memory_region_init_ram_from_file. Also it moved mem-path handling a step
      up from memory_region_init_ram to memory_region_allocate_system_memory.

      Therefore for any board that uses memory_region_init_ram directly,
      -mem-path is not supported.

      Fix this by replacing memory_region_init_ram with
      memory_region_allocate_system_memory.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Dirk Mueller <dmueller@xxxxxxxx>
      Acked-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 
CAL5wTH64_ykF17cw2T1Axq8P3vCWm=6WbUJ3qJrLF-u+-MmzUw@xxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b7ccb83f44eca09e48c61866a090425c762598f0
  Author: Dirk Müller <dirk@xxxxxxxx>
  Date:   Sat Apr 4 14:16:18 2015 +0200

      lm32: memory: Replace memory_region_init_ram with 
memory_region_allocate_system_memory

      Commit 0b183fc871:"memory: move mem_path handling to
      memory_region_allocate_system_memory" split memory_region_init_ram and
      memory_region_init_ram_from_file. Also it moved mem-path handling a step
      up from memory_region_init_ram to memory_region_allocate_system_memory.

      Therefore for any board that uses memory_region_init_ram directly,
      -mem-path is not supported.

      Fix this by replacing memory_region_init_ram with
      memory_region_allocate_system_memory.

      Cc: Michael Walle <michael@xxxxxxxx>
      Signed-off-by: Dirk Mueller <dmueller@xxxxxxxx>
      Acked-by: Michael Walle <michael@xxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 81b23ef82cd1be29ca3d69ab7e98b5b5e55926ce
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Mar 31 15:18:03 2015 +0100

      xen: limit guest control of PCI command register

      Otherwise the guest can abuse that control to cause e.g. PCIe
      Unsupported Request responses (by disabling memory and/or I/O decoding
      and subsequently causing [CPU side] accesses to the respective address
      ranges), which (depending on system configuration) may be fatal to the
      host.

      This is CVE-2015-2756 / XSA-126.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
      Message-id: alpine.DEB.2.02.1503311510300.7690@xxxxxxxxxxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6a460ed18a3fda0eb2d9c96b8b01817b4dcbded4
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Apr 9 14:52:18 2015 +0100

      configure: disable Archipelago by default and warn about libxseg GPLv3 
license

      libxseg has changed license to GPLv3.  QEMU includes GPL "v2 only" code
      which is not compatible with GPLv3.  This means the resulting binaries
      may not be redistributable!

      Disable Archipelago (libxseg) by default to prevent accidental license
      violations.  Also warn if linking against libxseg is enabled to remind
      the user.

      Note that this commit does not constitute any advice about software
      licensing.  If you have doubts you should consult a lawyer.

      Cc: Chrysostomos Nanakos <cnanakos@xxxxxxxx>
      Suggested-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reported-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Message-id: 1428587538-8765-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a6f2cb037a82fb8679e70e175cfbc879dd829e06
  Merge: cf811ff 05b685f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 9 12:05:00 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Thu Apr  9 10:55:11 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        block/iscsi: handle zero events from iscsi_which_events
        aio: strengthen memory barriers for bottom half scheduling
        virtio-blk: correctly dirty guest memory
        qcow2: Fix header update with overridden backing file

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cf811fff2ae20008f00455d0ab2212a4dea0b56f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Apr 8 20:57:09 2015 +0100

      tcg/tcg-op.c: Fix ld/st of 64 bit values on 32-bit bigendian hosts

      Commit 951c6300f7 out-of-lined the 32-bit-host versions of
      tcg_gen_{ld,st}_i64, but in the process it inadvertently changed
      an #ifdef HOST_WORDS_BIGENDIAN to #ifdef TCG_TARGET_WORDS_BIGENDIAN.
      Since the latter doesn't get defined anywhere this meant we always
      took the "LE host" codepath, and stored the two halves of the value
      in the wrong order on BE hosts. This typically breaks any 64-bit
      guest on a 32-bit BE host completely, and will have possibly more
      subtle effects even for 32-bit guests.

      Switch the ifdef back to HOST_WORDS_BIGENDIAN.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Tested-by: Andreas Färber <afaerber@xxxxxxx>
      Message-id: 1428523029-13620-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 05b685fbabb7fdcab72cb42b27db916fd74b2265
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Apr 7 22:08:15 2015 +0200

      block/iscsi: handle zero events from iscsi_which_events

      newer libiscsi versions may return zero events from iscsi_which_events.

      In this case iscsi_service will return immediately without any progress.
      To avoid busy waiting for iscsi_which_events to change we deregister all
      read and write handlers in this case and schedule a timer to periodically
      check iscsi_which_events for changed events.

      Next libiscsi version will introduce async reconnects and zero events
      are returned while libiscsi is waiting for a reconnect retry.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1428437295-29577-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e8d3b1a25f284cdf9705b7cf0412281cc9ee3a36
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Apr 7 17:16:19 2015 +0200

      aio: strengthen memory barriers for bottom half scheduling

      There are two problems with memory barriers in async.c.  The fix is
      to use atomic_xchg in order to achieve sequential consistency between
      the scheduling of a bottom half and the corresponding execution.

      First, if bh->scheduled is already 1 in qemu_bh_schedule, QEMU does
      not execute a memory barrier to order any writes needed by the callback
      before the read of bh->scheduled.  If the other side sees req->state as
      THREAD_ACTIVE, the callback is not invoked and you get deadlock.

      Second, the memory barrier in aio_bh_poll is too weak.  Without this
      patch, it is possible that bh->scheduled = 0 is not "published" until
      after the callback has returned.  Another thread wants to schedule the
      bottom half, but it sees bh->scheduled = 1 and does nothing.  This causes
      a lost wakeup.  The memory barrier should have been changed to smp_mb()
      in commit 924fe12 (aio: fix qemu_bh_schedule() bh->ctx race condition,
      2014-06-03) together with qemu_bh_schedule()'s.  Guess who reviewed
      that patch?

      Both of these involve a store and a load, so they are reproducible on
      x86_64 as well.  It is however much easier on aarch64, where the
      libguestfs test suite triggers the bug fairly easily.  Even there the
      failure can go away or appear depending on compiler optimization level,
      tracing options, or even kernel debugging options.

      Paul Leveille however reported how to trigger the problem within 15
      minutes on x86_64 as well.  His (untested) recipe, reproduced here
      for reference, is the following:

         1) Qcow2 (or 3) is critical â?? raw files alone seem to avoid the 
problem.

         2) Use â??cache=directsyncâ?? rather than the default of
         â??cache=noneâ?? to make it happen easier.

         3) Use a server with a write-back RAID controller to allow for rapid
         IO rates.

         4) Run a random-access load that (mostly) writes chunks to various
         files on the virtual block device.

            a. I use â??diskload.exe c:25â??, a Microsoft HCT load
               generator, on Windows VMs.

            b. Iometer can probably be configured to generate a similar load.

         5) Run multiple VMs in parallel, against the same storage device,
         to shake the failure out sooner.

         6) IvyBridge and Haswell processors for certain; not sure about others.

      A similar patch survived over 12 hours of testing, where an unpatched
      QEMU would fail within 15 minutes.

      This bug is, most likely, also the cause of failures in the libguestfs
      testsuite on AArch64.

      Thanks to Laszlo Ersek for initially reporting this bug, to Stefan
      Hajnoczi for suggesting closer examination of qemu_bh_schedule, and to
      Paul for providing test input and a prototype patch.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reported-by: Paul Leveille <Paul.Leveille@xxxxxxxxxxx>
      Reported-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1428419779-26062-1-git-send-email-pbonzini@xxxxxxxxxx
      Suggested-by: Paul Leveille <Paul.Leveille@xxxxxxxxxxx>
      Suggested-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c8623c0215e18eb4a8ec73eba014d97e51ed707e
  Author: Dirk Müller <dirk@xxxxxxxx>
  Date:   Sat Apr 4 14:24:38 2015 +0200

      arm: memory: Replace memory_region_init_ram with 
memory_region_allocate_system_memory

      Commit 0b183fc871:"memory: move mem_path handling to
      memory_region_allocate_system_memory" split memory_region_init_ram and
      memory_region_init_ram_from_file. Also it moved mem-path handling a step
      up from memory_region_init_ram to memory_region_allocate_system_memory.

      Therefore for any board that uses memory_region_init_ram directly,
      -mem-path is not supported.

      Fix this by replacing memory_region_init_ram with
      memory_region_allocate_system_memory.

      Signed-off-by: Dirk Mueller <dmueller@xxxxxxxx>
      Message-id: 
CAL5wTH4UHYKpJF=dLJfFzxpufjY189chnCow47-ySuLf8GLbug@xxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2a6cdd6d35158bc7a6aacd92b5b0302f28ec480e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Apr 2 19:50:44 2015 +0200

      virtio-blk: correctly dirty guest memory

      After qemu_iovec_destroy, the QEMUIOVector's size is zeroed and
      the zero size ultimately is used to compute virtqueue_push's len
      argument.  Therefore, reads from virtio-blk devices did not
      migrate their results correctly.  (Writes were okay).

      Save the size in virtio_blk_handle_request, and use it when the request
      is completed.

      Based on a patch by Wen Congyang.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Tested-by: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
      Message-id: 1427997044-392-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e4603fe139e2161464d7e75faa3a650e31f057fc
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 7 15:03:16 2015 +0200

      qcow2: Fix header update with overridden backing file

      In recent qemu versions, it is possible to override the backing file
      name and format that is stored in the image file with values given at
      runtime. In such cases, the temporary override could end up in the
      image header if the qcow2 header was updated, while obviously correct
      behaviour would be to leave the on-disk backing file path/format
      unchanged.

      Fix this and add a test case for it.

      Reported-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1428411796-2852-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5a24f20a7208a58fb80d78ca0521bba6f4d7b145
  Merge: f2155a0 9be6e69
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 7 14:33:46 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-04-04' into staging

      trivial patches for 2015-04-04

      # gpg: Signature made Sat Apr  4 08:07:49 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-04-04:
        vhost: fix typo in vq_index description
        gitignore: Ignore more .pod files.
        target-tricore: Fix check which was always false
        target-i386: remove superfluous TARGET_HAS_SMC macro
        pcspk: Fix I/O port name

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9be6e69f12bc65e9c43ee5b8eb026412f11b8b71
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Mar 26 12:10:29 2015 +0100

      vhost: fix typo in vq_index description

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Acked-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 085feb61dbc6130bfd2e6c3f59d03220ff9e1bb3
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Fri Mar 20 10:30:44 2015 -0600

      gitignore: Ignore more .pod files.

      kvm_stat.{1,pod} started showing up as untracked files in my
      directory, and I nearly accidentally merged them into a commit
      with my usual habit of 'git add .'.  Rather than spelling out
      each such file, just ignore the entire pattern.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7b4b0b5795e934a9b7efb916af86715b68555be9
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Mar 21 14:44:58 2015 +0100

      target-tricore: Fix check which was always false

      With a mask value of 0x00400000, the result will never be 1.
      This fixes a Coverity warning.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9c04146ad4696b20c440bfbb4a6ab27ea254e7ca
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sat Mar 21 13:29:09 2015 -0400

      target-i386: remove superfluous TARGET_HAS_SMC macro

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ecf2e5a46d7559f258a2c914131ba25d3c5326bf
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Mar 19 13:08:40 2015 +0100

      pcspk: Fix I/O port name

      Probably a copy&paste bug. Fixing it helps identifying the device model
      behind port 0x61.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>


For bisection revision-tuple graph see:
   
http://logs.test-lab.xenproject.org/osstest/results/bisect/qemu-mainline/test-amd64-i386-xl-qemuu-debianhvm-amd64.debian-hvm-install.html
Revision IDs in each graph node refer, respectively, to the Trees above.

----------------------------------------
Running cs-bisection-step 
--graph-out=/home/logs/results/bisect/qemu-mainline/test-amd64-i386-xl-qemuu-debianhvm-amd64.debian-hvm-install
 --summary-out=tmp/65229.bisection-summary --basis-template=64579 
--blessings=real,real-bisect qemu-mainline 
test-amd64-i386-xl-qemuu-debianhvm-amd64 debian-hvm-install
Searching for failure / basis pass:
 65147 fail [host=nocera1] / 65121 [host=rimava1] 65100 [host=pinot1] 65078 
[host=fiano1] 65054 [host=huxelrebe0] 65005 [host=italia1] 64965 [host=rimava0] 
64797 [host=huxelrebe1] 64579 [host=chardonnay1] 64450 [host=baroque0] 64290 
[host=italia0] 64095 [host=fiano1] 63957 [host=pinot1] 63705 [host=italia1] 
63585 [host=huxelrebe1] 63527 [host=rimava0] 63466 [host=huxelrebe0] 63384 
[host=baroque0] 63363 [host=rimava1] 63346 [host=merlot1] 63202 [host=elbling1] 
63117 [host=baroque1] 63086 [host=pinot1] 63064 [host=huxelrebe1] 63029 
[host=pinot0] 63010 [host=rimava1] 62950 [host=italia1] 62943 [host=fiano1] 
62934 [host=chardonnay1] 62795 [host=italia0] 62748 [host=huxelrebe0] 62696 
[host=pinot1] 62649 [host=chardonnay0] 62594 [host=chardonnay0] 62525 
[host=elbling1] 62424 [host=pinot0] 62339 [host=rimava1] 62280 
[host=chardonnay1] 62173 [host=huxelrebe1] 61883 [host=chardonnay0] 61767 
[host=elbling1] 61573 [host=merlot0] 61516 [host=merlot1] 61288 [host=elbling0] 
61006 [host=italia0] 60958 [host=rimava1] 60879 [host=pinot1] 60846 
[host=chardonnay1] 60777 [host=italia1] 60713 [host=fiano0] 60685 
[host=merlot0] 60664 [host=pinot1] 60616 [host=pinot0] 60583 [host=italia0] 
60374 [host=italia0] 60164 [host=italia0] 60029 [host=italia0] 59965 
[host=italia0] 59932 [host=italia0] 59908 [host=italia0] 59877 [host=italia0] 
59850 [host=italia0] 59810 [host=italia0] 59791 [host=italia0] 59769 
[host=italia0] 59715 [host=italia0] 59695 [host=italia0] 59661 [host=italia0] 
59634 [host=italia0] 59616 [host=italia0] 59598 [host=italia0] 59579 
[host=italia0] 59556 [host=italia0] 59530 [host=italia0] 59505 [host=italia0] 
59483 [host=italia0] 59465 [host=italia0] 59435 [host=italia0] 59387 
[host=italia0] 59307 [host=italia0] 59214 [host=italia0] 59169 [host=italia0] 
59109 [host=elbling0] 59059 [host=elbling1] 59035 [host=fiano1] 59023 
[host=chardonnay1] 59010 [host=pinot1] 58980 [host=rimava1] 58973 
[host=italia1] 58964 [host=pinot0] 58934 [host=huxelrebe1] 58904 
[host=chardonnay0] 58876 [host=huxelrebe0] 58844 [host=italia0] 58829 
[host=elbling0] 58819 [host=merlot1] 58753 [host=fiano0] 58732 [host=merlot0] 
58721 [host=fiano1] 58708 [host=pinot1] 58672 [host=elbling1] 58473 
[host=huxelrebe1] 58416 [host=chardonnay0] 58387 [host=huxelrebe0] 58318 
[host=pinot0] 58241 [host=italia0] 58195 [host=elbling0] 58150 [host=elbling0] 
57925 [host=elbling0] 57872 [host=pinot1] 57815 [host=fiano1] 57737 
[host=italia1] 57591 [host=rimava1] 57513 [host=fiano0] 57448 [host=pinot1] 
57404 [host=merlot0] 57288 [host=italia0] 57266 [host=chardonnay0] 57174 
[host=italia1] 57141 [host=italia1] 57112 [host=merlot1] 57078 [host=pinot0] 
56989 [host=elbling0] 56946 [host=huxelrebe0] 56911 [host=fiano0] 56831 
[host=huxelrebe1] 56784 [host=italia0] 56727 [host=fiano1] 56682 
[host=chardonnay0] 56512 [host=chardonnay1] 56435 [host=elbling0] 56374 
[host=pinot1] 55881 [host=merlot0] 55418 [host=elbling1] 55331 [host=merlot1] 
55268 [host=baroque0] 54832 [host=italia1] 53914 [host=baroque1] 53811 
[host=pinot0] 53190 [host=fiano1] 52652 [host=pinot1] 50428 [host=pinot0] 50406 
[host=italia0] 50391 [host=nocera0] 50371 [host=italia1] 50337 ok.
Failure / basis pass flights: 65147 / 50337
(tree with no url: ovmf)
(tree with no url: seabios)
Tree: linux git://xenbits.xen.org/linux-pvops.git
Tree: linuxfirmware git://xenbits.xen.org/osstest/linux-firmware.git
Tree: qemu git://xenbits.xen.org/qemu-xen-traditional.git
Tree: qemuu git://git.qemu.org/qemu.git
Tree: xen git://xenbits.xen.org/xen.git
Latest 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
b04fc428356a540fdb9065fa8c3c71ee476c2031 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
Basis pass 8a5f782c33c04ea5c9b3ca6fb32d6039e2e5c0c9 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
a4b276b4ce49c8d70dd841ff885b900ec652b994 
f2155a089600e80cf7bcdc814520ef3304882cc4 
3a28f760508fb35c430edac17a9efde5aff6d1d5
Generating revisions with ./adhoc-revtuple-generator  
git://xenbits.xen.org/linux-pvops.git#8a5f782c33c04ea5c9b3ca6fb32d6039e2e5c0c9-769b79eb206ad5b0249a08665fefb913c3d1998e
 
git://xenbits.xen.org/osstest/linux-firmware.git#c530a75c1e6a472b0eb9558310b518f0dfcd8860-c530a75c1e6a472b0eb9558310b518f0dfcd8860
 
git://xenbits.xen.org/qemu-xen-traditional.git#a4b276b4ce49c8d70dd841ff885b900ec652b994-bc00cad75d8bcc3ba696992bec219c21db8406aa
 
git://git.qemu.org/qemu.git#f2155a089600e80cf7bcdc814520ef3304882cc4-b04fc428356a540fdb9065fa8c3c71ee476c2031
 
git://xenbits.xen.org/xen.git#3a28f760508fb35c430edac17a9efde5aff6d1d5-713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
adhoc-revtuple-generator: tree discontiguous: linux-pvops
adhoc-revtuple-generator: tree discontiguous: qemu
adhoc-revtuple-generator: tree discontiguous: xen
Loaded 1006 nodes in revision graph
Searching for test results:
 34710 [host=rice-weevil]
 34711 [host=rice-weevil]
 34716 [host=rice-weevil]
 34721 [host=rice-weevil]
 34727 [host=rice-weevil]
 34730 [host=rice-weevil]
 34734 [host=rice-weevil]
 34738 [host=rice-weevil]
 34744 [host=rice-weevil]
 34748 [host=rice-weevil]
 34759 [host=rice-weevil]
 63957 [host=pinot1]
 34896 [host=rice-weevil]
 34909 [host=rice-weevil]
 34920 [host=rice-weevil]
 34937 [host=rice-weevil]
 34952 [host=rice-weevil]
 34957 [host=rice-weevil]
 34961 [host=rice-weevil]
 34967 [host=rice-weevil]
 34979 [host=rice-weevil]
 34983 [host=rice-weevil]
 34988 [host=rice-weevil]
 34993 [host=rice-weevil]
 34996 [host=rice-weevil]
 35004 [host=rice-weevil]
 35011 [host=rice-weevil]
 35021 [host=rice-weevil]
 35028 [host=rice-weevil]
 35033 [host=rice-weevil]
 35052 [host=rice-weevil]
 35063 [host=rice-weevil]
 35077 [host=rice-weevil]
 35098 [host=rice-weevil]
 35101 [host=rice-weevil]
 35119 [host=rice-weevil]
 35133 [host=rice-weevil]
 35147 [host=rice-weevil]
 35157 [host=rice-weevil]
 35169 [host=rice-weevil]
 35179 [host=rice-weevil]
 35187 [host=rice-weevil]
 35196 [host=rice-weevil]
 35212 [host=rice-weevil]
 35220 [host=rice-weevil]
 35228 [host=rice-weevil]
 35237 [host=rice-weevil]
 35251 [host=rice-weevil]
 35269 [host=rice-weevil]
 35283 [host=rice-weevil]
 35290 [host=rice-weevil]
 35296 [host=rice-weevil]
 35298 [host=grain-weevil]
 35303 [host=rice-weevil]
 35314 [host=rice-weevil]
 35319 [host=rice-weevil]
 35336 [host=rice-weevil]
 35344 [host=rice-weevil]
 35364 [host=rice-weevil]
 35371 [host=rice-weevil]
 35377 [host=rice-weevil]
 35387 [host=rice-weevil]
 35394 [host=rice-weevil]
 35408 [host=rice-weevil]
 35427 [host=rice-weevil]
 35436 [host=rice-weevil]
 35455 [host=rice-weevil]
 35477 [host=rice-weevil]
 35489 [host=rice-weevil]
 35491 [host=rice-weevil]
 35499 [host=rice-weevil]
 35505 [host=rice-weevil]
 35511 [host=rice-weevil]
 35516 [host=rice-weevil]
 35519 [host=rice-weevil]
 35531 [host=rice-weevil]
 35537 [host=rice-weevil]
 35543 [host=rice-weevil]
 35551 [host=rice-weevil]
 35560 [host=rice-weevil]
 35565 [host=rice-weevil]
 35571 [host=rice-weevil]
 35572 [host=grain-weevil]
 35819 [host=lace-bug]
 35893 [host=scape-moth]
 36522 [host=leaf-beetle]
 36586 [host=itch-mite]
 36709 [host=scape-moth]
 36760 [host=lace-bug]
 50272 [host=fiano0]
 50290 [host=pinot0]
 50320 [host=fiano1]
 50337 pass 8a5f782c33c04ea5c9b3ca6fb32d6039e2e5c0c9 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
a4b276b4ce49c8d70dd841ff885b900ec652b994 
f2155a089600e80cf7bcdc814520ef3304882cc4 
3a28f760508fb35c430edac17a9efde5aff6d1d5
 50371 [host=italia1]
 50259 []
 64095 [host=fiano1]
 50406 [host=italia0]
 50391 [host=nocera0]
 50428 [host=pinot0]
 64177 []
 64290 [host=italia0]
 64450 [host=baroque0]
 64579 [host=chardonnay1]
 64797 [host=huxelrebe1]
 64965 [host=rimava0]
 65005 [host=italia1]
 52624 []
 52652 [host=pinot1]
 65121 [host=rimava1]
 65054 [host=huxelrebe0]
 65078 [host=fiano1]
 65100 [host=pinot1]
 65147 fail 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
b04fc428356a540fdb9065fa8c3c71ee476c2031 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
 65198 pass 8a5f782c33c04ea5c9b3ca6fb32d6039e2e5c0c9 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
734b9a8f05418c6cdb21b4c3d24b9d35960595eb 
f2155a089600e80cf7bcdc814520ef3304882cc4 
3a28f760508fb35c430edac17a9efde5aff6d1d5
 65169 pass 8a5f782c33c04ea5c9b3ca6fb32d6039e2e5c0c9 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
a4b276b4ce49c8d70dd841ff885b900ec652b994 
f2155a089600e80cf7bcdc814520ef3304882cc4 
3a28f760508fb35c430edac17a9efde5aff6d1d5
 65221 fail 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
b04fc428356a540fdb9065fa8c3c71ee476c2031 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
 65185 fail 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
b04fc428356a540fdb9065fa8c3c71ee476c2031 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
 65211 fail 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
b04fc428356a540fdb9065fa8c3c71ee476c2031 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
 65188 pass 8a5f782c33c04ea5c9b3ca6fb32d6039e2e5c0c9 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
3b050c69ee3171997d33bb8b2c111a4ebea169fd 
f2155a089600e80cf7bcdc814520ef3304882cc4 
3a28f760508fb35c430edac17a9efde5aff6d1d5
 65201 pass 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
f2155a089600e80cf7bcdc814520ef3304882cc4 
3a28f760508fb35c430edac17a9efde5aff6d1d5
 65191 pass 8a5f782c33c04ea5c9b3ca6fb32d6039e2e5c0c9 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
e6af340b9e32e78fd980d46d939aa0939f51ebd4 
f2155a089600e80cf7bcdc814520ef3304882cc4 
3a28f760508fb35c430edac17a9efde5aff6d1d5
 65194 pass 8a5f782c33c04ea5c9b3ca6fb32d6039e2e5c0c9 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
9da9f80538c8ff891886cfe3d987ca17bd240d19 
f2155a089600e80cf7bcdc814520ef3304882cc4 
3a28f760508fb35c430edac17a9efde5aff6d1d5
 65229 fail 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
b04fc428356a540fdb9065fa8c3c71ee476c2031 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
 65206 pass 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
f2155a089600e80cf7bcdc814520ef3304882cc4 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
 65216 pass 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
f2155a089600e80cf7bcdc814520ef3304882cc4 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
 65224 pass 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
f2155a089600e80cf7bcdc814520ef3304882cc4 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
 53190 [host=fiano1]
 53811 [host=pinot0]
 53914 [host=baroque1]
 54832 [host=italia1]
 55268 [host=baroque0]
 55331 [host=merlot1]
 55418 [host=elbling1]
 55881 [host=merlot0]
 56374 [host=pinot1]
 56435 [host=elbling0]
 56512 [host=chardonnay1]
 56682 [host=chardonnay0]
 56727 [host=fiano1]
 56831 [host=huxelrebe1]
 56784 [host=italia0]
 56911 [host=fiano0]
 56946 [host=huxelrebe0]
 57078 [host=pinot0]
 56989 [host=elbling0]
 57174 [host=italia1]
 57112 [host=merlot1]
 57141 [host=italia1]
 57266 [host=chardonnay0]
 57288 [host=italia0]
 57404 [host=merlot0]
 57513 [host=fiano0]
 57448 [host=pinot1]
 57591 [host=rimava1]
 57737 [host=italia1]
 57872 [host=pinot1]
 57815 [host=fiano1]
 57925 [host=elbling0]
 58150 [host=elbling0]
 58195 [host=elbling0]
 58241 [host=italia0]
 58318 [host=pinot0]
 58387 [host=huxelrebe0]
 58416 [host=chardonnay0]
 58473 [host=huxelrebe1]
 58648 []
 58638 []
 58625 []
 58632 []
 58658 []
 58672 [host=elbling1]
 58664 []
 58708 [host=pinot1]
 58721 [host=fiano1]
 58732 [host=merlot0]
 58753 [host=fiano0]
 58819 [host=merlot1]
 58829 [host=elbling0]
 58844 [host=italia0]
 58904 [host=chardonnay0]
 58876 [host=huxelrebe0]
 58934 [host=huxelrebe1]
 58973 [host=italia1]
 58964 [host=pinot0]
 58980 [host=rimava1]
 59010 [host=pinot1]
 59023 [host=chardonnay1]
 59035 [host=fiano1]
 59059 [host=elbling1]
 59169 [host=italia0]
 59109 [host=elbling0]
 59307 [host=italia0]
 59214 [host=italia0]
 59387 [host=italia0]
 59435 [host=italia0]
 59465 [host=italia0]
 59483 [host=italia0]
 59505 [host=italia0]
 59530 [host=italia0]
 59556 [host=italia0]
 59579 [host=italia0]
 59598 [host=italia0]
 59616 [host=italia0]
 59634 [host=italia0]
 59661 [host=italia0]
 59695 [host=italia0]
 59715 [host=italia0]
 59810 [host=italia0]
 59791 [host=italia0]
 59850 [host=italia0]
 59877 [host=italia0]
 59760 []
 59769 [host=italia0]
 59832 [host=italia0]
 59932 [host=italia0]
 59965 [host=italia0]
 60004 []
 59908 [host=italia0]
 60029 [host=italia0]
 60164 [host=italia0]
 60374 [host=italia0]
 60616 [host=pinot0]
 60583 [host=italia0]
 60713 [host=fiano0]
 60685 [host=merlot0]
 60664 [host=pinot1]
 60777 [host=italia1]
 60846 [host=chardonnay1]
 60958 [host=rimava1]
 60879 [host=pinot1]
 61006 [host=italia0]
 61128 []
 61288 [host=elbling0]
 61516 [host=merlot1]
 61573 [host=merlot0]
 61767 [host=elbling1]
 61883 [host=chardonnay0]
 62028 [host=huxelrebe0]
 62173 [host=huxelrebe1]
 62339 [host=rimava1]
 62280 [host=chardonnay1]
 62424 [host=pinot0]
 62525 [host=elbling1]
 62594 [host=chardonnay0]
 62683 [host=chardonnay0]
 62649 [host=chardonnay0]
 62681 [host=chardonnay0]
 62696 [host=pinot1]
 62795 [host=italia0]
 62748 [host=huxelrebe0]
 62950 [host=italia1]
 62934 [host=chardonnay1]
 62943 [host=fiano1]
 63029 [host=pinot0]
 63010 [host=rimava1]
 63064 [host=huxelrebe1]
 63086 [host=pinot1]
 63117 [host=baroque1]
 63202 [host=elbling1]
 63346 [host=merlot1]
 63363 [host=rimava1]
 63384 [host=baroque0]
 63466 [host=huxelrebe0]
 63527 [host=rimava0]
 63585 [host=huxelrebe1]
 63705 [host=italia1]
 34146 [host=rice-weevil]
 34262 [host=rice-weevil]
 34244 [host=rice-weevil]
 34187 [host=rice-weevil]
 34241 [host=rice-weevil]
 34248 [host=rice-weevil]
 34259 [host=rice-weevil]
 34188 [host=rice-weevil]
 34254 [host=rice-weevil]
 34337 [host=rice-weevil]
 34357 [host=rice-weevil]
 34330 [host=rice-weevil]
 34323 [host=rice-weevil]
 34320 [host=rice-weevil]
 34347 [host=rice-weevil]
 34335 [host=rice-weevil]
 34339 [host=rice-weevil]
 34354 [host=rice-weevil]
 34349 [host=rice-weevil]
 34393 [host=rice-weevil]
 34455 [host=rice-weevil]
 34401 [host=rice-weevil]
 34402 [host=rice-weevil]
 34424 [host=rice-weevil]
 34404 [host=rice-weevil]
 34412 [host=rice-weevil]
 34429 [host=rice-weevil]
 34407 [host=rice-weevil]
 34410 [host=rice-weevil]
 34433 [host=rice-weevil]
 34422 [host=rice-weevil]
 34427 [host=grain-weevil]
 34449 [host=rice-weevil]
 34430 [host=rice-weevil]
 34441 [host=rice-weevil]
 34445 [host=rice-weevil]
 34438 [host=rice-weevil]
 34452 [host=rice-weevil]
 34458 [host=rice-weevil]
 34460 [host=rice-weevil]
 34463 [host=rice-weevil]
 34466 [host=rice-weevil]
 34470 [host=rice-weevil]
 34473 [host=rice-weevil]
 34543 [host=grain-weevil]
 34475 [host=rice-weevil]
 34480 [host=rice-weevil]
 34485 [host=rice-weevil]
 34489 [host=rice-weevil]
 34490 [host=grain-weevil]
 34544 [host=grain-weevil]
 34577 [host=grain-weevil]
 34579 [host=grain-weevil]
 34581 [host=grain-weevil]
 34583 [host=grain-weevil]
 34585 [host=grain-weevil]
 34587 [host=grain-weevil]
 34633 [host=grain-weevil]
 34588 [host=grain-weevil]
 34656 [host=rice-weevil]
 34635 [host=grain-weevil]
 34594 [host=grain-weevil]
 34636 [host=grain-weevil]
 34646 [host=grain-weevil]
 34658 [host=rice-weevil]
 34598 [host=grain-weevil]
 34631 [host=grain-weevil]
 34632 [host=grain-weevil]
 34640 [host=grain-weevil]
 34644 [host=grain-weevil]
 34596 [host=rice-weevil]
 34653 [host=grain-weevil]
Searching for interesting versions
 Result found: flight 50337 (pass), for basis pass
 Result found: flight 65147 (fail), for basis failure
 Repro found: flight 65169 (pass), for basis pass
 Repro found: flight 65185 (fail), for basis failure
 0 revisions at 769b79eb206ad5b0249a08665fefb913c3d1998e 
c530a75c1e6a472b0eb9558310b518f0dfcd8860 
bc00cad75d8bcc3ba696992bec219c21db8406aa 
f2155a089600e80cf7bcdc814520ef3304882cc4 
713b7e4ef2aa4ec3ae697cde9c81d5a57548f9b1
No revisions left to test, checking graph state.
 Result found: flight 65206 (pass), for last pass
 Result found: flight 65211 (fail), for first failure
 Repro found: flight 65216 (pass), for last pass
 Repro found: flight 65221 (fail), for first failure
 Repro found: flight 65224 (pass), for last pass
 Repro found: flight 65229 (fail), for first failure

*** Found and reproduced problem changeset ***

  Bug is in tree:  qemuu git://git.qemu.org/qemu.git
  Bug introduced:  b04fc428356a540fdb9065fa8c3c71ee476c2031
  Bug not present: f2155a089600e80cf7bcdc814520ef3304882cc4
  Last fail repro: http://logs.test-lab.xenproject.org/osstest/logs/65229/


  commit b04fc428356a540fdb9065fa8c3c71ee476c2031
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 17:50:12 2015 +0000

      Update version for v2.5.0-rc2 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 72f75c76d84e2eefc6806dafca116860ffe847f0
  Merge: a5df350 d08e42a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 16:50:59 2015 +0000

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      vhost, pc: fixes for 2.5

      Minor vhost fixes.  HW version tweak for PC.
      Documentation and test updates.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 26 Nov 2015 16:40:25 GMT using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        vhost-user-test: fix migration overlap test
        Fix memory leak on error
        Revert "vhost: send SET_VRING_ENABLE at start/stop"
        tests/vhost-user-bridge: read command line arguments
        tests/vhost-user-bridge: propose GUEST_ANNOUNCE feature
        vhost-user: clarify start and enable
        vhost-user: set link down when the char device is closed
        pc: Don't set hw_version on pc-*-2.5
        osdep: Change default value of qemu_hw_version() to "2.5+"

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d08e42a1125d384cb53423f5810b0c7ea52dc6c9
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Nov 26 15:14:02 2015 +0200

      vhost-user-test: fix migration overlap test

      During migration, source does GET_BASE, destination does SET_BASE.
      Use that as opposed to fds being configured to detect
      vhost user running on both source and destination.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a5df35070a4c7fa8e2d9c6bd7175ee8e3e0f7641
  Merge: 317e4db df64983
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 16:27:26 2015 +0000

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-11-26' into staging

      QMP and QObject patches

      # gpg: Signature made Thu 26 Nov 2015 09:07:18 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-11-26:
        qjson: Limit number of tokens in addition to total size
        qjson: surprise, allocating 6 QObjects per token is expensive
        qjson: store tokens in a GQueue
        qjson: Convert to parser to recursive descent
        qjson: replace QString in JSONLexer with GString
        qjson: Inline token_is_escape() and simplify
        qjson: Inline token_is_keyword() and simplify
        qjson: Give each of the six structural chars its own token type
        qjson: Spell out some silent assumptions
        check-qjson: Add test for JSON nesting depth limit
        qjson: Don't crash when input exceeds nesting limit
        qjson: Apply nesting limit more sanely
        monitor: Plug memory leak on QMP error

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 317e4db6e90421abeeebc78f1a3e8472a76b2e74
  Merge: fe4cf57 5120901
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 15:56:53 2015 +0000

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      Small patches, without the one that introduces -fwrapv.

      # gpg: Signature made Thu 26 Nov 2015 15:48:53 GMT using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream:
        target-i386: kvm: Print warning when clearing mcg_cap bits
        target-i386: kvm: Use env->mcg_cap when setting up MCE
        target-i386: kvm: Abort if MCE bank count is not supported by host
        virtio-scsi: don't crash without a valid device
        target-sparc: fix 32-bit truncation in fpackfix
        exec: remove warning about mempath and hugetlbfs
        Revert "exec: silence hugetlbfs warning under qtest"
        call bdrv_drain_all() even if the vm is stopped
        MAINTAINERS: Update TCG CPU cores section

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5120901a378501403d5454b69cf43e666fc29d5b
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 25 18:19:16 2015 +0100

      target-i386: kvm: Print warning when clearing mcg_cap bits

      Instead of silently clearing mcg_cap bits when the host doesn't
      support them, print a warning when doing that.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      [Avoid \n at end of error_report. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448471956-66873-10-git-send-email-pbonzini@xxxxxxxxxx>

  commit 2590f15b13cc57487518996b32bb7626b0d80909
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 25 18:19:15 2015 +0100

      target-i386: kvm: Use env->mcg_cap when setting up MCE

      When setting up MCE, instead of using the MCE_*_DEF macros
      directly, just filter the existing env->mcg_cap value.

      As env->mcg_cap is already initialized as
      MCE_CAP_DEF|MCE_BANKS_DEF at target-i386/cpu.c:mce_init(), this
      doesn't change any behavior. But it will allow us to change
      mce_init() in the future, to implement different defaults
      depending on CPU model, machine-type or command-line parameters.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448471956-66873-9-git-send-email-pbonzini@xxxxxxxxxx>

  commit 49b69cbfcd6e32e2178d6ff7e5d60689c3f79c6e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 25 18:19:14 2015 +0100

      target-i386: kvm: Abort if MCE bank count is not supported by host

      Instead of silently changing the number of banks in mcg_cap based
      on kvm_get_mce_cap_supported(), abort initialization if the host
      doesn't support MCE_BANKS_DEF banks.

      Note that MCE_BANKS_DEF was always 10 since it was introduced in
      QEMU, and Linux always returned 32 at KVM_CAP_MCE since
      KVM_CAP_MCE was introduced, so no behavior is being changed and
      the error can't be triggered by any Linux version. The point of
      the new check is to ensure we won't silently change the bank
      count if we change MCE_BANKS_DEF or make the bank count
      configurable in the future.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      [Avoid Yoda condition and \n at end of error_report. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448471956-66873-8-git-send-email-pbonzini@xxxxxxxxxx>

  commit 3e32e8a96e6995cde3d8a13d68e31226ee83f290
  Author: Eugene (jno) Dvurechenski <jno@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Nov 26 15:45:35 2015 +0100

      virtio-scsi: don't crash without a valid device

      Make sure that we actually have a device when checking the aio
      context. Otherwise guests could trigger QEMU crashes.

      Signed-off-by: "Eugene (jno) Dvurechenski" <jno@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1448549135-6582-2-git-send-email-jno@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 12a3567c4099be194b44987ac5d7d65b99bcfab7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Nov 2 15:05:34 2015 +0100

      target-sparc: fix 32-bit truncation in fpackfix

      This is reported by Coverity.  The algorithm description at
      ftp://ftp.icm.edu.pl/packages/ggi/doc/hw/sparc/Sparc.pdf suggests
      that the 32-bit parts of rs2, after the left shift, is treated
      as a 64-bit integer.  Bits 32 and above are used to do the
      saturating truncation.

      Message-Id: <1446473134-4330-1-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bfc2a1a1f41c2861b20e8318c0541d0823427802
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 25 10:52:29 2015 +0000

      exec: remove warning about mempath and hugetlbfs

      The gethugepagesize() method in exec.c printed a warning if
      the file path for "-mem-path" or "-object memory-backend-file"
      was not on a hugetlbfs filesystem. This warning is bogus, because
      QEMU functions perfectly well with the path on a regular tmpfs
      filesystem. Use of hugetlbfs vs tmpfs is a choice for the management
      application or end user to make as best fits their needs. As such it
      is inappropriate for QEMU to have an opinion on whether the user's
      choice is right or wrong in this case.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1448448749-1332-3-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2c189a4e12a37b1c7cae2a2643c378c5af8f67fc
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 25 10:52:28 2015 +0000

      Revert "exec: silence hugetlbfs warning under qtest"

      This reverts commit 1c7ba94a184df1eddd589d5400d879568d3e5d08.

      That commit changed QEMU initialization order from

       - object-initial, chardev, qtest, object-late

      to

       - chardev, qtest, object-initial, object-late

      This breaks chardev setups which need to rely on objects
      having been created. For example, when chardevs use TLS
      encryption in the future, they need to have tls credential
      objects created first.

      This revert, restores the ordering introduced in

        commit f08f9271bfe3f19a5eb3d7a2f48532065304d5c8
        Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
        Date:   Wed May 13 17:14:04 2015 +0100

          vl: Create (most) objects before creating chardev backends

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1448448749-1332-2-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b2780d325306dc80ec07db9c0c61e9b2ac10e559
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri Nov 20 17:34:38 2015 +0800

      call bdrv_drain_all() even if the vm is stopped

      There are still I/O operations when the vm is stopped. For example,
      stop the vm, and do block migration. In this case, we don't drain all
      I/O operation, and may meet the following problem:

      qemu-system-x86_64: migration/block.c:731: block_save_complete: Assertion 
`block_mig_state.submitted == 0' failed.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-Id: <564EE92E.4070701@xxxxxxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 903a41d3415960240cb3b9f1d66f3707b27010d6
  Author: Stefano Dong (��水) <opensource.dxs@xxxxxxxxxx>
  Date:   Thu Nov 26 12:00:12 2015 +0000

      Fix memory leak on error

      hw/ppc/spapr.c: Fix memory leak on error, it was introduced in bc09e0611
      hw/acpi/memory_hotplug.c: Fix memory leak on error, it was introduced in 
34f2af3d

      Signed-off-by: Stefano Dong (��水) <opensource.dxs@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fe4cf57da7a85fa65488448acdc22a65096e832a
  Merge: b8b0ee0 7fe4a41
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 10:58:10 2015 +0000

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20151126-1' 
into staging

      vnc: fix segfault

      # gpg: Signature made Thu 26 Nov 2015 07:37:43 GMT using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vnc-20151126-1:
        vnc: fix segfault

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b8b0ee0ea3d2789d8ee7372b9a173e7952e18087
  Merge: 7ef7ddf 44c6e00
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 10:24:18 2015 +0000

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-11-25-v2-tag' into staging

      qemu-ga patch queue for 2.5

      * include additional w32 MSI install components needed for
        guest-exec
      * fix 'make install' when compiling with --disable-tools
      * fix potential data corruption/loss when accessing files
        bi-directionally via guest-file-{read,write}
      * explicitly document how integer args for guest-file-seek map to
        SEEK_SET/SEEK_CUR/etc to avoid platform-specific differences

      v2:
      * fixed missing SoB

      # gpg: Signature made Wed 25 Nov 2015 23:58:45 GMT using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-11-25-v2-tag:
        qga: added another non-interactive gspawn() helper file.
        qga: Better mapping of SEEK_* in guest-file-seek
        tests: add file-write-read test
        qga: flush explicitly when needed
        qga: gspawn() console helper to Windows guest agent msi build
        makefile: fix qemu-ga make install for --disable-tools

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 449e3578107799817a81249b189f6f82aa9e787d
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Nov 25 13:39:57 2015 +0200

      Revert "vhost: send SET_VRING_ENABLE at start/stop"

      This reverts commit 3a12f32229a046f4d4ab0a3a52fb01d2d5a1ab76.

      In case of live migration several queues can be enabled and not only the
      first one. So informing backend that only the first queue is enabled is
      wrong.

      Reported-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      Cc: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>

  commit 7ef7ddf37674f7147ef23c311cbc3c37e908c8b0
  Merge: c7933a8 9c73517
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 26 09:44:25 2015 +0000

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Wed 25 Nov 2015 20:25:21 GMT using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        ide-test: fix timeouts
        atapi: Fix code indentation
        atapi: Account for failed and invalid operations in cd_read_sector()
        ide-test: cdrom_pio_impl fixup

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit df649835fe48f635a93316fdefe96ced7189316e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:33 2015 +0100

      qjson: Limit number of tokens in addition to total size

      Commit 29c75dd "json-streamer: limit the maximum recursion depth and
      maximum token count" attempts to guard against excessive heap usage by
      limiting total token size (it says "token count", but that's a lie).

      Total token size is a rather imprecise predictor of heap usage: many
      small tokens use more space than few large tokens with the same input
      size, because there's a constant per-token overhead: 37 bytes on my
      system.

      Tighten this up: limit the token count to 2Mi.  Chosen to roughly
      match the 64MiB total token size limit.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1448486613-17634-13-git-send-email-armbru@xxxxxxxxxx>

  commit 9bada8971173345ceb37ed1a47b00a01a4dd48cf
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:32 2015 +0100

      qjson: surprise, allocating 6 QObjects per token is expensive

      Replace the contents of the tokens GQueue with a simple struct.  This cuts
      the amount of memory allocated by tests/check-qjson from ~500MB to ~20MB,
      and the execution time from 600ms to 80ms on my laptop.  Still a lot (some
      could be saved by using an intrusive list, such as QSIMPLEQ, instead of
      the GQueue), but the savings are already massive and the right thing to
      do would probably be to get rid of json-streamer completely.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448300659-23559-5-git-send-email-pbonzini@xxxxxxxxxx>
      [Straightforwardly rebased on my patches]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 95385fe9ace7db156b924da6b6f5c9082b68ba68
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:31 2015 +0100

      qjson: store tokens in a GQueue

      Even though we still have the "streamer" concept, the tokens can now
      be deleted as they are read.  While doing so convert from QList to
      GQueue, since the next step will make tokens not a QObject and we
      will have to do the conversion anyway.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448300659-23559-4-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d538b25543f4db026bb435066e2403a542522c40
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:30 2015 +0100

      qjson: Convert to parser to recursive descent

      We backtrack in parse_value(), even though JSON is LL(1) and thus can
      be parsed by straightforward recursive descent.  Do exactly that.

      Based on an almost-correct patch from Paolo Bonzini.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-10-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d2ca7c0b0d876cf0e219ae7a92252626b0913a28
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:29 2015 +0100

      qjson: replace QString in JSONLexer with GString

      JSONLexer only needs a simple resizable buffer.  json-streamer.c
      can allocate memory for each token instead of relying on reference
      counting of QStrings.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1448300659-23559-2-git-send-email-pbonzini@xxxxxxxxxx>
      [Straightforwardly rebased on my patches, checkpatch made happy]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 6b9606f68ec589def27bd2a9cea97ec63cffd581
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:28 2015 +0100

      qjson: Inline token_is_escape() and simplify

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-8-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 50e2a467f5315fa36c547fb6330659ba45f6bb83
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:27 2015 +0100

      qjson: Inline token_is_keyword() and simplify

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-7-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c54616608af442edf4cfb7397a1909c2653efba0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:26 2015 +0100

      qjson: Give each of the six structural chars its own token type

      Simplifies things, because we always check for a specific one.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-6-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit b8d3b1da3cdbb02e180618d6be346c564723015d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:25 2015 +0100

      qjson: Spell out some silent assumptions

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448486613-17634-5-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f0ae0304c7a41a42b7d4a6cde450da938d3c2cc7
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:24 2015 +0100

      check-qjson: Add test for JSON nesting depth limit

      This would have prevented the regression mentioned in the previous
      commit.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1448486613-17634-4-git-send-email-armbru@xxxxxxxxxx>

  commit 0753113a26bb8c77f951b1ea91fd4f36d099c37a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:23 2015 +0100

      qjson: Don't crash when input exceeds nesting limit

      We limit nesting depth and input size to defend against input
      triggering excessive heap or stack memory use (commit 29c75dd
      json-streamer: limit the maximum recursion depth and maximum token
      count).  However, when the nesting limit is exceeded,
      parser_context_peek_token()'s assertion fails.

      Broken in commit 65c0f1e "json-parser: don't replicate tokens at each
      level of recursion".

      To reproduce stuff 1025 open braces or brackets into QMP.

      Fix by taking the error exit instead of the normal one.

      Reported-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1448486613-17634-3-git-send-email-armbru@xxxxxxxxxx>

  commit 4f2d31fbc0bfdf41feea7d1be49f4f7ffa005534
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Nov 25 22:23:22 2015 +0100

      qjson: Apply nesting limit more sanely

      The nesting limit from commit 29c75dd "json-streamer: limit the
      maximum recursion depth and maximum token count" applies separately to
      braces and brackets.  This makes no sense.  Apply it to their sum,
      because that's actually a measure of recursion depth.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1448486613-17634-2-git-send-email-armbru@xxxxxxxxxx>

  commit 3a81a10179b702e031d8f84438193d83a64b4122
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 29 12:15:09 2015 +0100

      monitor: Plug memory leak on QMP error

      Leak introduced in commit 8a4f501..710aec9, v2.4.0.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1446117309-15322-1-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 7fe4a41c262e2529dc79f77f6fe63c5309fa2fd9
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Nov 25 08:04:05 2015 +0100

      vnc: fix segfault

      Commit "c7628bf vnc: only alloc server surface with clients connected"
      missed one rarely used codepath (cirrus with guest drivers using 2d
      accel) where we have to check for the server surface being present,
      to avoid qemu crashing with a NULL pointer dereference.  Add the check.

      Reported-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
      Tested-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 44c6e00c3fd85b9c496bd3e74108ace126813a59
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Wed Nov 25 22:02:26 2015 +0300

      qga: added another non-interactive gspawn() helper file.

      With previous commit we added gspawn-win64-helper-console.exe,
      required for gspawn() mingw implementation.
      Unfortunatly when running as a service without interactive
      desktop, gspawn() also requires another helper app.

      Added gspawn-win64-helper.exe and gspawn-win32-helper.exe
      for corresponding architectures.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * remove trailing whitespace
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 0a982b1bf3953dc8640c4d6e619fb1132ebbebc3
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Nov 25 10:37:15 2015 -0700

      qga: Better mapping of SEEK_* in guest-file-seek

      Exposing OS-specific SEEK_ constants in our qapi was a mistake
      (if the host has SEEK_CUR as 1, but the guest has it as 2, then
      the semantics are unclear what should happen); if we had a time
      machine, we would instead expose only a symbolic enum.  It's too
      late to change the fact that we have an integer in qapi, but we
      can at least document what mapping we want to enforce for all
      qga clients (and luckily, it happens to be the mapping that both
      Linux and Windows use); then fix the code to match that mapping.
      It also helps us filter out unsupported SEEK_DATA and SEEK_HOLE.

      In the future, we may wish to move our QGA_SEEK_* constants into
      qga/qapi-schema.json, along with updating the schema to take an
      alternate type (either the integer, or the string value of the
      enum name) - but that's too much risk during hard freeze.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4eaab85cb1c1ba9c575d29921df81d63c7aa35df
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Nov 25 13:59:12 2015 +0100

      tests: add file-write-read test

      This test exhibits a POSIX behaviour regarding switching between write
      and read. It's undefined result if the application doesn't ensure a
      flush between the two operations (with glibc, the flush can be implicit
      when the buffer size is relatively small). The previous commit fixes
      this test.

      Related to:
      https://bugzilla.redhat.com/show_bug.cgi?id=1210246

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 895b00f62a7e86724dc7352d67c7808d37366130
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Nov 25 13:59:11 2015 +0100

      qga: flush explicitly when needed

      According to the specification:
      http://pubs.opengroup.org/onlinepubs/9699919799/functions/fopen.html

      "the application shall ensure that output is not directly followed by
      input without an intervening call to fflush() or to a file positioning
      function (fseek(), fsetpos(), or rewind()), and input is not directly
      followed by output without an intervening call to a file positioning
      function, unless the input operation encounters end-of-file."

      Without this change, an fwrite() followed by an fread() may lose the
      previously written content, as shown in the following test.

      Fixes:
      https://bugzilla.redhat.com/show_bug.cgi?id=1210246

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      * don't confuse {write,read}() with f{write,read}() in
        commit msg (Laszlo)
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 9c73517ca56d6611371376bd298b4b20f3ad6140
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Nov 24 14:36:11 2015 -0500

      ide-test: fix timeouts

      Use explicit timeouts instead of trying to approximate it by counting
      the cumulative duration of nsleep calls.

      In practice, the timeout if inb() dwarfed the nsleep delays, and as a
      result the real timeout value became a lot larger than 5 seconds.

      So: change the semantics from "Not sooner than 5 seconds" to "no more
      than 5 seconds" to ensure we don't hang the tester for very long.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1448393771-15483-2-git-send-email-jsnow@xxxxxxxxxx

  commit f2b608ab80a336b0136d35d9b49419a917656d44
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Thu Nov 19 15:20:37 2015 +0300

      qga: gspawn() console helper to Windows guest agent msi build

      This helper, gspawn-win64-helper-console.exe for 64-bit and
      gspawn-win32-helper-console.exe for 32-bit environment,
      is needed for gspawn() mingw implementation, used by guest-exec command.

      Without these files guest-exec command on Windows will not
      work with "file not found" diagnostic message.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 68aa262ad09c81b8b1284340cc0d26b65c605df5
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Nov 23 15:48:58 2015 -0600

      makefile: fix qemu-ga make install for --disable-tools

      ab59e3e introduced a fix for `make install` on w32 that involved
      filtering out qemu-ga from $TOOLS install recipe so that we could
      append $(EXESUF) to it before attempting to install the binary
      via install-prog function.

      install-prog takes a list of binaries to install to a particular
      directory. If the list is empty it breaks. We guard against this
      by ensuring $TOOLS is not empty prior to calling.

      However, ab59e3e introduces extra filtering after this check which
      can still result on us attempting to call install-prog with an
      empty list of binaries. In particular, this occurs if we
      build with the --disable-tools configure option, which results
      in qemu-ga being the only member of $TOOLS.

      Fix this by doing a simple s/qemu-ga/qemu-ga$(EXESUF)/ pass through
      $TOOLS instead of filtering out qemu-ga to handle it seperately.

      Reported-by: Steve Ellcey <sellcey@xxxxxxxxxx>
      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit c7933a80bc6f3bb79c341f8fc17b4cf76622e2f3
  Merge: 1a4dab8 f77dcdb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 25 16:20:58 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151125' into staging

      migration/next for 20151125

      # gpg: Signature made Wed 25 Nov 2015 14:28:47 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151125:
        block-migration: limit the memory usage
        Assume madvise for (no)hugepage works

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1a4dab849d5d06191ab5e5850f6b8bfcad8ceb47
  Merge: e85dda8 8c34d89
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 25 14:47:06 2015 +0000

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Wed 25 Nov 2015 13:33:14 GMT using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        qemu-iotests: Add -nographic when starting QEMU in 119 and 120
        block/qapi: Plug memory leak on query-block error path
        raw-posix.c: Make GetBSDPath() handle caching options
        nand: fix flash erase when oob is in memory
        test-aio: Fix event notifier cleanup
        tests/Makefile: Add more dependencies for test-timed-average

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f77dcdbc76dbf9bade9739e85e1013639e535835
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri Nov 20 17:37:13 2015 +0800

      block-migration: limit the memory usage

      If we set migration speed in a very large value, block-migration will try 
to read
      all data to the memory. Because
          (block_mig_state.submitted + block_mig_state.read_done) * BLOCK_SIZE
      will be overflow, and it will be always less than rate limit.

      There is no need to read too many data into memory when the rate limit is 
very large.
      So limit the memory usage can fix the overflow problem.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1d7414396f926651c4d7a673eb3a10aca5246d76
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 19 15:27:48 2015 +0000

      Assume madvise for (no)hugepage works

      madvise() returns EINVAL in the case of many failures, but also
      returns it in cases where the host kernel doesn't have THP enabled.
      Postcopy only really cares that THP is off before it detects faults,
      and turns it back on afterwards; so we're going to have
      to assume that if the madvise fails then the host just doesn't do
      THP and we can carry on with the postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Tested-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8c34d891b1594840d8394a3c9b92236c13254fd8
  Merge: 903c341 4d7f853
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Nov 25 14:33:01 2015 +0100

      Merge remote-tracking branch 
'mreitz/tags/pull-block-for-kevin-2015-11-25' into queue-block

      One block patch for qemu 2.5-rc2.

      # gpg: Signature made Wed Nov 25 14:30:45 2015 CET using RSA key ID 
E838ACAD
      # gpg: Good signature from "Max Reitz <mreitz@xxxxxxxxxx>"

      * mreitz/tags/pull-block-for-kevin-2015-11-25:
        qemu-iotests: Add -nographic when starting QEMU in 119 and 120

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4d7f853ff0054989a4f20f1f22d1ec489c669c3b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 23 10:32:10 2015 +0800

      qemu-iotests: Add -nographic when starting QEMU in 119 and 120

      Otherwise, a window flashes on my desktop (built with SDL). Add this as
      other cases have it.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1448245930-15031-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 903c341d5742b160e52752eb6fdc1ba9b87dc52e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Nov 20 13:53:35 2015 +0100

      block/qapi: Plug memory leak on query-block error path

      Spotted by Coverity.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 98caa5bc0083ed4fe4833addd3078b56ce2f6cfa
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Fri Nov 20 19:17:48 2015 -0500

      raw-posix.c: Make GetBSDPath() handle caching options

      Add support for caching options that can be specified from the command
      line.

      The CD-ROM raw char device bypasses the host page cache and therefore
      has alignment requirements.  Alignment probing is necessary so only use
      the raw char device if BDRV_O_NOCACHE is set.

      This patch fixes -cdrom /dev/cdrom on Mac OS X hosts, where bdrv_read()
      used to fail due to misaligned requests during image format probing.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8e37ca6d0be8aae2887c167da783fd2d9536c962
  Author: Ricard Wanderlof <ricard.wanderlof@xxxxxxxx>
  Date:   Fri Nov 13 14:17:28 2015 +0100

      nand: fix flash erase when oob is in memory

      For the "main area on file, oob in memory" case, fix the shifts so that
      we erase the correct number of pages.

      Signed-off-by: Ricard Wanderlöf <ricardw@xxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7595ed743914b9de1d146213dedc1e007283f723
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Nov 23 13:30:23 2015 +0100

      test-aio: Fix event notifier cleanup

      One test case closed an event notifier (event_notifier_cleanup())
      without first disabling it (set_event_notifier(..., NULL)). This
      resulted in a leftover handle 0 that was added to each subsequent
      WaitForMultipleObjects() call, causing the function to fail (invalid
      handle).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5e41fbffa115608fe6f7159d345d6caa0019e687
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Nov 23 13:28:12 2015 +0100

      tests/Makefile: Add more dependencies for test-timed-average

      'make check' failed to compile the test case for mingw because of
      undefined references. Pull in a few more dependencies so that it builds.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e85dda8070b20dd8765d52daf64de70a9ccf395f
  Merge: 1aae36d 22037db
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 25 12:09:34 2015 +0000

      Merge remote-tracking branch 'remotes/sstabellini/tags/xen-20151125' into 
staging

      Xen 2015/11/25

      # gpg: Signature made Wed 25 Nov 2015 11:19:26 GMT using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-20151125:
        xen_disk: Remove ioreq.postsync
        xen: fix usage of xc_domain_create in domain builder

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2b1641d0a2fc10bdbffb1c0aa9836186af008766
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Nov 13 18:49:54 2015 +0100

      MAINTAINERS: Update TCG CPU cores section

      These are the people that I think have been touching it lately
      or reviewing patches.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7cf32491eac9dc32fd8ca7933f3edc9d42f884ee
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Tue Nov 24 12:56:00 2015 +0200

      tests/vhost-user-bridge: read command line arguments

      Now some vhost-user-bridge parameters can be passed from the
      command line:

      Usage: prog [-u ud_socket_path] [-l lhost:lport] [-r rhost:rport]
              -u path to unix doman socket. default: /tmp/vubr.sock
              -l local host and port. default: 127.0.0.1:4444
              -r remote host and port. default: 127.0.0.1:5555

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 85ea9da5b8d8c0b2ab77b493d5ce62599279bf33
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Tue Nov 24 12:55:56 2015 +0200

      tests/vhost-user-bridge: propose GUEST_ANNOUNCE feature

      The backend has to know whether VIRTIO_NET_F_GUEST_ANNOUNCE was
      negotiated, so, as a hack we propose the feature by
      vhost-user-bridge during the feature negotiation.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c61f09ed855b5009f816242ce281fd01586d4646
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Nov 23 12:48:52 2015 +0200

      vhost-user: clarify start and enable

      It seems that we currently have some duplication between
      started and enabled states.

      The actual reason is that enable is not documented correctly:
      what it does is connecting ring to the backend.

      This is important for MQ, because a Linux guest expects TX
      packets to be completed even if it disables some queues
      temporarily.

      Cc: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Cc: Victor Kaplansky <victork@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d39c87d70763f2755d1d7a719817b06f0281fb01
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Wed Nov 11 14:53:29 2015 +0800

      vhost-user: set link down when the char device is closed

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>

  commit 463b52f285164ec3dc0649763e06e40cea9e8a1f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Nov 12 15:29:55 2015 -0200

      pc: Don't set hw_version on pc-*-2.5

      Now that qemu_hw_version() returns a fixed "2.5+" string instead
      of QEMU_VERSION, we don't need to set hw_version on pc-*-2.5
      explicitly.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fac862ffa605f6fa41f52033b27346d26a96bea5
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Nov 12 15:29:54 2015 -0200

      osdep: Change default value of qemu_hw_version() to "2.5+"

      There are two issues with qemu_hw_version() today:

      1) If a machine has hw_version set, the value returned by it is
         not very useful, because it is not the actual QEMU version.
      2) If a machine does't set hw_version, the return value of
         qemu_hw_version() is broken, because it will change when
         upgrading QEMU.

      For those reasons, using qemu_hw_version() is strongly
      discouraged, and should be used only in code that used
      QEMU_VERSION in the past and needs to keep compatibility.

      To fix (2), instead of making every machine broken by default
      unless they set hw_version, make qemu_hw_version() simply return
      "2.5+" if qemu_set_hw_version() is not called.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1aae36df4b8ed884c6ef6995e70c67fad79b49df
  Merge: 4b6eda6 1d64924
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 25 11:38:03 2015 +0000

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-ivshmem-2015-11-25' into staging

      ivshmem patches for 2.5

      # gpg: Signature made Wed 25 Nov 2015 09:25:38 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-ivshmem-2015-11-25:
        ivshmem: Rename property memdev to x-memdev for 2.5
        ivshmem: Mark questionable socket type test FIXME
        tests/ivshmem-test: Supply missing initializer in get_device()
        qemu-doc: Fix ivshmem usage example with shm=...
        qemu-doc: Fix ivshmem example markup

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 22037db38ccfe497bd13a94edead6657781b9b37
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Nov 25 11:54:14 2015 +0200

      xen_disk: Remove ioreq.postsync

      This code has been dead for three years (since commit 7e7b7cba1).

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 1d649244b3695cb148dd2ae66999db0f6f9566b3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:29 2015 +0100

      ivshmem: Rename property memdev to x-memdev for 2.5

      The device's guest interface and its QEMU user interface are
      flawed^Whotly debated.  We'll resolve that in the next development
      cycle, probably by deprecating the device in favour of a cleaned up,
      but not quite compatible revision.

      To avoid adding more baggage to the soon-to-be-deprecated interface,
      mark property "memdev" as experimental, by renaming it to "x-memdev".
      It's the only recent user interface change.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448384789-14830-6-git-send-email-armbru@xxxxxxxxxx>
      [Update of qemu-doc.texi squashed in]
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 2825717c02f5b1367e8e315b222888db00618170
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:28 2015 +0100

      ivshmem: Mark questionable socket type test FIXME

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 1613094766602bdb8cae337ceecd8ab68f956197
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:27 2015 +0100

      tests/ivshmem-test: Supply missing initializer in get_device()

      If the device isn't found, the assertion uses dev without
      initialization.  Fix that.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448384789-14830-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit a9282c25a5e2e860dfba5eca6d08fb2e42ee4f1a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:26 2015 +0100

      qemu-doc: Fix ivshmem usage example with shm=...

      The example suggests you can omit "shm".  This isn't true; you must
      specify exactly one of "shm", "chardev", "memdev".  Fix it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448384789-14830-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 50d34c4e357c41231b1106fc3f46cfd479a31e41
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 24 18:06:25 2015 +0100

      qemu-doc: Fix ivshmem example markup

      Use @var{foo} like we do everywhere else, not <foo>.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1448384789-14830-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 73a27d9ac35e3da3a2cf0ebd0bcc2be6de19dd0a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 24 14:18:00 2015 +0200

      atapi: Fix code indentation

      This was accidentally changed by commit 5f81724d

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
93fb43522e3b8dddb6c709d568919347d9a5ba3f.1448367341.git.berto@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 36be0929f53260cb9b1e2720c7c22f6b5fb5910f
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 24 14:17:59 2015 +0200

      atapi: Account for failed and invalid operations in cd_read_sector()

      Commit 5f81724d made PIO read requests async but didn't add the
      relevant block_acct_failed() and block_acct_invalid() calls.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
9b87e09d61019c128139b6c999ed0c07f0674170.1448367341.git.berto@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit a421f3c38509ee4ce47230ec68c5c3a184efb538
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 20 17:53:55 2015 -0500

      ide-test: cdrom_pio_impl fixup

      Final tidying: move the interrupt wait into the loop,
      document that the status read clears the IRQ, and move
      the final interrupt check outside of the loop.

      This should be functionally equivalent to how it works
      currently, but a little less ambiguous and slightly more
      explicit about the state transitions.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1448060035-31973-3-git-send-email-jsnow@xxxxxxxxxx

  commit 4b6eda626fdb8bf90472c6868d502a2ac09abeeb
  Merge: d9636b6 f93c3a8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 17:05:06 2015 +0000

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20151124' into 
staging

      MIPS patches 2015-11-24

      Changes:
      * Fixes for enabling/disabling 64-bit addressing

      # gpg: Signature made Tue 24 Nov 2015 14:54:35 GMT using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"

      * remotes/lalrae/tags/mips-20151124:
        target-mips: flush QEMU TLB when disabling 64-bit addressing
        target-mips: Fix exceptions while UX=0

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d9636b6c2b533ab43fad8c9f47633debeef94561
  Merge: 229c037 e14f0eb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 14:22:37 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151124' into staging

      target-arm queue:
       * fix minimum RAM check warning on xlnx-ep108
       * remove unused define from aarch64-linux-user.mak config
       * don't mask out bits [47:40] in ARMv8 LPAE descriptors
       * correct unallocated instruction checks for ldst_excl

      # gpg: Signature made Tue 24 Nov 2015 14:17:10 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151124:
        target-arm/translate-a64.c: Correct unallocated checks for ldst_excl
        target-arm: Don't mask out bits [47:40] in LPAE descriptors for v8
        default-configs/aarch64-linux-user.mak: Remove unused define
        xlnx-ep108: Fix minimum RAM check

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e14f0eb12f920fd96b9f79d15cedd437648e8667
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 14:12:15 2015 +0000

      target-arm/translate-a64.c: Correct unallocated checks for ldst_excl

      The checks for the unallocated encodings in the ldst_excl group
      (exclusives and load-acquire/store-release) were not correct. This
      error meant that in turn we ended up with code attempting to handle
      the non-existent case of "non-exclusive load-acquire/store-release
      pair". Delete that broken and now unreachable code.

      Reported-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>

  commit 6109769a8b42bd0c3d5b1601c9b35fe7ea6a603e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 14:12:15 2015 +0000

      target-arm: Don't mask out bits [47:40] in LPAE descriptors for v8

      In an LPAE format descriptor in ARMv8 the address field extends
      up to bit 47, not just bit 39. Correct the masking so we don't
      give incorrect results if the output address size is greater
      than 40 bits, as it can be for AArch64.

      (Note that we don't yet support the new-in-v8 Address Size fault which
      should be generated if any translation table entry or TTBR contains
      an address with non-zero bits above the most significant bit of the
      maximum output address size.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1448029971-9875-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit f72c0a79f76f1b7ed1a1e0ff8be31f5df06b3269
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 14:12:15 2015 +0000

      default-configs/aarch64-linux-user.mak: Remove unused define

      The uses of the CONFIG_GDBSTUB_XML define were removed in commit
      b77abd95a9484c, but the define in aarch64-linux-user.mak somehow
      escaped the cull (the patchset probably crossed in the mail with
      the patches adding aarch64 support). Remove the stray define.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Message-id: 1447690178-4560-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 5b4a047fbe8ceb68ad1a78d51f0fadbe2bb12af7
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Nov 24 14:12:15 2015 +0000

      xlnx-ep108: Fix minimum RAM check

      The minimum RAM check logic for the Xiilnx EP108 was off by one,
      which caused a false positive. Correct the logic to only print
      warnings when the RAM is below 0x8000000.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Message-id: 
fba8112ca7b01efd72553332b8045ecf107b7662.1448021100.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f93c3a8d0c0c1038dbe1e957eb8ab92671137975
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Nov 19 19:15:35 2015 +0000

      target-mips: flush QEMU TLB when disabling 64-bit addressing

      CP0.Status.KX/SX/UX bits are responsible for enabling access to 64-bit
      Kernel/Supervisor/User Segments. If bit is cleared an access to
      corresponding segment should generate Address Error Exception.

      However, the guest may still be able to access some pages belonging to
      the disabled 64-bit segment because we forget to flush QEMU TLB.

      This patch fixes it.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 7871abb94c2f4adc39f2487f6edf5e69ba872a65
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Tue Nov 17 17:13:54 2015 +0000

      target-mips: Fix exceptions while UX=0

      Commit 01f728857941 ("target-mips: Status.UX/SX/KX enable 32-bit address
      wrapping") added a new hflag MIPS_HFLAG_AWRAP, which indicates that
      64-bit addressing is disallowed in the current mode, so hflag users
      don't need to worry about the complexities of working that out, for
      example checking both MIPS_HFLAG_KSU and MIPS_HFLAG_UX.

      However when exceptions are taken outside of exception level,
      mips_cpu_do_interrupt() manipulates the env->hflags directly rather than
      using compute_hflags() to update them, and this code wasn't updated
      accordingly. As a result, when UX is cleared, MIPS_HFLAG_AWRAP is set,
      but it doesn't get cleared on entry back into kernel mode due to an
      exception. Kernel mode then cannot access the 64-bit segments resulting
      in a nested exception loop. The same applies to errors and debug
      exceptions.

      Fix by updating mips_cpu_do_interrupt() to clear the MIPS_HFLAG_WRAP
      flag when necessary, according to compute_hflags().

      Fixes: 01f728857941 ("target-mips: Status.UX/SX/KX enable 32-bit...")
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 229c0372cf3ca201c41d2bb121627e6752e776ad
  Merge: 5522a84 466138d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 24 10:27:19 2015 +0000

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Tue 24 Nov 2015 08:04:07 GMT using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        virtio-blk: Move resetting of req->mr_next to virtio_blk_handle_rw_error
        parallels: dirty BAT properly for continuous allocations

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 466138dc689b6b14f31d5d20316affb4b4efd177
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 23 08:41:20 2015 +0800

      virtio-blk: Move resetting of req->mr_next to virtio_blk_handle_rw_error

      "werror=report" would free the req in virtio_blk_handle_rw_error, we
      mustn't write to it in that case.

      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1448239280-15025-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c9f6856ded10602147ca1d1806e7afb545430fd9
  Author: Vladimir Sementsov-Ogievskiy <vsementsov@xxxxxxxxxxxxx>
  Date:   Tue Nov 17 20:02:58 2015 +0300

      parallels: dirty BAT properly for continuous allocations

      This patch marks part of the BAT dirty properly. There is a possibility 
that
      multy-block allocation could have one block allocated on one BAT page and
      next block on the next page. The code without the patch could not save
      updated position to the file.

      Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1447779778-26062-1-git-send-email-den@xxxxxxxxxx
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5522a841cab5f15ac0f8d207b320c21755a7a1a5
  Merge: 68c6128 a3567ba
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 23 16:07:49 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA fix for -rc2

      # gpg: Signature made Mon 23 Nov 2015 12:45:34 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/numa-pull-request:
        hostmem: Ignore ENOSYS while setting MPOL_DEFAULT

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 68c61282fe8a02aa3bddfa7a9c2b7ad7e6177f69
  Merge: 541abd1 644da9b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 23 13:54:41 2015 +0000

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20151123' into 
staging

      Last minute fix.

      # gpg: Signature made Mon 23 Nov 2015 12:17:26 GMT using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20151123:
        tcg: Fix highwater check

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3567ba1e6171ef7cfad55ae549c0cd8bffb1195
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Tue Oct 27 15:51:31 2015 +0300

      hostmem: Ignore ENOSYS while setting MPOL_DEFAULT

      Currently hostmem backend fails if CONFIG_NUMA is enabled in QEMU
      (the default) but NUMA is not supported by the kernel. This makes
      it impossible to use ivshmem in such configurations.

      This patch fixes the problem by ignoring ENOSYS error if policy is set to
      MPOL_DEFAULT. This way the code behaves in the same way as if CONFIG_NUMA
      was not defined. qemu will still fail if the user specifies some other
      policy, so that the user knows it.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 644da9b39e477caa80bab69d2847dfcb468f0d33
  Author: John Clarke <johnc@xxxxxxxxxxx>
  Date:   Thu Nov 19 10:30:50 2015 +0100

      tcg: Fix highwater check

      A simple typo in the variable to use when comparing vs the highwater mark.
      Reports are that qemu can in fact segfault occasionally due to this 
mistake.

      Signed-off-by: John Clarke <johnc@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 541abd10a01da56c5f16582cd32d67114ec22a5c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 20 17:43:46 2015 +0000

      Update version for v2.5.0-rc1 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f348daf3d5d2e349519764cd0c3ec3aaca113732
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Nov 20 15:29:02 2015 +0100

      tests: fix cdrom_pio_impl in ide-test

      The check for the cleared BSY flag has to be performed
      before each data transfer and not just before the
      first one.

      Commit 5f81724d revealed this glitch as the BSY flag
      was not set in ATAPI PIO transfers before.

      While at it fix the descriptions and add a comment before
      the nested for loop that transfers the data.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1448029742-19771-1-git-send-email-pl@xxxxxxx
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 28c3e6ee72a34d3c2c44ef508b599fa460b273bb
  Merge: 348c327 9f4aa7c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 19 17:54:46 2015 +0000

      Merge remote-tracking branch 
'remotes/afaerber/tags/qom-devices-for-peter' into staging

      QOM infrastructure fixes and device conversions

      * Fix for properties on objects > 4 GiB
      * Performance improvements for QOM property handling
      * Assertion cleanups
      * MAINTAINERS additions

      # gpg: Signature made Thu 19 Nov 2015 14:32:16 GMT using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-devices-for-peter:
        MAINTAINERS: Add check-qom-{interface,proplist} to QOM
        qom: Clean up assertions to display values on failure
        qom: Replace object property list with GHashTable
        qom: Add a test case for complex property finalization
        net: Convert net filter code to use object property iterators
        ppc: Convert spapr code to use object property iterators
        vl: Convert machine help code to use object property iterators
        qmp: Convert QMP code to use object property iterators
        qom: Introduce ObjectPropertyIterator struct for iteration
        qdev: Change Property::offset field to ptrdiff_t type

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 348c32709fdbeb475dd072af49523cfdd75873f1
  Merge: c601a24 1c7ba94
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 19 16:26:08 2015 +0000

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      vhost, pc: fixes for 2.5

      Fixes all over the place.

      This also re-enables a test we disabled in 2.5 cycle
      now that there's a way not to get a warning from it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 19 Nov 2015 13:27:43 GMT using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        exec: silence hugetlbfs warning under qtest
        tests: re-enable vhost-user-test
        acpi: fix buffer overrun on migration
        vhost-user: fix log size
        vhost-user: ignore qemu-only features
        specs/vhost-user: fix spec to match reality
        tests/vhost-user-bridge: implement logging of dirty pages
        i440fx: print an error message if user tries to enable iommu
        q35: Check propery to determine if iommu is set
        vhost-user: start/stop all rings
        vhost-user: print original request on error
        vhost-user-test: support VHOST_USER_SET_VRING_ENABLE
        vhost-user: update spec description
        vhost: don't send RESET_OWNER at stop
        vhost: let SET_VRING_ENABLE message depends on protocol feature

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c601a244a49f4e0be2539cbc5ffd288727cd4e89
  Merge: 80fda8f ce8a1b5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 19 15:56:50 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151119' into staging

      target-arm queue:
       * add missing condexec updates when emulating architectural breakpoints
         and coprocessor access checks in Thumb translation (could in theory
         cause problems when these happened inside a Thumb IT block and an
         exception was taken)
       * arm_gic: correctly restore nested IRQ priority

      # gpg: Signature made Thu 19 Nov 2015 13:29:37 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151119:
        target-arm: Update condexec before arch BP check in AA32 translation
        target-arm: Update condexec before CP access check in AA32 translation
        hw/arm_gic: Correctly restore nested irq priority

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 80fda8f609457736ab43f0cb8027abb0e28a67f8
  Merge: 8f28030 79b3c12
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 19 15:05:06 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151119' into staging

      migration/next for 20151119

      # gpg: Signature made Thu 19 Nov 2015 11:17:07 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151119:
        migration: normalize locking in migration/savevm.c
        migration: implement bdrv_all_find_vmstate_bs helper
        migration: reorder processing in hmp_savevm
        snapshot: create bdrv_all_create_snapshot helper
        migration: drop find_vmstate_bs check in hmp_delvm
        snapshot: create bdrv_all_find_snapshot helper
        migration: factor our snapshottability check in load_vmstate
        snapshot: create bdrv_all_goto_snapshot helper
        snapshot: create bdrv_all_delete_snapshot helper
        snapshot: return error code from bdrv_snapshot_delete_by_id_or_name
        snapshot: create helper to test that block drivers supports snapshots
        Unneeded NULL check
        migration: Dead assignment of current_time
        Set last_sent_block

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9f4aa7cef2214137db192b252f1d4fc1799d05c7
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Wed Nov 18 19:03:29 2015 +0100

      MAINTAINERS: Add check-qom-{interface,proplist} to QOM

      Add the QOM unit tests to the QOM maintenance area so that maintainers
      get CC'ed on changes and to document QOM test coverage.

      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 8438a13543a281e3e61542cc0763bf1b05169016
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Mon Nov 16 17:49:20 2015 +0100

      qom: Clean up assertions to display values on failure

      Instead of using g_assert() for integer comparisons, use
      g_assert_cmpint() so that we can see the respective values.

      While at it, fix one stray indentation.

      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b604a854e843505007c59d68112c654556102a20
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Tue Oct 13 13:37:45 2015 +0100

      qom: Replace object property list with GHashTable

      ARM GICv3 systems with large number of CPUs create lots of IRQ pins. Since
      every pin is represented as a property, number of these properties becomes
      very large. Every property add first makes sure there's no duplicates.
      Traversing the list becomes very slow, therefore QEMU initialization takes
      significant time (several seconds for e. g. 16 CPUs).

      This patch replaces list with GHashTable, making lookup very fast. The 
only
      drawback is that object_child_foreach() and 
object_child_foreach_recursive()
      cannot add or remove properties during traversal, since GHashTableIter 
does
      not have modify-safe version. However, the code seems not to modify 
objects
      via these functions.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      [AF: Fixed object_property_del_{all,child}() issues;
           g_hash_table_contains() -> g_hash_table_lookup(), suggested by 
Daniel]
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 1c7ba94a184df1eddd589d5400d879568d3e5d08
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Nov 18 10:02:58 2015 +0100

      exec: silence hugetlbfs warning under qtest

      vhost-user-test prints a warning. A test should not need to run on
      hugetlbfs, let's silence the warning under qtest. The
      condition can't check on qtest_enabled() since vhost-user-test actually
      doesn't use qtest accel. However, qtest_driver() can be used, if
      qtest_init() is called early enough. For that reason, move chardev and
      qtest initialization early.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 421f4448cec3e42f8477499c5c584699e2cf656b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Oct 26 15:32:00 2015 +0100

      tests: re-enable vhost-user-test

      Commit 7fe34ca9c2e actually disabled vhost-user-test altogether,
      since CONFIG_VHOST_NET is a per-target config variable.

      tests/vhost-user-test is already x86/x64 softmmu specific test, in order
      to enable it correctly, kvm & vhost-net are also conditions. To check
      that, set CONFIG_VHOST_NET_TEST_$target when kvm is also enabled.

      Since "check-qtest-x86_64-y = $(check-qtest-i386-y)", avoid duplication
      when both x86 & x64 are enabled.

      Other targets than x86 aren't enabled yet, and is intentionally left as
      a future improvement, since I can't easily test those.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d9a3b33d2c9f996537b7f1d0246dee2d0120cefb
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Nov 19 15:14:07 2015 +0200

      acpi: fix buffer overrun on migration

      ich calls acpi_gpe_init with length ICH9_PMIO_GPE0_LEN so
      ICH9_PMIO_GPE0_LEN/2 bytes are allocated, but then the full
      ICH9_PMIO_GPE0_LEN bytes are migrated.

      As a quick work-around, allocate twice the memory.
      We'll probably want to tweak code to avoid
      migrating the extra ICH9_PMIO_GPE0_LEN/2 bytes,
      but that is a bit trickier to do without breaking
      migration compatibility.

      Tested-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      Reported-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ce8a1b5449cd8c4c2831abb581d3208c3a3745a0
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Nov 17 16:38:47 2015 +0300

      target-arm: Update condexec before arch BP check in AA32 translation

      Architectural breakpoint check could raise an exceptions, thus condexec
      bits should be updated before calling gen_helper_check_breakpoints().

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1447767527-21268-3-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 43bfa4a100687af8d293fef0a197839b51400fca
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Nov 17 16:38:46 2015 +0300

      target-arm: Update condexec before CP access check in AA32 translation

      Coprocessor access instructions are allowed inside IT block.
      gen_helper_access_check_cp_reg() can raise an exceptions thus condexec
      bits should be updated before.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1447767527-21268-2-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a859595791e6ac5c14afe0b8a53634bf1cc21f0f
  Author: François Baldassari <francois@xxxxxxxxxx>
  Date:   Thu Nov 19 12:09:52 2015 +0000

      hw/arm_gic: Correctly restore nested irq priority


      Upon activating an interrupt, set the corresponding priority bit in the
      APR/NSAPR registers without touching the currently set bits. In the event
      of nested interrupts, the GIC will then have the information it needs to
      restore the priority of the pre-empted interrupt once the higher priority
      interrupt finishes execution.

      Signed-off-by: François Baldassari <francois@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 79b3c12ac5714e036a16d1a163a3517d74504f87
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:11 2015 +0300

      migration: normalize locking in migration/savevm.c

      basically all bdrv_* operations must be called under aio_context_acquire
      except ones with bdrv_all prefix.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7cb14481498e7acd969a76b53be0535cd90f7d53
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:10 2015 +0300

      migration: implement bdrv_all_find_vmstate_bs helper

      The patch also ensures proper locking for the operation.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 0b46160521ab72744da94988583a45d4d45e2986
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:09 2015 +0300

      migration: reorder processing in hmp_savevm

      State deletion can be performed on running VM which reduces VM downtime
      This approach looks a bit more natural.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a9085f9b5583ba7a02b412ba08f929555112c244
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:08 2015 +0300

      snapshot: create bdrv_all_create_snapshot helper

      to create snapshot for all loaded block drivers.

      The patch also ensures proper locking.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c6258b04f19bc690b576b089f621cb5333c533d7
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:07 2015 +0300

      migration: drop find_vmstate_bs check in hmp_delvm

      There is no much sense to do the check and write warning.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 723ccda1a0eecece8e70dbcdd35a603f6c41a475
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:06 2015 +0300

      snapshot: create bdrv_all_find_snapshot helper

      to check that snapshot is available for all loaded block drivers.
      The check bs != bs1 in hmp_info_snapshots is an optimization. The check
      for availability of this snapshot will return always true as the list
      of snapshots was collected from that image.

      The patch also ensures proper locking.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 849f96e2f71b52444516a0880fd9d12691b63d20
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:05 2015 +0300

      migration: factor our snapshottability check in load_vmstate

      We should check that all inserted and not read-only images support
      snapshotting. This could be made using already invented helper
      bdrv_all_can_snapshot().

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4c1cdbaad07d067f3d156687d79014ab44387e2c
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:04 2015 +0300

      snapshot: create bdrv_all_goto_snapshot helper

      to switch to snapshot on all loaded block drivers.

      The patch also ensures proper locking.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 9b00ea376d42e543feb12d7ce5435366d01aab1b
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:03 2015 +0300

      snapshot: create bdrv_all_delete_snapshot helper

      to delete snapshots from all loaded block drivers.

      The patch also ensures proper locking.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 25af925fffc29f2e4c05aee10c61c823c4cdf398
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:02 2015 +0300

      snapshot: return error code from bdrv_snapshot_delete_by_id_or_name

      this will make code better in the next patch

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e9ff957ac26e0e11869a3568cfa7423ae33c51e7
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Thu Nov 19 09:42:01 2015 +0300

      snapshot: create helper to test that block drivers supports snapshots

      The patch enforces proper locking for this operation.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 5df5416e639cd75bd85d243af41387c2418fa580
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 18 11:48:41 2015 +0000

      Unneeded NULL check

      The check is unneccesary, we read the value at the start of the
      thread, use it, and never change it.  The value is checked to be
      non-NULL before thread creation.

      Spotted by coverity, CID 1339211

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 95a7788b2faa81ff95675f1e46a3272a612b35de
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 18 11:48:40 2015 +0000

      migration: Dead assignment of current_time

      I set current_time before the postcopy test but never use it;
      (I think this was from the original version where it was time based).
      Spotted by coverity, CID 1339208

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 84e7b80a05c0c44b90533c6cd2f1db5c932ccf77
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 18 11:48:39 2015 +0000

      Set last_sent_block

      In a82d593b61054b3dea43 I accidentally removed the setting of
      last_sent_block,  put it back.

      Symptoms:
        Multithreaded compression only uses one thread.
        Migration is a bit less efficient since it won't use 'cont' flags.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Fixes: a82d593b61054b3dea43
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8c4d156c187c84b574d287bd4b9ddf9a6975de7c
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Nov 16 15:37:34 2015 +0000

      qom: Add a test case for complex property finalization

      Devices have some quite complex object child/link relationships
      which place some requirements on the object_property_del_all()
      function to consider that properties can be modified while
      being iterated over.

      This extends the QOM property test case to replicate the
      device like structure and expose any potential bugs in the
      object_property_del_all() function.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 456fb0bfe0b27c54d316be7fe3b362247f732656
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:44 2015 +0100

      net: Convert net filter code to use object property iterators

      Stop directly accessing the Object::properties field data
      structure and instead use the formal object property iterator
      APIs. This insulates the code from future data structure
      changes in the Object struct.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 9a842f7d3ce421b39c7edbfe2c47efeac5db6c28
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:43 2015 +0100

      ppc: Convert spapr code to use object property iterators

      Stop directly accessing the Object::properties field data
      structure and instead use the formal object property iterator
      APIs. This insulates the code from future data structure
      changes in the Object struct.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 2465bc564d39d9b62fa21b3e84313be3b32dbc16
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:42 2015 +0100

      vl: Convert machine help code to use object property iterators

      Stop directly accessing the Object::properties field data
      structure and instead use the formal object property iterator
      APIs. This insulates the code from future data structure
      changes in the Object struct.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 1b30c094dcb69273b7661897c067906f81e5b967
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:41 2015 +0100

      qmp: Convert QMP code to use object property iterators

      Stop directly accessing the Object::properties field data
      structure and instead use the formal object property iterator
      APIs. This insulates the code from future data structure
      changes in the Object struct.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit a00c94824126901168bca5b89147f9e334a49e87
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Oct 13 13:37:40 2015 +0100

      qom: Introduce ObjectPropertyIterator struct for iteration

      Some users of QOM need to be able to iterate over properties
      defined against an object instance. Currently they are just
      directly using the QTAIL macros against the object properties
      data structure.

      This is bad because it exposes them to changes in the data
      structure used to store properties, as well as changes in
      functionality such as ability to register properties against
      the class.

      This provides an ObjectPropertyIterator struct which will
      insulate the callers from the particular data structure
      used to store properties. It can be used thus

        ObjectProperty *prop;
        ObjectPropertyIterator *iter;

        iter = object_property_iter_init(obj);
        while ((prop = object_property_iter_next(iter))) {
            ... do something with prop ...
        }
        object_property_iter_free(iter);

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      [AF: Fixed examples, style cleanups]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 3b6ca4022d150ad273d4cd9556c2f4873389f965
  Author: Ildar Isaev <ild@xxxxxxxx>
  Date:   Wed Mar 4 17:09:46 2015 +0300

      qdev: Change Property::offset field to ptrdiff_t type

      Property::offset field is calculated as a diff between two pointers:

        arrayprop->prop.offset = eltptr - (void *)dev;

      If offset is declared as int, this subtraction can cause type overflow,
      thus leading to failure of the subsequent assertion:

        assert(qdev_get_prop_ptr(dev, &arrayprop->prop) == eltptr);

      So ptrdiff_t should be used instead.

      Signed-off-by: Ildar Isaev <ild@xxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 8f280309030331a912fd8924c129d8bd59e1bdc7
  Merge: 7199c89 ca4fa82
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 18 17:07:24 2015 +0000

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Wed 18 Nov 2015 15:28:32 GMT using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        block: Call external_snapshot_clean after blockdev-snapshot
        blockdev: Add missing bdrv_unref() in drive-backup
        iotests: fix race in 030
        nand: fix address overflow

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 48854f57ce3e6aa4bd13368559e5c292e1c44e49
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Nov 18 16:13:54 2015 +0200

      vhost-user: fix log size

      commit 2b8819c6eee517c1582983773f8555bb3f9ed645
      ("vhost-user: modify SET_LOG_BASE to pass mmap size and offset")
      passes log size in units of 4 byte chunks instead of the
      expected size in bytes.

      Fix this up.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 72018d1e1917a56d05e24aedc9f582b7c8385e19
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Nov 17 16:55:17 2015 +0200

      vhost-user: ignore qemu-only features

      Some features (such as ctrl vq) are supported
      by qemu without need to communicate with the
      backend.

      Drop them from the feature mask so we set them
      unconditionally.

      Reported-by: Victor Kaplansky <vkaplans@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7199c89d8c6bbd0eda2cadb0d3fc7149934202bf
  Merge: ab9b872 08cb175
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 18 16:27:15 2015 +0000

      Merge remote-tracking branch 
'remotes/berrange/tags/qcrypto-fixes-20151118-1' into staging

      Pull qcrypto fixes 2015/11/18 v1

      # gpg: Signature made Wed 18 Nov 2015 15:44:07 GMT using RSA key ID 
15104FDF
      # gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>"
      # gpg:                 aka "Daniel P. Berrange <berrange@xxxxxxxxxx>"

      * remotes/berrange/tags/qcrypto-fixes-20151118-1:
        crypto: avoid passing NULL to access() syscall
        crypto: fix leaks in TLS x509 helper functions
        crypto: fix mistaken setting of Error in success code path
        crypto: fix leak of gnutls_dh_params_t data on credential unload

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 08cb175a24d642a40e41db2fef2892b0a1ab504e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 18 15:42:26 2015 +0000

      crypto: avoid passing NULL to access() syscall

      The qcrypto_tls_creds_x509_sanity_check() checks whether
      certs exist by calling access(). It is valid for this
      method to be invoked with certfile==NULL though, since
      for client credentials the cert is optional. This caused
      it to call access(NULL), which happens to be harmless on
      current Linux, but should none the less be avoided.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit ca4fa82fe66076284f702adcfe7c319ebbf909ec
  Merge: 0702d3d 4ad6f3d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Nov 18 16:27:44 2015 +0100

      Merge remote-tracking branch 
'mreitz/tags/pull-block-for-kevin-2015-11-18' into queue-block

      One block patch for qemu 2.5-rc1.

      # gpg: Signature made Wed Nov 18 16:26:59 2015 CET using RSA key ID 
E838ACAD
      # gpg: Good signature from "Max Reitz <mreitz@xxxxxxxxxx>"

      * mreitz/tags/pull-block-for-kevin-2015-11-18:
        block: Call external_snapshot_clean after blockdev-snapshot

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4ad6f3db7db154d5274274bd0079d6318367ab16
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Nov 13 15:00:24 2015 +0200

      block: Call external_snapshot_clean after blockdev-snapshot

      Otherwise the AioContext will never be released.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1447419624-21918-1-git-send-email-berto@xxxxxxxxxx
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 0702d3d88c2059814212b83f01e14ff3bb7b0c66
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Nov 9 23:39:10 2015 +0100

      blockdev: Add missing bdrv_unref() in drive-backup

      All error paths after a successful bdrv_open() of target_bs should
      contain a bdrv_unref(target_bs). This one did not yet, so add it.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7b35030eedc26eff82210caa2b0fff2f9d0df453
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 18 14:44:31 2015 +0000

      crypto: fix leaks in TLS x509 helper functions

      The test_tls_get_ipaddr() method forgot to free the returned data
      from getaddrinfo().

      The test_tls_write_cert_chain() method forgot to free the allocated
      buffer holding the certificate data after writing it out to a file.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 6ef8cd7a4142049707b70b8278aaa9d8ee2bc5f5
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 18 14:42:40 2015 +0000

      crypto: fix mistaken setting of Error in success code path

      The qcrypto_tls_session_check_certificate() method was setting
      an Error even when the ACL check suceeded. This didn't affect
      the callers detection of errors because they relied on the
      function return status, but this did cause a memory leak since
      the caller would not free an Error they did not expect to be
      set.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 61b9251a3aaa65e65c4aab3a6800e884bb3b82f9
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Nov 18 14:41:35 2015 +0000

      crypto: fix leak of gnutls_dh_params_t data on credential unload

      The QCryptoTLSCredsX509 object was not free'ing the allocated
      gnutls_dh_params_t data when unloading the credentials

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 01809194a06d8e6c51c3e69600f14355225f4855
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Nov 11 15:27:36 2015 -0500

      iotests: fix race in 030

      the stop_test case tests that we can resume a block-stream
      command after it has stopped/paused due to error. We cannot
      always reliably query it before it finishes after resume, though,
      so make this a conditional.

      The important thing is that we are still testing that it has stopped,
      and that it finishes successfully after we send a resume command.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a184e74f24f83935c8fc7cd76c06ad0717f89fdb
  Author: Rabin Vincent <rabin.vincent@xxxxxxxx>
  Date:   Tue Nov 10 14:25:47 2015 +0100

      nand: fix address overflow

      The shifts of the address mask and value shift beyond 32 bits when there
      are 5 address cycles.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Rabin Vincent <rabin.vincent@xxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ab9b872ab3147faf3c04e91d525815b9139dd996
  Merge: 6b79f25 ab59e3e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 18 12:47:29 2015 +0000

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-11-13-v2-tag' into staging

      qemu-ga patch queue for 2.5

      * fixes for guest-exec gspawn() usage:
        - inherit default lookup path by default instead of
          explicitly defining it as being empty.
        - don't inherit default PATH when PATH/ENV are explicit

      v2:

      * added fix for w32 'make install' target
      * added version check for new g_spawn() flag

      # gpg: Signature made Tue 17 Nov 2015 22:33:03 GMT using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-11-13-v2-tag:
        makefile: fix w32 install target for qemu-ga
        qga: allow to lookup in PATH from the passed envp for guest-exec
        qga: fix for default env processing for guest-exec

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6b79f253a37708f21e8d1cd2831b8d8c03f58989
  Merge: 55db5ee d66a8fa
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 18 12:16:14 2015 +0000

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Tue 17 Nov 2015 20:06:58 GMT using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        ide: enable buffered requests for PIO read requests
        ide: enable buffered requests for ATAPI devices
        ide: orphan all buffered requests on DMA cancel
        ide: add support for IDEBufferedRequest
        block: add blk_abort_aio_request
        ide/atapi: make PIO read requests async

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ab59e3ecb2c12fafa89f7bedca7d329a078f3870
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Sun Nov 15 09:46:06 2015 -0600

      makefile: fix w32 install target for qemu-ga

      fafcaf1 added a 'qemu-ga' install target on w32, which can be used
      in place of the existing qemu-ga.exe target to also handle dealing
      with other components such as DLLs for VSS/fsfreeze and generating
      an MSI package if appropriate configure options are present.

      As part of that, qemu-ga$(EXESUF) was removed from $TOOLS in favor
      of this new qemu-ga target.

      The install rule however relies on a direct mapping of the $TOOLS
      entry to the actual resulting binary. In the case of w32, qemu-ga
      is not identical to qemu-ga$(EXESUF), and the install recipe fails
      to find the 'qemu-ga' binary.

      Fix this by essentially remapping 'qemu-ga' back to 'qemu-ga.exe'
      in the install recipe.

      This raises the question of whether or not qemu-ga should continue
      to live in TOOLS as opposed to its own special target, but as a
      late fix for a regression in 2.5 this commit should be safer, since
      we rely on qemu-ga's presence in $TOOLS in several places throughout
      Makefile.

      Reported-by: Stefan Weil <sw@xxxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 0be40839519215988e207b86bc1638de53567588
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Thu Nov 12 16:36:21 2015 +0300

      qga: allow to lookup in PATH from the passed envp for guest-exec

      This was original behaviour before GLIB gspawn() rework and we rely on
      this behaviour.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * add version check (2.33.2) for G_SPAWN_SEARCH_PATH_FROM_ENVP
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 02a4d82e8c19267ad06b08389b5e914ba668450e
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Thu Nov 12 16:36:20 2015 +0300

      qga: fix for default env processing for guest-exec

      envp == NULL must be passed inside gspawn() if it was not passed with
      the command line. Original code inherits environment from the QGA,
      which is wrong.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 55db5eeeb7aa3328515817dc4e45728580e517a0
  Merge: c27e901 33b5e8c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 17 22:00:45 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 fixes, 2015-11-17

      Two X86 fixes, hopefully in time for -rc1.

      # gpg: Signature made Tue 17 Nov 2015 19:06:53 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Disable rdtscp on Opteron_G* CPU models
        target-i386: Fix mulx for identical target regs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d66a8fa83b00b3b3d631a0e28cdce8c9b5698822
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:39 2015 -0500

      ide: enable buffered requests for PIO read requests

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-7-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 02506b20b6609ed4ecb09de9900ba9f1dd20b205
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:33 2015 -0500

      ide: enable buffered requests for ATAPI devices

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-6-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 7cda62087c0baf064486f3d803184c2c3b35c04a
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:29 2015 -0500

      ide: orphan all buffered requests on DMA cancel

      If the guests canceles a DMA request we can prematurely
      invoke all callbacks of buffered requests and flag all them
      as orphaned. Ideally this avoids the need for draining all
      requests. For CDROM devices this works in 100% of all cases.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-5-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 1d8c11d631545ee43aff16b0763aff7181b61f20
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:25 2015 -0500

      ide: add support for IDEBufferedRequest

      this patch adds a new aio readv compatible function which copies
      all data through a bounce buffer. These buffered requests can be
      flagged as orphaned which means that their original callback has
      already been invoked and the request has just not been completed
      by the backend storage. The bounce buffer guarantees that guest
      memory corruption is avoided when such a orphaned request is
      completed by the backend at a later stage.

      This trick only works for read requests as a write request completed
      at a later stage might corrupt data as there is no way to control
      if and what data has already been written to the storage.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-4-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit ca78ecfa72f311cd647b12a41d93e1ce54f18e66
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 15:06:21 2015 -0500

      block: add blk_abort_aio_request

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447345846-15624-3-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 5f81724d80a1492c73d329242663962139db739b
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Nov 17 14:59:52 2015 -0500

      ide/atapi: make PIO read requests async

      PIO read requests on the ATAPI interface used to be sync blk requests.
      This has two significant drawbacks. First the main loop hangs util an
      I/O request is completed and secondly if the I/O request does not
      complete (e.g. due to an unresponsive storage) Qemu hangs completely.

      Note: Due to possible race conditions requests during an ongoing
      elementary transfer are still sync.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447345846-15624-2-git-send-email-pl@xxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 33b5e8c03ae7a62d320d3c5c1104fe297d5c300d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Nov 13 17:07:13 2015 -0200

      target-i386: Disable rdtscp on Opteron_G* CPU models

      KVM can't virtualize rdtscp on AMD CPUs yet, so there's no point
      in enabling it by default on AMD CPU models, as all we are
      getting are confused users because of the "host doesn't support
      requested feature" warnings.

      Disable rdtscp on Opteron_G* models, but keep compatibility on
      pc-*-2.4 and older (just in case there are people are doing funny
      stuff using AMD CPU models on Intel hosts).

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 9ecac5dad16722ce2a8c3e88d8eeba5794990031
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Nov 17 12:41:47 2015 +0100

      target-i386: Fix mulx for identical target regs

      The Intel specification clearly indicates that the low part
      of the result is written first and the high part of the result
      is written second; thus if ModRM:reg and VEX.vvvv are identical,
      the final result should be the high part of the result.

      At present, TCG may either produce incorrect results or crash
      with --enable-checking.

      Reported-by: Toni Nedialkov <farmdve@xxxxxxxxx>
      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 7ebcfe569211f6ff5402b558b85e2ce1e1066cf6
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Nov 17 13:55:48 2015 +0200

      specs/vhost-user: fix spec to match reality

      We wanted to start/stop rings on VRING_ENABLE, but that is not what QEMU
      does. Rather than tweaking code some more, with risk to stability, let's
      just document it as it is.

      We'll be  able to fix this in the future with a new protocol feature bit.

      Reported-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5c93c47338dbaa8a21a8ccc9d95dc5ade3f7fa19
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Tue Nov 17 12:04:06 2015 +0200

      tests/vhost-user-bridge: implement logging of dirty pages

      During migration devices continue writing to the guest's memory.
      The writes has to be reported to QEMU. This change implements
      minimal support in vhost-user-bridge required for successful
      migration of a guest with virtio-net device.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8d211f622b11ac2877c344f29de284d5a842d9d7
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Fri Nov 13 01:55:48 2015 -0500

      i440fx: print an error message if user tries to enable iommu

      There's no indication of any sort that i440fx doesn't support
      "iommu=on"

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>

  commit 1f8431f42d833e8914f2d16ce4a49b7b72b90db0
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Fri Nov 13 01:55:47 2015 -0500

      q35: Check propery to determine if iommu is set

      The helper function machine_iommu() isn't necesary. We can
      directly check for the property.

      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>

  commit c27e9014d56fa4880e7d741275d887c3a5949997
  Merge: 9be060f 382e173
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 17 12:34:07 2015 +0000

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20151116-1' 
into staging

      vnc: buffer code improvements, bugfixes.

      # gpg: Signature made Mon 16 Nov 2015 17:20:02 GMT using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vnc-20151116-1:
        vnc: fix mismerge
        buffer: allow a buffer to shrink gracefully
        buffer: factor out buffer_adj_size
        buffer: factor out buffer_req_size
        vnc: recycle empty vs->output buffer
        vnc: fix local state init
        vnc: only alloc server surface with clients connected
        vnc: use vnc_{width,height} in vnc_set_area_dirty
        vnc: factor out vnc_update_server_surface
        vnc: add vnc_width+vnc_height helpers
        vnc: zap dead code
        vnc-jobs: move buffer reset, use new buffer move
        vnc: kill jobs queue buffer
        vnc: attach names to buffers
        buffer: add tracing
        buffer: add buffer_shrink
        buffer: add buffer_move
        buffer: add buffer_move_empty
        buffer: add buffer_init
        buffer: make the Buffer capacity increase in powers of two

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9be060f5278dc0d732ebfcf2bf0a293f88b833eb
  Merge: 361cb26 10f5a72
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 17 11:33:38 2015 +0000

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Tue 17 Nov 2015 11:13:05 GMT using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        virtio-blk: Fix double completion for werror=stop
        block: make 'stats-interval' an array of ints instead of a string
        aio-epoll: Fix use-after-free of node
        disas/arm: avoid clang shifting negative signed warning
        tpm: avoid clang shifting negative signed warning
        tests: Ignore recent test binaries
        docs: update bitmaps.md

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 10f5a72f70862d299ddbdf226d6dc71fa4ae34dd
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue Nov 17 18:20:11 2015 +0800

      virtio-blk: Fix double completion for werror=stop

      When a request R is absorbed by request M, it is appended to the
      "mr_next" queue led by M, and is completed together with the completion
      of M, in virtio_blk_rw_complete.

      During DMA restart in virtio_blk_dma_restart_bh, requests in s->rq are
      parsed and submitted again, possibly with a stale req->mr_next. It could
      be a problem if the request merging in virtio_blk_handle_request hasn't
      refreshed every mr_next pointer, in which case, virtio_blk_rw_complete
      could walk through unexpected requests following the stale pointers.

      Fix this by unsetting the pointer in virtio_blk_rw_complete. It is safe
      because this req is either completed and freed right away, or it will be
      restarted and parsed from scratch out of the vq later.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 40119effc5c36dbd0ca19ca85a5897d5b3d37d6d
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 16 11:28:38 2015 +0200

      block: make 'stats-interval' an array of ints instead of a string

      This is the natural JSON representation and prevents us from having to
      decode the list manually.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
0e3da8fa206f4ab534ae3ce6086e75fe84f1557e.1447665472.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0ed39f3df2d3cf7f0fc3468b057f952a3b251ad9
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 16 14:32:14 2015 +0800

      aio-epoll: Fix use-after-free of node

      aio_epoll_update needs the fields in node, so delay the free.

      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447655534-13974-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 02460c3b4287776062715b95c59cd8829015615d
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Nov 10 15:57:35 2015 +0000

      disas/arm: avoid clang shifting negative signed warning

      clang 3.7.0 on x86_64 warns about the following:

        disas/arm.c:1782:17: warning: shifting a negative signed value is 
undefined [-Wshift-negative-value]
          imm |= (-1 << 7);
                  ~~ ^

      Note that this patch preserves the tab indent in this source file
      because the surrounding code still uses tabs.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 886ce6f8b6ede74eb04314ef62d15bcdf5df7ef1
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Nov 10 15:57:34 2015 +0000

      tpm: avoid clang shifting negative signed warning

      clang 3.7.0 on x86_64 warns about the following:

        hw/tpm/tpm_tis.c:1000:36: warning: shifting a negative signed value is 
undefined [-Wshift-negative-value]
                  tis->loc[c].iface_id = TPM_TIS_IFACE_ID_SUPPORTED_FLAGS1_3;
                                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        hw/tpm/tpm_tis.c:144:10: note: expanded from macro 
'TPM_TIS_IFACE_ID_SUPPORTED_FLAGS1_3'
           (~0 << 4)/* all of it is don't care */)
            ~~ ^

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a12e52a151ab48fbfe462110a36d2399713271e6
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 12 20:47:03 2015 -0700

      tests: Ignore recent test binaries

      Commits 6c6f312d and bd797fc1 added new tests (test-blockjob-txn
      and test-timed-average, respectively), but did not mark them for
      exclusion in .gitignore.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447386423-13160-1-git-send-email-eblake@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c4c2daa1ae9ed03c6dd78477a9b132edbce9e08c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Nov 10 18:00:17 2015 -0500

      docs: update bitmaps.md

      Include new error handling scenarios for 2.5.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1447196417-26081-1-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 361cb26827ffd5f24af05b0e473ecd82d6a33bde
  Merge: c257779 513e7cd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 17 10:20:25 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-11-17' 
into staging

      QAPI patches

      # gpg: Signature made Tue 17 Nov 2015 08:28:24 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-11-17:
        input: Document why x-input-send-event is still experimental
        qapi: Document introspection stability considerations

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 513e7cdbaeec56c77e4cf26f151d7ee79f3a6be9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 12 11:50:43 2015 -0700

      input: Document why x-input-send-event is still experimental

      The x-input-send-event command was introduced in 2.2 with mention
      that it is experimental, but now that several releases have elapsed
      without any changes, it would be nice to document why that was done
      and should still remain experimental in 2.5.

      Meanwhile, our documentation states that we prefer 'lower-case',
      rather than 'CamelCase', for qapi enum values.  The InputButton and
      InputAxis enums violate this convention.  However, because they are
      currently used primarily for generating code that is used internally;
      and their only exposure through QMP is via the experimental
      'x-input-send-event' command, we are free to change their spelling.
      Of course, it would be nicer to delay such a change until the same
      time we promote the command to non-experimental.  Adding
      documentation will help us remember to do that rename.

      We have plans to tighten the qapi generator to flag instances of
      inconsistent use of naming conventions; if that lands first, it
      will just need to whitelist these exceptions until the time we
      settle on the final interface.

      Fix a typo in the docs for InputAxis while at it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1447354243-31825-1-git-send-email-eblake@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 39a65e2c243978a480e03cab865462d98873fc3c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Nov 11 10:50:02 2015 -0700

      qapi: Document introspection stability considerations

      We are not ready (and might never be ready) to declare
      introspection stable between releases. Clients written to
      control multiple versions of qemu, and desiring to know
      whether a particular member is supported for a given
      command, must be prepared to locate that member in spite
      of qapi changes that may affect the member's location or
      type within the overall object, even though such changes
      did not break QMP wire back-compatibility.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1447264202-19554-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit dc3db6adde329548771ab2addc2ef8376b2b8b32
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Nov 16 18:40:18 2015 +0200

      vhost-user: start/stop all rings

      We are currently only sending VRING_ENABLE message for the first ring,
      that's wrong: we must start/stop them all.

      Reported-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5421f318ecc82294ad089fd54924df787b67c971
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Nov 16 13:55:53 2015 +0200

      vhost-user: print original request on error

      When we get an unexpected response, print out
      the original request.
      Helps debug protocol errors tremendously.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 87656d50181e1be475303c1b88be6df0963c5bfd
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Nov 16 13:33:36 2015 +0200

      vhost-user-test: support VHOST_USER_SET_VRING_ENABLE

      vhost-user-test is broken now: it assumes
      QEMU sends RESET_OWNER, and we stopped doing that.
      Wait for ENABLE_RING with 0 instead.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c257779e2a586043a1480bb7e96fb6bcd0129634
  Merge: bc7c6c1 ba060c5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 16 12:09:47 2015 +0000

      Merge remote-tracking branch 'remotes/otubo/tags/pull-seccomp-20151116' 
into staging

      seccomp branch queue

      # gpg: Signature made Mon 16 Nov 2015 08:50:28 GMT using RSA key ID 
12F8BD2F
      # gpg: Good signature from "Eduardo Otubo (Software Engineer @ 
ProfitBricks) <eduardo.otubo@xxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 1C96 46B6 E1D1 C38A F2EC  3FDE FD0C FF5B 12F8 
BD2F

      * remotes/otubo/tags/pull-seccomp-20151116:
        seccomp: loosen library version dependency
        configure: arm/aarch64: allow enable-seccomp
        seccomp: add cacheflush to whitelist

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a586e65bbd017ab55fe4149dd1bcba5c3a72bcd1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Sun Nov 15 21:25:11 2015 +0200

      vhost-user: update spec description

      Clarify logging setup to make sure all clients comply in a way that is
      future-proof.  Document how rings are started/stopped.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Victor Kaplansky <victork@xxxxxxxxxx>

  commit bc7c6c1fec2e9aa1ff6f2e018ed641db1429315c
  Merge: 8337c6c 917158d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 16 10:14:33 2015 +0000

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri 13 Nov 2015 20:16:21 GMT using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        qtest/ahci: use raw format when qemu-img is absent
        libqos: add qemu-img presence check
        qtest/ahci: always specify image format
        ahci/qtest: don't use tcp sockets for migration tests
        atapi: Prioritize unknown cmd error over BCL error
        atapi: add byte_count_limit helper

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 12b8cbac3c8243b3dd485aaebb82547aefa06adb
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Fri Nov 13 15:24:10 2015 +0800

      vhost: don't send RESET_OWNER at stop

      First of all, RESET_OWNER message is sent incorrectly, as it's sent
      before GET_VRING_BASE. And the reset message would let the later call
      get nothing correct.

      And, sending SET_VRING_ENABLE at stop, which has already been done,
      makes more sense than RESET_OWNER.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 923e2d98ede7404882656aeb4364c3964a95db3d
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Fri Nov 13 15:24:09 2015 +0800

      vhost: let SET_VRING_ENABLE message depends on protocol feature

      But not depend on PROTOCOL_F_MQ feature bit. So that we could use
      SET_VRING_ENABLE to sign the backend on stop, even if MQ is disabled.

      That's reasonable, since we will have one queue pair at least.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ba060c53d585d186ff0ac6b181f4b2a867acc210
  Author: dann frazier <dann.frazier@xxxxxxxxxxxxx>
  Date:   Fri Oct 23 15:34:22 2015 -0600

      seccomp: loosen library version dependency

      Drop the libseccomp required version back to 2.1.0, restoring the ability
      to build w/ --enable-seccomp on Ubuntu 14.04.

      Commit 4cc47f8b3cc4f32586ba2f7fce1dc267da774a69 tightened the dependency
      on libseccomp from version 2.1.0 to 2.1.1. This broke building on Ubuntu
      14.04, the current Ubuntu LTS release. The commit message didn't mention
      any specific functional need for 2.1.1, just that it was the most recent
      stable version at the time. I reviewed the changes between 2.1.0 and 
2.1.1,
      but it looks like that update just contained minor fixes and cleanups - no
      obvious (to me) new interfaces or critical bug fixes.

      Signed-off-by: dann frazier <dann.frazier@xxxxxxxxxxxxx>
      Acked-by: Eduardo Otubo <eduardo.otubo@xxxxxxxxxxxxxxxx>

  commit 693e59105d2ce4d6f4c96a2373fec06a24d0e6be
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Wed Sep 30 11:59:18 2015 -0400

      configure: arm/aarch64: allow enable-seccomp

      This is a revert of ae6e8ef11e6cb, but with a bit of refactoring,
      and also specifically adding arm/aarch64, rather than all
      architectures. Currently, libseccomp code appears to also support
      mips, ppc, and s390. We could therefore allow qemu to enable
      seccomp for those platforms as well, with additional configure
      patches, given they're tested and proven to work.

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Acked-by: Eduardo Otubo <eduardo.otubo@xxxxxxxxxxxxxxxx>

  commit 47d2067af3424c1a9b1b215dfc6b0c55ac4b3ee7
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Mon Nov 2 23:53:26 2015 +0100

      seccomp: add cacheflush to whitelist

      cacheflush is an arm-specific syscall that qemu built for arm
      uses. Add it to the whitelist, but only if we're linking with
      a recent enough libseccomp.

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>

  commit 917158dc3b22924922dc1f3b9d4049a4fc83d926
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:43 2015 -0500

      qtest/ahci: use raw format when qemu-img is absent

      If we don't have the qemu-img tool, use the raw format
      for tests and skip the high-sector LBA48 tests.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447439479-16775-4-git-send-email-jsnow@xxxxxxxxxx

  commit cb11e7b2f3878575f23d49454c02d8dce35c8d35
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      libqos: add qemu-img presence check

      To allow tests to optionally exercise additional tests
      that require the qemu-img tool that may not be present
      in all builds.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447439479-16775-3-git-send-email-jsnow@xxxxxxxxxx

  commit b236b61056ff0a6b69aa2a92cf5bb10a81450753
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      qtest/ahci: always specify image format

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447439479-16775-2-git-send-email-jsnow@xxxxxxxxxx

  commit 6d9e7295c5ff6fdd2d7989639b836c6fdc01ac61
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      ahci/qtest: don't use tcp sockets for migration tests

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447108074-20609-1-git-send-email-jsnow@xxxxxxxxxx

  commit f36aa12d2f2d5b5a877e38641183259e119e1568
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      atapi: Prioritize unknown cmd error over BCL error

      If we don't know about the command at all, we need to prioritize
      that failure above the zero byte-count-limit failure.

      This fixes a failure in the sparc64 NetBSD 7.0 installer bootup.

      Reported-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Message-id: 1447095959-10046-3-git-send-email-jsnow@xxxxxxxxxx

  commit af0e00db0e389dfa33d597f917a21454643bd314
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 13 14:31:42 2015 -0500

      atapi: add byte_count_limit helper

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Message-id: 1447095959-10046-2-git-send-email-jsnow@xxxxxxxxxx

  commit cdadde39a80779b52f72aedf80839cabac975e57
  Author: Roger Pau Monne <roger.pau@xxxxxxxxxx>
  Date:   Fri Nov 13 17:38:06 2015 +0000

      xen: fix usage of xc_domain_create in domain builder

      Due to the addition of HVMlite and the requirement to always provide a
      valid xc_domain_configuration_t, xc_domain_create now always takes an arch
      domain config, which can be NULL in order to mimic previous behaviour.

      Add a small stub called xen_domain_create that encapsulates the correct
      call to xc_domain_create depending on the libxc version detected.

      Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 8337c6cbc37c6b2184f41bab3eaff47d5e68012a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 13 17:10:36 2015 +0000

      Update version for v2.5.0-rc0 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 74fcbd22d20a2fbc1a47a7b00cce5bf98fd7be5f
  Author: Guenter Roeck <linux@xxxxxxxxxxxx>
  Date:   Thu Nov 12 09:54:55 2015 -0800

      hw/misc: Add support for ADC controller in Xilinx Zynq 7000

      Add support for the Xilinx XADC core used in Zynq 7000.

      References:
      - Zynq-7000 All Programmable SoC Technical Reference Manual
      - 7 Series FPGAs and Zynq-7000 All Programmable SoC XADC
        Dual 12-Bit 1 MSPS Analog-to-Digital Converter

      Tested with Linux using QEMU machine xilinx-zynq-a9 with devicetree
      files zynq-zc702.dtb and zynq-zc706.dtb, and kernel configuration
      multi_v7_defconfig.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
      [ PC changes:
        * Changed macro names to match TRM where possible
        * Made programmers model macro scheme consistent
        * Dropped XADC_ZYNQ_ prefix on local macros
        * Fix ALM field width
        * Update threshold-comparison interrupts in _update_ints()
        * factored out DFIFO pushes into helper. Renamed to "push/pop"
        * Changed xadc_reg to 10 bits and added OOB check.
        * Reduced scope of MCTL reset to just stop channel coms.
        * Added dummy read data to write commands
        * Changed _ to - seperators in string names and filenames
        * Dropped ------------ in header comment
        * Catchall'ed _update_ints() in _write handler.
        * Minor whitespace changes.
        * Use ZYNQ_XADC_FIFO_DEPTH instead of ARRAY_SIZE()
      ]
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Tested-by: Guenter Roeck <linux@xxxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f3bcfc5663646f74e62fe9d3d8774b8f0adda7bf
  Merge: b2df6a7 389775d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 18:08:19 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151112' into staging

      migration/next for 20151112

      # gpg: Signature made Thu 12 Nov 2015 16:56:44 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151112:
        migration_init: Fix lock initialisation/make it explicit
        migrate-start-postcopy: Improve text
        Postcopy: Fix TP!=HP zero case
        Finish non-postcopiable iterative devices before package
        migration: Make 32bit linux compile with RDMA
        migration: print ram_addr_t as RAM_ADDR_FMT not %zx

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b2df6a79df6343d0ed4ea05d83b3ff1d849e8d25
  Merge: cfcc7c1 aece5ed
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 17:22:06 2015 +0000

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches (rebased Stefan's pull request)

      # gpg: Signature made Thu 12 Nov 2015 15:34:16 GMT using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (43 commits)
        block: Update copyright of the accounting code
        scsi-disk: Account for failed operations
        macio: Account for failed operations
        ide: Account for failed and invalid operations
        atapi: Account for failed and invalid operations
        xen_disk: Account for failed and invalid operations
        virtio-blk: Account for failed and invalid operations
        nvme: Account for failed and invalid operations
        iotests: Add test for the block device statistics
        block: Use QEMU_CLOCK_VIRTUAL for the accounting code in qtest mode
        qemu-io: Account for failed, invalid and flush operations
        block: New option to define the intervals for collecting I/O statistics
        block: Add average I/O queue depth to BlockDeviceTimedStats
        block: Compute minimum, maximum and average I/O latencies
        block: Allow configuring whether to account failed and invalid ops
        block: Add statistics for failed and invalid I/O operations
        block: Add idle_time_ns to BlockDeviceStats
        util: Infrastructure for computing recent averages
        block: define 'clock_type' for the accounting code
        ide: Account for write operations correctly
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 389775d1f67b2c8f44f9473b1e5363735972e389
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 12 15:38:27 2015 +0000

      migration_init: Fix lock initialisation/make it explicit

      Peter reported a lock error on MacOS after my a82d593b
      patch.

      migrate_get_current does one-time initialisation of
      a bunch of variables.
      migrate_init does reinitialisation even on a 2nd
      migrate after a cancel.

      The problem here was that I'd initialised the mutex
      in migrate_get_current, and the memset in migrate_init
      corrupted it.

      Remove the memset and replace it by explicit initialisation
      of fields that need initialising; this also turns out to be simpler
      than the old code that had to preserve some fields.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Fixes: a82d593b
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a54d340b9d0902fa73ff9e5541974b9b51fb1d45
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 12 11:34:44 2015 +0000

      migrate-start-postcopy: Improve text

      Improve the text in both the qapi-schema and hmp help to point out
      you need to set the postcopy-ram capability prior to issuing
      migrate-start-postcopy.

      Also fix the text of the migrate_start_postcopy error that
      deals with capabilities.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Acked-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit cfcc7c144879ebe61ac2472216314fc1331b4450
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 12 11:29:49 2015 -0500

      configure: check for $cxx before use

      I broke this when adding checks for clang++.

      Reported-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1447345789-840-1-git-send-email-jsnow@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3b6ff6d0a7a964c5c7cd5f9a0d5e42752b6347a
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 11 14:02:28 2015 +0000

      Postcopy: Fix TP!=HP zero case

      Where the target page size is different from the host page
      we special case it, but I messed up on the zero case check.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1c0d249ddf3c75c3992847d0af67f79a1cfd23d2
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Nov 11 14:02:27 2015 +0000

      Finish non-postcopiable iterative devices before package

      Where we have iterable, but non-postcopiable devices (e.g. htab
      or block migration), complete them before forming the 'package'
      but with the CPUs stopped.  This stops them filling up the package.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 80e60c6e1c417aa50a4fed1cb1a2f73885be3bef
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Nov 10 17:43:04 2015 +0100

      migration: Make 32bit linux compile with RDMA

      Rest of the file already use that trick. 64bit offsets make no sense in
      32bit archs, but that is ram_addr_t for you.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 9458ad6b445ff1e886f74ed75cf5050721f93b3e
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Nov 10 17:42:05 2015 +0100

      migration: print ram_addr_t as RAM_ADDR_FMT not %zx

      Not all the wold is 64bits (yet).

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit ed6c64489ef11d9ac5fb4b4c89d455a4f1ae8083
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Thu Nov 12 15:10:43 2015 +0000

      target-arm: Update PC before calling gen_helper_check_breakpoints()

      PC should be updated in the CPU state before calling check_breakpoints()
      helper. Otherwise, the helper would not see the correct PC in the CPU
      state if it is not at the start of a TB.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1447176222-16401-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8f0da01d189077647adf79618acc3832f77b7918
  Merge: 17e50a7 4652f16
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 15:15:30 2015 +0000

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, vhost: fixes for 2.5

      This fixes a performance regression with virtio 1,
      and makes device stop/start more robust for vhost-user.
      virtio devices on pcie bus now have pcie and pm
      capability, as required by the PCI Express spec.
      migration now works better with virtio 9p.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 12 Nov 2015 14:40:42 GMT using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        virtio-9p: add savem handlers
        hw/virtio: Add PCIe capability to virtio devices
        vhost: send SET_VRING_ENABLE at start/stop
        vhost: rename RESET_DEVICE backto RESET_OWNER
        vhost-user: modify SET_LOG_BASE to pass mmap size and offset
        virtio-pci: unbreak queue_enable read
        virtio-pci: introduce pio notification capability for modern device
        virtio-pci: use zero length mmio eventfd for 1.0 notification cap when 
possible
        KVM: add support for any length io eventfd
        memory: don't try to adjust endianness for zero length eventfd
        virtio-pci: fix 1.0 virtqueue migration

      Conflicts:
        include/hw/compat.h
      [Fixed a trivial merge conflict in compat.h]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit aece5edc96f211eec6febdafc9bbbb99315a2efd
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:18 2015 +0200

      block: Update copyright of the accounting code

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
80a2278e3ec2dafd5daab20a7cb2d6a9b83371e4.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d7628080f3bd074f80666561beadfdd5e2f5b0df
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:17 2015 +0200

      scsi-disk: Account for failed operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
0ead7b0e59c22926e033ca12725e3a31985ec46b.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b88b3c8b836ca55d8a4f738deed3b63c0ca84060
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:16 2015 +0200

      macio: Account for failed operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
ee6f4fde6a7c1071ca96d4ddd53e4934ff812fcd.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ecca3b397d06a957b18913ff9afc63860001cfdf
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:15 2015 +0200

      ide: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
bf4d6c9c563877e699b0bf42e7eaf8b096c4a35e.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ece2d05ed4adb9a9aa3ca9da0496be769dfb3a25
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:14 2015 +0200

      atapi: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
59dee4e2921b0c79d41c49b67dfb93d32db9f7f9.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 57ee366ce9cf8d9f7a52b7b654b9db78fe887349
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:13 2015 +0200

      xen_disk: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
e0cbb96cb0e1f86c37c7ce332efdf02b57b9d365.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 01762e03222154fef6d98087ce391aed8a157be5
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:12 2015 +0200

      virtio-blk: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
4f623ce52c9d673d35a043fc2959526b41b685c6.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1753f3dc177a82f8b3c5ea8d2a32737db9411dd4
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:11 2015 +0200

      nvme: Account for failed and invalid operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
678dc67da229759d404b44f7cc2bf5ed8bf8ad14.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4214face09bed08279c68a67fa1a4b01be887346
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:10 2015 +0200

      iotests: Add test for the block device statistics

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
0fb8501bbf3666b3d5d3f67fa899729c88f21baf.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 918a17a464bac332b14a19d87106acc81e476f05
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:09 2015 +0200

      block: Use QEMU_CLOCK_VIRTUAL for the accounting code in qtest mode

      This patch switches to QEMU_CLOCK_VIRTUAL for the accounting code in
      qtest mode, and makes the latency of the operation constant. This way we
      can perform tests on the accounting code with reproducible results.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
35ed0501450fa572684e9b5e92c361ab6cce565b.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 556c2b60714e7dae3ed0eb3488910435263dc09f
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:08 2015 +0200

      qemu-io: Account for failed, invalid and flush operations

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
78a7662a8636e55991737ece50003a2dc5a5f3e0.1446044838.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2be5506fc85d5fef1abdb2128d446cb0b14b12bc
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:07 2015 +0200

      block: New option to define the intervals for collecting I/O statistics

      The BlockAcctStats structure contains a list of BlockAcctTimedStats.
      Each one of these collects statistics about the minimum, maximum and
      average latencies of all I/O operations in a certain interval of time.

      This patch adds a new "stats-intervals" option that allows defining
      these intervals.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
41cbcd334a61c6157f0f495cdfd21eff6c156f2a.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 96e4dedaff9922f87e4ec351d51d3f093198382a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:06 2015 +0200

      block: Add average I/O queue depth to BlockDeviceTimedStats

      This patch adds two new fields to BlockDeviceTimedStats that track the
      average number of pending read and write requests for a block device.

      The values are calculated for the period of time defined for that
      interval.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
fd31fef53e2714f2f30d59ed58ca2f67ec9ab926.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 979e9b03fc8c85d3b78a14410c64cbb16d348095
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:05 2015 +0200

      block: Compute minimum, maximum and average I/O latencies

      This patch keeps track of the minimum, maximum and average latencies
      of I/O operations during a certain interval of time.

      The values are exposed in the BlockDeviceTimedStats structure.

      An option to define the intervals to collect these statistics will be
      added in a separate patch.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
c7382dc89622c64f918d09f32815827772628f8e.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 362e9299b34b3101aaa20f20363441c9f055fa5e
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:04 2015 +0200

      block: Allow configuring whether to account failed and invalid ops

      This patch adds two options, "stats-account-invalid" and
      "stats-account-failed", that can be used to decide whether invalid and
      failed I/O operations must be used when collecting statistics for
      latency and last access time.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
ebc7e5966511a342cad428a392c5f5ad56b15213.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7ee12dafe96a86dfa96af38cea1289305e429a55
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:03 2015 +0200

      block: Add statistics for failed and invalid I/O operations

      This patch adds the block_acct_failed() and block_acct_invalid()
      functions to allow keeping track of failed and invalid I/O operations.

      The number of failed and invalid operations is exposed in
      BlockDeviceStats.

      We don't keep track of the time spent on invalid operations because
      they are cancelled immediately when they are started.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
a7256ccb883a86356b1c6c46b5a29ed5448546a5.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit cb38fffbc968e797ae32039b1e2c47b940b30cb4
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:02 2015 +0200

      block: Add idle_time_ns to BlockDeviceStats

      This patch adds the new field 'idle_time_ns' to the BlockDeviceStats
      structure, indicating the time that has passed since the previous I/O
      operation.

      It also adds the block_acct_idle_time_ns() call, to ensure that all
      references to the clock type used for accounting are in the same
      place. This will later allow us to use a different clock for iotests.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
7d8cfcf931453e1a2443e6626e8c1edc347c7c8a.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bd797fc15b4290e02c219b7cd6289a33cd6cd18b
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:01 2015 +0200

      util: Infrastructure for computing recent averages

      This module computes the average of a set of values within a time
      window, keeping also track of the minimum and maximum values.

      In order to produce more accurate results it works internally by
      creating two time windows of the same period, offsetted by half of
      that period. Values are accounted on both windows and the data is
      always returned from the oldest one.

      [Add missing util/replay.o to test-timed-average dependencies to fix the
      build.
      --Stefan]

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
201b09c21bbc9c329779d2b2365ee2b9c80dceeb.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5519593c07c71c55b196546a00c08106bd9a100b
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:33:00 2015 +0200

      block: define 'clock_type' for the accounting code

      Its value is still QEMU_CLOCK_REALTIME, but having it in a variable will
      allow us to change its value easily in the future when running in qtest
      mode.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
547485eb841cf9e3b2770c96539ae9ae5996e214.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c618f331d314c34ff2390d2dbd3f926e513c7059
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:32:59 2015 +0200

      ide: Account for write operations correctly

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
2e71323c0875c2b66a8ae22229545e0c013af8d4.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 693044ebd20ce8730aae679ff58d52aa8ec60b0a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 17:32:58 2015 +0200

      xen_disk: Account for flush operations

      Currently both BLKIF_OP_WRITE and BLKIF_OP_FLUSH_DISKCACHE are being
      accounted as write operations.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
7a2a14e3ac62027aa6267a6c02abc70717be9c0a.1446044837.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 6c6f312dd752c74c124ecfc4c34e8aaf7254c3b8
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:20 2015 -0500

      tests: add BlockJobTxn unit test

      The BlockJobTxn unit test verifies that both single jobs and pairs of
      jobs behave as a transaction group.  Either all jobs complete
      successfully or the group is cancelled.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-15-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit fc6c796ff2b049303473702d1ade9196d1843f5d
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:19 2015 -0500

      iotests: 124 - transactional failure test

      Use a transaction to request an incremental backup across two drives.
      Coerce one of the jobs to fail, and then re-run the transaction.

      Verify that no bitmap data was lost due to the partial transaction
      failure.

      To support the 'err-cancel' QMP argument name it's necessary for
      transaction_action() to convert underscores in Python argument names
      to hyphens for QMP argument names.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446765200-3054-14-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 94d16a640a1058653327392e08c6d39eeba1e499
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:18 2015 -0500

      block: add transactional properties

      Add both transactional properties to the QMP transactional interface,
      and add the BlockJobTxn that we create as a result of the err-cancel
      property to the BlkActionState structure.

      [split up from a patch originally by Stefan and Fam. --js]
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-13-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 78f51fde88d1925b5ae51ba789339baa9ff72ad1
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:17 2015 -0500

      block: Add BlockJobTxn support to backup_run

      Allow a BlockJobTxn to be passed into backup_run, which
      will allow the job to join a transactional group if present.

      Propagate this new parameter outward into new QMP helper
      functions in blockdev.c to allow transaction commands to
      pass forward their BlockJobTxn object in a forthcoming patch.

      [split up from a patch originally by Stefan and Fam. --js]
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-12-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c347b2c62a53b73cf6cc31225feb125d2f20f186
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:16 2015 -0500

      block/backup: Rely on commit/abort for cleanup

      Switch over to the new .commit/.abort handlers for
      cleaning up incremental bitmaps.

      [split up from a patch originally by Stefan and Fam. --js]
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-11-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c55a832fdddec2c350b585ade0476501f616608d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:15 2015 -0500

      block: Add block job transactions

      Sometimes block jobs must execute as a transaction group.  Finishing
      jobs wait until all other jobs are ready to complete successfully.
      Failure or cancellation of one job cancels the other jobs in the group.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-10-git-send-email-jsnow@xxxxxxxxxx
      [Rewrite the implementation which is now contained in block_job_completed.
      --Fam]
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 94db6d2d30962cc0422a69c88c3b3e9981b33e50
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:14 2015 -0500

      blockjob: Simplify block_job_finish_sync

      With job->completed and job->ret to replace BlockFinishData.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-9-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a689dbf2df74a55d43e3fc4d6aec30ed67ca998f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:13 2015 -0500

      blockjob: Add "completed" and "ret" in BlockJob

      They are set when block_job_completed is called.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-8-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 57901ecb8e02f03464d5f37bb6edf82e5076812d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:12 2015 -0500

      blockjob: Add .commit and .abort block job actions

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-7-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 18930ba3d17866fff6df52ae6d2e54ce5c5ca04b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:11 2015 -0500

      blockjob: Introduce reference count and fix reference to job->bs

      Add reference count to block job, meanwhile move the ownership of the
      reference to job->bs from the caller (which is released in two
      completion callbacks) to the block job itself. It is necessary for
      block_job_complete_sync to work, because block job shouldn't live longer
      than its bs, as asserted in bdrv_delete.

      Now block_job_complete_sync can be simplified.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-6-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b976ea3cf591ac994cc17dcf0fc550c9aa9c0f5d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:10 2015 -0500

      backup: Extract dirty bitmap handling as a separate function

      This will be reused by the coming new transactional completion code.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-5-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 50f43f0ff9a640b901b2657492d642e14a57bd4d
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:09 2015 -0500

      block: rename BlkTransactionState and BdrvActionOps

      These structures are misnomers, somewhat.

      (1) BlockTransactionState is not state for a transaction,
          but is rather state for a single transaction action.
          Rename it "BlkActionState" to be more accurate.

      (2) The BdrvActionOps describes operations for the BlkActionState,
          above. This name might imply a 'BdrvAction' or a 'BdrvActionState',
          which there isn't.
          Rename this to 'BlkActionOps' to match 'BlkActionState'.

      Lastly, update the surrounding in-line documentation and comments
      to reflect the current nature of how Transactions operate.

      This patch changes only comments and names, and should not affect
      behavior in any way.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1446765200-3054-4-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 749ad5e887e85fd51d83bf4d08ed72858f937fd9
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:13:08 2015 -0500

      iotests: add transactional incremental backup test

      Test simple usage cases for using transactions to create
      and synchronize incremental backups.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446765200-3054-3-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit df9a681dc9ad41c9cdeb9ecc5d060ba9abd27e01
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:54 2015 +0800

      qed: Implement .bdrv_drain

      The "need_check_timer" is used to clear the "NEED_CHECK" flag in the
      image header after a grace period once metadata update has finished. In
      compliance to the bdrv_drain semantics we should make sure it remains
      deleted once .bdrv_drain is called.

      We cannot reuse qed_need_check_timer_cb because here it doesn't satisfy
      the assertion.  Do the "plug" and "flush" calls manually.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-10-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 67da1dc5ce696c7b309b1db100da7d94292847b7
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:53 2015 +0800

      block: Introduce BlockDriver.bdrv_drain callback

      Drivers can have internal request sources that generate IO, like the
      need_check_timer in QED. Since we want quiesced periods that contain
      nested event loops in block layer, we need to have a way to disable such
      event sources.

      Block drivers must implement the "bdrv_drain" callback if it has any
      internal sources that can generate I/O activity, like a timer or a
      worker thread (even in a library) that can schedule QEMUBH in an
      asynchronous callback.

      Update the comments of bdrv_drain and bdrv_drained_begin accordingly.

      Like bdrv_requests_pending(), we should consider all the children of bs.
      Before, the while loop just works, as bdrv_requests_pending() already
      tracks its children; now we mustn't miss the callback, so recurse down
      explicitly.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1447064214-29930-9-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 83c98d7b924eab36a0a2c7813731dbef439a91d3
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:52 2015 +0800

      block: Drop BlockDriver.bdrv_ioctl

      Now the callback is not used any more, drop the field along with all
      implementations in block drivers, which are iscsi and raw.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-8-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5c5ae76acb024f05b8f021e9f1e10a0299328bdd
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:51 2015 +0800

      block: Emulate bdrv_ioctl with bdrv_aio_ioctl and track both

      Currently all drivers that support .bdrv_aio_ioctl also implement
      .bdrv_ioctl redundantly.  To track ioctl requests in block layer it is
      easier if we unify the two paths, because we'll need to run it in a
      coroutine, as required by tracked_request_begin. While we're at it, use
      .bdrv_aio_ioctl plus aio_poll() to emulate bdrv_ioctl().

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1447064214-29930-7-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8b45f6878d291646cadc4786ae807e6a42c188b4
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:50 2015 +0800

      block: Add ioctl parameter fields to BlockRequest

      The two fields that will be used by ioctl handling code later are added
      as union, because it's used exclusively by ioctl code which dosn't need
      the four fields in the other struct of the union.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-6-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4bb17ab51a78c6daaaa9d6c86d1c890d24c091c4
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:49 2015 +0800

      iscsi: Emulate commands in iscsi_aio_ioctl as iscsi_ioctl

      iscsi_ioctl emulates SG_GET_VERSION_NUM and SG_GET_SCSI_ID. Now that
      bdrv_ioctl() will be emulated with .bdrv_aio_ioctl, replicate the logic
      into iscsi_aio_ioctl to make them consistent.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-5-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b1066c875597649be1d1d6db4712bc504b4c4c81
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:48 2015 +0800

      block: Track discard requests

      Both bdrv_discard and bdrv_aio_discard will call into bdrv_co_discard,
      so add tracked_request_begin/end calls around the loop.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit cdb5e3155eb323380c59f19fe88e28fedd85d3d8
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:47 2015 +0800

      block: Track flush requests

      Both bdrv_flush and bdrv_aio_flush eventually call bdrv_co_flush, add
      tracked_request_begin and tracked_request_end pair in that function so
      that all flush requests are now tracked.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ebde595ce63369921dbbe1bd16fec0b230050d67
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Nov 9 18:16:46 2015 +0800

      block: Add more types for tracked request

      We'll track more request types besides read and write, change the
      boolean field to an enum.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1447064214-29930-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4652f1640e029e1f2433fa77ba6af285c7cd923a
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 22 19:38:42 2015 +0200

      virtio-9p: add savem handlers

      We don't support migration of mounted 9p shares. This is handled by a
      migration blocker.

      One would expect, however, to be able to migrate if the share is 
unmounted.
      Unfortunately virtio-9p-device does not register savevm handlers at all !
      Migration succeeds and leaves the guest with a dangling device...

      This patch simply registers migration handlers for virtio-9p-device. 
Whether
      migration is possible or not still depends on the migration blocker.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1811e64c35fe1d9bce77952937a16c001dc08465
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Nov 10 13:41:29 2015 +0200

      hw/virtio: Add PCIe capability to virtio devices

      The virtio devices are converted to PCI-Express
      if they are plugged into a PCI-Express bus and
      the 'modern' protocol is enabled.

      Devices plugged directly into the Root Complex as
      Integrated Endpoints remain PCI.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 17e50a72a3aade0eddfebc012a5d7bdd40a03573
  Merge: df1ac44 39bec4f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 14:15:32 2015 +0000

      Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' 
into staging

      # gpg: Signature made Thu 12 Nov 2015 08:01:55 GMT using RSA key ID 
398D6211
      # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) 
<jasowang@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 
6211

      * remotes/jasowang/tags/net-pull-request:
        net: netmap: use error_setg() helpers in place of error_report()
        net: netmap: Fix compilation issue
        e1000: Introducing backward compatibility command line parameter
        e1000: Implementing various counters
        e1000: Fixing the packet address filtering procedure
        e1000: Fixing the received/transmitted octets' counters
        e1000: Fixing the received/transmitted packets' counters
        e1000: Trivial implementation of various MAC registers
        e1000: Introduced an array to control the access to the MAC registers
        e1000: Add support for migrating the entire MAC registers' array
        e1000: Cosmetic and alignment fixes
        slirp: Fix type casts and format strings in debug code

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3a12f32229a046f4d4ab0a3a52fb01d2d5a1ab76
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 21:24:41 2015 +0800

      vhost: send SET_VRING_ENABLE at start/stop

      Send SET_VRING_ENABLE at start/stop, to give the backend
      an explicit sign of our state.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 60915dc4691768c4dc62458bb3e16c843fab091d
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 21:24:37 2015 +0800

      vhost: rename RESET_DEVICE backto RESET_OWNER

      This patch basically reverts commit d1f8b30e.

      It turned out that it breaks stuff, so revert it:
          http://lists.nongnu.org/archive/html/qemu-devel/2015-10/msg00949.html

      CC: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2b8819c6eee517c1582983773f8555bb3f9ed645
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Wed Nov 11 16:26:02 2015 +0200

      vhost-user: modify SET_LOG_BASE to pass mmap size and offset

      Unlike the kernel, vhost-user application accesses log table by
      mmaping it to its user space. This change adds two new fields to
      VhostUserMsg payload: mmap_size, and mmap_offset and make QEMU to
      pass the to vhost-user application in VHOST_USER_SET_LOG_BASE
      request.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 393f04d3ab40d03aa2fde0017ff7f02fc34cbd4e
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:49 2015 +0800

      virtio-pci: unbreak queue_enable read

      Guest always get zero when reading queue_enable. This violates
      spec. Fixing this by setting the queue_enable to true during any guest
      writing and setting it to zero during reset.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9824d2a39d9893ef9bbe71f94efb57da265b73f6
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:48 2015 +0800

      virtio-pci: introduce pio notification capability for modern device

      We used to use mmio for notification. This could be slow on some arch
      (e.g on x86 without EPT). So this patch introduces pio bar and a pio
      notification cap for modern device. This ability is enabled through
      property "modern-pio-notify" for virtio pci devices and was disabled
      by default. Management can enable when it thinks it was needed.

      Benchmarks shows almost no obvious difference compared to legacy
      device on machines without ept. Thanks Wenli Quan <wquan@xxxxxxxxxx>
      for the benchmarking.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit bc85ccfdf5cc045588f665c84b5707d7364c8a6c
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:47 2015 +0800

      virtio-pci: use zero length mmio eventfd for 1.0 notification cap when 
possible

      We use data match eventfd for 1.0 notification currently. This could
      be slow since software decoding is needed for mmio exit. To speed this
      up, we can switch to use zero length mmio eventfd for 1.0 notification
      since we can examine the queue index directly from the writing
      address. KVM kernel module can utilize this by registering it to fast
      mmio bus which could be as fast as pio on ept capable machine when
      fast mmio is supported by host kernel.

      Lots of improvements were seen on a ept capable machine:

      Guest RX:(TCP)
      size/session/+throughput%/+cpu%/-+per cpu%/
      64/1/+1.6807%/[-16.2421%]/[+21.3984%]/
      64/2/+0.6091%/[-11.0187%]/[+13.0678%]/
      64/4/+0.0553%/[-5.9768%]/[+6.4155%]/
      64/8/+0.1206%/[-4.0057%]/[+4.2984%]/
      256/1/-0.0031%/[-10.1166%]/[+11.2517%]/
      256/2/-0.5058%/[-6.1656%]/+6.0317%]/
      ...

      Guest TX:(TCP)
      size/session/+throughput%/+cpu%/-+per cpu%/
      64/1/[+18.9183%]/-0.2823%/[+19.2550%]/
      64/2/[+13.5714%]/[+2.2675%]/[+11.0533%]/
      64/4/[+13.1070%]/[+2.1817%]/[+10.6920%]/
      64/8/[+13.0426%]/[+2.0887%]/[+10.7299%]/
      256/1/[+36.2761%]/+6.3434%/[+28.1471%]/
      ...
      1024/1/[+44.8873%]/+2.0811%/[+41.9335%]/
      ...
      1024/4/+0.0228%/[-2.2044%]/[+2.2774%]/
      ...
      16384/2/+0.0127%/[-5.0346%]/[+5.3148%]/
      ...
      65535/1/[+0.0062%]/[-4.1183%]/[+4.3017%]/
      65535/2/+0.0004%/[-4.2311%]/[+4.4185%]/
      65535/4/+0.0107%/[-4.6106%]/[+4.8446%]/
      65535/8/-0.0090%/[-5.5178%]/[+5.8306%]/

      Latency:(TCP_RR)
      size/session/+transaction rate%/+cpu%/-+per cpu%/
      64/1/[+6.5248%]/[-9.2882%]/[+17.4322%]/
      64/25/[+11.0854%]/[+0.8000%]/[+10.2038%]/
      64/50/[+12.1076%]/[+2.4627%]/[+9.4131%]/
      256/1/[+5.3677%]/[+10.5669%]/-4.7024%/
      256/25/[+5.6402%]/-0.8962%/[+6.5955%]/
      256/50/[+5.9685%]/[+1.7766%]/[+4.1188%]/
      4096/1/+0.2508%/[-10.4941%]/[+12.0047%]/
      4096/25/[+1.8533%]/-0.0273%/+1.8812%/
      4096/50/[+1.2156%]/-1.4134%/+2.6667%/

      Notes: data with '[]' is the one whose significance is greater than 95%.

      Thanks Wenli Quan <wquan@xxxxxxxxxx> for the benchmarking.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 351082238d5d45d6836ec94eabe3fe7d72b36f46
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:46 2015 +0800

      KVM: add support for any length io eventfd

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b8aecea23aaccf39da54c77ef248f5fa50dcfbc1
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:45 2015 +0800

      memory: don't try to adjust endianness for zero length eventfd

      There's no need to adjust endianness for zero length eventfd since the
      data wrote was actually ignored by kernel. So skip the adjust in this
      case to fix a possible crash when trying to use wildcard mmio eventfd
      in ppc.

      Cc: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a6df8adf3edbb3062f087e425564df35077e8410
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Nov 6 16:02:44 2015 +0800

      virtio-pci: fix 1.0 virtqueue migration

      We don't migrate the followings fields for virtio-pci:

      uint32_t dfselect;
      uint32_t gfselect;
      uint32_t guest_features[2];
      struct {
          uint16_t num;
          bool enabled;
          uint32_t desc[2];
          uint32_t avail[2];
          uint32_t used[2];
      } vqs[VIRTIO_QUEUE_MAX];

      This will confuse driver if migrating during initialization. Solves
      this issue by:

      - introduce transport specific callbacks to load and store extra
        virtqueue states.
      - add a new subsection for virtio to migrate transport specific modern
        device state.
      - implement pci specific callbacks.
      - add a new property for virtio-pci for whether or not to migrate
        extra state.
      - compat the migration for 2.4 and elder machine types

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit df1ac44e9f0c1b1d775c65b6e86fbcac0be77930
  Merge: fd717e7 0a9516c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 13:41:44 2015 +0000

      Merge remote-tracking branch 'remotes/dgibson/tags/ppc-next-20151112' 
into staging

      ppc patch queue -2015-11-12

      Highlights:
         - A number of fixes for MacOS 9 compatibility based on the old MOL
           (Mac-On-Linux) code and a GSoC project.
         - Cleaner and more general way of handling register access from the
           monitor

      # gpg: Signature made Thu 12 Nov 2015 04:33:26 GMT using RSA key ID 
20D9B392
      # gpg: Good signature from "David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@xxxxxxxxxx>"
      # gpg:                 aka "David Gibson (ozlabs.org) 
<dgibson@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 
B392

      * remotes/dgibson/tags/ppc-next-20151112:
        monitor/target-ppc: Define target_get_monitor_def
        cuda.c: add delay to setting of SR_INT bit
        cuda.c: fix T2 timer and enable its interrupt
        cuda.c: rename get_counter() state variable from s to ti for consistency
        cuda.c: refactor get_tb() so that the time can be passed in
        cuda.c: add defines for CUDA registers
        cuda.c: fix CUDA SR interrupt clearing
        cuda.c: implement dummy IIC access commands
        cuda.c: implement simple CUDA_GET_6805_ADDR command
        cuda.c: fix CUDA_PACKET response packet format
        cuda.c: fix CUDA ADB error packet format
        PPC: mac99: Always add USB controller
        PPC: Fix lswx bounds checks
        PPC: Allow Rc bit to be set on mtspr

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fd717e789010012c5f0537269df19ef19d469baf
  Merge: 2048a2a 52074d0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 13:11:06 2015 +0000

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-11-11-tag' into staging

      qemu-ga patch queue

      * fix for unintended overwriting of data on w32 using
        guest-file-open with append mode

      # gpg: Signature made Wed 11 Nov 2015 22:14:52 GMT using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-11-11-tag:
        qga: fix append file open modes for win32

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2048a2a49188af7a9df065f7553021f89d8e9ec5
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Nov 12 12:10:18 2015 +0100

      tests: classify some ivshmem tests as slow

      Some tests may take long to run, move them under g_test_slow()
      condition.

      The 5s timeout for the "server" test will have to be adjusted to the worst
      known time (for the records, it takes ~0.2s on my host). The "pair"
      test takes ~1.7, a quickest version could be implemented.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Message-id: 1447326618-11686-1-git-send-email-marcandre.lureau@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c459343b8552e65398a05581f7ff31a068b5b551
  Merge: 7497b8d 455b0fd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 12 10:09:14 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-11-11' 
into staging

      error: More error_setg() usage

      # gpg: Signature made Wed 11 Nov 2015 17:57:15 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-11-11:
        error: More error_setg() usage

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 39bec4f38b028a2cff8c38f3455aef44d7b3b6c4
  Author: Vincenzo Maffione <v.maffione@xxxxxxxxx>
  Date:   Tue Nov 10 10:47:22 2015 +0100

      net: netmap: use error_setg() helpers in place of error_report()

      This update was required to align error reporting of netmap backend
      initialization to the modifications introduced by commit a30ecde.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Vincenzo Maffione <v.maffione@xxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 54c59b4de584b3467166febb4ff84627a2f29a0e
  Author: Vincenzo Maffione <v.maffione@xxxxxxxxx>
  Date:   Tue Nov 10 10:47:21 2015 +0100

      net: netmap: Fix compilation issue

      Reorganization of struct NetClientOptions (commit e4ba22b) caused a
      compilation failure of the netmap backend. This patch fixes the issue
      by properly accessing the union field.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Vincenzo Maffione <v.maffione@xxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit ba63ec8594a5dd412182aced07b4bf042403766a
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:47 2015 +0200

      e1000: Introducing backward compatibility command line parameter

      This follows the previous patches, where support for migrating the
      entire MAC registers' array, and some new MAC registers were introduced.

      This patch introduces the e1000-specific boolean parameter
      "extra_mac_registers", which is on by default. Setting it to off will
      enable migration to older versions of QEMU, but will disable the read
      and write access to the new registers, that were introduced since adding
      the ability to migrate the entire MAC array.

      Example for usage to enable backward compatibility and to disable the
      new MAC registers:

          qemu-system-x86_64 -device e1000,extra_mac_registers=off,... ...

      As mentioned above, the default value is "on".

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 3b27430177498a1728b6765c70b455900f93d73a
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:46 2015 +0200

      e1000: Implementing various counters

      This implements the following Statistic registers (various counters)
      according to Intel's specs:

      TSCTC  GOTCL  GOTCH  GORCL  GORCH  MPRC   BPRC   RUC    ROC
      BPTC   MPTC   PTC... PRC...

      PLEASE NOTE: these registers will not be active, nor will migrate, until
      a compatibility flag will be set (in the next patch in this series).

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 4aeea330f022f45d0dabff6090ecbb98755c2116
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:45 2015 +0200

      e1000: Fixing the packet address filtering procedure

      Previously, if promiscuous unicast was enabled, a packet was received
      straight away, even if it was a multicast or a broadcast packet. This
      patch fixes that behavior, while making the filtering procedure a bit
      more human-readable.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 45e93764711484440e56f580f233009bb3da18bc
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:44 2015 +0200

      e1000: Fixing the received/transmitted octets' counters

      Previously, these 64-bit registers did not stick at their maximal
      values when (and if) they reached them, as they should do, according to
      the specs.

      This patch introduces a function that takes care of such registers,
      avoiding code duplication, making the relevant parts more compatible
      with the QEMU coding style, while ensuring that in the unlikely case
      of reaching the maximal value, the counter will stick there, as it
      supposed to.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 1f67f92c4fdf59a98c2fdf67d3e78deba489a370
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:43 2015 +0200

      e1000: Fixing the received/transmitted packets' counters

      According to Intel's specs, these counters (as the other Statistic
      registers) stick at 0xffffffff when this maximal value is reached.
      Previously, they would reset after the max. value.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 72ea771c9711cba63686d5d3284bc6645d13f7d2
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:42 2015 +0200

      e1000: Trivial implementation of various MAC registers

      These registers appear in Intel's specs, but were not implemented.
      These registers are now implemented trivially, i.e. they are initiated
      with zero values, and if they are RW, they can be written or read by the
      driver, or read only if they are R (essentially retaining their zero
      values). For these registers no other procedures are performed.

      For the trivially implemented Diagnostic registers, a debug warning is
      produced on read/write attempts.

      PLEASE NOTE: these registers will not be active, nor will migrate, until
      a compatibility flag will be set (in a later patch in this series).

      The registers implemented here are:

      Transmit:
      RW: AIT

      Management:
      RW: WUC     WUS     IPAV    IP6AT*  IP4AT*  FFLT*   WUPM*   FFMT*   FFVT*

      Diagnostic:
      RW: RDFH    RDFT    RDFHS   RDFTS   RDFPC   PBM*    TDFH    TDFT    TDFHS
          TDFTS   TDFPC

      Statistic:
      RW: FCRUC
      R:  RNBC    TSCTFC  MGTPRC  MGTPDC  MGTPTC  RFC     RJC     SCC     ECOL
          LATECOL MCC     COLC    DC      TNCRS   SEC     CEXTERR RLEC    XONRXC
          XONTXC  XOFFRXC XOFFTXC

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit bc0f0674f037a01f2ce0870ad6270a356a7a8347
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:41 2015 +0200

      e1000: Introduced an array to control the access to the MAC registers

      The array of uint8_t's which is introduced here, contains access metadata
      about the MAC registers: if a register is accessible, but partly 
implemented,
      or if a register requires a certain compatibility flag in order to be
      accessed. Currently, 6 hypothetical flags are supported (3 exist for e1000
      so far) but in the future, if more than 6 flags will be needed, the 
datatype
      of this array can simply be swapped for a larger one.

      This patch is intended to solve the following current problems:

      1) In a scenario of migration between different versions of QEMU, which
      differ by the MAC registers implemented in them, some registers need not 
to
      be active if a compatibility flag is set, in order to preserve the 
machine's
      state perfectly for the older version. Checking this for each register
      individually, would create a lot of clutter in the code.

      2) Some registers are (or may be) only partly implemented (e.g.
      placeholders that allow reading and writing, but lack other functions).
      In such cases it is better to print a debug warning on read/write 
attempts.
      As above, dealing with this functionality on a per-register level, would
      require longer and more messy code.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 9e11773417d98fd2ec961568ec2875063b95569b
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:40 2015 +0200

      e1000: Add support for migrating the entire MAC registers' array

      This patch makes the migration of the entire array of MAC registers
      possible during live migration. The entire array is just 128 KB long, so
      practically no penalty should be felt when transmitting it, additionally
      to the previously transmitted individual registers. The advantage here is
      eliminating the need to introduce new vmstate subsections in the future,
      when additional MAC registers will be implemented.

      Backward compatibility is preserved by introducing a e1000-specific
      boolean parameter (in a later patch), which will be on by default.
      Setting it to off would enable migration to older versions of QEMU.

      Additionally, this parameter will be used to control the access to the
      extra MAC registers in the future.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 20f3e86362758b5085aa17baa7bc109c858acf67
  Author: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 11 15:52:39 2015 +0200

      e1000: Cosmetic and alignment fixes

      This fixes some alignment and cosmetic issues. The changes are made
      in order that the following patches in this series will look like
      integral parts of the code surrounding them, while conforming to the
      coding style. Although some changes in unrelated areas are also made.

      Signed-off-by: Leonid Bloch <leonid.bloch@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Dmitry Fleytman <dmitry.fleytman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit ecc804cac31cec6cb90feaa459503afda8b38d09
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Aug 29 09:12:35 2015 +0200

      slirp: Fix type casts and format strings in debug code

      Casting pointers to long won't work on 64 bit Windows.
      It is not needed with the right format strings.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 0a9516c2d6711cb6760a726952bdbbe931fd045c
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu Nov 12 14:44:23 2015 +1100

      monitor/target-ppc: Define target_get_monitor_def

      At the moment get_monitor_def() returns only registers from statically
      defined monitor_defs array. However there is a lot of BOOK3S SPRs
      which are not in the list and cannot be printed from the monitor.

      This adds a new target platform hook - target_get_monitor_def().
      The hook is called if a register was not found in the static
      array returned by the target_monitor_defs() hook.

      The hook is only defined for POWERPC, it returns registered
      SPRs and fails on unregistered ones providing the user with information
      on what is actually supported on the running CPU. The register value is
      saved as uint64_t as it is the biggest supported register size;
      target_ulong cannot be used because of the stub - it is in a "common"
      code and cannot include "cpu.h", etc; this is also why the hook prototype
      is redefined in the stub instead of being included from some header.

      This replaces static descriptors for GPRs, FPRs, SRs with a helper which
      looks for a value in a corresponding array in the CPUPPCState.
      The immediate effect is that all 32 SRs can be printed now (instead of 
16);
      later this can be reused for VSX or TM registers.

      This replaces callbacks for MSR and XER with static descriptors in
      monitor_defs as they are stored in CPUPPCState.

      While we are here, this adds "cr" as a synonym of "ccr".

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit cffc331a3156870d54883bc79e4278472ffd8f1d
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:51 2015 +0000

      cuda.c: add delay to setting of SR_INT bit

      MacOS 9 is racy when it comes to accessing the shift register. Fix this by
      introducing a small delay between data accesses and raising the SR_INT
      interrupt bit.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a53cfdcca2834ec7e61fd955c4f24ac233c4ec16
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:50 2015 +0000

      cuda.c: fix T2 timer and enable its interrupt

      Fix the counter loading logic and enable the T2 interrupt when the timer
      expires. Otherwise MacOS 9 hangs on boot.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 0174adb611a22bcfeeb123851cf4874e6d922d06
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:49 2015 +0000

      cuda.c: rename get_counter() state variable from s to ti for consistency

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit eda14abbb804f8ed2cb903c99ad1852848fa2e42
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:48 2015 +0000

      cuda.c: refactor get_tb() so that the time can be passed in

      This is in preparation for sharing the code between timers.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit b5ac04103bc3b24042418df1a561096187165fd7
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:47 2015 +0000

      cuda.c: add defines for CUDA registers

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit d271ae36dc1e292ae140f5bbf23e0fc1392dd325
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:46 2015 +0000

      cuda.c: fix CUDA SR interrupt clearing

      Make sure that we also clear the data and clock interrupts at the same 
time.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ce8d3b647b5acc2bec19602d9fac87d3da11ae77
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:45 2015 +0000

      cuda.c: implement dummy IIC access commands

      These are used by MacOS 9 on boot. Here we return an error except for 
4-byte
      commands which write to the IIC bus in a similar manner to MOL.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit f1f46f74a9de7298977a3ed668e71843fa904c38
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:44 2015 +0000

      cuda.c: implement simple CUDA_GET_6805_ADDR command

      This simply returns an empty response with no error status as implemented 
by
      MOL to allow MacOS 9 boot to proceed further.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 4202e63c0432c72ba518dd882e99a794620d1665
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:43 2015 +0000

      cuda.c: fix CUDA_PACKET response packet format

      According to comments in MOL, the response to a CUDA_PACKET should be one 
of
      the following:

      Reply: (CUDA_PACKET, status, cmd)
      Error: (ERROR_PACKET, status, CUDA_PACKET, cmd)

      Update cuda_receive_packet() accordingly to reflect this in order to make
      MacOS 9 happy.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 6729aa40135bc96d69b5bf5e65a7d463ef7793e7
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Nov 11 22:49:42 2015 +0000

      cuda.c: fix CUDA ADB error packet format

      According to MOL, ADB error packets should be of the form (type, status, 
cmd)
      rather than just (type, status). This fixes ADB device detection under 
MacOS 9.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 72f1f97d4927f798167855fda7881b0e22756b20
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Nov 11 22:49:41 2015 +0000

      PPC: mac99: Always add USB controller

      The mac99 machines always have a USB controller. Usually not having one 
around
      doesn't hurt quite as much, but Mac OS 9 really really wants one or it 
crashes
      on bootup.

      So always add OHCI to make it happy.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 488661ee9dd300110a6612d52fe68e2bb3539a5f
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Nov 11 22:49:40 2015 +0000

      PPC: Fix lswx bounds checks

      The lswx instruction checks whether the desired string actually fits
      into all defined registers. Unfortunately it does the calculation wrong,
      resulting in illegal instruction traps for loads that really should fit.

      Fix it up, making Mac OS happier.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 4248b336d3c1b74e343842c5b478b165d75f5ce8
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Nov 11 22:49:39 2015 +0000

      PPC: Allow Rc bit to be set on mtspr

      According to the ISA setting the Rc bit on mtspr is undefined behavior.
      Real 750 hardware simply ignores the bit and doesn't touch cr0 though.

      Unfortunately, Mac OS 9 relies on this fact and executes a few mtspr
      instructions (to set XER for example) with Rc set.

      So let's handle the bit the same way hardware does and ignore it.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 7497b8dddcaee5b5f1851434607d0de044012ebe
  Merge: 31e49ac c833d1e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 11 23:20:07 2015 +0000

      Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into 
staging

      # gpg: Signature made Wed 11 Nov 2015 17:59:33 GMT using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"

      * remotes/cody/tags/block-pull-request:
        gluster: allocate GlusterAIOCBs on the stack

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 31e49ac192f782d594bbd04070fe79e800b7813f
  Merge: 2869653 3c4c694
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 11 18:23:08 2015 +0000

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20151111' into 
staging

      Hopefully last big batch of s390x patches, including:
      - bugfixes for LE host and for pci translation
      - MAINTAINERS update
      - hugetlbfs enablement (kernel patches pending)
      - boot from El Torito iso images on virtio-blk
        (boot from scsi pending)
      - cleanup in the ipl device code

      There's also a helper function for resetting busless devices in the
      qdev core in there.

      # gpg: Signature made Wed 11 Nov 2015 17:49:58 GMT using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20151111:
        s390: deprecate the non-ccw machine in 2.5
        s390x/ipl: switch error reporting to error_setg
        s390x/ipl: clean up qom definitions and turn into TYPE_DEVICE
        qdev: provide qdev_reset_all_fn()
        pc-bios/s390-ccw: rebuild image
        pc-bios/s390-ccw: El Torito 16-bit boot image size field workaround
        pc-bios/s390-ccw: El Torito s390x boot entry check
        pc-bios/s390-ccw: ISO-9660 El Torito boot implementation
        pc-bios/s390-ccw: Always adjust virtio sector count
        s390x/kvm: don't enable CMMA when hugetlbfs will be used
        s390x: switch to memory_region_allocate_system_memory
        MAINTAINERS: update virtio-ccw/s390 git tree
        MAINTAINERS: update s390 file patterns
        s390x/pci : fix up s390 pci iommu translation function
        s390x/css: sense data endianness

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 455b0fde8c38a0794743e2e7c1a40018b7bee9f6
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Nov 10 23:51:20 2015 -0700

      error: More error_setg() usage

      A few uses of error_set(ERROR_CLASS_GENERIC_ERROR) were missed in
      c6bd8c706, or have snuck in since.  Nuke them.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1447224690-9743-19-git-send-email-eblake@xxxxxxxxxx>
      Acked-by: Andreas Färber <afaerber@xxxxxxx>
      [Indentation tidied up, commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2869653f23c63c400d3791513b507e9feddbc751
  Merge: 3c07587 4d07c72
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 11 16:43:19 2015 +0000

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Wed 11 Nov 2015 16:03:19 GMT using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (41 commits)
        iotests: Check for quorum support in test 139
        qcow2: Fix qcow2_get_cluster_offset() for zero clusters
        iotests: Add tests for the x-blockdev-del command
        block: Add 'x-blockdev-del' QMP command
        block: Add blk_get_refcnt()
        mirror: block all operations on the target image during the job
        qemu-iotests: fix -valgrind option for check
        qemu-iotests: fix cleanup of background processes
        qemu-io: Correct error messages
        qemu-io: Check for trailing chars
        qemu-io: fix cvtnum lval types
        block: test 'blockdev-snapshot' using a file BDS as the overlay
        block: Remove inner quotation marks in iotest 085
        block: Disallow snapshots if the overlay doesn't support backing files
        throttle: Use bs->throttle_state instead of bs->io_limits_enabled
        throttle: Check for pending requests in throttle_group_unregister_bs()
        qemu-img: add check for zero-length job len
        qcow2: avoid misaligned 64bit bswap
        qemu-iotests: Test the reopening of overlay_bs in 'block-commit'
        commit: reopen overlay_bs before base
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3c4c694c7ce2d21c0cf17a27cc60c91b6725ce48
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Fri Nov 6 13:07:25 2015 +0100

      s390: deprecate the non-ccw machine in 2.5

      The non-ccw machine for s390 (s390-virtio) is not very well maintained
      and caused several issues in the past:
      - aliases like virtio-blk did not work for s390
      - virtio refactoring failed due to long standing bugs (e.g.see
      commit cb927b8a "s390-virtio: Accommodate guests using virtqueues too 
early")
      - some features like memory hotplug will cause trouble due to virtio 
storage
        being above guest memory
      - the boot loader bios no longer seems to work. the source code of that
        loader is also no longer maintained

      2.4 changed the default to the ccw machine, let's deprecate the old
      machine for 2.5.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Acked-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1446811645-25565-1-git-send-email-borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 8f04e88e2cd792e348eb54983ce1a485d5db4f27
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 8 12:33:28 2015 +0200

      s390x/ipl: switch error reporting to error_setg

      Now that we can report errors in the realize function, let's replace
      the fprintf's and hw_error's with error_setg.

      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 04fccf106e22c4b861398cf2146f5a5b5f18d01e
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 8 12:32:13 2015 +0200

      s390x/ipl: clean up qom definitions and turn into TYPE_DEVICE

      Let's move the qom definitions of the ipl device into ipl.h, replace
      "s390-ipl" by a proper type define, turn it into a TYPE_DEVICE
      and remove the unneeded class definition.

      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ff8de0757fc13407c81f002e936031ddc13057e4
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 08:32:07 2015 +0200

      qdev: provide qdev_reset_all_fn()

      For TYPE_DEVICE, the dc->reset() function is not called on system resets
      yet. Until that is changed, we have to manually register a reset handler.
      Let's provide qdev_reset_all_fn(), that can directly be used - just like
      the reset handler that is already available for qbus.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 81a93ee64d78a1933998ff1b95f06b6d67db46fd
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Nov 5 13:47:38 2015 +0100

      pc-bios/s390-ccw: rebuild image

      Contains:
        pc-bios/s390-ccw: Always adjust virtio sector count
        pc-bios/s390-ccw: ISO-9660 El Torito boot implementation
        pc-bios/s390-ccw: El Torito s390x boot entry check
        pc-bios/s390-ccw: El Torito 16-bit boot image size field workaround

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 869648e87eeb998cc0ede230f3b7aabfdf0eb2dd
  Author: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 17:50:20 2015 +0200

      pc-bios/s390-ccw: El Torito 16-bit boot image size field workaround

      Because of El Torito spec flaw boot image size needs to be verified.

      Boot catalog entry size field has 16-bit width, and specifies size
      in 512-byte units.

      Thus, boot image size cannot exceed 32M.

      We actually search for the file to get the file size.

      This is done by scanning the ISO directory tree for the ISO block number
      and reading the file size from the directory entry.

      Signed-off-by: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ba21f0cca8165c5b284274edd12dc955cf4fb248
  Author: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 17:50:20 2015 +0200

      pc-bios/s390-ccw: El Torito s390x boot entry check

      Boot entry is considered compatible if boot image is Linux kernel
      with matching S390 Linux magic string.

      Empty boot images with sector_count == 0 are considered broken.

      Signed-off-by: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 866cac91e06219f473a2900eefef0d1cf242b136
  Author: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 17:50:20 2015 +0200

      pc-bios/s390-ccw: ISO-9660 El Torito boot implementation

      This patch enables boot from media formatted according to
      ISO-9660 and El Torito bootable CD specification.

      We try to boot from device as ISO-9660 media when SCSI IPL failed.

      The first boot catalog entry with bootable flag is used.

      ISO-9660 media with default 2048-bytes sector size only is supported.

      Signed-off-by: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 38150be860434de9d9c76cef71ff5c6b6112ee8f
  Author: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 17:50:20 2015 +0200

      pc-bios/s390-ccw: Always adjust virtio sector count

      Let's always adjust the sector number to be read using the current
      virtio block size value.

      This prepares for the implementation of IPL from ISO-9660 media.

      Signed-off-by: Maxim Samoylov <max7255@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 4c292a009700755a1e6b234063ef3f2db235aaae
  Author: Dominik Dingel <dingel@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Aug 11 11:12:12 2015 +0200

      s390x/kvm: don't enable CMMA when hugetlbfs will be used

      On hugetlbfs CMMA will not be useful as every ESSA instruction will trap.
      So don't offer CMMA to guests with a hugepages backing.

      Signed-off-by: Dominik Dingel <dingel@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ae23a33591056d6349753766047ebc511158da9c
  Author: Dominik Dingel <dingel@xxxxxxxxxxxxxxxxxx>
  Date:   Tue May 12 13:21:30 2015 +0200

      s390x: switch to memory_region_allocate_system_memory

      By replacing memory_region_init_ram with 
memory_region_allocate_system_memory
      we gain goodies like mem-path backends. This will allow us to use 
hugetlbfs
      once the kernel supports it.

      Signed-off-by: Dominik Dingel <dingel@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 3e9ed24b84c4acdd077904a74eaec6d95cfef928
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Nov 4 16:08:20 2015 +0100

      MAINTAINERS: update virtio-ccw/s390 git tree

      Let's reference the git branch I actually use, and add Christian's
      git tree.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit c5bfb202bb3bcdc1a368e85fef336e89d6254f8c
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Nov 4 15:59:55 2015 +0100

      MAINTAINERS: update s390 file patterns

      We were missing some files, and some files should get an additional
      entry to add the people actually looking after the code.

      Reported-by: Thomas Huth <thuth@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit dce1b089249f52c053cf74dc3da98aea16656961
  Author: Yi Min Zhao <zyimin@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Oct 28 11:30:23 2015 +0800

      s390x/pci : fix up s390 pci iommu translation function

      On s390x, each pci device has its own iommu, which is only properly
      setup in qemu once the mpcifc instruction used to register the
      translation table has been intercepted. Therefore, for a pci device that
      is not configured or has not been initialized, proper translation is
      neither required nor possible. Moreover, we may not have a host bridge
      device ready yet.

      This was exposed by a recent vfio change that triggers iommu translation
      during the initialization of the vfio pci device. Let's do an early exit
      in that case.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Yi Min Zhao <zyimin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit b498484ed49ab9d1fcada3468f95dda1a5f59366
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Nov 4 18:40:54 2015 +0100

      s390x/css: sense data endianness

      We keep the device's sense data in a byte array (following the
      architecture), but the ecws are an array of 32 bit values. If we
      just blindly copy the values, the sense data will change from
      de-facto BE data to de-facto cpu-endian data, which means we end
      up doing an incorrect conversion on LE hosts.

      Let's just explicitly convert to cpu-endianness while assembling
      the irb.

      Reported-by: Andy Lutomirski <luto@xxxxxxxxxx>
      Tested-by: Andy Lutomirski <luto@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 52074d0f662fc51293d4cde8077631f754784405
  Author: Kirk Allan <kallan@xxxxxxxx>
  Date:   Tue Nov 10 16:19:11 2015 -0700

      qga: fix append file open modes for win32

      For append file open modes, use FILE_APPEND_DATA for the desired access
      for writing at the end of the file.

      Version 2:
      For "a+", "ab+", and "a+b" modes use FILE_APPEND_DATA|GENERIC_READ.
      ORing in GENERIC_READ starts a read at the begining of the file.  All
      writes will append to the end fo the file.

      Added white space to maintain the alignment of the 
guest_file_open_modes[].

      Signed-off-by: Kirk Allan <kallan@xxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      * use FILE_GENERIC_APPEND macro, which provides same semantics as
        FILE_APPEND_DATA, but retains other flags from GENERIC_WRITE
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4d07c720f44beafd10907cecfd5b8a57622243c1
  Merge: a9ecfa0 92e6898
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Nov 11 17:02:02 2015 +0100

      Merge remote-tracking branch 
'mreitz/tags/pull-block-for-kevin-2015-11-11' into queue-block

      Block patches from 2015-10-26 until 2015-11-11.

      # gpg: Signature made Wed Nov 11 17:00:50 2015 CET using RSA key ID 
E838ACAD
      # gpg: Good signature from "Max Reitz <mreitz@xxxxxxxxxx>"

      * mreitz/tags/pull-block-for-kevin-2015-11-11:
        iotests: Check for quorum support in test 139
        qcow2: Fix qcow2_get_cluster_offset() for zero clusters
        iotests: Add tests for the x-blockdev-del command
        block: Add 'x-blockdev-del' QMP command
        block: Add blk_get_refcnt()
        mirror: block all operations on the target image during the job
        qemu-iotests: fix -valgrind option for check
        qemu-iotests: fix cleanup of background processes

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 92e68987745b0f89f04d29fe1d0c821010d58ea6
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 10 18:28:11 2015 +0200

      iotests: Check for quorum support in test 139

      The quorum driver is always built in, but it is disabled during
      run-time if there's no SHA256 support available (see commit e94867e).

      This patch skips the quorum test in iotest 139 in that case.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1447172891-20410-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit a99dfb45f26bface6830ee5465e57bcdbc53c6c8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Nov 4 18:16:24 2015 +0100

      qcow2: Fix qcow2_get_cluster_offset() for zero clusters

      When searching for contiguous zero clusters, we only need to check the
      cluster type. Before this patch, an increasing offset (L2E_OFFSET_MASK)
      was expected, so that the function never returned more than a single
      zero cluster in practice. This patch fixes it to actually return as many
      contiguous zero clusters as it can.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1446657384-5907-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 342075fd0ec9dce87139d71a81e1dbbe5ab5d021
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 2 16:51:56 2015 +0200

      iotests: Add tests for the x-blockdev-del command

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
57c3b0d4d0c73ddadd19e5bded9492c359cc4568.1446475331.git.berto@xxxxxxxxxx
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 81b936ae70e635557af9ca80922ee69146cb5f4c
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 2 16:51:55 2015 +0200

      block: Add 'x-blockdev-del' QMP command

      This command is still experimental, hence the name.

      This is the companion to 'blockdev-add'. It allows deleting a
      BlockBackend with its associated BlockDriverState tree, or a
      BlockDriverState that is not attached to any backend.

      In either case, the command fails if the reference count is greater
      than 1 or the BlockDriverState has any parents.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
6cfc148c77aca1da942b094d811bfa3fcf7ac7bb.1446475331.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit f636ae85f3db8ffb987c79715869dba1b8217e8a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 2 16:51:54 2015 +0200

      block: Add blk_get_refcnt()

      This function returns the reference count of a given BlockBackend.
      For convenience, it returns 0 if the BlockBackend pointer is NULL.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
dfdd8a17dbe3288842840636d2cfe5bb895abcb0.1446475331.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 10f3cd15dd9913f8d959fbd061e6e00c45432093
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Nov 2 16:51:53 2015 +0200

      mirror: block all operations on the target image during the job

      There's nothing preventing the target image from being used by other
      operations during the 'drive-mirror' job, so we should block them all
      until the job is done.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
82b88fd04cde918a08a6f9a4ab85626d7fd7b502.1446475331.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit e6c17669eb0868013d9a17050d8eb2d598f06067
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Oct 30 15:25:18 2015 -0400

      qemu-iotests: fix -valgrind option for check

      Commit 934659c switched the iotests to run qemu-io from a bash subshell,
      in order to catch segfaults.  This method is incompatible with the
      current valgrind_qemu_io() bash function.

      Move the valgrind usage into the exec subshell in _qemu_io_wrapper(),
      while making sure the original return value is passed back to the
      caller.

      Update test output for tests 039, 061, and 137 as it looks for the
      specific subshell command when the process is terminated.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 
0066fd85d26ca641a1c25135ff2479b7985701cf.1446232490.git.jcody@xxxxxxxxxx
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit f6c8c2e055f88e8ed74ac0c185fc9fbca1e1b775
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Oct 30 15:25:17 2015 -0400

      qemu-iotests: fix cleanup of background processes

      Commit 934659c switched the iotests to run qemu and qemu-nbd from a bash
      subshell, in order to catch segfaults.  Unfortunately, this means the
      process PID cannot be captured via '$!'. We stopped killing qemu and
      qemu-nbd processes, leaving a lot of orphaned, running qemu processes
      after executing iotests.

      Since the process is using exec in the subshell, the PID is the
      same as the subshell PID.

      Track these PIDs for cleanup using pidfiles in the $TEST_DIR. Only
      track the qemu PID, however, if requested - not all usage requires
      killing the process.

      Reported-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 
9e4f958b3895b7259b98d845bb46f000ba362869.1446232490.git.jcody@xxxxxxxxxx
      [mreitz@xxxxxxxxxx: Replaced '! -z "..."' by '-n "..."']
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit c833d1e8f5e95762336a823a35ade65a2d0fe587
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 13:04:38 2015 +0200

      gluster: allocate GlusterAIOCBs on the stack

      This is simpler now that the driver has been converted to coroutines.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a9ecfa004f2dd83df612daac4a87dfc3a0feba28
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:53:04 2015 -0500

      qemu-io: Correct error messages

      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ef5a788527b2038d742b057a415ab4d0e735e98f
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:53:03 2015 -0500

      qemu-io: Check for trailing chars

      Make sure there's not trailing garbage, e.g.
      "64k-whatever-i-want-here"

      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9b0beaf3de1396a23d5c287283e6f36c4b5d4385
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Nov 5 18:53:02 2015 -0500

      qemu-io: fix cvtnum lval types

      cvtnum() returns int64_t: we should not be storing this
      result inside of an int.

      In a few cases, we need an extra sprinkling of error handling
      where we expect to pass this number on towards a function that
      expects something smaller than int64_t.

      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3fa123d05964b07f9d4d972f131cce847091926d
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 3 12:32:37 2015 +0200

      block: test 'blockdev-snapshot' using a file BDS as the overlay

      This test checks that it is not possible to create a snapshot if the
      requested overlay node is a BDS which does not support backing images.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f2d7f16f948b2ecfbb039c6bd62d6c7e2d61fac4
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 3 12:32:36 2015 +0200

      block: Remove inner quotation marks in iotest 085

      This patch removes the inner quotation marks in all cases like this:

         cmd=" ... "${variable}" ... "

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 08b24cfe3765f4b739700778814048e7d9a045fe
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Nov 3 12:32:35 2015 +0200

      block: Disallow snapshots if the overlay doesn't support backing files

      This addresses scenarios like this one:

        { 'execute': 'blockdev-add', 'arguments':
          { 'options': { 'driver': 'qcow2',
                         'node-name': 'new0',
                         'file': { 'driver': 'file',
                                   'filename': 'new.qcow2',
                                   'node-name': 'file0' } } } }

        { 'execute': 'blockdev-snapshot', 'arguments':
          { 'node': 'virtio0',
            'overlay': 'file0' } }

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a0d64a61db602696f4f1895a890c65eda5b3b618
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Nov 4 15:15:36 2015 +0200

      throttle: Use bs->throttle_state instead of bs->io_limits_enabled

      There are two ways to check for I/O limits in a BlockDriverState:

      - bs->throttle_state: if this pointer is not NULL, it means that this
        BDS is member of a throttling group, its ThrottleTimers structure
        has been initialized and its I/O limits are ready to be applied.

      - bs->io_limits_enabled: if true it means that the throttle_state
        pointer is valid _and_ the limits are currently enabled.

      The latter is used in several places to check whether a BDS has I/O
      limits configured, but what it really checks is whether requests
      are being throttled or not. For example, io_limits_enabled can be
      temporarily set to false in cases like bdrv_read_unthrottled() without
      otherwise touching the throtting configuration of that BDS.

      This patch replaces bs->io_limits_enabled with bs->throttle_state in
      all cases where what we really want to check is the existence of I/O
      limits, not whether they are currently enabled or not.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5ac724184c286b367525035eabf4b8bb4a386c54
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Nov 4 15:15:35 2015 +0200

      throttle: Check for pending requests in throttle_group_unregister_bs()

      throttle_group_unregister_bs() removes a BlockDriverState from its
      throttling group and destroys the timers. This means that there must
      be no pending throttled requests at that point (because it would be
      impossible to complete them), so the caller has to drain them first.

      At the moment throttle_group_unregister_bs() is only called from
      bdrv_io_limits_disable(), which already takes care of draining the
      requests, so there's nothing to worry about, but this patch makes
      this invariant explicit in the documentation and adds the relevant
      assertions.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 62547b8a1c04daf30f50e3db362ade53e22bf222
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Nov 2 18:28:20 2015 -0500

      qemu-img: add check for zero-length job len

      The mirror job doesn't update its total length until
      it has already started running, so we should translate
      a zero-length job-len as meaning 0%.

      Otherwise, we may get divide-by-zero faults.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 95334230637cef9fbd199bb79a56271ec73d4732
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Nov 2 18:32:06 2015 -0500

      qcow2: avoid misaligned 64bit bswap

      If we create a buffer directly on the stack by using 12 bytes, there's
      no guarantee the 64bit value we want to swap will be aligned, which
      could cause errors with undefined behavior.

      Spotted with clang -fsanitize=undefined and observed in iotests 15, 26,
      44, 115 and 121.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bcdce5a73cb28f32b3ca3a51e8fa89879685e015
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 15:43:50 2015 +0200

      qemu-iotests: Test the reopening of overlay_bs in 'block-commit'

      The 'block-commit' command needs the overlay image of 'top' to
      be opened in read-write mode in order to update the backing file
      string. If 'top' is not the active layer or its backing file then its
      overlay needs to be reopened during the block job.

      This is a test case for that scenario.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3db2bd5508c86a1605258bc77c9672d93b5c350e
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 28 15:43:49 2015 +0200

      commit: reopen overlay_bs before base

      'block-commit' needs write access to two different nodes of the chain:

      - 'base', because that's where the data is written to.
      - the overlay of 'top', because it needs to update the backing file
        string to point to 'base' after the operation.

      Both images have to be opened in read-write mode, and commit_start()
      takes care of reopening them if necessary.

      With the current implementation, however, when overlay_bs is reopened
      in read-write mode it has the side effect of making 'base' read-only
      again, eventually making 'block-commit' fail.

      This needs to be fixed in bdrv_reopen(), but until we get to that it
      can be worked around simply by swapping the order of base and
      overlay_bs in the reopen queue.

      In order to reproduce this bug, overlay_bs needs to be initially in
      read-only mode. That is: the 'top' parameter of 'block-commit' cannot
      be the active layer nor its immediate backing chain.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 89e3a2d86d31212d09ca688193ccecb92c0c77b5
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:17 2015 +0200

      block: add tests for the 'blockdev-snapshot' command

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 43de7e2de07093e47c7f25386aff280875dc3c62
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:16 2015 +0200

      block: add a 'blockdev-snapshot' QMP command

      One of the limitations of the 'blockdev-snapshot-sync' command is that
      it does not allow passing BlockdevOptions to the newly created
      snapshots, so they are always opened using the default values.

      Extending the command to allow passing options is not a practical
      solution because there is overlap between those options and some of
      the existing parameters of the command.

      This patch introduces a new 'blockdev-snapshot' command with a simpler
      interface: it just takes two references to existing block devices that
      will be used as the source and target for the snapshot.

      Since the main difference between the two commands is that one of them
      creates and opens the target image, while the other uses an already
      opened one, the bulk of the implementation is shared.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3e8c2e57056614933fc5eb022e1d6d0f28071b44
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:15 2015 +0200

      block: support passing 'backing': '' to 'blockdev-add'

      Passing an empty string allows opening an image but not its backing
      file. This was already described in the API documentation, only the
      implementation was missing.

      This is useful for creating snapshots using images opened with
      blockdev-add, since they are not supposed to have a backing image
      before the operation.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a911e6ae7ce47d51b519d462c1d99d53b37b0f8c
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:14 2015 +0200

      block: rename BlockdevSnapshot to BlockdevSnapshotSync

      We will introduce the 'blockdev-snapshot' command that will require
      its own struct for the parameters, so we need to rename this one in
      order to avoid name clashes.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a39a24fbb05055d00026eb569ff3f7b868ca8785
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:13 2015 +0200

      block: check for existing device IDs in external_snapshot_prepare()

      The 'snapshot-node-name' parameter of blockdev-snapshot-sync allows
      setting the node name of the image that is going to be created.

      Before creating the image, external_snapshot_prepare() checks that the
      name is not already being used. The check is however incomplete since
      it only considers existing node names, but node names must not clash
      with device IDs either because they share the same namespace.

      If the user attempts to create a snapshot using the name of an
      existing device for the 'snapshot-node-name' parameter the operation
      will eventually fail, but only after the new image has been created.

      This patch replaces bdrv_find_node() with bdrv_lookup_bs() to extend
      the check to existing device IDs, and thus detect possible name
      clashes before the new image is created.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit adfe20303f2a897ce64b77fe579a0c7dc1e81771
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:19 2015 +0100

      iotests: Add test for change-related QMP commands

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit baead0abefa8e95b18e53281ac182c96b24ba0cb
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:18 2015 +0100

      hmp: Add read-only-mode option to change command

      Expose the new read-only-mode option of 'blockdev-change-medium' for the
      'change' HMP command.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 39ff43d9e1f42b1d829a955e546cddab87ac0626
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Nov 11 04:49:44 2015 +0100

      blockdev: read-only-mode for blockdev-change-medium

      Add an option to qmp_blockdev_change_medium() which allows changing the
      read-only status of the block device whose medium is changed.

      Some drives do not have a inherently fixed read-only status; for
      instance, floppy disks can be set read-only or writable independently of
      the drive. Some users may find it useful to be able to therefore change
      the read-only status of a block device when changing the medium.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1068674927a08cb9f535946abe2f91529b13160c
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:16 2015 +0100

      hmp: Use blockdev-change-medium for change command

      Use separate code paths for the two overloaded functions of the 'change'
      HMP command, and invoke the 'blockdev-change-medium' QMP command if used
      on a block device (by calling qmp_blockdev_change_medium()).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 24fb4133001e1f54a526f0927837f30c1507169a
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Fri Nov 6 16:27:06 2015 +0100

      qmp: Introduce blockdev-change-medium

      Introduce a new QMP command 'blockdev-change-medium' which is intended
      to replace the 'change' command for block devices. The existing function
      qmp_change_blockdev() is accordingly renamed to
      qmp_blockdev_change_medium().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f1f57066573e832438cd87600310589fa9cee202
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:14 2015 +0100

      block: Inquire tray state before tray-moved events

      blk_dev_change_media_cb() is called for all potential tray movements;
      however, it is possible to request closing the tray but nothing actually
      happening (on a floppy disk drive without a medium).

      Thus, the actual tray status should be inquired before sending a
      tray-moved event (and an event should be sent whenever the status
      changed).

      Checking @load is now superfluous; it was necessary because it was
      possible to change a medium without having explicitly opened the tray
      and closed it again (or it might have been possible, at least). This is
      no longer possible, though.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit de2c6c0536c5c5ebb6e0ce7dcfd8fa9476edab52
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:13 2015 +0100

      blockdev: Implement change with basic operations

      Implement 'change' on block devices by calling blockdev-open-tray,
      blockdev-remove-medium, blockdev-insert-medium (a variation of that
      which does not need a node-name) and blockdev-close-tray.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 38f54bd1ee0ed0f13b7326eb79403e320c3a28d3
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:12 2015 +0100

      blockdev: Implement eject with basic operations

      Implement 'eject' by calling blockdev-open-tray and
      blockdev-remove-medium.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d129988289a885e57aa8790097e2d814764571bd
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:11 2015 +0100

      blockdev: Add blockdev-insert-medium

      And a helper function for that, which directly takes a pointer to the
      BDS to be inserted instead of its node-name (which will be used for
      implementing 'change' using blockdev-insert-medium).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2814f67271bce537f29c6a7832f89fd4f1cdaa1a
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:10 2015 +0100

      blockdev: Add blockdev-remove-medium

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit abaaf59d245b6984644497b6745f88912c715c39
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:09 2015 +0100

      blockdev: Add blockdev-close-tray

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7d8a9f71b9ec9fa295265392218efaf0771d96e0
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:08 2015 +0100

      blockdev: Add blockdev-open-tray

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 38cb18f5b71428fb8a3e3759ac8fa21ac70cb1b5
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:07 2015 +0100

      block: Add functions for inheriting a BBRS

      In order to open a BDS which inherits a BB's root state,
      blk_get_open_flags_from_root_state() is used to inquire the flags to be
      passed to bdrv_open(), and blk_apply_root_state() is used to apply the
      remaining state after the BDS has been opened.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c69a4dd89989b483b06d765b13e41594c78d32b9
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:06 2015 +0100

      block: Make bdrv_states public

      When inserting a BDS tree into a BB, we will need to add the root BDS to
      this list. Since we will want to do that in the blockdev-insert-medium
      implementation in blockdev.c, we will need access to it there.

      This patch is not exactly elegant, but bdrv_states will be removed in
      the future anyway because we no longer need it since we have BBs.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1c95f7e1aff8417ff6e6cc23bc2d04fbcf79d37e
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 26 21:39:05 2015 +0100

      block: Add blk_remove_bs()

      This function removes the BlockDriverState associated with the given
      BlockBackend from that BB and sets the BDS pointer in the BB to NULL.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9f4ed6fbd264a7c097590d830dcfd93996a80acb
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Oct 26 16:46:49 2015 +0200

      block: Don't call blk_bs() twice in bdrv_lookup_bs()

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3c07587d49458341510360557c849e93e9afaf59
  Merge: d93ae5b b41d320
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 11 09:34:18 2015 +0000

      Merge remote-tracking branch 'remotes/dgibson/tags/ppc-next-20151111' 
into staging

      ppc patch queue - 2015-11-11

      Highlights:
        - Updated SLOF version for "pseries machine
        - Bugfix / cleanup for KVM hash page table allocation

      # gpg: Signature made Wed 11 Nov 2015 02:30:51 GMT using RSA key ID 
20D9B392
      # gpg: Good signature from "David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@xxxxxxxxxx>"
      # gpg:                 aka "David Gibson (ozlabs.org) 
<dgibson@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 
B392

      * remotes/dgibson/tags/ppc-next-20151111:
        spapr: Handle failure of KVM_PPC_ALLOCATE_HTAB ioctl
        ppc: Let kvmppc_reset_htab() return 0 for !CONFIG_KVM
        pseries: Update SLOF firmware image to qemu-slof-20151103
        ppc: Add/Re-introduce MMU model definitions needed by PR KVM

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b41d320fef705289d2b73f4949731eb2e189161d
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Nov 10 10:54:54 2015 +0530

      spapr: Handle failure of KVM_PPC_ALLOCATE_HTAB ioctl

      KVM_PPC_ALLOCATE_HTAB ioctl can return -ENOMEM for KVM guests and QEMU
      never handled this correctly. But this didn't cause any problems till
      now as KVM_PPC_ALLOCATE_HTAB ioctl returned with smaller than requested
      HTAB when enough contiguous memory wasn't available in the host.
      After the proposed kernel change: 
https://patchwork.ozlabs.org/patch/530501/,
      KVM_PPC_ALLOCATE_HTAB ioctl will not fallback to lower sized HTAB
      allocation and will fail if requested HTAB size can't be met.

      Check for such failures in QEMU and abort appropriately. This will
      prevent guest kernel from hanging/freezing during early boot by doing
      graceful exit when host is unable to allocate requested HTAB.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a3166f8f6e9d3928d0b863c7f0dac1cf24b6c004
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Nov 10 10:54:53 2015 +0530

      ppc: Let kvmppc_reset_htab() return 0 for !CONFIG_KVM

      The !CONFIG_KVM implementation of kvmppc_reset_htab() returns -1
      by default. Change this to return 0 so that we fall back to user space
      HTAB allocation for emulated guests.

      This fixes the make check failures for ppc64 emulated target.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 121048195860f0320a7e1cd5a4b86356082eb9c7
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Tue Nov 3 13:20:34 2015 +1100

      pseries: Update SLOF firmware image to qemu-slof-20151103

      The changes are:
      1. supports recent binutils;
      2. 64bit BARs behind PCI bridges supported;
      3. Many fixes for USB keyboard support - keys, XHCI;
      4. virtio-vga support.

      This image was built with:
      gcc version 4.8.3 20140911 (Red Hat 4.8.3-7) (GCC)
      GNU ld version 2.23.2

      The full changelog is:
        > version: update to 20151103
        > documentation: Add a clause about signing off
        > qemu/js2x/client: Support binutils >= 2.25.1
        > Fix special keys on USB
        > Fix function keys on USB
        > pci-scan: program 64-bit mem bar range in pci-bridge bar
        > Allow to build SLOF on Little Endian host
        > usb-xhci: add keyboard support
        > usb-xhci: ready the link trb early
        > usb-xhci: scan usb high speed ports
        > usb-xhci: bulk improve event handling loop
        > usb-xhci: return on allocation failure
        > usb-xhci: add delay in shutdown path
        > usb-xhci: event trbs does not need link trb
        > usb-hid: refactor usb key reading
        > takeover: Fix header includes
        > board-js2x: Add missing file dma-function.fs
        > vga: Add support for virtio-vga
        > qemu-vga: Use MMIO BAR instead of legacy IO ports
        > slof: Change call_c() function to a proper assembler function

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ba3ecda05e933acf6fff618716b6f6d2ed6a5a07
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Nov 6 13:12:59 2015 +0530

      ppc: Add/Re-introduce MMU model definitions needed by PR KVM

      Commit aa4bb5875231 (ppc: Add mmu_model defines for arch 2.03 and 2.07)
      removed the mmu_model definition POWERPC_MMU_2_06a which is needed by
      PR KVM. Reintroduce it and also add POWERPC_MMU_2_07a.

      This fixes QEMU crash (qemu: fatal: Unknown MMU model) during booting
      of PR KVM guest.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Cc: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit d93ae5b69621b7ec6ecfa405ec656d5b5f5e4770
  Merge: a77067f bdd81ad
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 10 22:21:42 2015 +0000

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20151110.0' into staging

      VFIO updates 2015-11-10

       - Make Windows happy with vfio-pci devices exposed on conventional
         PCI buses on q35 by hiding PCIe capability (Alex Williamson)
       - Convert to g_new() where appropriate (Markus Armbruster)

      # gpg: Signature made Tue 10 Nov 2015 19:46:41 GMT using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20151110.0:
        vfio: Use g_new() & friends where that makes obvious sense
        vfio/pci: Hide device PCIe capability on non-express buses for PCIe VMs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bdd81addf4033ce26e6cd180b060f63095f3ded9
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 10 12:11:08 2015 -0700

      vfio: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0282abf078c3353a178ab77a115828ce333181dd
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Tue Nov 10 12:11:08 2015 -0700

      vfio/pci: Hide device PCIe capability on non-express buses for PCIe VMs

      When we have a PCIe VM, such as Q35, guests start to care more about
      valid configurations of devices relative to the VM view of the PCI
      topology.  Windows will error with a Code 10 for an assigned device if
      a PCIe capability is found for a device on a conventional bus.  We
      also have the possibility of IOMMUs, like VT-d, where the where the
      guest may be acutely aware of valid express capabilities on physical
      hardware.

      Some devices, like tg3 are adversely affected by this due to driver
      dependencies on the PCIe capability.  The only solution for such
      devices is to attach them to an express capable bus in the VM.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a77067f6ac9b17beefea506ce5f514072fe3fcf4
  Merge: a1a8858 15b3b8e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 10 17:49:39 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151110' into staging

      migration/next for 20151110

      # gpg: Signature made Tue 10 Nov 2015 14:23:26 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151110: (57 commits)
        migration: qemu_savevm_state_cleanup becomes mandatory operation
        Inhibit ballooning during postcopy
        Disable mlock around incoming postcopy
        End of migration for postcopy
        Postcopy: Mark nohugepage before discard
        postcopy: Wire up loadvm_postcopy_handle_ commands
        Start up a postcopy/listener thread ready for incoming page data
        Postcopy; Handle userfault requests
        Round up RAMBlock sizes to host page sizes
        Host page!=target page: Cleanup bitmaps
        Don't iterate on precopy-only devices during postcopy
        Don't sync dirty bitmaps in postcopy
        postcopy: Check order of received target pages
        Postcopy: Use helpers to map pages during migration
        postcopy_ram.c: place_page and helpers
        Page request: Consume pages off the post-copy queue
        Page request: Process incoming page request
        Page request: Add MIG_RP_MSG_REQ_PAGES reverse command
        Postcopy: End of iteration
        Postcopy: Postcopy startup in migration thread
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 15b3b8eaae8dbcc903bb164311ea0066c77536a7
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Mon Nov 9 10:24:04 2015 +0300

      migration: qemu_savevm_state_cleanup becomes mandatory operation

      since commit
          commit 94f5a43704129ca4995aa3385303c5ae225bde42
          Author: Liang Li <liang.z.li@xxxxxxxxx>
          Date:   Mon Nov 2 15:37:00 2015 +0800

          migration: defer migration_end & blk_mig_cleanup

      when actual .cleanup callbacks calling was removed from complete 
operations.

      The patch fixes regression introduced by the commit above results in
      100% reliable assert for virtio-scsi VM with iothreads enabled during
      'virsh create-snapshot' operation:
          assert(i != mr->ioeventfd_nb);
          memory_region_del_eventfd
          virtio_pci_set_host_notifier_internal
          virtio_pci_set_host_notifier
          virtio_scsi_dataplane_start
          virtio_scsi_handle_cmd
          virtio_queue_notify_vq
          virtio_queue_host_notifier_read
          aio_dispatch

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 371ff5a3f04cd7d05bab49ac6e80da319026d95b
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:23 2015 +0000

      Inhibit ballooning during postcopy

      Postcopy detects accesses to pages that haven't been transferred yet
      using userfaultfd, and it causes exceptions on pages that are 'not
      present'.
      Ballooning also causes pages to be marked as 'not present' when the
      guest inflates the balloon.
      Potentially a balloon could be inflated to discard pages that are
      currently inflight during postcopy and that may be arriving at about
      the same time.

      To avoid this confusion, disable ballooning during postcopy.

      When disabled we drop balloon requests from the guest.  Since ballooning
      is generally initiated by the host, the management system should avoid
      initiating any balloon instructions to the guest during migration,
      although it's not possible to know how long it would take a guest to
      process a request made prior to the start of migration.
      Guest initiated ballooning will not know if it's really freed a page
      of host memory or not.

      Queueing the requests until after migration would be nice, but is
      non-trivial, since the set of inflate/deflate requests have to
      be compared with the state of the page to know what the final
      outcome is allowed to be.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 58b7c17e226aa4d3b943ea22c1d1309126de146b
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:22 2015 +0000

      Disable mlock around incoming postcopy

      Userfault doesn't work with mlock; mlock is designed to nail down pages
      so they don't move, userfault is designed to tell you when they're not
      there.

      munlock the pages we userfault protect before postcopy.
      mlock everything again at the end if mlock is enabled.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e9bef235d91bff87517770c93d74eb98e5a33278
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:21 2015 +0000

      End of migration for postcopy

      Tweak the end of migration cleanup; we don't want to close stuff down
      at the end of the main stream, since the postcopy is still sending pages
      on the other thread.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f9527107570853b6a4a0903e4b0733747d02e74a
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:20 2015 +0000

      Postcopy: Mark nohugepage before discard

      Prior to servicing userfault requests we must ensure we've not got
      huge pages in the area that might include non-transferred memory,
      since a hugepage could incorrectly mark the whole huge page as present.

      We mark the area as non-huge page (nhp) just before we perform
      discards; the discard code now tells us to discard any areas
      that haven't been sent (as well as any that are redirtied);
      any already formed transparent-huge-pages get fragmented
      by this discard process if they cotnain any discards.

      Transparent huge pages that have been entirely transferred
      and don't contain any discards are not broken by this mechanism;
      they stay as huge pages.

      By starting postcopy after a full precopy pass, many of the pages
      then stay as huge pages; this is important for maintaining performance
      after the end of the migration.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 27c6825bd3749758fb9fcad44f3759f593be8506
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:19 2015 +0000

      postcopy: Wire up loadvm_postcopy_handle_ commands

      Wire up more of the handlers for the commands on the destination side,
      in particular loadvm_postcopy_handle_run now has enough to start the
      guest running.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c76201ab52b1dd53823cd81449d17b72224f1623
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:18 2015 +0000

      Start up a postcopy/listener thread ready for incoming page data

      The loading of a device state (during postcopy) may access guest
      memory that's still on the source machine and thus might need
      a page fill; split off a separate thread that handles the incoming
      page data so that the original incoming migration code can finish
      off the device data.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c4faeed2313e2bf9aa3694544bd211c15e28c164
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:17 2015 +0000

      Postcopy; Handle userfault requests

      userfaultfd is a Linux syscall that gives an fd that receives a stream
      of notifications of accesses to pages registered with it and allows
      the program to acknowledge those stalls and tell the accessing
      thread to carry on.

      We convert the requests from the kernel into messages back to the
      source asking for the pages.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4ed023ce2a39ab5812d33cf4d819def168965a7f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:16 2015 +0000

      Round up RAMBlock sizes to host page sizes

      RAMBlocks that are not a multiple of host pages in length
      cause problems for postcopy (I've seen an ACPI table on aarch64
      be 5k in length - i.e. 5x target-page), so round RAMBlock sizes
      up to a host-page.

      This potentially breaks migration compatibility due to changes
      in RAMBlock sizes; however:
         1) x86 and s390 I think always have host=target page size
         2) When I've tried on Power the block sizes already seem aligned.
         3) I don't think there's anything else that maintains per-version
            machine-types for compatibility.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 99e314ebca8c7b3450e4beaa95117c63d8f2f393
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:15 2015 +0000

      Host page!=target page: Cleanup bitmaps

      Prior to the start of postcopy, ensure that everything that will
      be transferred later is a whole host-page in size.

      This is accomplished by discarding partially transferred host pages
      and marking any that are partially dirty as fully dirty.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 35ecd943e7ea8a29b6cc6872ad8ba620e91b4407
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:14 2015 +0000

      Don't iterate on precopy-only devices during postcopy

      During the postcopy phase we must not call the iterate method on
      precopy-only devices, since they may have done some cleanup during
      the _complete call at the end of the precopy phase.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 663e6c1df8721960c0a3bb6cd5dd047b610c3bad
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:13 2015 +0000

      Don't sync dirty bitmaps in postcopy

      Once we're in postcopy the source processors are stopped and memory
      shouldn't change any more, so there's no need to look at the dirty
      map.

      There are two notes to this:
        1) If we do resync and a page had changed then the page would get
           sent again, which the destination wouldn't allow (since it might
           have also modified the page)
        2) Before disabling this I'd seen very rare cases where a page had been
           marked dirtied although the memory contents are apparently identical

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c53b7ddc61198c4af8290d6310592e48e3507c47
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:12 2015 +0000

      postcopy: Check order of received target pages

      Ensure that target pages received within a host page are in order.
      This shouldn't trigger, but in the cases where the sender goes
      wrong and sends stuff out of order it produces a corruption that's
      really nasty to debug.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a71808772acbea54df8ebf3680f01884f7383198
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:11 2015 +0000

      Postcopy: Use helpers to map pages during migration

      In postcopy, the destination guest is running at the same time
      as it's receiving pages; as we receive new pages we must put
      them into the guests address space atomically to avoid a running
      CPU accessing a partially written page.

      Use the helpers in postcopy-ram.c to map these pages.

      qemu_get_buffer_in_place is used to avoid a copy out of qemu_file
      in the case that postcopy is going to do a copy anyway.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 696ed9a9b3fee2d033d7b049ba2e6568860a25d1
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:10 2015 +0000

      postcopy_ram.c: place_page and helpers

      postcopy_place_page (etc) provide a way for postcopy to place a page
      into guests memory atomically (using the copy ioctl on the ufd).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a82d593b61054b3dea431ef829977000d772a252
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:09 2015 +0000

      Page request: Consume pages off the post-copy queue

      When transmitting RAM pages, consume pages that have been queued by
      MIG_RPCOMM_REQPAGE commands and send them ahead of normal page scanning.

      Note:
        a) After a queued page the linear walk carries on from after the
      unqueued page; there is a reasonable chance that the destination
      was about to ask for other closeby pages anyway.

        b) We have to be careful of any assumptions that the page walking
      code makes, in particular it does some short cuts on its first linear
      walk that break as soon as we do a queued page.

        c) We have to be careful to not break up host-page size chunks, since
      this makes it harder to place the pages on the destination.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 6c595cdee116dc46b0d4d7d632a426681ae66ad9
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:08 2015 +0000

      Page request: Process incoming page request

      On receiving MIG_RPCOMM_REQ_PAGES look up the address and
      queue the page.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1e2d90ebc54531c416a6765849308c8476d98f2d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:07 2015 +0000

      Page request: Add MIG_RP_MSG_REQ_PAGES reverse command

      Add MIG_RP_MSG_REQ_PAGES command on Return path for the postcopy
      destination to request a page from the source.

      Two versions exist:
         MIG_RP_MSG_REQ_PAGES_ID that includes a RAMBlock name and start/len
         MIG_RP_MSG_REQ_PAGES that just has start/len for use with the same
                              RAMBlock as a previous MIG_RP_MSG_REQ_PAGES_ID

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit b10ac0c42cef8829cd1461ce20f1869231b5f41f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:06 2015 +0000

      Postcopy: End of iteration

      The end of migration in postcopy is a bit different since some of
      the things normally done at the end of migration have already been
      done on the transition to postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1d34e4bf6a34f12b9ca387301b863b59f14d38ed
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:05 2015 +0000

      Postcopy: Postcopy startup in migration thread

      Rework the migration thread to setup and start postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f0a227ade4b0331c9e12fc01f8b74e2531fd496d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:04 2015 +0000

      postcopy: ram_enable_notify to switch on userfault

      Mark the area of RAM as 'userfault'
      Start up a fault-thread to handle any userfaults we might receive
      from it (to be filled in later)

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1caddf8a819d83027d897997c0af10c426f88633
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:03 2015 +0000

      postcopy: Incoming initialisation

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e0b266f01dd21748c12f35e18e6f300035f2f336
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:02 2015 +0000

      migration_completion: Take current state

      Soon we'll be in either ACTIVE or POSTCOPY_ACTIVE when we
      complete migration, and we need to know which we expect to be
      in to change state safely.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f3f491fcd6dd594ba695b7da5ecbdacb4e84b364
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:01 2015 +0000

      Postcopy: Maintain unsentmap

      Maintain an 'unsentmap' of pages that have yet to be sent.
      This is used in the following patches to discard some set of
      the pages already sent as we enter postcopy mode.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 763c906b0ee964e4b5c529a4ee171723339644cc
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:11:00 2015 +0000

      Add qemu_savevm_state_complete_postcopy

      Add qemu_savevm_state_complete_postcopy to complement
      qemu_savevm_state_complete_precopy together with a new
      save_live_complete_postcopy method on devices.

      The save_live_complete_precopy method is called on
      all devices during a precopy migration, and all non-postcopy
      devices during a postcopy migration at the transition.

      The save_live_complete_postcopy method is called at
      the end of postcopy for all postcopiable devices.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8421b205ddb70314c0de2aa3222aed755f310f87
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:59 2015 +0000

      Avoid sending vmdescription during postcopy

      VMDescription is normally sent at the end, after all
      of the devices; however that's not the end for postcopy,
      so just don't send it when in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 9ec055ae29df5132f61757519ab57b6b4209baa4
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:58 2015 +0000

      MIGRATION_STATUS_POSTCOPY_ACTIVE: Add new migration state

      'MIGRATION_STATUS_POSTCOPY_ACTIVE' is entered after migrate_start_postcopy

      'migration_in_postcopy' is provided for other sections to know if
      they're in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 36f48567b82e3160bc0df87b8b4f239d55ca73e9
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:57 2015 +0000

      migration_completion: Take current state

      Soon we'll be in either ACTIVE or POSTCOPY_ACTIVE when we
      complete migration, and we need to know which we expect to be
      in to change state safely.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4886a1bcb7d7a88da02eefb0f33327c613ac52a3
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:56 2015 +0000

      migrate_start_postcopy: Command to trigger transition to postcopy

      Once postcopy is enabled (with migrate_set_capability), the migration
      will still start on precopy mode.  To cause a transition into postcopy
      the:

        migrate_start_postcopy

      command must be issued.  Postcopy will start sometime after this
      (when it's next checked in the migration loop).

      Issuing the command before migration has started will error,
      and issuing after it has finished is ignored.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit eb59db53a4f23420f127ec7aad2a672f787df697
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:55 2015 +0000

      postcopy: OS support test

      Provide a check to see if the OS we're running on has all the bits
      needed for postcopy.

      Creates postcopy-ram.c which will get most of the other helpers we need.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c31b098f64c5bbbc26350b9b5cf98ae2d2888de7
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:54 2015 +0000

      Modify save_live_pending for postcopy

      Modify save_live_pending to return separate postcopiable and
      non-postcopiable counts.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 11cf1d984b86b294972cd25df6286e5b2e98735d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:53 2015 +0000

      MIG_CMD_PACKAGED: Send a packaged chunk of migration stream

      MIG_CMD_PACKAGED is a migration command that wraps a chunk of migration
      stream inside a package whose length can be determined purely by reading
      its header.  The destination guarantees that the whole MIG_CMD_PACKAGED
      is read off the stream prior to parsing the contents.

      This is used by postcopy to load device state (from the package)
      while leaving the main stream free to receive memory pages.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 093e3c429693f87fb917424c637ad8f599bd9e67
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:52 2015 +0000

      Add wrappers and handlers for sending/receiving the postcopy-ram 
migration messages.

      The state of the postcopy process is managed via a series of messages;
         * Add wrappers and handlers for sending/receiving these messages
         * Add state variable that track the current state of postcopy

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 53dd370ced9b61a8113fc1c19ac8d61ca572a29c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:51 2015 +0000

      Add migration-capability boolean for postcopy-ram.

      The 'postcopy ram' capability allows postcopy migration of RAM;
      note that the migration starts off in precopy mode until
      postcopy mode is triggered (see the migrate_start_postcopy
      patch later in the series).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7b89bf279f16c093ed46845b8e6e0fb61b7ef639
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:50 2015 +0000

      Rework loadvm path for subloops

      Postcopy needs to have two migration streams loading concurrently;
      one from memory (with the device state) and the other from the fd
      with the memory transactions.

      Split the core of qemu_loadvm_state out so we can use it for both.

      Allow the inner loadvm loop to quit and cause the parent loops to
      exit as well.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 70b2047774231ba2cb672eb936e12f603fa644aa
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:49 2015 +0000

      Return path: Source handling of return path

      Open a return path, and handle messages that are received upon it.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f6844b99ce08e836d509ec4be2fbfc5ab13ac18f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:48 2015 +0000

      migration_is_setup_or_active

      Add 'migration_is_setup_or_active' utility function to check state.
      (It gets postcopy added to it's list later on in the series)

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 6decec931149ae50d84e2b264bf93f3676d5b3f9
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:47 2015 +0000

      Return path: Send responses from destination to source

      Add migrate_send_rp_message to send a message from destination to source 
along the return path.
        (It uses a mutex to let it be called from multiple threads)
      Add migrate_send_rp_shut to send a 'shut' message to indicate
        the destination is finished with the RP.
      Add migrate_send_rp_ack to send a 'PONG' message in response to a PING
        Use it in the MSG_RP_PING handler

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2e37701efdba7bb89f7159eff055bb71dbb9f02f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:46 2015 +0000

      Return path: Control commands

      Add two src->dest commands:
         * OPEN_RETURN_PATH - To request that the destination open the return 
path
         * PING - Request an acknowledge from the destination

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c76ca1888f49b4155a9de5a915dc9f814800c817
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:45 2015 +0000

      Migration commands

      Create QEMU_VM_COMMAND section type for sending commands from
      source to destination.  These commands are not intended to convey
      guest state but to control the migration process.

      For use in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 3e4097b564386b1fd1b62f2cd20e056d4b3403da
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:44 2015 +0000

      Return path: socket_writev_buffer: Block even on non-blocking fd's

      The destination sets the fd to non-blocking on incoming migrations;
      this also affects the return path from the destination, and thus we
      need to make sure we can safely write to the return path.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a1a88589dc982f9f8b6c717c2ac98dd71dd4353d
  Merge: a8b4f95 577bf80
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 10 13:55:07 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151110' into staging

      target-arm queue:
       * fix bugs in gdb singlestep handling and breakpoints
       * minor code cleanup in arm_gic
       * clean up error messages in hw/arm/virt
       * fix highbank kernel booting by adding a board-setup blob

      # gpg: Signature made Tue 10 Nov 2015 13:43:52 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151110:
        target-arm: Clean up DISAS_UPDATE usage in AArch32 translation code
        hw/arm/virt: error_report cleanups
        arm: highbank: Implement PSCI and dummy monitor
        arm: highbank: Defeature CPU override
        arm: boot: Add secure_board_setup flag
        hw/intc/arm_gic: Remove the definition of NUM_CPU
        target-arm: Fix gdb singlestep handling in arm_debug_excp_handler()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit adc468e9b9ad866cd95b1e567291f9dcc1f49f1c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:43 2015 +0000

      Return path: Open a return path on QEMUFile for sockets

      Postcopy needs a method to send messages from the destination back to
      the source, this is the 'return path'.

      Wire it up for 'socket' QEMUFile's.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit c1fcf220c95b17f1a05adb799824d2c352ff9281
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:42 2015 +0000

      Add Linux userfaultfd.h header

      Postcopy uses the userfaultfd.h feature in the Linux kernel; include
      the header.

      (In early versions of the patch series we had this, and then we dropped
      this by only including it if the kernel headers defined the syscall
      number; however 1842bdfd added the syscall definition to our
      headers, which means we can't tell if the kernel has it or not)

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a3e06c3d13b77a2534894dcebbc6ac08568dbe73
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:41 2015 +0000

      Rename save_live_complete to save_live_complete_precopy

      In postcopy we're going to need to perform the complete phase
      for postcopiable devices at a different point, start out by
      renaming all of the 'complete's to make the difference obvious.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit aefeb18bde45fa629e3055a7bb6637a7dcad8c36
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:40 2015 +0000

      migrate_init: Call from savevm

      Suspend to file is very much like a migrate, and it makes life
      easier if we have the Migration state available, so initialise it
      in the savevm.c code for suspending.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewd-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a776aa15a7e3e08964c6c537314b9590dde27b4d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:39 2015 +0000

      ram_load: Factor out host_from_stream_offset call and check

      The main RAM load loop has a call to host_from_stream_offset for
      each page type that actually loads data with the same test;
      factor it out before the switch.

      The host = NULL is to silence a bogus gcc warning of
      an unitialised in the RAM_SAVE_COMPRESS_PAGE case, it
      doesn't seem to realise that host is always initialised by the if at
      the top in the cases the switch takes.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4f2e425267327719ee71ba6f191f7d66507a6c02
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:38 2015 +0000

      ram_debug_dump_bitmap: Dump a migration bitmap as text

      Useful for debugging the migration bitmap and other bitmaps
      of the same format (including the sentmap in postcopy).

      The bitmap is printed to stderr.
      Lines that are all the expected value are excluded so the output
      can be quite compact for many bitmaps.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit ebf811500bc8dffa906ebd4c52b96f7620d7bf8e
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:37 2015 +0000

      Add QEMU_MADV_NOHUGEPAGE

      Add QEMU_MADV_NOHUGEPAGE as an OS-independent version of
      MADV_NOHUGEPAGE.

      We include sys/mman.h before making the test to ensure
      that we pick up the system defines.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a800cd5c38ba4ac20fe9ca68a6dee408f2d5b11f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:36 2015 +0000

      Add wrapper for setting blocking status on a QEMUFile

      Add a wrapper to change the blocking status on a QEMUFile
      rather than having to use qemu_set_block(qemu_get_fd(f));
      it seems best to avoid exposing the fd since not all QEMUFile's
      really have one.  With this wrapper we could move the implementation
      down to be different on different transports.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 9504fb510c87c3dd6fe2e9a25e84c1426672f226
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:35 2015 +0000

      Add qemu_get_buffer_in_place to avoid copies some of the time

      qemu_get_buffer always copies the data it reads to a users buffer,
      however in many cases the file buffer inside qemu_file could be given
      back to the caller, avoiding the copy.  This isn't always possible
      depending on the size and alignment of the data.

      Thus 'qemu_get_buffer_in_place' either copies the data to a supplied
      buffer or updates a pointer to the internal buffer if convenient.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 42e2aa56372291d35345fcec85d5da2004c8b57c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:34 2015 +0000

      Rename mis->file to from_src_file

      'file' becomes confusing when you have flows in each direction;
      rename to make it clear.
      This leaves just the main forward direction ms->file, which is used
      in a lot of places and is probably not worth renaming given the churn.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e3dd74934f2d2c8c67083995928ff68e8c1d0030
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:33 2015 +0000

      qemu_ram_block_by_name

      Add a function to find a RAMBlock by name; use it in two
      of the places that already open code that loop; we've
      got another use later in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 422148d3e56c3c9a07c0cf36c1e0a0b76f09c357
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:32 2015 +0000

      qemu_ram_block_from_host

      Postcopy sends RAMBlock names and offsets over the wire (since it can't
      rely on the order of ramaddr being the same), and it starts out with
      HVA fault addresses from the kernel.

      qemu_ram_block_from_host translates a HVA into a RAMBlock, an offset
      in the RAMBlock and the global ram_addr_t value.

      Rewrite qemu_ram_addr_from_host to use qemu_ram_block_from_host.

      Provide qemu_ram_get_idstr since its the actual name text sent on the
      wire.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 87f50caa30ae7449c5875ff3171cff4d8648569a
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:31 2015 +0000

      Move page_size_init earlier

      The HOST_PAGE_ALIGN macros don't work until the page size variables
      have been set up; later in postcopy I use those macros in the RAM
      code, and it can be triggered using -object.

      Fix this by initialising page_size_init() earlier - it's currently
      initialised inside the accelerators, move it up into vl.c.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 172dfd4faf2b64720db8a2dad7048056f2b81d75
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:30 2015 +0000

      Move configuration section writing

      The vmstate_configuration is currently written
      in 'qemu_savevm_state_begin', move it to
      'qemu_savevm_state_header' since it's got a hard
      requirement that it must be the 1st thing after
      the header.
      (In postcopy some 'command' sections get sent
      early before the saving of the main sections
      and hence before qemu_savevm_state_begin).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 038629a699240326928665ea97e6e11059bbc007
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:29 2015 +0000

      Provide runtime Target page information

      The migration code generally is built target-independent, however
      there are a few places where knowing the target page size would
      avoid artificially moving stuff into migration/ram.c.

      Provide 'qemu_target_page_bits()' that returns TARGET_PAGE_BITS
      to other bits of code so that they can stay target-independent.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2bfdd1c8a6ac22ee1f9209c247509ff0cadd2a52
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Nov 5 18:10:28 2015 +0000

      Add postcopy documentation

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 577bf808958d06497928c639efaa473bf8c5e099
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      target-arm: Clean up DISAS_UPDATE usage in AArch32 translation code

      AArch32 translation code does not distinguish between DISAS_UPDATE and
      DISAS_JUMP. Thus, we cannot use any of them without first updating PC in
      CPU state. Furthermore, it is too complicated to update PC in CPU state
      before PC gets updated in disas context. So it is hardly possible to
      correctly end TB early if is is not likely to be executed before calling
      disas_*_insn(), e.g. just after calling breakpoint check helper.

      Modify DISAS_UPDATE and DISAS_JUMP usage in AArch32 translation and
      apply to them the same semantic as AArch64 translation does:
       - DISAS_UPDATE: update PC in CPU state when finishing translation
       - DISAS_JUMP:   preserve current PC value in CPU state when finishing
                       translation

      This patch fixes a bug in AArch32 breakpoint handling: when
      check_breakpoints helper does not generate an exception, ending the TB
      early with DISAS_UPDATE couldn't update PC in CPU state and execution
      hangs.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1447097859-586-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit faa811f6de44d58180f5d235787678dcdd4b2e9d
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      hw/arm/virt: error_report cleanups

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1446909925-12201-1-git-send-email-drjones@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 40340e5f221935723bffbca305f3090e8866c818
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      arm: highbank: Implement PSCI and dummy monitor

      Firstly, enable monitor mode and PSCI, both of which are features of
      this board.

      In addition to PSCI, this board also uses SMC for cache maintenance
      ops. This means we need a secure monitor to catch these and nop them.
      Use the ARM boot board-setup feature to implement this. The SMC trap
      implements the needed nop while all other traps will pen the CPU.

      As a KVM CPU cannot run in secure mode, do not do the board-setup if
      not running TCG. Report a warning explaining the limitation in this
      case.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
0fd0d12f0fa666c86616c89447861a70dbe27312.1447007690.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dca6eeed8c2a1c131d161139428dd18a35e58b03
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      arm: highbank: Defeature CPU override

      This board should not support CPU model override. This allows for
      easier patching of the board with being able to rely on the CPU
      type being correct.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
471a61e049c7ca6e82f5ef6668889a1d518c7e00.1447007690.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit baf6b6815ba9ae8255eefd1ddf15216d53da34b5
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      arm: boot: Add secure_board_setup flag

      Add a flag that when set, will cause the primary CPU to start in secure
      mode, even if the overall boot is non-secure. This is useful for when
      there is a board-setup blob that needs to run from secure mode, but
      device and secondary CPU init should still be done as-normal for a non-
      secure boot.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
d1170774d5446d715fced7739edfc61a5be931f9.1447007690.git.crosthwaite.peter@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b95690c9beaffd95edf91eb67829dc1e0a81e666
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Tue Nov 10 13:37:33 2015 +0000

      hw/intc/arm_gic: Remove the definition of NUM_CPU

      arm_gic.c retrieves CPU number using either NUM_CPU(s) or s->num_cpu.
      Such mixed-uses make source code inconsistent. This patch removes
      NUM_CPU(s), which was defined for MPCore tweak long ago, and instead
      favors s->num_cpu. The source is more consistent after this small tweak.

      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Message-id: 1446744293-32365-1-git-send-email-wei@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5c629f4ff4dc9ae79cc732f59a8df15ede796ff7
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Nov 10 13:37:32 2015 +0000

      target-arm: Fix gdb singlestep handling in arm_debug_excp_handler()

      Do not raise a CPU exception if no CPU breakpoint has fired, since
      singlestep is also done by generating a debug internal exception. This
      fixes a bug with singlestepping in gdbstub.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1446726361-18328-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a8b4f9585a0bf5186fca793ce2c5d754cd8ec49a
  Merge: ce27861 f545504
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 10 09:39:24 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-11-10' 
into staging

      QAPI patches

      # gpg: Signature made Tue 10 Nov 2015 07:12:25 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-11-10:
        qapi-introspect: Document lack of sorting
        qapi: Provide nicer array names in introspection
        qapi: More tests of input arrays
        qapi: Test failure in middle of array parse
        qapi: More tests of alternate output
        qapi: Simplify error cleanup in test-qmp-*
        qapi: Simplify non-error testing in test-qmp-*
        qapi: Plug leaks in test-qmp-*
        qapi: Share test_init code in test-qmp-input*
        qobject: Protect against use-after-free in qobject_decref()
        qapi: Strengthen test of TestStructList
        qapi: Use generated TestStruct machinery in tests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f5455044201747fd72531f5e8c1b1e9c56573d9c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:36 2015 -0700

      qapi-introspect: Document lack of sorting

      qapi-code-gen.txt already claims that types, commands, and
      events share a common namespace; set this in stone by further
      documenting that our introspection output will never have
      collisions with the same name tied to more than one meta-type.

      Our largest QMP enum currently has 125 values, our largest
      object type has 27 members, and the mean for each is less than
      10.  These sizes are small enough that the per-element overhead
      of O(log n) binary searching probably outweighs the speed
      possible with direct O(n) linear searching (a better algorithm
      with more overhead will only beat a leaner naive algorithm only
      as you scale to larger input sizes).

      Arguably, the overall SchemaInfo array could be sorted by name;
      there, we currently have 531 entities, large enough for a binary
      search to be faster than linear.  However, remember that we have
      mutually-recursive types, which means there is no topological
      ordering that will allow clients to learn all information about
      that type in a single linear pass; thus clients will want to do
      random access over the data, and they will probably read the
      introspection output into a hashtable for O(1) lookup rather
      than O(log n) binary searching, at which point, pre-sorting our
      introspection output doesn't help the client.

      It doesn't help that sorting can be subjective if you introduce
      locales into the mix (I'm not experienced enough with Python
      to know for sure, but at least it looks like it defaults to
      sorting in the C locale even when run under a different locale).
      And while our current introspection output is deterministic
      (because we visit entities in a sorted order), we may want
      to change that order in the future (such as using OrderedDict
      to stick to .json declaration order).

      For these reasons, we simply document that clients should not
      rely on any particular order of items in introspection output.
      And since it is now a documented part of the contract, we have
      the freedom to later rearrange output if needed, without
      worrying about breaking well-written clients.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-13-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ce5fcb472d512455a8d13fae4c04ecf8eb00573b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:35 2015 -0700

      qapi: Provide nicer array names in introspection

      For the sake of humans reading introspection output, it is nice
      to have the name of implicit array types be recognizable as
      arrays of the underlying type.  However, while this patch allows
      humans to skip from a command with return type "[123]" straight
      to the definition of type "123" without having to first inspect
      type "[123]", document that this shortcut should not be taken by
      client apps.

      This makes the resulting introspection string slightly larger by
      default (just over 200 bytes), but it's in the noise (less than
      0.3% of the overall 70k size of 'query-qmp-capabilities').

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-12-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2533377c7b0c686d1510ed6499cedf938607e805
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:34 2015 -0700

      qapi: More tests of input arrays

      Our testsuite had no coverage of empty arrays, nor of what
      happens when the input does not match the expected type.
      Useful to have, especially if we start changing the visitor
      contracts.

      I did not think it worth duplicating these additions to
      test-qmp-input-strict; since all strict mode does is add
      the ability to reject JSON input that has more keys than
      what the visitor expects, yet the additions in this patch
      error out earlier than that point regardless of whether
      strict mode was requested.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-11-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit dd5ee2c2d3e3a17647ddd9bfa97935b8cb5dfa40
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:33 2015 -0700

      qapi: Test failure in middle of array parse

      Our generated list visitors have the same problem as has been
      mentioned elsewhere (see commit 2f52e20): they allocate data
      even on failure. An upcoming patch will correct things to
      provide saner guarantees, but first we need to expose the
      behavior in the testsuite to ensure we aren't introducing any
      memory usage bugs.

      There are more test cases throughout the test-qmp-input-* tests
      that already deal with partial allocation; a later commit will
      clean up all visit_type_FOO(), without marking all of the tests
      with FIXME at this time.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-10-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 12fafd7cedad51854c468ea0496a6542b3222b29
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:32 2015 -0700

      qapi: More tests of alternate output

      The testsuite was only covering that we could output the 'int'
      branch of an alternate (no additional allocation/cleanup required).
      Add a test of the 'str' branch, to make sure that things still
      work even when a branch involves allocation.

      Update to modern style of g_new0() over g_malloc0() while
      touching it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-9-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit a12a5a1a0132527afe87c079e4aae4aad372bd94
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:31 2015 -0700

      qapi: Simplify error cleanup in test-qmp-*

      We have several tests that perform multiple sub-actions that are
      expected to fail.  Asserting that an error occurred, then clearing
      it up to prepare for the next action, turned into enough
      boilerplate that it was sometimes forgotten (for example, a number
      of tests added to test-qmp-input-visitor.c in d88f5fd leaked err).
      Worse, if an error is not reset to NULL, we risk invalidating
      later use of that error (passing a non-NULL err into a function
      is generally a bad idea).  Encapsulate the boilerplate into a
      single helper function error_free_or_abort(), and consistently
      use it.

      The new function is added into error.c for use everywhere,
      although it is anticipated that testsuites will be the main
      client.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ce278618b088afd10b91a05311eaeb6401bb5004
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 9 15:14:09 2015 +0000

      configure: Don't disable optimization for non-fortify builds

      Commit b553a0428014636bc inadvertently disabled optimization
      for all non-fortify builds. Fix this bug so we only do an
      unoptimized build if we want debug.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1447082049-25099-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit d17008bc2914d62fd0af6a8f313604ae9f9a102c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 9 14:56:31 2015 +0000

      hw/timer/hpet.c: Avoid signed integer overflow which results in bugs on 
OSX

      Signed integer overflow in C is undefined behaviour, and the compiler
      is at liberty to assume it can never happen and optimize accordingly.
      In particular, the subtractions in hpet_time_after() and 
hpet_time_after64()
      were causing OSX clang to optimize the code such that it was prone to
      hangs and complaints about the main loop stalling (presumably because
      we were spending all our time trying to service very high frequency
      HPET timer callbacks). The clang sanitizer confirms the UB:

      hw/timer/hpet.c:119:26: runtime error: signed integer overflow: 
-2146967296 - 2147003978 cannot be represented in type 'int'

      Fix this by doing the subtraction as an unsigned operation and then
      converting to signed for the comparison.

      Reported-by: Aaron Elkins <threcius@xxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1447080991-24995-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 3f66f764ee25f10d3e1144ebc057a949421b7728
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:30 2015 -0700

      qapi: Simplify non-error testing in test-qmp-*

      By using &error_abort, we can avoid a local err variable in
      situations where we expect success.  It also has the nice
      effect that if the test breaks, the error message from
      error_abort tends to be nicer than that of g_assert().

      This patch has an additional bonus of fixing several call sites that
      were passing &err to two different functions without checking it in
      between.  In general that is unsafe practice; because if the first
      function sets an error, the second function could abort() if it tries to
      set a different error. We got away with it because we were asserting
      that err was NULL through the entire chain, but switching to
      &error_abort avoids the questionable practice up front.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-7-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b18f1141d0afa00de11a8e079f4f5305c9e36893
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:29 2015 -0700

      qapi: Plug leaks in test-qmp-*

      Make valgrind happy with the current state of the tests, so that
      it is easier to see if future patches introduce new memory problems
      without being drowned in noise.  Many of the leaks were due to
      calling a second init without tearing down the data from an earlier
      visit.  But since teardown is already idempotent, and we already
      register teardown as part of input_visitor_test_add(), it is nicer
      to just make init() safe to call multiple times than it is to have
      to make all tests call teardown.

      Another common leak was forgetting to clean up an error object,
      after testing that an error was raised.

      Another leak was in test_visitor_in_struct_nested(), failing to
      clean the base member of UserDefTwo.  Cleaning that up left
      check_and_free_str() as dead code (since using the qapi_free_*
      takes care of recursion, and we don't want double frees).

      A final leak was in test_visitor_out_any(), which was reassigning
      the qobj local variable to a subset of the overall structure
      needing freeing; it did not result in a use-after-free, but
      was not cleaning up all the qdict.

      test-qmp-event and test-qmp-commands were already clean.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-6-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 0920a17199d23b3def3a60fa1fbbdeadcdda452d
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:28 2015 -0700

      qapi: Share test_init code in test-qmp-input*

      Rather than duplicate the body of two functions just to
      decide between qobject_from_jsonv() and qobject_from_json(),
      exploit the fact that qobject_from_jsonv() intentionally
      takes 'va_list *' instead of the more common 'va_list', and
      that qobject_from_json() just calls qobject_from_jsonv(,NULL).
      For each file, our two existing init functions then become
      thin wrappers around a new internal function, and future
      updates to initialization don't have to be duplicated.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-5-git-send-email-eblake@xxxxxxxxxx>
      [Two old comment typos fixed]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cc9f60d4a2a4bf2578a9309a18f1c4602c9f5ce7
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:27 2015 -0700

      qobject: Protect against use-after-free in qobject_decref()

      Adding an assertion to qobject_decref() will ensure that a
      programming error causing use-after-free will result in
      immediate failure (provided no other thread has started
      using the memory) instead of silently attempting to wrap
      refcnt around and leaving the problem to potentially bite
      later at a harder point to diagnose.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-4-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit bd20588d19e9ff0e94b2d4ca3b5d6b3b3d6a1274
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:26 2015 -0700

      qapi: Strengthen test of TestStructList

      Make each list element different, to ensure that order is
      preserved, and use the generated free function instead of
      hand-rolling our own to ensure (under valgrind) that the
      list is properly cleaned.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-3-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 748053c97b11039f657525fd7d57a39806d8083e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Nov 5 23:35:25 2015 -0700

      qapi: Use generated TestStruct machinery in tests

      Commit d88f5fd and friends first introduced the various test-qmp-*
      tests in 2011, with duplicated hand-rolled TestStruct machinery,
      to make sure the qapi visitor interface was tested.  Later, commit
      4f193e3 in 2013 added a .json file for further testing use by the
      files, but without consolidating any of the existing hand-rolled
      visitors.  And with four copies, subtle differences have crept in,
      between the tests themselves (mainly whitespace differences, but
      also a question of whether to use NULL or "TestStruct" when
      calling visit_start_struct()) and from what the generator produces
      (the hand-rolled versions did not cater to partially-allocated
      objects, because they did not have a deallocation usage).

      Of course, just because the visitor interface is tested does not
      mean it is a sane interface; and future patches will be changing
      some of the visitor contracts.  Rather than having to duplicate
      the cleanup work in each copy of the TestStruct visitor, and keep
      each hand-rolled copy in sync with what the generator supplies, we
      might as well just test what the generator should give us in the
      first place.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1446791754-23823-2-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9d5c1dc117d1ad881bbc76f6990ee1f9e9f8ef7f
  Merge: b3a9e57 84aa014
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 9 11:20:51 2015 +0000

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Mon 09 Nov 2015 10:08:17 GMT using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        blockdev: acquire AioContext in hmp_commit()
        monitor: add missed aio_context_acquire into vm_completion call
        aio: Introduce aio-epoll.c
        aio: Introduce aio_context_setup
        aio: Introduce aio_external_disabled
        dataplane: support non-contigious s/g
        dataplane: simplify indirect descriptor read

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 84aa0140dd4f04f5d993f0db14c40da8d3de2706
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Nov 4 20:27:23 2015 +0300

      blockdev: acquire AioContext in hmp_commit()

      This one slipped through.  Although we acquire AioContext when
      committing all devices we don't for just a single device.

      AioContext must be acquired before calling bdrv_*() functions to
      synchronize access with other threads that may be using the AioContext.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6bf1faa84877514971a20bb180b0ae5270bee571
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Wed Nov 4 20:19:42 2015 +0300

      monitor: add missed aio_context_acquire into vm_completion call

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      CC: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fbe3fc5cb3cd9f9064e98c549684e821c353fe41
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 30 12:06:29 2015 +0800

      aio: Introduce aio-epoll.c

      To minimize code duplication, epoll is hooked into aio-posix's
      aio_poll() instead of rolling its own. This approach also has both
      compile-time and run-time switchability.

      1) When QEMU starts with a small number of fds in the event loop, ppoll
      is used.

      2) When QEMU starts with a big number of fds, or when more devices are
      hot plugged, epoll kicks in when the number of fds hits the threshold.

      3) Some fds may not support epoll, such as tty based stdio. In this
      case, it falls back to ppoll.

      A rough benchmark with scsi-disk on virtio-scsi dataplane (epoll gets
      enabled from 64 onward). Numbers are in MB/s.

      ===============================================
                   |     master     |     epoll
                   |                |
      scsi disks # | read    randrw | read    randrw
      -------------|----------------|----------------
      1            | 86      36     | 92      45
      8            | 87      43     | 86      41
      64           | 71      32     | 70      38
      128          | 48      24     | 58      31
      256          | 37      19     | 57      28
      ===============================================

      To comply with aio_{disable,enable}_external, we always use ppoll when
      aio_external_disabled() is true.

      [Removed #ifdef CONFIG_EPOLL around AioContext epollfd field declaration
      since the field is also referenced outside CONFIG_EPOLL code.
      --Stefan]

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446177989-6702-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 37fcee5d1154b7a03c13582e128bcc31ad43e954
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 30 12:06:28 2015 +0800

      aio: Introduce aio_context_setup

      This is the place to initialize platform specific bits of AioContext.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446177989-6702-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5ceb9e39284b69d2e1b01da3cb1894ad4b2b4606
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 30 12:06:27 2015 +0800

      aio: Introduce aio_external_disabled

      This allows AioContext users to check the enable/disable state of
      external clients.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446177989-6702-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 8347c53243b58ad5e4d623d2403853404e9043a1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 28 17:48:04 2015 +0200

      dataplane: support non-contigious s/g

      bring_map currently fails if one of the entries it's mapping is
      contigious in GPA but not HVA address space.  Introduce a mapped_len
      parameter so it can handle this, returning the actual mapped length.

      This will still fail if there's no space left in the sg, but luckily max
      queue size in use is currently 256, while max sg size is 1024, so we
      should be OK even is all entries happen to cross a single DIMM boundary.

      Won't work well with very small DIMM sizes, unfortunately:
      e.g. this will fail with 4K DIMMs where a single
      request might span a large number of DIMMs.

      Let's hope these are uncommon - at least we are not breaking things.

      Reported-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reported-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1446047243-3221-2-git-send-email-mst@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 572ec519ed6fe68f10ec65963527536c2322eab0
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 28 17:48:02 2015 +0200

      dataplane: simplify indirect descriptor read

      Use address_space_read to make sure we handle the case of an indirect
      descriptor crossing DIMM boundary correctly.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1446047243-3221-1-git-send-email-mst@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b3a9e57d92dff7dd5822f322e4eb49af9e1b70b8
  Merge: c4a7bf5 0c47242
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Nov 7 21:41:33 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      target-i386: tcg: Handle clflushopt/clwb/pcommit instructions

      A small update to TCG code so it can handle the new
      clflushopt/clwb/pcommit instructions.

      # gpg: Signature made Sat 07 Nov 2015 14:50:54 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Add clflushopt/clwb/pcommit to TCG_7_0_EBX_FEATURES
        target-i386: tcg: Check right CPUID bits for clflushopt/pcommit
        target-i386: tcg: Accept clwb instruction

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c4a7bf54e588ff2de9fba0898b686156251b2063
  Merge: 4b59f39 dca6257
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Nov 7 19:55:15 2015 +0000

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri 06 Nov 2015 20:01:44 GMT using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        arm: allwinner-a10: Add SATA
        ahci: Add allwinner AHCI
        ahci: split realize and init
        ahci: Add some MMIO debug printfs
        ide: remove hardcoded 2GiB transactional limit

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dca625768a7da9377cd5886cc03854229c1e18a1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Nov 6 14:09:01 2015 -0500

      arm: allwinner-a10: Add SATA

      Add the Allwinner A10 AHCI controller module to the SoC.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
69d6962f2d14a218bd07e9ac4ccd1947737cc30f.1445917756.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 377e2145392e5787d35e58d643bd3de4838006b4
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Nov 6 14:09:01 2015 -0500

      ahci: Add allwinner AHCI

      Add a Sysbus AHCI subclass for the Allwinner AHCI. It has a few extra
      vendor specific registers which are used for phy and power init.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
833b5b05ed5ade38bf69656679b0a7575e79492b.1445917756.git.crosthwaite.peter@xxxxxxxxx
      [resolved patch context on pull --js]
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 0487eea48ecc6e525d6e626d94da54e203089a95
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Nov 6 14:09:00 2015 -0500

      ahci: split realize and init

      Do the init level tasks asap and the realize later (mainly when
      num_ports is available). This allows sub-class realize routines
      to work with the device post-init.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1a7c7b2b32e5ccf49373a5065da5ece89730d3ac.1445917756.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 802742670df73773c0dbaa251c63e4561cc794a1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Nov 6 14:09:00 2015 -0500

      ahci: Add some MMIO debug printfs

      These are useful for bringup of AHCI.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
517ba413dce7deb4ab17c0cc1e8bbdaaace2a0db.1445917756.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 9fbf0fa81fca8f527669dd4fa72662d66e7d6329
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Nov 6 14:09:00 2015 -0500

      ide: remove hardcoded 2GiB transactional limit

      Not that you can request a >2GiB transaction, but that's why checking
      for it makes no sense anymore.

      With the newer 'limit' parameter to prepare_buf, we no longer need a
      static limit. The maximum limit is still 2GiB, but the limit parameter
      is set to the current transaction size, which cannot surpass 32MiB
      (512 * 65536). If the PRDT surpasses the transactional size, then,
      we'll just carry out the normative underflow handling pathways instead
      of needing an extra, strange pathway that worries about hitting some
      logistical cap for the largest sglist we can support -- we'll never
      even attempt to build one that big anymore.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Acked-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1445902682-20051-1-git-send-email-jsnow@xxxxxxxxxx

  commit 0c47242b519a224279f13c685aa6e79347f97b85
  Author: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
  Date:   Thu Oct 29 15:31:39 2015 +0800

      target-i386: Add clflushopt/clwb/pcommit to TCG_7_0_EBX_FEATURES

      Now these instructions are handled by TCG and can be added to the
      TCG_7_0_EBX_FEATURES macro.

      Signed-off-by: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 891bc821a3ee462b09b1ec436f2891f00ab1f85b
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 4 19:24:46 2015 -0200

      target-i386: tcg: Check right CPUID bits for clflushopt/pcommit

      Detect the clflushopt and pcommit instructions and check their
      corresponding feature flags, instead of checking CPUID_SSE and
      CPUID_CLFLUSH.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 5e1fac2dba7780e0cb2c022d4b39586af70bea0d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Nov 4 19:24:45 2015 -0200

      target-i386: tcg: Accept clwb instruction

      Accept the clwb instruction (66 0F AE /6) if its corresponding feature
      flag is enabled on CPUID[7].

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 4b59f39bc9a03afcc74b2fa28da7c3189fca507c
  Merge: 9319738 bd54a9f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 6 12:50:24 2015 +0000

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-11-06' into staging

      trivial patches for 2015-11-06

      # gpg: Signature made Fri 06 Nov 2015 12:42:43 GMT using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-11-06: (24 commits)
        tap-bsd: use user-specified tap device if it already exists
        qemu-sockets: do not test path with access() before unlinking
        taget-ppc: Fix read access to IBAT registers higher than IBAT3
        exec: avoid unnecessary cacheline bounce on ram_list.mru_block
        target-alpha: fix uninitialized variable
        ivshmem-server: fix possible OVERRUN
        pci-assign: do not test path with access() before opening
        qom/object: fix 2 comment typos
        configure: remove help string for 'vnc-tls' option
        usb: Use g_new() & friends where that makes obvious sense
        qxl: Use g_new() & friends where that makes obvious sense
        ui: Use g_new() & friends where that makes obvious sense
        bt: fix use of uninitialized variable seqlen
        hw/dma/pxa2xx: Remove superfluous memset
        linux-user/syscall: Replace g_malloc0 + memcpy with g_memdup
        tests/i44fx-test: No need for zeroing memory before memset
        hw/input/tsc210x: Remove superfluous memset
        xen: fix invalid assertion
        tests: ignore test-qga
        fix bad indentation in pcie_cap_slot_write_config()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bd54a9f9435c85de190a82019faef16c5ecf8e46
  Author: Ed Maste <emaste@xxxxxxxxxxx>
  Date:   Fri Oct 23 11:53:55 2015 -0400

      tap-bsd: use user-specified tap device if it already exists

      Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
      Signed-off-by: Ed Maste <emaste@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a2f31f180499593b5edb8ac5ab8ac1b92f0abcd4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Nov 4 14:48:47 2015 +0100

      qemu-sockets: do not test path with access() before unlinking

      Using access() is a time-of-check/time-of-use race condition.  It is
      okay to use them to provide better error messages, but that is pretty
      much it.

      This is not one such case; on the other hand, access() *will* skip
      unlink() for a non-existent path, so ignore ENOENT return values from
      the unlink() system call.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3ede8f699645f4ca7cdbc40d8139e5a0275b4805
  Author: Julio Guerra <julio@xxxxxxxxxx>
  Date:   Wed Oct 14 19:43:19 2015 +0200

      taget-ppc: Fix read access to IBAT registers higher than IBAT3

      Fix the index used to read the IBAT's vector which results in IBAT0..3 
instead
      of IBAT4..N.

      The bug appeared by saving/restoring contexts including IBATs values.

      Signed-off-by: Julio Guerra <julio@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 68851b98e5bf6d397498b74f1776801274ab8d48
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 22 13:51:30 2015 +0200

      exec: avoid unnecessary cacheline bounce on ram_list.mru_block

      Whenever the MRU cache hits for the list of RAM blocks, qemu_get_ram_block
      does an unnecessary write that causes a processor cache line to bounce
      from one core to another.  This causes a performance hit.

      Reported-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 74de807f794ac5201b2b3c38ddadeef84a676a97
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 19 16:08:38 2015 +0200

      target-alpha: fix uninitialized variable

      I am not sure why the compiler does not catch it.  There is no
      semantic change since gen_excp returns EXIT_NORETURN, but the
      old code is wrong.

      Reported by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 258133bda9a6f22ba436ef9b63b7c086cc80190b
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Mon Nov 2 09:13:48 2015 +0800

      ivshmem-server: fix possible OVERRUN

      >>>     CID 1337991:  Memory - illegal accesses  (OVERRUN)
      >>>     Decrementing "i". The value of "i" is now 65534.
      218         while (i--) {
      219             event_notifier_cleanup(&peer->vectors[i]);
      220         }

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6268520d7df9b3f183bb4397218c9287441bc04f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Nov 2 15:17:37 2015 +0100

      pci-assign: do not test path with access() before opening

      Using access() is a time-of-check/time-of-use race condition.  It is
      okay to use them to provide better error messages, but that is pretty
      much it.

      In this case we can get the same error from fopen(), so just use
      strerror and errno there---which actually improves the error
      message most of the time.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b30d80546421c6ea919096b596887f496c80af0a
  Author: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
  Date:   Tue Nov 3 10:36:42 2015 +0800

      qom/object: fix 2 comment typos

      Also change the misleading definition of macro OBJECT_CLASS_CHECK

      Signed-off-by: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9f503153c78a23bcd44409cea64442c4ecd82ea5
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Nov 3 11:34:31 2015 +0000

      configure: remove help string for 'vnc-tls' option

      The '--enable-vnc-tls' option to configure was removed in

        commit 3e305e4a4752f70c0b5c3cf5b43ec957881714f7
        Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
        Date:   Thu Aug 6 14:39:32 2015 +0100

          ui: convert VNC server to use QCryptoTLSSession

      This removes the corresponding help string.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 98f343395e937fa1db3a28dfb4f303f97cfddd6c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 29 16:55:22 2015 +0100

      usb: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9de68637dff05a18d0eafcff2737e551b70bc490
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 29 16:55:21 2015 +0100

      qxl: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit fedf0d35aafc4f1f1e5f6dbc80cb23ae1ae49f0b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Nov 3 17:12:03 2015 +0100

      ui: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 374ec0669a1aa3affac7850a16c6cad18221c439
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 19 16:08:40 2015 +0200

      bt: fix use of uninitialized variable seqlen

      sdp_svc_match, sdp_attr_match and sdp_svc_attr_match read the last
      argument.  The only sensible way to change the code is to make that last
      argument "len" instead of "seqlen" which is the length of a subsequence
      in the previous "if" branch.

      To make the structure of the code clearer, use "else" instead of
      "else if".

      Reported by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1a13b27273cdc4f6fd18bc1e83950d47c6b5928b
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Oct 9 17:56:35 2015 +0200

      hw/dma/pxa2xx: Remove superfluous memset

      g_malloc0 already clears the memory, so no need for
      the additional memset here. And while we're at it,
      also convert the g_malloc0 to the preferred g_new0.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit e9d49d518d5d2b0411ee2625e46662a6065a909c
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Oct 9 17:56:38 2015 +0200

      linux-user/syscall: Replace g_malloc0 + memcpy with g_memdup

      No need to use g_malloc0 to zero the memory if we memcpy to
      the whole buffer afterwards anyway. Actually, there is even
      a function which combines both steps, g_memdup, so let's use
      this function here instead.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 112317867d573bb053d431f098060cf996d9b2e8
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Oct 9 17:56:37 2015 +0200

      tests/i44fx-test: No need for zeroing memory before memset

      Change a g_malloc0 into g_malloc since the following
      memset fills the whole buffer anyway.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a6c6d827605e416f0e127a325ee1efc9cf16afa5
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Oct 9 17:56:36 2015 +0200

      hw/input/tsc210x: Remove superfluous memset

      g_malloc0 already clears the memory, so no need for additional
      memsets here. And while we're at it, let's also remove the
      superfluous typecasts for the return values of g_malloc0
      and use the type-safe g_new0 instead.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2c21ec3d1818cb0395b5a9b73128e6920d44def7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 19 16:08:39 2015 +0200

      xen: fix invalid assertion

      Asserting "true" is not that useful.

      Reported by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3cd01b6ed8a1ae472f09cbcc47b7cba4d732f94c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Oct 20 13:41:33 2015 -0600

      tests: ignore test-qga

      Commit 62c39b30 added a new test, but did not mark it for
      exclusion in .gitignore.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6ba9fe86957c3c8febf74c2495d901ac4061a673
  Author: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
  Date:   Sun Oct 25 16:23:28 2015 +0800

      fix bad indentation in pcie_cap_slot_write_config()

      bad indentation conflicts with CODING_STYLE doc

      Signed-off-by: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 53d47be25a0c8bde5aa5b53625bc810f91c6271f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 14:27:31 2015 -0600

      maint: Ignore ivshmem binaries

      Commit a75eb03b added ivshmem-client and ivshmem-server binaries,
      but did not mark them for exclusion in .gitignore.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b21de19992cefdfef68217e50a8365ee5e535e10
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Oct 15 10:54:15 2015 +0200

      hw/display/tcx: Remove superfluous OBJECT() typecasts

      The tcx_initfn() function is already supplied with an
      Object *obj pointer, so there is no need to cast the
      state pointer back to an Object pointer all over the
      place. And while we're at it, also remove the superfluous
      "return;" statement in this function.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Acked-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5accecb3a6b49d8ca79684179610583e9c7c1bf5
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Oct 13 09:38:50 2015 +0200

      gdbstub: Fix buffer overflows in gdb_handle_packet()

      Some places in gdb_handle_packet() can get an arbitrary length (most
      times directly from the client) and either didn't check it at all or
      checked against the wrong value, potentially causing buffer overflows.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3c15d3a45045de82c744c49ff471d4c7ba405187
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Oct 12 12:54:57 2015 +0200

      hw/acpi/aml-build: remove useless glib version check

      2.22 is the minimum version required

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9319738080faeb09876ce2017fcaea4937c475ee
  Merge: 3aa88b3 ee31299
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 6 11:31:40 2015 +0000

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream-replay' 
into staging

      So here it is, let's see what happens.

      # gpg: Signature made Fri 06 Nov 2015 09:30:34 GMT using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream-replay:
        replay: recording of the user input
        replay: command line options
        replay: replay blockers for devices
        replay: initialization and deinitialization
        replay: ptimer
        bottom halves: introduce bh call function
        replay: checkpoints
        icount: improve counting for record/replay
        replay: shutdown event
        replay: recording and replaying clock ticks
        replay: asynchronous events infrastructure
        replay: interrupts and exceptions
        cpu: replay instructions sequence
        cpu-exec: allow temporary disabling icount
        replay: introduce icount event
        replay: introduce mutex to protect the replay log
        replay: internal functions for replay log
        replay: global variables and function stubs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3aa88b31290c7cbbbae344efdece659194b95c70
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Nov 2 14:06:23 2015 +0000

      configure: add missing --disable-modules option

      According to ./configure all options should have both --enable-foo and
      --disable-foo:

        # Always add --enable-foo and --disable-foo command line args.
        # Distributions want to ensure that several features are compiled in, 
and it
        # is impossible without a --enable-foo that exits if a feature is not 
found.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1446473183-24250-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 574418132355bae50e829eb7890c8ea5dcb53fd8
  Merge: 496c1b1 f7fda28
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Nov 6 10:10:15 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-11-05

      # gpg: Signature made Thu 05 Nov 2015 19:35:31 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Enable clflushopt/clwb/pcommit instructions
        target-i386: Remove POPCNT from qemu64 and qemu32 CPU models
        target-i386: Remove ABM from qemu64 CPU model
        target-i386: Remove SSE4a from qemu64 CPU model
        target-i386: Set "check=off" by default on pc-*-2.4 and older

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ee312992a323530ea2cda8680f3a34746c72db8f
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:24 2015 +0300

      replay: recording of the user input

      This records user input (keyboard and mouse events) in record mode and 
replays
      these input events in replay mode.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162524.8676.11696.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 4c27b859722089e0270fd4f41b4b3c63b6647439
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:18 2015 +0300

      replay: command line options

      This patch introduces command line options for enabling recording or 
replaying
      virtual machine behavior. These options are added to icount command line
      parameter. They include 'rr' which switches between record and replay
      and 'rrfile' for specifying the filename for replay log.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162518.8676.70792.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 0194749ac4131e1bed8e166c5d5cf541678ef204
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:13 2015 +0300

      replay: replay blockers for devices

      Some devices are not supported by record/replay subsystem.
      This patch introduces replay blocker which denies starting record/replay
      if such devices are included into the configuration.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162512.8676.11367.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 7615936ebf4e60c4565268a30df2356c841526f8
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:07 2015 +0300

      replay: initialization and deinitialization

      This patch introduces the functions for enabling the record/replay and for
      freeing the resources when simulator closes.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162507.8676.90232.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 8a354bd935a800dd2d98ac8f30707e2912c80ae6
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:56 2015 +0300

      replay: ptimer

      This patch adds deterministic replay for hardware periodic countdown 
timers.
      ptimer uses bottom halves layer to execute such an asynchronous callback.
      We put this callback into the replay queue instead of bottom halves one.
      When checkpoint is met by main loop thread, the replay queue is processed
      and callback is executed. Binding callback moment to one of the 
checkpoints
      makes it deterministic.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162456.8676.83366.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit df281b80b9ecba65d85795aa738c29e5b94d5ef1
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:50 2015 +0300

      bottom halves: introduce bh call function

      This patch introduces aio_bh_call function. It is used to execute
      bottom halves as callbacks without adding them to the queue.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162450.8676.56980.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 8bd7f71d794b93ce027b856f5b79a98f4f82e44c
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:44 2015 +0300

      replay: checkpoints

      This patch introduces checkpoints that synchronize cpu thread and 
iothread.
      When checkpoint is met in the code all asynchronous events from the queue
      are executed.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162444.8676.52916.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit efab87cf79077a9624f675fc5fc8f034eaedfe4d
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:39 2015 +0300

      icount: improve counting for record/replay

      icount_warp_rt function is called by qemu_clock_warp and as
      callback of icount_warp timer. This patch adds call to qemu_clock_warp
      into main_loop_wait function, because icount warp may be missed
      in record/replay mode, when CPU is sleeping.
      This patch also disables of calling this function by timer, because
      it is not needed after making modifications of main_loop_wait.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162439.8676.38290.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit b60c48a7019614902f2debe4d4181ec8cfa60e0d
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:33 2015 +0300

      replay: shutdown event

      This patch records and replays simulator shutdown event.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162433.8676.32262.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 8eda206e09089914006bfbdd71467d5246c06e4a
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:28 2015 +0300

      replay: recording and replaying clock ticks

      Clock ticks are considered as the sources of non-deterministic data for
      virtual machine. This patch implements saving the clock values when they
      are acquired (virtual, host clock).
      When replaying the execution corresponding values are read from log and
      transfered to the module, which wants to read the values.
      Such a design required the clock polling to be synchronized. Sometimes
      it is not true - e.g. when timeouts for timer lists are checked. In this 
case
      we use a cached value of the clock, passing it to the client code.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162427.8676.36558.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit c0c071d05279ec1429352200affc5c70bb4e5980
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:22 2015 +0300

      replay: asynchronous events infrastructure

      This patch adds module for saving and replaying asynchronous events.
      These events include network packets, keyboard and mouse input,
      USB packets, thread pool and bottom halves callbacks.
      All events are stored in the queue to be processed at synchronization 
points
      such as beginning of TB execution, or checkpoint in the iothread.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162422.8676.88696.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>

  commit 6f0609697f3670bf755a91477487507a8ffee471
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:16 2015 +0300

      replay: interrupts and exceptions

      This patch includes modifications of common cpu files. All interrupts and
      exceptions occured during recording are written into the replay log.
      These events allow correct replaying the execution by kicking cpu thread
      when one of these events is found in the log.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162416.8676.57647.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f7fda280948a5e74aeb076ef346b991ecb173c56
  Author: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
  Date:   Thu Oct 29 15:31:39 2015 +0800

      target-i386: Enable clflushopt/clwb/pcommit instructions

      These instructions are used by NVDIMM drivers and the specification is
      located at:
      
https://software.intel.com/sites/default/files/managed/0d/53/319433-022.pdf

      There instructions are available on Skylake Server.

      Signed-off-by: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 6aa91e4a0237ddcebb85e3a95e166f3b3cfa42ae
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Nov 3 17:24:18 2015 -0200

      target-i386: Remove POPCNT from qemu64 and qemu32 CPU models

      POPCNT is not available on Penryn and older and on Opteron_G2 and older,
      and we want to make the default CPU runnable in most hosts, so it won't
      be enabled by default in KVM mode.

      We should eventually have all features supported by TCG enabled by
      default in TCG mode, but as we don't have a good mechanism today to
      ensure we have different defaults in KVM and TCG mode, disable POPCNT in
      the qemu64 and qemu32 CPU models entirely.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 711956722c6764336f8b78a2106e57c55f02f36d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Nov 3 17:24:18 2015 -0200

      target-i386: Remove ABM from qemu64 CPU model

      ABM is not available on Sandy Bridge and older, and we want to make the
      default CPU runnable in most hosts, so it won't be enabled by default in
      KVM mode.

      We should eventually have all features supported by TCG enabled by
      default in TCG mode, but as we don't have a good mechanism today to
      ensure we have different defaults in KVM and TCG mode, disable ABM in
      the qemu64 CPU model entirely.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 0909ad24b2769368716c85f79fbb995dbb7041a9
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Nov 3 17:17:33 2015 -0200

      target-i386: Remove SSE4a from qemu64 CPU model

      SSE4a is not available in any Intel CPU, and we want to make the default
      CPU runnable in most hosts, so it doesn't make sense to enable it by
      default in KVM mode.

      We should eventually have all features supported by TCG enabled by
      default in TCG mode, but as we don't have a good mechanism today to
      ensure we have different defaults in KVM and TCG mode, disable SSE4a in
      the qemu64 CPU model entirely.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 3e68482224129c3ddc061af7c9d438b882ecfdd1
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Nov 3 17:18:50 2015 -0200

      target-i386: Set "check=off" by default on pc-*-2.4 and older

      The default CPU model (qemu64) have some issues today: it enables some
      features (ABM and SSE4a) that are not present in many host CPUs. That
      means many hosts (but not all of them) had those features silently
      disabled in the default configuration in QEMU 2.4 and older.

      With the new "check=on" default, this causes warnings to be printed in
      the default configuration, because of the lack of SSE4A on all Intel
      hosts, and the lack of ABM on Sandy Bridge and older hosts:

        $ qemu-system-x86_64 -machine pc,accel=kvm
        warning: host doesn't support requested feature: 
CPUID.80000001H:ECX.abm [bit 5]
        warning: host doesn't support requested feature: 
CPUID.80000001H:ECX.sse4a [bit 6]

      Those issues will be fixed in pc-*-2.5 and newer. But as we can't change
      the guest ABI in pc-*-2.4, disable "check" mode by default in pc-*-2.4
      and older so we don't print spurious warnings.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 382e1737d3467b76e8ade34b96afaae91509002e
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Nov 5 10:12:18 2015 +0100

      vnc: fix mismerge

      Commit "4d77b1f vnc: fix bug: vnc server can't start when 'to' is
      specified" was rebased incorrectly, fix it.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Yang Hongyang <hongyang.yang@xxxxxxxxxxxx>
      Message-id: 1446714738-22400-1-git-send-email-kraxel@xxxxxxxxxx

  commit 496c1b19facc7b850fa0c09899fcc07a0702fbfd
  Merge: 8835b9d e01dd3d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 5 14:31:24 2015 +0000

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * Guest ABI fixes for PC machines (hw_version)
      * Fixes for recent Perl
      * John Snow's configure fixes
      * file-backed RAM improvements (Igor, Pavel)
      * -Werror=clobbered fixes (Stefan)
      * Kill -d ioport
      * Fix qemu-system-s390x
      * Performance improvement for kvmclock migration

      # gpg: Signature made Thu 05 Nov 2015 13:42:27 GMT using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream:
        iscsi: Translate scsi sense into error code
        Revert "Introduce cpu_clean_all_dirty"
        kvmclock: add a new function to update env->tsc.
        configure: disable FORTIFY_SOURCE under clang
        backends/hostmem-file: Allow to specify full pathname for backing file
        configure: disallow ccache during compile tests
        cpu-exec: Fix compiler warning (-Werror=clobbered)
        memory: call begin, log_start and commit when registering a new listener
        megasas: Use qemu_hw_version() instead of QEMU_VERSION
        osdep: Rename qemu_{get, set}_version() to qemu_{, set_}hw_version()
        pc: Set hw_version on all machine classes
        qemu-log: remove -d ioport
        ioport: do not use CPU_LOG_IOPORT
        target-i386: fix pcmpxstrx equal-ordered (strstr) mode
        scripts/text2pod.pl: Escape left brace
        file_ram_alloc: propagate error to caller instead of terminating QEMU

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e01dd3da5cf9aa90ae844d3b86c2c2762066edac
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Nov 5 13:00:09 2015 +0800

      iscsi: Translate scsi sense into error code

      Previously we return -EIO blindly when anything goes wrong. Add a helper
      function to parse sense fields and try to make the return code more
      meaningful.

      This also fixes the default werror configuration (enospc) when we're
      using qcow2 on an iscsi lun. The old -EIO not being treated as out of
      space error failed to trigger vm stop.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1446699609-11376-1-git-send-email-famz@xxxxxxxxxx>
      [libiscsi 1.9 compatibility - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8b42704441865611a5ee241ac9fc5cabc47a079b
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:05 2015 +0300

      cpu: replay instructions sequence

      This patch adds calls to replay functions into the icount setup block.
      In record mode number of executed instructions is written to the log.
      In replay mode number of istructions to execute is taken from the replay 
log.
      When replayed instructions counter is expired qemu_notify_event()
      function is called to wake up the iothread.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162405.8676.31890.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 56c0269a9ec105d3848d9f900b5e38e6b35e2478
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:59 2015 +0300

      cpu-exec: allow temporary disabling icount

      This patch is required for deterministic replay to generate an exception
      by trying executing an instruction without changing icount.
      It adds new flag to TB for disabling icount while translating it.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162359.8676.77011.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 26bc60ac82f88d14e65be5387eb4a136edf94f1b
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:54 2015 +0300

      replay: introduce icount event

      This patch adds icount event to the replay subsystem. This event 
corresponds
      to execution of several instructions and used to synchronize input events
      in the replay phase.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162354.8676.31351.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c16861ef1b7b27803b4c068ef778ba0f80fba1c2
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:48 2015 +0300

      replay: introduce mutex to protect the replay log

      This mutex will protect read/write operations for replay log.
      Using mutex is necessary because most of the events consist of
      several fields stored in the log. The mutex will help to avoid races.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162348.8676.8628.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c92079f45fec0bc6a2757aa3783dd9b0604089ba
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:43 2015 +0300

      replay: internal functions for replay log

      This patch adds functions to perform read and write operations
      with replay log.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162342.8676.29445.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d73abd6dcc105fb5cacc34716046fca63132a264
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:37 2015 +0300

      replay: global variables and function stubs

      This patch adds global variables, defines, function declarations,
      and function stubs for deterministic VM replay used by external modules.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162337.8676.41538.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8835b9df3bddf332c883c861d6a1defc12c4ebe9
  Merge: 6c5f30c fb68777
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 5 10:52:35 2015 +0000

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-11-04-tag' into staging

      qemu-ga patch queue

      * fix file handle cleanup on w32
      * use non-blocking mode for file handles on w32 to avoid
        hangs on guest-file-read/guest-file-write to pipes

      # gpg: Signature made Wed 04 Nov 2015 19:36:16 GMT using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-11-04-tag:
        qga: set file descriptor in qmp_guest_file_open non-blocking on Win32
        qga: fixed CloseHandle in qmp_guest_file_open
        qga: drop hand-made guest_file_toggle_flags helper

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6388acc853b7862761d3c2864be99033e8b62dcc
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Thu Nov 5 11:51:04 2015 +0800

      Revert "Introduce cpu_clean_all_dirty"

      This reverts commit de9d61e83d43be9069e6646fa9d57a3f47779d28.

      Now 'cpu_clean_all_dirty' is useless, we can revert the related code.

      Conflicts:
        include/sysemu/kvm.h

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Message-Id: <1446695464-27116-3-git-send-email-liang.z.li@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0fd7e098db30e302d27920487f0afec33be8982a
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Thu Nov 5 11:51:03 2015 +0800

      kvmclock: add a new function to update env->tsc.

      The commit 317b0a6d8 fixed an issue which caused by the outdated
      env->tsc value, but the fix lead to 'cpu_synchronize_all_states()'
      called twice during live migration. The 'cpu_synchronize_all_states()'
      takes about 130us for a VM which has 4 vcpus, it's a bit expensive.

      Synchronize the whole CPU context just for updating env->tsc is too
      wasting, this patch use a new function to update the env->tsc.
      Comparing to 'cpu_synchronize_all_states()', it only takes about 20us.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Message-Id: <1446695464-27116-2-git-send-email-liang.z.li@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b553a0428014636bce4951098e97c60dc18a83ed
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Nov 3 15:43:42 2015 -0500

      configure: disable FORTIFY_SOURCE under clang

      Some versions of clang may have difficulty compiling glibc headers when
      -D_FORTIFY_SOURCE is used. For example, Clang++ 3.5.0-9.fc22 cannot
      compile glibc's stdio headers when -D_FORTIFY_SOURCE=2 is used. This
      manifests currently as build failures with clang and any arm target.

      According to LLVM dev Richard Smith, clang does not target or support
      FORTIFY_SOURCE + glibc, and it should not be relied on.
      "It's still an unsupported combination, and while it might compile, some
      of the checks are unlikely to work because they require a frontend
      inliner to be useful"

      See: http://lists.llvm.org/pipermail/cfe-dev/2015-November/045846.html

      Conclusion: disable fortify-source if we appear to be using clang instead
      of testing for compile success or failure, which may be incidental or not
      indicative of proper support of the feature.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-Id: <1446583422-10153-1-git-send-email-jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6c5f30cad290c745f910481d0e890b3f4fad1f00
  Merge: 2b5a79f 96e5c9b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Nov 5 10:10:57 2015 +0000

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151104' into staging

      migration/next for 20151104

      # gpg: Signature made Wed 04 Nov 2015 12:45:19 GMT using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151104:
        migration: fix analyze-migration.py script
        migration: code clean up
        migration: rename cancel to cleanup in SaveVMHandles
        migration: rename qemu_savevm_state_cancel
        migration: defer migration_end & blk_mig_cleanup

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f14c3d85b003d8614144ae67a26157667c1e1245
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:10:14 2015 +0100

      buffer: allow a buffer to shrink gracefully

      the idea behind this patch is to allow the buffer to shrink, but
      make this a seldom operation. The buffers average size is measured
      exponentionally smoothed with am alpha of 1/128.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-20-git-send-email-kraxel@xxxxxxxxxx

  commit 4ec5ba151ff3f2ac8dc44dabd058eca5846654a6
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:10:13 2015 +0100

      buffer: factor out buffer_adj_size

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-19-git-send-email-kraxel@xxxxxxxxxx

  commit fd95243372f7657c2d24aed269e3be01bed1b87c
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:10:12 2015 +0100

      buffer: factor out buffer_req_size

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-18-git-send-email-kraxel@xxxxxxxxxx

  commit c3d6899c5e67dfd7ff195eccc10541f3b7e141a7
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:10:11 2015 +0100

      vnc: recycle empty vs->output buffer

      If the vs->output buffer is empty it will be dropped
      by the next qio_buffer_move_empty in vnc_jobs_consume_buffer
      anyway. So reuse the allocated buffer from this buffer
      in the worker thread where we otherwise would start with
      an empty (unallocated buffer).

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-17-git-send-email-kraxel@xxxxxxxxxx

      [ added a comment describing the non-obvious optimization ]

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2e0c90af0a33451498d333d72c06e5429c7cd168
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:10 2015 +0100

      vnc: fix local state init

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-16-git-send-email-kraxel@xxxxxxxxxx

  commit c7628bff4138ce906a3620d12e0820c1cf6c140d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:09 2015 +0100

      vnc: only alloc server surface with clients connected

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-15-git-send-email-kraxel@xxxxxxxxxx

  commit f7b3d68c95bc4f8915a3d084360aa07c7f4e4717
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:08 2015 +0100

      vnc: use vnc_{width,height} in vnc_set_area_dirty

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-14-git-send-email-kraxel@xxxxxxxxxx

  commit 453f842bc4cab49f10c267cff9ad3cf657265d49
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:07 2015 +0100

      vnc: factor out vnc_update_server_surface

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-13-git-send-email-kraxel@xxxxxxxxxx

  commit d05959c2e111858bb83c40ae5d8b8c10964b7bb0
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:06 2015 +0100

      vnc: add vnc_width+vnc_height helpers

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-12-git-send-email-kraxel@xxxxxxxxxx

  commit e081aae5ae01f5ff695ba9fee4e622053d8e4bfe
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:05 2015 +0100

      vnc: zap dead code

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-11-git-send-email-kraxel@xxxxxxxxxx

  commit d90340115a3569caa72063775ff927f4dc353551
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:04 2015 +0100

      vnc-jobs: move buffer reset, use new buffer move

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-10-git-send-email-kraxel@xxxxxxxxxx

  commit 8305f917c1bc86b1ead0fa9197b5443a4bd611f3
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:03 2015 +0100

      vnc: kill jobs queue buffer

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-9-git-send-email-kraxel@xxxxxxxxxx

  commit 543b95801f98ab2cb7413c39779fd5b7f363ce3d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:02 2015 +0100

      vnc: attach names to buffers

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-8-git-send-email-kraxel@xxxxxxxxxx

  commit d2b90718d25ed6dc8a2bb7f06504e6500dcc7bae
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:01 2015 +0100

      buffer: add tracing

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-7-git-send-email-kraxel@xxxxxxxxxx

  commit 1ff36b5d4d00a4e3633eb960bf2be562f5e47dbf
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:10:00 2015 +0100

      buffer: add buffer_shrink

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-6-git-send-email-kraxel@xxxxxxxxxx

  commit 830a9583206a051c240b74c3f688a015dc5d2967
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:09:59 2015 +0100

      buffer: add buffer_move

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-5-git-send-email-kraxel@xxxxxxxxxx

  commit 4d1eb5fdb141c9100eb82e1dc7d4547fb1decd8b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:09:58 2015 +0100

      buffer: add buffer_move_empty

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-4-git-send-email-kraxel@xxxxxxxxxx

  commit 810082d15c244b8b29470d3bb1c6b11fc9a40c25
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 30 12:09:57 2015 +0100

      buffer: add buffer_init

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1446203414-4013-3-git-send-email-kraxel@xxxxxxxxxx

  commit 5c10dbb7b577370e86ff459973b06d530c3777cf
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Oct 30 12:09:56 2015 +0100

      buffer: make the Buffer capacity increase in powers of two

      This makes sure the number of reallocs is in O(log N).

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Message-id: 1446203414-4013-2-git-send-email-kraxel@xxxxxxxxxx

      [ rebased to util/buffer.c ]

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2b5a79f1d961f07332cf77f38cdf9dc2fc7e2b64
  Merge: 79cf9fa 5dfdae8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Nov 4 18:20:31 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-11-03' 
into staging

      vl.c: Error message rework

      # gpg: Signature made Tue 03 Nov 2015 08:40:50 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-11-03:
        vl.c: Use "%s support is disabled" error messages consistently
        vl.c: Improve warnings on use of deprecated options
        vl.c: Touch up error messages
        vl.c: Remove unnecessary uppercase in error messages
        vl.c: Use "warning:" prefix consistently on warnings
        vl.c: Remove periods and exclamation points from error messages
        vl.c: Replace fprintf(stderr) with error_report()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8d31d6b65a7448582c7bd320fd1b8cfc6cca2720
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Wed Oct 28 12:54:07 2015 +0300

      backends/hostmem-file: Allow to specify full pathname for backing file

      This allows to explicitly specify file name to use with the backend. This
      is important when using it together with ivshmem in order to make it 
backed
      by hugetlbfs. By default filename is autogenerated using mkstemp(), and 
the
      file is unlink()ed after creation, effectively making it anonymous. This 
is
      not very useful with ivshmem because it ends up in a memory which cannot 
be
      accessed by something else.

      Distinction between directory and file name is done by stat() check. If an
      existing directory is given, the code keeps old behavior. Otherwise it
      creates or opens a file with the given pathname.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Tested-by: Igor Skalkin <i.skalkin@xxxxxxxxxxx>
      Message-Id: <004301d11166$9672fe30$c358fa90$@samsung.com>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5e4dfd3d4e87e0464d599ecef06aa8fe78420a9b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Oct 28 13:56:40 2015 -0400

      configure: disallow ccache during compile tests

      If the user is using ccache during the configuration step,
      it may interfere with some of the configuration tests,
      particularly the "Is ccache interfering with macro analysis" step,
      which is a bit of a poetic problem.

      1) Disallow ccache from reading from the cache during configure,
         but don't disable it entirely to allow us to see if it causes other
         problems.

      2) Force off CCACHE_CPP2 during the ccache test to get a deterministic
         answer over whether or not we need to enable that feature later.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-Id: <1446055000-29150-1-git-send-email-jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0448f5f8b816923b198ab6c32286fd1f3b2f3e45
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Sep 26 13:23:26 2015 +0200

      cpu-exec: Fix compiler warning (-Werror=clobbered)

      Reloading of local variables after sigsetjmp is only needed for some
      buggy compilers.

      The code which should reload these variables causes compiler warnings
      with gcc 4.7 when compiler optimizations are enabled:

      cpu-exec.c:204:15: error:
       variable â??cpuâ?? might be clobbered by â??longjmpâ?? or â??vforkâ?? 
[-Werror=clobbered]
      cpu-exec.c:207:15: error:
       variable â??ccâ?? might be clobbered by â??longjmpâ?? or â??vforkâ?? 
[-Werror=clobbered]
      cpu-exec.c:202:28: error:
       argument â??envâ?? might be clobbered by â??longjmpâ?? or â??vforkâ?? 
[-Werror=clobbered]

      Now this code is only used for compilers which need it
      (and gcc 4.5.x, x > 0 which does not need it but won't give warnings).

      There were bug reports for clang and gcc 4.5.0, while gcc 4.5.1
      was reported to work fine without the reload code. For clang it
      is not clear which versions are affected, so simply keep the status quo
      for all clang compilations. This can be improved later.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Message-Id: <1443266606-21400-1-git-send-email-sw@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 680a4783dc13f1059c03d11da58193d76c19ead6
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Nov 2 09:23:52 2015 +0100

      memory: call begin, log_start and commit when registering a new listener

      This ensures that cpu_reload_memory_map() is called as soon as
      tcg_cpu_address_space_init() is called, and before cpu->memory_dispatch
      is used.  qemu-system-s390x never changes the address spaces after
      tcg_cpu_address_space_init() is called, and thus tcg_commit() is never
      called.  This causes a SIGSEGV.

      Because memory_map_init() will now call mem_commit(), we have to
      initialize io_mem_* before address_space_memory and friends.

      Reported-by: Philipp Kern <pkern@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Fixes: 0a1c71cec63e95f9b8d0dc96d049d2daa00c5210
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 69fbd0ea25d1f45ab2c8b0d3f431e83063f977f2
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 17:36:09 2015 -0200

      megasas: Use qemu_hw_version() instead of QEMU_VERSION

      Guest visible data shouldn't change with a simple QEMU upgrade, so use
      qemu_hw_version() to ensure it won't change (as long as the machine
      class being used has hw_version set).

      Cc: Hannes Reinecke <hare@xxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Reviewed-by: Hannes Reinecke <hare@xxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446233769-7892-4-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 35c2c8dc8c0899882a8e0d349d93bd657772f1e7
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 17:36:08 2015 -0200

      osdep: Rename qemu_{get, set}_version() to qemu_{, set_}hw_version()

      This makes the purpose of the function clearer: it is not about the
      version of QEMU that's running, but the version string exposed in the
      emulated hardware.

      Cc: Andrzej Zaborowski <balrogg@xxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446233769-7892-3-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit de796d93f59d363409dfd9e186ccd64a21f92204
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 17:36:07 2015 -0200

      pc: Set hw_version on all machine classes

      In 2012, QEMU had a bug where it exposed QEMU version information to the
      guest, meaning a QEMU upgrade would expose different hardware to the
      guest OS even if the same machine-type is being used.

      The bug was fixed by commit 93bfef4c6e4b23caea9d51e1099d06433d8835a4, on
      all machines up to pc-1.0. But we kept introducing the same bug on all
      newer machines since then. That means we are breaking guest ABI every
      time QEMU was upgraded.

      Fix this by setting the hw_version on all PC machines, making sure the
      hardware won't change when upgrading QEMU.

      Note that QEMU_VERSION was "1.0" in QEMU 1.0, but starting on QEMU
      1.1.0, it started following the "x.y.0" pattern. We have to follow it,
      to make sure we use the right QEMU_VERSION string from each QEMU
      release.

      The 2.5 machine classes could have hw_version unset, because the default
      value for qemu_get_version() is QEMU_VERSION. But I decided to set it
      explicitly to QEMU_VERSION so we don't forget to update it to "2.5.0"
      after we release 2.5.0 and create a 2.6 machine class.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446233769-7892-2-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ddcc8e9d51c415a7b7b2983c3552408d9a50be6e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Oct 16 15:09:01 2015 +0200

      qemu-log: remove -d ioport

      It was disabled at compile-time, and is now replaced by tracepoints.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6f94b7d97f7e0e486a70fb06b703442e2c04a29a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Oct 16 15:08:34 2015 +0200

      ioport: do not use CPU_LOG_IOPORT

      These messages are disabled by default; a perfect usecase for tracepoints,
      which in fact already exist.  Add the missing information to them and
      stop using qemu_log_mask.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 54c54f8b56047d3c2420e1ae06a6a8890c220ac4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 11:50:27 2015 +0200

      target-i386: fix pcmpxstrx equal-ordered (strstr) mode

      In this mode, referring an invalid element of the source forces the
      result to false (table 4-7, last column) but referring an invalid
      element of the destination forces the result to true, so the outer
      loop should still be run even if some elements of the destination
      will be invalid.  They will be avoided in the inner loop, which
      correctly bounds "i" to validd, but they will still contribute to a
      positive outcome of the search.

      This fixes tst_strstr in glibc 2.17.

      Reported-by: Florian Weimer <fweimer@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fb68777312887000cd0367d72621fdd67cc4a0a0
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Wed Oct 28 18:13:57 2015 +0300

      qga: set file descriptor in qmp_guest_file_open non-blocking on Win32

      Set fd non-blocking to avoid common use cases (like reading from a
      named pipe) from hanging the agent. This was missed in the original
      code.

      The patch introduces qemu_set_handle_nonoblocking, the local analog
      of qemu_set_nonblock for HANDLES.
      The usage of handles in qemu_set_non/block is impossible, because for
      win32 there is a difference between file discriptors and file handles,
      and all file ops are made via Win32 api.

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      CC: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit c87d0964ef7534d50a4c729a6ae20045b3a0cd34
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Wed Oct 28 18:13:56 2015 +0300

      qga: fixed CloseHandle in qmp_guest_file_open

      CloseHandle use HANDLE as an argument, but not *HANDLE

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 125053965b05b31427ff5c75dc3b87acaa8d0505
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Wed Oct 28 18:13:55 2015 +0300

      qga: drop hand-made guest_file_toggle_flags helper

      We'd better use generic qemu_set_nonblock directly.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 96e5c9bc77acef8b7b56cbe23a8a2611feff9e34
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Sat Sep 5 20:51:48 2015 +0100

      migration: fix analyze-migration.py script

      Commit 61964 "Add configuration section" broke the analyze-migration.py 
script
      which terminates due to the unrecognised section. Fix the script by 
parsing
      the contents of the configuration section directly into a new
      ConfigurationSection object (although nothing is done with it yet).

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit 6ad2a215e7170350430adfda02eb8ef47c1acd8e
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Nov 2 15:37:03 2015 +0800

      migration: code clean up

      Just clean up code, no behavior change.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit d1a8548c10bf6d24160ec2aafa4881a3f50a8373
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Nov 2 15:37:02 2015 +0800

      migration: rename cancel to cleanup in SaveVMHandles

      'cleanup' seems more appropriate than 'cancel'.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit ea7415fac677c5c1599214ee226ab4a3a438fdd6
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Nov 2 15:37:01 2015 +0800

      migration: rename qemu_savevm_state_cancel

      The function qemu_savevm_state_cancel is called after the migration
      in migration_thread, it seems strange to 'cancel' it after completion,
      rename it to qemu_savevm_state_cleanup looks better.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit 94f5a43704129ca4995aa3385303c5ae225bde42
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Nov 2 15:37:00 2015 +0800

      migration: defer migration_end & blk_mig_cleanup

      Because of the patch 3ea3b7fa9af067982f34b of kvm, which introduces a
      lazy collapsing of small sptes into large sptes mechanism, now
      migration_end() is a time consuming operation because it calls
      memroy_global_dirty_log_stop(), which will trigger the dropping of small
      sptes operation and takes about dozens of milliseconds, so call
      migration_end() before all the vmsate data has already been transferred
      to the destination will prolong VM downtime. This operation should be
      deferred after all the data has been transferred to the destination.

      blk_mig_cleanup() can be deferred too.

      For a VM with 8G RAM, this patch can reduce the VM downtime about 30 ms.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>al3
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>al3
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>al3

  commit 79cf9fad341e6e7bd6b55395b71d5c5727d7f5b0
  Merge: 19bb546 5d9c175
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 14:54:40 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151103' into staging

      target-arm queue:
       * code cleanup to use symbolic constants for register bank numbers
       * fix direct booting of modern Linux kernels on xilinx_zynq by setting
         SCLR values to what the kernel expects firmware to have done
       * implement SYSRESETREQ for ARMv7M CPU (stellaris boards)
       * update MAINTAINERS to mention new qemu-arm mailing list
       * clean up display of PSTATE in AArch64 debug logs
       * report Secure/Nonsecure status in CPU debug logs
       * fix a missing _CCA attribute in ACPI tables
       * add support for GICv3 to ACPI tables

      # gpg: Signature made Tue 03 Nov 2015 13:58:46 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151103:
        ARM: ACPI: Fix MPIDR value in ACPI table
        hw/arm/virt-acpi-build: Add GICC ACPI subtable for GICv3
        hw/arm/virt-acpi-build: _CCA attribute is compulsory
        target-arm: Report S/NS status in the CPU debug logs
        target-arm: Bring AArch64 debug CPU display of PSTATE into line with 
AArch32
        MAINTAINERS: Add new qemu-arm mailing list to ARM related entries
        arm: stellaris: exit on external reset request
        armv7-m: Implement SYSRESETREQ
        armv7-m: Return DeviceState* from armv7m_init()
        arm: xilinx_zynq: Add linux pre-boot
        arm: boot: Add board specific setup code API
        arm: boot: Adjust indentation of FIXUP comments
        target-arm: Add and use symbolic names for register banks

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 19bb5467135df4b234af2c93bf6c50284158d6ca
  Merge: 130d0bc a9be4e7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 14:09:59 2015 +0000

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20151103-1' 
into staging

      usb: two bugfixes for ehci & usb-host.

      # gpg: Signature made Tue 03 Nov 2015 10:57:28 GMT using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-usb-20151103-1:
        usb-host: fix usb3ep0quirk test
        ehci: clear suspend bit on detach

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5d9c1756140d680e66e5b45005a1fb7078b74ee1
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      ARM: ACPI: Fix MPIDR value in ACPI table

      Use mp_affinity of ARMCPU as the CPU MPIDR instead of the CPU index.

      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1446285001-7316-1-git-send-email-zhaoshenglong@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f2fbfacec024d1e78c10fc8498f3126557c21ed8
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      hw/arm/virt-acpi-build: Add GICC ACPI subtable for GICv3

      When booting VM with GICv3, the kernel needs GICC ACPI subtable to
      initialize the CPUs, e.g. MPIDR information. This adds GICC ACPI
      subtable for GICv3, but set GICC base address only when gic_version == 2
      since it donesn't need GICC base address for GICv3.

      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1446131773-5018-1-git-send-email-shannon.zhao@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bc64b96c984abfe84f43562ca7480bb4f2af0613
  Author: Graeme Gregory <graeme.gregory@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      hw/arm/virt-acpi-build: _CCA attribute is compulsory

      According to ACPI specification 6.2.17 _CCA (Cache Coherency Attribute)
      this attribute is compulsory on ARM systems. Add this attribute to
      the PCI host bridges as required.

      Without this the kernel will produce the error
      [Firmware Bug]: PCI device 0000:00:00.0 fail to setup DMA.

      Signed-off-by: Graeme Gregory <graeme.gregory@xxxxxxxxxx>
      Message-id: 1446460786-13663-1-git-send-email-graeme.gregory@xxxxxxxxxx
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06e5cf7acd1f94ab7c1cd6945974a1f039672940
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      target-arm: Report S/NS status in the CPU debug logs

      If this CPU supports EL3, enhance the printing of the current
      CPU mode in debug logging to distinguish S from NS modes as
      appropriate.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1445883178-576-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 08b8e0f527930208a548b424d2ab3103bf3c8c02
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      target-arm: Bring AArch64 debug CPU display of PSTATE into line with 
AArch32

      The AArch64 debug CPU display of PSTATE as "PSTATE=200003c5 (flags --C-)"
      on the end of the same line as the last of the general purpose registers
      is unnecessarily different from the AArch32 display of PSR as
      "PSR=200001d3 --C- A svc32" on its own line. Update the AArch64
      code to put PSTATE in its own line and in the same format, including
      printing the exception level (mode).

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1445883178-576-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit b4f2bd1ce89f3a324fd047c65573897b39d5aaf8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:42 2015 +0000

      MAINTAINERS: Add new qemu-arm mailing list to ARM related entries

      We now have a qemu-arm mailing list for ARM patches and discussion,
      so add an L: entry for it to the various ARM related entries in
      MAINTAINERS.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 1446129661-5239-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit d69ffb5b48701d8f33cdfa2570a4ea1d5eb9de4d
  Author: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      arm: stellaris: exit on external reset request

      Add GPIO in for the stellaris board which calls
      qemu_system_reset_request() on reset request.

      Signed-off-by: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e192becdc7b05276a41ebef9fe11e6c30ddb91e3
  Author: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      armv7-m: Implement SYSRESETREQ

      Implement the SYSRESETREQ bit of the AIRCR register
      for armv7-m (ie. cortex-m3) to trigger a GPIO out.

      Signed-off-by: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 20c59c38927902a8e2c67da7d9a24b5222a31cb7
  Author: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      armv7-m: Return DeviceState* from armv7m_init()

      Change armv7m_init to return the DeviceState* for the NVIC.
      This allows access to all GPIO blocks, not just the IRQ inputs.
      Move qdev_get_gpio_in() calls out of armv7m_init() into
      board code for stellaris and stm32f205 boards.

      Signed-off-by: Michael Davidsaver <mdavidsaver@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c3a9a689c6ff07ba2e00bafc68626fad84587794
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      arm: xilinx_zynq: Add linux pre-boot

      Add a Linux-specific pre-boot routine that matches the device-
      specific bootloaders behaviour. This is needed for modern Linux that
      expects the ARM PLL in SLCR to be a more even value (not 26).

      Cc: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
9a9025ea65572586b50dca4e5819032e3c436d64.1446182614.git.crosthwaite.peter@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 10b8ec73e610e017ac2fbaf486fce21eec7061b2
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      arm: boot: Add board specific setup code API

      Add an API for boards to inject their own preboot software (or
      firmware) sequence.

      The software then returns to the bootloader via the link register. This
      allows boards to do their own little bits of firmware setup without
      needed to replace the bootloader completely (which is the requirement
      for existing firmware support).

      The blob is loaded by a callback if and only if doing a linux boot
      (similar to the existing write_secondary support).

      Rewrite the comment for the primary boot blob.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
070295644c6ac84696d743913296e8cfefb48c15.1446182614.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 84e59397797ff2040439058b689adbfef608b879
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      arm: boot: Adjust indentation of FIXUP comments

      These comments start immediately after the current longest name in the
      list. Tab them out to the next tab stop to give a little breathing room
      and prepare for FIXUP_BOARD_SETUP which will require more indent.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
b9b9bb8f1c307c1ef8a3f26ff1f34fabb34b332e.1446182614.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 99a99c1fc8e9bfec1656ac5916c53977a93d3581
  Author: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
  Date:   Tue Nov 3 13:49:41 2015 +0000

      target-arm: Add and use symbolic names for register banks

      Add BANK_<cpumode> #defines to index banked registers.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a9be4e7c48c4892c836bda1be4d550bb1a6732bd
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 23 14:27:10 2015 +0200

      usb-host: fix usb3ep0quirk test

      usb->speed is the usb speed the device is actually running on in the
      qemu emulation (i.e. from the guests point of view).  So when plugging
      usb3 devices into ehci hostadapter this is HIGH not SUPER.

      To figure whenever the host talks to the device with superspeed we
      have to check speedmask instead and see whenever the superspeed bit
      is set there.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Message-id: 1445603230-11840-1-git-send-email-kraxel@xxxxxxxxxx

  commit cbf82fa01e6fd4ecb234b235b10ffce548154a95
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Oct 21 09:44:22 2015 +0200

      ehci: clear suspend bit on detach

      When a device is detached, clear the suspend bit (PORTSC_SUSPEND)
      in the port status register.

      The specs are not *that* clear what is supposed to happen in case
      a suspended device is unplugged.  But the enable bit (PORTSC_PED)
      is cleared, and the specs mention setting suspend with enable being
      unset is undefined behavior.  So clearing them both looks reasonable,
      and it actually fixes the reported bug.

      https://bugzilla.redhat.com/show_bug.cgi?id=1268879

      Cc: Hans de Goede <hdegoede@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Hans de Goede <hdegoede@xxxxxxxxxx>
      Message-id: 1445413462-18004-1-git-send-email-kraxel@xxxxxxxxxx

  commit 130d0bc6594d0cc6591d00312841891b3c187b07
  Merge: 3d861a0 4d77b1f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Nov 3 10:20:04 2015 +0000

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20151103-1' 
into staging

      ui: fixes for vnc, opengl and curses.

      # gpg: Signature made Tue 03 Nov 2015 09:53:24 GMT using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-ui-20151103-1:
        vnc: fix bug: vnc server can't start when 'to' is specified
        vnc: allow fall back to RAW encoding
        ui/opengl: Reduce build required libraries for opengl
        ui/curses: Fix pageup/pagedown on -curses
        ui/curses: Support line graphics chars on -curses mode
        ui/curses: Fix monitor color with -curses when 256 colors

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4d77b1f23877b579b94421d0cab2bebc79f4e171
  Author: Yang Hongyang <hongyang.yang@xxxxxxxxxxxx>
  Date:   Tue Oct 27 14:10:52 2015 +0800

      vnc: fix bug: vnc server can't start when 'to' is specified

      commit e0d03b8ceb52 converted VNC startup to use SocketAddress,
      the interface socket_listen don't have a port_offset param, so
      we need to add the port offset (5900) to both 'port' and 'to' opts.
      currently only 'port' is added by offset.
      This patch add the port offset to 'to' opts.

      Signed-off-by: Yang Hongyang <hongyang.yang@xxxxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1445926252-14830-1-git-send-email-hongyang.yang@xxxxxxxxxxxx
      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Cc: Eric Blake <eblake@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit de3f7de7f4e257ce44cdabb90f5f17ee99624557
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Aug 27 14:46:25 2015 +0200

      vnc: allow fall back to RAW encoding

      I have observed that depending on the contents and the encoding it happens
      that sending data as RAW sometimes would take less space than the encoded 
data.
      This is especially the case for small updates or areas with high color 
images.
      If sending RAW encoded data is beneficial allow a fall back to RAW 
encoding
      for the framebuffer update.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit fb719563676f8958141a5c984e876a9a1b18f48b
  Author: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Oct 27 02:45:48 2015 +0900

      ui/opengl: Reduce build required libraries for opengl

      We now use epoxy to load opengl libraries. This means we don't need to
      link opengl libraries directly if interfaces handled by epoxy. With
      this, we just need epoxy headers and epoxy's *.so to build.

      Tested with epoxy-1.3.1.

      - sdl2/gtk/console egl stuff doesn't require other than epoxy
      - milkymist-tmu2 glx stuff doesn't require other than epoxy

      (lm32 test is limited, because can't find mmone-bios.bin, so just test
      to load libGL with "./lm32-softmmu/qemu-system-lm32 -M 
milkymist,accel=qtest")

      Signed-off-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>

      [ lm32 tested by kraxel ]

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e72df72a558cc189bb8681df8059b3a8cff281fc
  Author: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 19 21:24:07 2015 +0900

      ui/curses: Fix pageup/pagedown on -curses

      Current KEY_NPAGE/KEY_PPAGE handling is broken on -curses. Those uses
      "GREY", but "KEY_MASK" masked out "GREY".

      To fix, we have to use correct mask value - SCANCODE_KEYMASK.

      Then, this adds support of "shift + pageup/pagedown". With this,
      -curses mode can use scroll-up/down as usual like other display modes.

      Signed-off-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e2368dc9684ae5cec2f0558be4803901a0b58b7b
  Author: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 19 21:23:46 2015 +0900

      ui/curses: Support line graphics chars on -curses mode

      This converts vga code to curses code in console_write_bh().

      With this changes, we can see line graphics (for example, dialog uses)
      correctly.

      Signed-off-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 615220ddaf23db4c5686053257c568b46967e4b5
  Author: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 19 21:23:10 2015 +0900

      ui/curses: Fix monitor color with -curses when 256 colors

      If TERM=xterm-256color, COLOR_PAIRS==256 and monitor passes chtype
      like 0x74xx. Then, the code uses uninitialized color pair. As result,
      monitor uses black for both of fg and bg color, i.e. terminal is
      filled by black.

      To fix, this initialize above than 64 with default color 
(fg=white,bg=black).

      FIXME: on 256 color, curses may be possible better vga color emulation.

      Signed-off-by: OGAWA Hirofumi <hirofumi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5dfdae814307f7580d56ab4505288224751e0801
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:08:02 2015 -0200

      vl.c: Use "%s support is disabled" error messages consistently

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-12-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 515cb8ef27874822c64bc81ccde9bd7227383137
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:08:00 2015 -0200

      vl.c: Improve warnings on use of deprecated options

      Simplify warnings about deprecated options by rewriting them as
      "warning: ignoring deprecated option".

      Reword -no-kvm-pit-reinjection deprecation warning.

      Suggested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-10-git-send-email-ehabkost@xxxxxxxxxx>
      [Squashed in
      Message-Id: <1446217682-24421-11-git-send-email-ehabkost@xxxxxxxxxx>
      and updated commit message]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 4cd70f34afa817cfc891f6c64fd7e277ba561784
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:56 2015 -0200

      vl.c: Touch up error messages

      Several small improvements:

      * Use "cannot" instead of "can not"
      * Use 'quotes' instead of `quotes'
      * Change "fail to parse" error message to "failed to parse"

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Suggested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-6-git-send-email-ehabkost@xxxxxxxxxx>
      [Squashed in
      Message-Id: <1446217682-24421-7-git-send-email-ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-9-git-send-email-ehabkost@xxxxxxxxxx>
      and updated commit message]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3e5153732e96d870b3272e662234d664c15e3815
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:58 2015 -0200

      vl.c: Remove unnecessary uppercase in error messages

      Suggested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-8-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit eb177ec1843476f278a63d936b0f73f456a86024
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:55 2015 -0200

      vl.c: Use "warning:" prefix consistently on warnings

      Suggested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-5-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 8afb900030b93122a40ef4a636d02ba888bdce12
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:54 2015 -0200

      vl.c: Remove periods and exclamation points from error messages

      Except for removing periods and exclamation points, no other changes
      were made to the error messages (yet).

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-4-git-send-email-ehabkost@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f61eddcb2bb5cbbdd1d911b7e937db9affc29028
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Oct 30 13:07:52 2015 -0200

      vl.c: Replace fprintf(stderr) with error_report()

      Straightforward replacement, except for qemu_kill_report(), which
      printed a common part of its error message first, then the applicable
      special part.  Print each complete message with a single
      error_report() instead.

      Multi-line messages were replaced by error_report() followed by
      error_printf().

      The following changes were made to the error messages:

      * The "invalid date format" message was reworded to better fit
        the new error_report()+error_printf() pattern.
      * On the remaining messages, only the trailing newlines, "qemu:" and
        "error:" message prefixes were removed.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1446217682-24421-2-git-send-email-ehabkost@xxxxxxxxxx>
      [Squashed in
      Message-Id: <1446217682-24421-3-git-send-email-ehabkost@xxxxxxxxxx>
      and updated commit message]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit aa5ccadcca3e6018ebd9d2e8b0a0604f7cb0cd59
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue Oct 20 15:38:46 2015 +0800

      scripts/text2pod.pl: Escape left brace

      Latest perl now deprecates "{" literal in regex and print warnings like
      "unescaped left brace in regex is deprecated".  Add escapes to keep it
      happy.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>

      Message-Id: <1445326726-16031-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit cc57501dee37376d0a2fbc5921e0f3a9ed4b117d
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Mon Oct 19 19:11:11 2015 +0200

      file_ram_alloc: propagate error to caller instead of terminating QEMU

      QEMU shouldn't exits from file_ram_alloc() if -mem-prealloc option is 
specified
      and "object_add memory-backend-file,..." fails allocation during memory 
hotplug.

      Propagate error to a caller and let it decide what to do with allocation 
failure.
      That leaves QEMU alive if it can't create backend during hotplug time and
      kills QEMU at startup time if backends or initial memory were 
misconfigured/
      too large.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-Id: <1445274671-17704-1-git-send-email-imammedo@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3d861a01093f8eedfac9889746ccafcfd32039b7
  Merge: 24f4a0f 32bc687
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Nov 2 11:11:39 2015 +0000

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-11-02' 
into staging

      QAPI patches

      # gpg: Signature made Mon 02 Nov 2015 09:07:23 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-11-02: (25 commits)
        qapi: Simplify gen_struct_field()
        qapi: Reserve 'u' member name
        qapi: Finish converting to new qapi union layout
        tpm: Convert to new qapi union layout
        memory: Convert to new qapi union layout
        input: Convert to new qapi union layout
        char: Convert to new qapi union layout
        net: Convert to new qapi union layout
        sockets: Convert to new qapi union layout
        block: Convert to new qapi union layout
        tests: Convert to new qapi union layout
        qapi-visit: Convert to new qapi union layout
        qapi: Start converting to new qapi union layout
        qapi-visit: Remove redundant functions for flat union base
        qapi: Unbox base members
        qapi: Prefer typesafe upcasts to qapi base classes
        qapi-types: Refactor base fields output
        qapi-visit: Split off visit_type_FOO_fields forward decl
        vnc: Hoist allocation of VncBasicInfo to callers
        qapi: Reserve 'q_*' and 'has_*' member names
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 32bc6879beea0b0cac6196cb15a71d206401e96d
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:35:03 2015 -0600

      qapi: Simplify gen_struct_field()

      Rather than having all callers pass a name, type, and optional
      flag, have them instead pass a QAPISchemaObjectTypeMember which
      already has all that information.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-25-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 5e59baf90a72cd25d38a3134edc029f4f022da74
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:35:02 2015 -0600

      qapi: Reserve 'u' member name

      Now that we have separated union tag values from colliding with
      non-variant C names, by naming the union 'u', we should reserve
      this name for our use.  Note that we want to forbid 'u' even in
      a struct with no variants, because it is possible for a future
      qemu release to extend QMP in a backwards-compatible manner while
      converting from a struct to a flat union.  Fortunately, no
      existing clients were using this member name.  If we ever find
      the need for QMP to have a member 'u', we could at that time
      relax things, perhaps by having c_name() munge the QMP member to
      'q_u'.

      Note that we cannot forbid 'u' everywhere (by adding the
      rejection code to check_name()), because the existing QKeyCode
      enum already uses it; therefore we only reserve it as a struct
      type member name.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-24-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e4ba22b31943ab02373359555bd7bcd66442632f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:35:01 2015 -0600

      qapi: Finish converting to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      This patch is the back end for a series that converts to a
      saner qapi union layout.  Now that all clients have been
      converted to use 'type' and 'obj->u.value', we can drop the
      temporary parallel support for 'kind' and 'obj->value'.

      Given a simple union qapi type:

      { 'union':'Foo', 'data': { 'a':'int', 'b':'bool' } }

      this is the overall effect, when compared to the state before
      this series of patches:

      | struct Foo {
      |-    FooKind kind;
      |-    union { /* union tag is @kind */
      |+    FooKind type;
      |+    union { /* union tag is @type */
      |         void *data;
      |         int64_t a;
      |         bool b;
      |-    };
      |+    } u;
      | };

      The testsuite still contains some examples of artificial restrictions
      (see flat-union-clash-type.json, for example) that are no longer
      technically necessary, now that there is no longer a collision between
      enum tag values and non-variant member names; but fixing this will be
      done in later patches, in part because some further changes are required
      to keep QAPISchema*.check() from asserting.  Also, a later patch will
      add a reservation for the member name 'u' to avoid a collision between a
      user's non-variant names and our internal choice of C union name.

      Note, however, that we do not rename the generated enum, which
      is still 'FooKind'.  A further patch could generate implicit
      enums as 'FooType', but while the generator already reserved
      the '*Kind' namespace (commit 4dc2e69), there are already QMP
      constructs with '*Type' naming, which means changing our
      reservation namespace would have lots of churn to C code to
      deal with a forced name change.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-23-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ce21131a0b9e556bb73bf65eacdc07ccb21f78a9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:35:00 2015 -0600

      tpm: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for TPM-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-22-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1fd5d4fea4ba686705fd377c7cffc0f0c9f83f93
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:59 2015 -0600

      memory: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for memory-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-21-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 568c73a4783cd981e9aa6de4f15dcda7829643ad
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:58 2015 -0600

      input: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for input-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-20-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 130257dc443574a9da91dc293665be2cfc40245a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:57 2015 -0600

      char: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for character-related
      code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-19-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 8d0bcba8370a4e8606dee602393a14d0c48e8bfc
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:56 2015 -0600

      net: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for net-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-18-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2d32addae70987521578d8bb27c6b3f52cdcbdcb
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:55 2015 -0600

      sockets: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for socket-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-17-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6a8f9661dc3c088ed0d2f5b41d940190407cbdc5
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:54 2015 -0600

      block: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for block-related code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-16-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit c363acef772647f66becdbf46dd54e70e67f3cc9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:53 2015 -0600

      tests: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for testsuite code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-15-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 150d0564a4c626642897c748f7906260a13c14e1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:52 2015 -0600

      qapi-visit: Convert to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      Make the conversion to the new layout for qapi-visit.py.

      Generated code changes look like:

      |@@ -4912,16 +4912,16 @@ void visit_type_MemoryDeviceInfo(Visitor
      |     if (!*obj) {
      |         goto out_obj;
      |     }
      |-    visit_type_MemoryDeviceInfoKind(v, &(*obj)->kind, "type", &err);
      |+    visit_type_MemoryDeviceInfoKind(v, &(*obj)->type, "type", &err);
      |     if (err) {
      |         goto out_obj;
      |     }
      |-    if (!visit_start_union(v, !!(*obj)->data, &err) || err) {
      |+    if (!visit_start_union(v, !!(*obj)->u.data, &err) || err) {
      |         goto out_obj;
      |     }
      |-    switch ((*obj)->kind) {
      |+    switch ((*obj)->type) {
      |     case MEMORY_DEVICE_INFO_KIND_DIMM:
      |-        visit_type_PCDIMMDeviceInfo(v, &(*obj)->dimm, "data", &err);
      |+        visit_type_PCDIMMDeviceInfo(v, &(*obj)->u.dimm, "data", &err);
      |         break;
      |     default:
      |         abort();
      |@@ -4930,7 +4930,7 @@ out_obj:
      |     error_propagate(errp, err);
      |     err = NULL;
      |     if (*obj) {
      |-        visit_end_union(v, !!(*obj)->data, &err);
      |+        visit_end_union(v, !!(*obj)->u.data, &err);
      |     }
      |     error_propagate(errp, err);
      |     err = NULL;

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-14-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f51d8fab44b231aa299d8de24cfdf9ba41ef4a21
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:51 2015 -0600

      qapi: Start converting to new qapi union layout

      We have two issues with our qapi union layout:
      1) Even though the QMP wire format spells the tag 'type', the
      C code spells it 'kind', requiring some hacks in the generator.
      2) The C struct uses an anonymous union, which places all tag
      values in the same namespace as all non-variant members. This
      leads to spurious collisions if a tag value matches a non-variant
      member's name.

      This patch is the front end for a series that converts to a
      saner qapi union layout.  By the end of the series, we will no
      longer have the type/kind mismatch, and all tag values will be
      under a named union, which requires clients to access
      'obj->u.value' instead of 'obj->value'.  But since the
      conversion touches a number of files, it is easiest if we
      temporarily support BOTH layouts simultaneously.

      Given a simple union qapi type:

      { 'union':'Foo', 'data': { 'a':'int', 'b':'bool' } }

      make the following changes in generated qapi-types.h:

      | struct Foo {
      |-    FooKind kind;
      |-    union { /* union tag is @kind */
      |+    union {
      |+        FooKind kind;
      |+        FooKind type;
      |+    };
      |+    union { /* union tag is @type */
      |         void *data;
      |         int64_t a;
      |         bool b;
      |+        union { /* union tag is @type */
      |+            void *data;
      |+            int64_t a;
      |+            bool b;
      |+        } u;
      |     };
      | };

      Flat unions do not need the anonymous union for the tag member,
      as we already fixed that to use the member name instead of 'kind'
      back in commit 0f61af3e.

      One additional change is needed in qapi.py: check_union() now
      needs to check for collisions with 'type' in addition to those
      with 'kind'.

      Later, when the conversions are complete, we will remove the
      duplication hacks, and also drop the check_union() restrictions.

      Note, however, that we do not rename the generated enum, which
      is still 'FooKind'.  A further patch could generate implicit
      enums as 'FooType', but while the generator already reserved
      the '*Kind' namespace (commit 4dc2e69), there are already QMP
      constructs with '*Type' naming, which means changing our
      reservation namespace would have lots of churn to C code to
      deal with a forced name change.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-13-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 5c5e51a05b567fd48fb155d94ca6f7679dd0d478
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:50 2015 -0600

      qapi-visit: Remove redundant functions for flat union base

      The code for visiting the base class of a child struct created
      visit_type_Base_fields() which covers all fields of Base; while
      the code for visiting the base class of a flat union created
      visit_type_Union_fields() covering all fields of the base
      except the discriminator.  But since the base class includes
      the discriminator of a flat union, we can just visit the entire
      base, without needing a separate visit of the discriminator.
      Not only is consistently visiting all fields easier to
      understand, it lets us share code.

      The generated code in qapi-visit.c loses several now-unused
      visit_type_UNION_fields(), along with changes like:

      |@@ -1654,11 +1557,7 @@ void visit_type_BlockdevOptions(Visitor
      |     if (!*obj) {
      |         goto out_obj;
      |     }
      |-    visit_type_BlockdevOptions_fields(v, obj, &err);
      |-    if (err) {
      |-        goto out_obj;
      |-    }
      |-    visit_type_BlockdevDriver(v, &(*obj)->driver, "driver", &err);
      |+    visit_type_BlockdevOptionsBase_fields(v, (BlockdevOptionsBase 
**)obj, &err);
      |     if (err) {
      |         goto out_obj;
      |     }

      and forward declarations where needed.  Note that the cast of obj
      to BASE ** is necessary to call visit_type_BASE_fields() (and we
      can't use our upcast wrappers, because those work on pointers while
      we have a pointer-to-pointer).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-12-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ddf21908961073199f3d186204da4810f2ea150b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:49 2015 -0600

      qapi: Unbox base members

      Rather than storing a base class as a pointer to a box, just
      store the fields of that base class in the same order, so that
      a child struct can be directly cast to its parent.  This gives
      less malloc overhead, less pointer dereferencing, and even less
      generated code.  Compare to the earlier commit 1e6c1616a "qapi:
      Generate a nicer struct for flat unions" (although that patch
      had fewer places to change, as less of qemu was directly using
      qapi structs for flat unions).  It also allows us to turn on
      automatic type-safe wrappers for upcasting to the base class
      of a struct.

      Changes to the generated code look like this in qapi-types.h:

      | struct SpiceChannel {
      |-    SpiceBasicInfo *base;
      |+    /* Members inherited from SpiceBasicInfo: */
      |+    char *host;
      |+    char *port;
      |+    NetworkAddressFamily family;
      |+    /* Own members: */
      |     int64_t connection_id;

      as well as additional upcast functions like qapi_SpiceChannel_base().
      Meanwhile, changes to qapi-visit.c look like:

      | static void visit_type_SpiceChannel_fields(Visitor *v, SpiceChannel 
**obj, Error **errp)
      | {
      |     Error *err = NULL;
      |
      |-    visit_type_implicit_SpiceBasicInfo(v, &(*obj)->base, &err);
      |+    visit_type_SpiceBasicInfo_fields(v, (SpiceBasicInfo **)obj, &err);
      |     if (err) {

      (the cast is necessary, since our upcast wrappers only deal with a
      single pointer, not pointer-to-pointer); plus the wholesale
      elimination of some now-unused visit_type_implicit_FOO() functions.

      Without boxing, the corner case of one empty struct having
      another empty struct as its base type now requires inserting a
      dummy member (previously, the 'Base *base' member sufficed).

      And now that we no longer consume a 'base' member in the generated
      C struct, we can delete the former negative struct-base-clash-base
      test.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-11-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 30594fe1cd4355626e73b80645428105d0df3cf6
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:48 2015 -0600

      qapi: Prefer typesafe upcasts to qapi base classes

      A previous patch (commit 1e6c1616) made it possible to
      directly cast from a qapi flat union type to its base type.
      However, it requires the use of a C cast, which turns off
      compiler type-safety checks.  Fortunately, no such casts
      exist, just yet.

      Regardless, add inline type-safe wrappers named
      qapi_FOO_base() for any union type FOO that has a base,
      which can be used for a safer upcast, and enhance the
      testsuite to cover the new functionality.

      A future patch will extend the upcast support to structs,
      where such conversions do exist already.

      Note that C makes const-correct upcasts annoying because
      it lacks overloads; these functions cast away const so that
      they can accept user pointers whether const or not, and the
      result in turn can be assigned to normal or const pointers.
      Alternatively, this could have been done with macros, but
      type-safe macros are hairy, and not worthwhile here.

      This patch just adds upcasts.  None of our code needed to
      downcast from a base qapi class to a child.  Also, in the
      case of grandchildren (such as BlockdevOptionsQcow2), the
      caller will need to call two functions to get to the inner
      base (although it wouldn't be too hard to generate a
      qapi_FOO_base_base() if desired).  If a user changes qapi
      to alter the base class hierarchy, such as going from
      'A -> C' to 'A -> B -> C', it will change the type of
      'qapi_C_base()', and the compiler will point out the places
      that are affected by the new base.

      One alternative was proposed, but was deemed too ugly to use
      in practice: the generators could output redundant
      information using anonymous types:
      | struct Child {
      |     union {
      |         struct {
      |             Type1 parent_member1;
      |             Type2 parent_member2;
      |         };
      |         Parent base;
      |     };
      | };
      With that ugly proposal, for a given qapi type, obj->member
      and obj->base.member would refer to the same storage; allowing
      convenience in working with members without needing 'base.'
      allowing typesafe upcast without needing a C cast by accessing
      '&obj->base', and allowing downcasts from the parent back to
      the child possible through container_of(obj, Child, base).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-10-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f87ab7f9bd956250c48b5c6e9b607b537fd21543
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:47 2015 -0600

      qapi-types: Refactor base fields output

      Move code from gen_union() into gen_struct_fields() in order for
      a later patch to share code when enumerating inherited fields
      for struct types.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-9-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d02cf37766ba3cf918d7085aa7848c9dc05fd11a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:46 2015 -0600

      qapi-visit: Split off visit_type_FOO_fields forward decl

      We generate a static visit_type_FOO_fields() for every type
      FOO.  However, sometimes we need a forward declaration. Split
      the code to generate the forward declaration out of
      gen_visit_implicit_struct() into a new gen_visit_fields_decl(),
      and also prepare for a forward declaration to be emitted
      during gen_visit_struct(), so that a future patch can switch
      from using visit_type_FOO_implicit() to the simpler
      visit_type_FOO_fields() as part of unboxing the base class
      of a struct.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-8-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 98481bfcd661daa3c160cc87a297b0e60a307788
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:45 2015 -0600

      vnc: Hoist allocation of VncBasicInfo to callers

      A future qapi patch will rework generated structs with a base
      class to be unboxed.  In preparation for that, change the code
      that allocates then populates an info struct to instead merely
      populate the fields of an info field passed in as a parameter
      (renaming vnc_basic_info_get* to vnc_init_basic_info*). Add
      rudimentary Error handling at the lowest levels for cases
      where the old code returned NULL; but rather than plumb Error
      all the way through the stack, the callers drop the error and
      return NULL as before.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-7-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9fb081e0b98409556d023c7193eeb68947cd1211
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:44 2015 -0600

      qapi: Reserve 'q_*' and 'has_*' member names

      c_name() produces names starting with 'q_' when protecting a
      dictionary member name that would fail to directly compile, but
      in doing so can cause clashes with any member name already
      beginning with 'q-' or 'q_'.  Likewise, we create a C name 'has_'
      for any optional member that can clash with any member name
      beginning with 'has-' or 'has_'.

      Technically, rather than blindly reserving the namespace,
      we could try to complain about user names only when an actual
      collision occurs, or even teach c_name() how to munge names
      to avoid collisions.  But it is not trivial, especially when
      collisions can occur across multiple types (such as via
      inheritance or flat unions).  Besides, no existing .json
      files are trying to use these names.  So it's easier to just
      outright forbid the potential for collision.  We can always
      relax things in the future if a real need arises for QMP to
      express member names that have been forbidden here.

      'has_' only has to be reserved for struct/union member names,
      while 'q_' is reserved everywhere (matching the fact that
      only members can be optional, while we use c_name() for munging
      both members and entities).  Note that we could relax 'q_'
      restrictions on entities independently from member names; for
      example, c_name('qmp_' + 'unix') would result in a different
      function name than our current 'qmp_' + c_name('unix').

      Update and add tests to cover the new error messages.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-6-git-send-email-eblake@xxxxxxxxxx>
      [Consistently pass protect=False to c_name(); commit message tweaked
      slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 255960dd374d4497d6ea537305f1b0d8a3433789
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:43 2015 -0600

      qapi: Reserve '*List' type names for list types

      Type names ending in 'List' can clash with qapi list types in
      generated C.  We don't currently use such names. It is easier to
      outlaw them now than to worry about how to resolve such a clash
      in the future. For precedence, see commit 4dc2e69, which did the
      same for names ending in 'Kind' versus implicit enum types for
      qapi unions.

      Update the testsuite to match.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-5-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f9e6102b48f21e464a847a858a456c521e7a83e5
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:42 2015 -0600

      qapi: More robust conditions for when labels are needed

      We were using regular expressions to see if ret included
      any earlier text that emitted a 'goto out;' line, to decide
      whether we needed to output an 'out:' label.  But this is
      fragile, if the ret text can possibly combine more than one
      generated function body, where the first function used a
      goto but the second does not.  Change the code to just check
      for the known conditions which cause an error check to be
      needed.  Besides, it's slightly more efficient to use plain
      checks than regular expression searching.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-4-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 8712fa5333ad348da20034b717dd814219d1ec11
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:41 2015 -0600

      qapi: More idiomatic string operations

      Rather than slicing the end of a string, we can use python's
      endswith().  And rather than creating a set of characters,
      we can search for a character within a string.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-3-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1976708321f21ed51d0a374db6b28a6cd1bd5d66
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 26 16:34:40 2015 -0600

      tests/qapi-schema: Test for reserved names, empty struct

      Add some testsuite coverage to ensure future patches are on
      the right track:

      Our current C representation of qapi arrays is done by appending
      'List' to the element name; but we are not preventing the
      creation of an object type with the same name.  Add
      reserved-type-list.json to test this.  Then rename
      enum-union-clash.json to reserved-type-kind.json to cover the
      reservation that we DO detect, and shorten it to match the fact
      that the name is reserved even if there is no clash.

      We are failing to detect a collision between a dictionary member
      and the implicit 'has_*' flag for another optional member. The
      easiest fix would be for a future patch to reserve the entire
      "has[-_]" namespace for member names (the collision is also
      possible for branch names within flat unions, but only as long as
      branch names can collide with (non-variant) members; however,
      since future patches are about to remove that, it is not worth
      testing here). Add reserved-member-has.json to test this.

      A similar collision exists between a dictionary member where
      c_name() munges what might otherwise be a reserved name to start
      with 'q_', and another member explicitly starts with "q[-_]".
      Again, the easiest solution for a future patch will be reserving
      the entire namespace, but here for commands as well as members.
      Add reserved-member-q.json and reserved-command-q.json to test
      this; separate tests since arguably our munging of command 'unix'
      to 'qmp_q_unix()' could be done without a q_, which is different
      than the munging of a member 'unix' to 'foo.q_unix'.

      Finally, our testsuite does not have any compilation coverage
      of struct inheritance with empty qapi structs.  Update
      qapi-schema-test.json to test this.

      Note that there is currently no technical reason to forbid type
      name patterns from member names, or member name patterns from
      types, since the two are not in the same namespace in C and
      won't collide; but it's not worth adding positive tests of these
      corner cases at this time, especially while there is other churn
      pending in patches that rearrange which collisions actually
      happen.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1445898903-12082-2-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked slightly]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2ea1793bd90f04c34fbb75a1b84d71cb5b1f9c08
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Oct 22 11:25:43 2015 +0100

      qapi-schema: mark InetSocketAddress as mandatory again

      Revert the qapi-schema.json change done in:

        commit 0983f5e6af76d5df8c6346cbdfff9d8305fb6da0
        Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
        Date:   Tue Sep 1 14:46:50 2015 +0100

          sockets: allow port to be NULL when listening on IP address

      Switching "port" from mandatory to optional causes the QAPI
      code generator to add a 'has_port' field to the InetSocketAddress
      struct. No code that created InetSocketAddress objects was updated
      to set 'has_port = true', which caused the non-NULL port strings
      to be silently dropped when copying InetSocketAddress objects.

      Reported-by: Knut Omang <knuto@xxxxxxxxxx>
      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1445509543-30679-1-git-send-email-berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 24f4a0f5c969e9077e341402881c1d929d37150b
  Merge: 3a958f5 2a080ce
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 30 21:59:48 2015 +0000

      Merge remote-tracking branch 'remotes/rth/tags/pull-tile-20151030' into 
staging

      Prefetch in y2 pipe

      # gpg: Signature made Fri 30 Oct 2015 20:40:02 GMT using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tile-20151030:
        target-tilegx: Implement prefetch instructions in pipe y2

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3a958f559ecd0511583d27b10011fa7f3cf79b63
  Merge: e79ea9e 37a639a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 30 19:47:47 2015 +0000

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Thu 29 Oct 2015 18:09:16 GMT using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        block: Consider all child nodes in bdrv_requests_pending()
        target-arm: xlnx-zynqmp: Add sdhci support.
        sdhci: Split sdhci.h for public and internal device usage
        sd.h: Move sd.h to include/hw/sd/
        virtio: sync the dataplane vring state to the virtqueue before 
virtio_save
        gdb command: qemu handlers
        virtio-blk: switch off scsi-passthrough by default
        ppc/spapr: add 2.4 compat props
        s390x: include HW_COMPAT_* props
        qemu-gdb: add $qemu_coroutine_sp and $qemu_coroutine_pc
        qemu-gdb: extract parts of "qemu coroutine" implementation
        qemu-gdb: allow using glibc_pointer_guard() on core dumps

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e79ea9e4240971b43494184d68a7f5a67d07e74b
  Merge: fdf9276 60270f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 30 16:30:25 2015 +0000

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20151030' into 
staging

      MIPS patches 2015-10-30

      Changes:
      * R6 CPU can be woken up by non-enabled interrupts
      * PC fix in KVM
      * Coprocessor 0 XContext calculation fix
      * various MIPS R6 updates

      # gpg: Signature made Fri 30 Oct 2015 14:51:56 GMT using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"

      * remotes/lalrae/tags/mips-20151030:
        target-mips: fix updating XContext on mmu exception
        target-mips: add SIGRIE instruction
        target-mips: Set Config5.XNP for R6 cores
        target-mips: add PC, XNP reg numbers to RDHWR
        hw/mips_malta: Fix KVM PC initialisation
        target-mips: Add enum for BREAK32
        target-mips: update writing to CP0.Status.KX/SX/UX in MIPS Release R6
        target-mips: implement the CPU wake-up on non-enabled interrupts in R6
        target-mips: move the test for enabled interrupts to a separate function

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 60270f85cc93d2d34e45b7679c374b1d771f0eeb
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Oct 29 17:17:52 2015 +0000

      target-mips: fix updating XContext on mmu exception

      Correct updating XContext.Region field on mmu exceptions.
      If Config3.CTXTC = 0 then the R field of XContext has to be updated
      with the value of bits 63..62 of the virtual address upon a TLB
      exception.
      Also fixed the below line which overs 80 characters.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: James Hogan <james.hogan@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit bb238210bb096534b68dab15a87c6ff0bef43672
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Oct 29 15:18:38 2015 +0000

      target-mips: add SIGRIE instruction

      Add SIGRIE (Signal Reserved Instruction Exception) for both MIPS and
      microMIPS.
      The instruction allows to use the 16-bit code field for software use.
      This instruction is introduced by and required as of Release 6.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 35ac9e342e008e3d47ef18d33a6977fdb99de9cd
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Oct 5 14:45:45 2015 +0100

      target-mips: Set Config5.XNP for R6 cores

      Set Config5.XNP for R6 cores to indicate the extended LL/SC family
      of instructions NOT present.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit b00c72180c36510bf9b124e190bd520e3b7e1358
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Oct 29 15:18:39 2015 +0000

      target-mips: add PC, XNP reg numbers to RDHWR

      Add Performance Counter (4) and XNP (5) register numbers to RDHWR.
      Add check_hwrena() to simplify access control checkings.
      Add RDHWR support to microMIPS R6.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ca2f6bbbce32b7e1ba4fdaf54165ab0dee47a3a5
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Mon Oct 12 17:54:39 2015 +0100

      hw/mips_malta: Fix KVM PC initialisation

      Commit 71c199c81d29 ("mips_malta: provide ememsize env variable to
      kernels") changed the meaning of loaderparams.ram_size to be the whole
      of RAM rather than just the low part below where the boot code is placed
      for KVM, but it didn't update the PC initialisation for KVM to use
      ram_low_size. Fix that now.

      Fixes: 71c199c81d29 ("mips_malta: provide ememsize env variable to 
kernels")
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Cc: Paul Burton <paul.burton@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit fdf927621a99711bf1a81712bce054794f2d44c3
  Merge: 7bc8e0c 7f1e7b2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 30 09:41:14 2015 +0000

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-10-30' into staging

      QMP and QObject patches

      # gpg: Signature made Fri 30 Oct 2015 08:06:26 GMT using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-10-30:
        docs: Document QMP event rate limiting
        monitor: Throttle event VSERPORT_CHANGE separately by "id"
        monitor: Turn monitor_qapi_event_state[] into a hash table
        glib: add compatibility interface for g_hash_table_add()
        monitor: Split MonitorQAPIEventConf off MonitorQAPIEventState
        monitor: Switch from timer_new() to timer_new_ns()
        monitor: Simplify event throttling
        monitor: Reduce casting of QAPI event QDict
        qstring: Make conversion from QObject * accept null
        qlist: Make conversion from QObject * accept null
        qfloat qint: Make conversion from QObject * accept null
        qdict: Make conversion from QObject * accept null
        qbool: Make conversion from QObject * accept null
        qobject: Drop QObject_HEAD

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7f1e7b23d57408c86d350b3544673fdcd6be55c0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:36 2015 +0200

      docs: Document QMP event rate limiting

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444921716-9511-8-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 7de0be6573afc9dcfb6aa0ded167ad6a8730f727
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:35 2015 +0200

      monitor: Throttle event VSERPORT_CHANGE separately by "id"

      VSERPORT_CHANGE is emitted when the guest opens or closes a
      virtio-serial port.  The event's member "id" identifies the port.

      When several events arrive quickly, throttling drops all but the last
      of them.  Because of that, a QMP client must assume that *any* port
      may have changed state when it receives a VSERPORT_CHANGE event and
      throttling may have happened.

      Make the event more useful by throttling it for each port separately.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444921716-9511-7-git-send-email-armbru@xxxxxxxxxx>

  commit a24712af54259dd744a49447658521325f10a721
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:34 2015 +0200

      monitor: Turn monitor_qapi_event_state[] into a hash table

      In preparation of finer grained throttling.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444921716-9511-6-git-send-email-armbru@xxxxxxxxxx>

  commit 8681dffa91a0d5767b7c1eb3d5c2acbf7f7dd7ba
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Oct 27 15:44:00 2015 +0100

      glib: add compatibility interface for g_hash_table_add()

      The next commit will use it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 37a639a7fbc5c6b065c80e7e2de78d22af735496
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Oct 28 11:46:51 2015 +0100

      block: Consider all child nodes in bdrv_requests_pending()

      The function manually recursed into bs->file and bs->backing to check
      whether there were any requests pending, but it ignored other children.

      There's no need to special case file and backing here, so just replace
      these two explicit recursions by a loop recursing for all child nodes.

      Reported-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 1446029211-27148-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 33108e9f3388b07b7daa4e46d476ff89ce7dbec5
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Thu Oct 8 18:51:03 2015 +0530

      target-arm: xlnx-zynqmp: Add sdhci support.

      Add two SYSBUS_SDHCI devices for xlnx-zynqmp

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 637d23beb607765033067c5cb08e0d66afaf8f4c
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Thu Oct 8 18:51:02 2015 +0530

      sdhci: Split sdhci.h for public and internal device usage

      Split sdhci.h into pubilc version (i.e include/hw/sd/sdhci.h) and
      internal version (i.e hw/sd/sdhci-interna.h) based on register
      declarations and object declaration.

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e3382ef0ea2724f5f09271a608e8f68ede5d844d
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Thu Oct 8 18:51:01 2015 +0530

      sd.h: Move sd.h to include/hw/sd/

      Create a sd directory under include/hw/ and move sd.h to
      include/hw/sd/

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 10a06fd65f667a972848ebbbcac11bdba931b544
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Mon Oct 26 14:42:57 2015 +0300

      virtio: sync the dataplane vring state to the virtqueue before virtio_save

      When creating snapshot with the dataplane enabled, the snapshot file gets
      not the actual state of virtqueue, because the current state is stored in
      VirtIOBlockDataPlane. Therefore, before saving snapshot need to sync
      the dataplane vring state to the virtqueue. The dataplane will resume its
      work at the next notify virtqueue.

      When snapshot loads with loadvm we get a message:
      VQ 0 size 0x80 Guest index 0x15f5 inconsistent with Host index 0x0:
          delta 0x15f5
      error while loading state for instance 0x0 of device
          '0000:00:08.0/virtio-blk'
      Error -1 while loading VM state

      to reproduce the error I used the following hmp commands:
      savevm snap1
      loadvm snap1

      qemu parameters:
      --enable-kvm -smp 4 -m 1024 -drive 
file=/var/lib/libvirt/images/centos6.4.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,aio=native
 -device 
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x8,drive=drive-virtio-disk0,id=virtio-disk0
 -set device.virtio-disk0.x-data-plane=on

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1445859777-2982-1-git-send-email-den@xxxxxxxxxx
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      CC: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c900ef86c5e30e1adec0f79350edc3f30ebee285
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue Oct 27 13:09:45 2015 +0000

      gdb command: qemu handlers

      A new gdb commands are added:

        qemu handlers

           That dumps an AioContext list (by default qemu_aio_context)
           possibly including a backtrace for cases it knows about
           (with the verbose option).  Intended to help find why something
           is hanging waiting for IO.

        Use 'qemu handlers --verbose iohandler_ctx'  to find out why
      your incoming migration is stuck.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-id: 1445951385-11924-1-git-send-email-dgilbert@xxxxxxxxxx

      V2:
        Merge into one command with optional handlers arg, and only do
          backtrace in verbose mode

       (gdb) qemu handlers
       ----
       {pfd = {fd = 6, events = 25, revents = 0}, io_read = 0x55869656ffd0
       <event_notifier_dummy_cb>, io_write = 0x0, deleted = 0, opaque =
       0x558698c4ce08, node = {le_next = 0x0, le_prev = 0x558698c4cdc0}}

       (gdb) qemu handlers iohandler_ctx
       ----
       {pfd = {fd = 9, events = 25, revents = 0}, io_read = 0x558696581380
       <fd_coroutine_enter>, io_write = 0x0, deleted = 0, opaque =
       0x558698dc99d0, node = {le_next = 0x558698c4cca0, le_prev =
       0x558698c4c1d0}}
       ----
       {pfd = {fd = 4, events = 25, revents = 0}, io_read = 0x55869657b330
       <sigfd_handler>, io_write = 0x0, deleted = 0, opaque = 0x4, node =
       {le_next = 0x558698c4c260, le_prev = 0x558699f72508}}
       ----
       {pfd = {fd = 5, events = 25, revents = 0}, io_read = 0x55869656ffd0
       <event_notifier_dummy_cb>, io_write = 0x0, deleted = 0, opaque =
       0x558698c4c218, node = {le_next = 0x0, le_prev = 0x558698c4ccc8}}
       ----
       (gdb) qemu handlers --verbose iohandler_ctx
       ----
       {pfd = {fd = 9, events = 25, revents = 0}, io_read = 0x558696581380
       <fd_coroutine_enter>, io_write = 0x0, deleted = 0, opaque =
       0x558698dc99d0, node = {le_next = 0x558698c4cca0, le_prev =
       0x558698c4c1d0}}
       #0  0x0000558696581820 in qemu_coroutine_switch
       (from_=from_@entry=0x558698cb3cf0, to_=to_@entry=0x7f421c37eac8,
       action=action@entry=COROUTINE_YIELD) at
       /home/dgilbert/git/qemu/coroutine-ucontext.c:177
       #1  0x0000558696580c00 in qemu_coroutine_yield () at
       /home/dgilbert/git/qemu/qemu-coroutine.c:145
       #2  0x00005586965814f5 in yield_until_fd_readable (fd=9) at
       /home/dgilbert/git/qemu/qemu-coroutine-io.c:90
       #3  0x0000558696523937 in socket_get_buffer (opaque=0x55869a3dc620,
       buf=0x558698c505a0 "", pos=<optimized out>, size=32768) at
       /home/dgilbert/git/qemu/migration/qemu-file-unix.c:101
       #4  0x0000558696521fac in qemu_fill_buffer (f=0x558698c50570) at
       /home/dgilbert/git/qemu/migration/qemu-file.c:227
       #5  0x0000558696522989 in qemu_peek_byte (f=0x558698c50570, offset=0)
           at /home/dgilbert/git/qemu/migration/qemu-file.c:507
       #6  0x0000558696522bf4 in qemu_get_be32 (f=0x558698c50570) at
       /home/dgilbert/git/qemu/migration/qemu-file.c:520
       #7  0x0000558696522bf4 in qemu_get_be32 (f=f@entry=0x558698c50570)
           at /home/dgilbert/git/qemu/migration/qemu-file.c:604
       #8  0x0000558696347e5c in qemu_loadvm_state (f=f@entry=0x558698c50570)
           at /home/dgilbert/git/qemu/migration/savevm.c:1821
       #9  0x000055869651de8c in process_incoming_migration_co
       (opaque=0x558698c50570)
           at /home/dgilbert/git/qemu/migration/migration.c:336
       #10 0x000055869658188a in coroutine_trampoline (i0=<optimized out>,
       i1=<optimized out>)
           at /home/dgilbert/git/qemu/coroutine-ucontext.c:80
       #11 0x00007f420f05df10 in __start_context () at /lib64/libc.so.6
       #12 0x00007ffc40815f50 in  ()
       #13 0x0000000000000000 in  ()

        ----
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ed65fd1a2750d24290354cc7ea49caec7c13e30b
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Oct 16 12:25:54 2015 +0200

      virtio-blk: switch off scsi-passthrough by default

      Devices that are compliant with virtio-1 do not support scsi
      passthrough any more (and it has not been a recommended setup
      anyway for quite some time). To avoid having to switch it off
      explicitly in newer qemus that turn on virtio-1 by default, let's
      switch the default to scsi=false for 2.5.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Message-id: 1444991154-79217-4-git-send-email-cornelia.huck@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 80fd50f96b8dc46e185f61d9b6438a6414507076
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Oct 16 12:25:53 2015 +0200

      ppc/spapr: add 2.4 compat props

      HW_COMPAT_2_4 will become non-empty: prepare for it.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Message-id: 1444991154-79217-3-git-send-email-cornelia.huck@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 54d8ec84fa444ed7c05e03f96895ba69a2b2e5bc
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Oct 16 12:25:52 2015 +0200

      s390x: include HW_COMPAT_* props

      We want to inherit generic hw compat as well.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-id: 1444991154-79217-2-git-send-email-cornelia.huck@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a201b0ff28d9fa0f965450c1ba7191eca69f9fd5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 10:02:54 2015 +0200

      qemu-gdb: add $qemu_coroutine_sp and $qemu_coroutine_pc

      These can be useful to manually get a stack trace of a coroutine inside
      a core dump.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1444636974-19950-4-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 80ab31b257ba3aaa98ce6f1e36592aa20c5366c1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 10:02:53 2015 +0200

      qemu-gdb: extract parts of "qemu coroutine" implementation

      Provide useful Python functions to reach and decipher a jmpbuf.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1444636974-19950-3-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1138f24645e9e1e2d55d280caab4e2539dfcdb49
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 10:02:52 2015 +0200

      qemu-gdb: allow using glibc_pointer_guard() on core dumps

      get_fs_base() cannot be run on a core dump, because it uses the arch_prctl
      system call.  The fs base is the value that is returned by pthread_self(),
      and it would be nice to just glean it from the "info threads" output:

      * 1    Thread 0x7f16a3fff700 (LWP 33642) pthread_cond_wait@@GLIBC_2.3.2 ()
                    ^^^^^^^^^^^^^^

      but unfortunately the gdb API does not provide that.  Instead, we can
      look for the "arg" argument of the start_thread function if glibc debug
      information are available.  If not, fall back to the old mechanism.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1444636974-19950-2-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dbd8af9824d0ddc4400f859c2af77543461cba0d
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Fri Oct 2 17:50:50 2015 +0100

      target-mips: Add enum for BREAK32

      Add enum for BREAK32

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 2dcf7908d9e0274c08911400beb7ed14276bb170
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Mon Sep 14 13:51:31 2015 +0100

      target-mips: update writing to CP0.Status.KX/SX/UX in MIPS Release R6

      Implement the relationship between CP0.Status.KX, SX and UX. It should not
      be possible to set UX bit if SX is 0, the same applies for setting SX if
      KX is 0.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 7540a43a1d9de71fa7a53ccd2bb24a04e2aace41
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Mon Sep 14 13:58:24 2015 +0100

      target-mips: implement the CPU wake-up on non-enabled interrupts in R6

      In Release 6, the behaviour of WAIT has been modified to make it a
      requirement that a processor that has disabled operation as a result of
      executing a WAIT will resume operation on arrival of an interrupt even if
      interrupts are not enabled.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 71ca034a0dee69f77c8ac6ea7d21e5b6a0b0d836
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Mon Sep 14 13:58:23 2015 +0100

      target-mips: move the test for enabled interrupts to a separate function

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit b9b03ab0d47e8cfc0015255c531db41d0b1a1f91
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:33 2015 +0200

      monitor: Split MonitorQAPIEventConf off MonitorQAPIEventState

      In preparation of turning monitor_qapi_event_state[] into a hash table
      for finer grained throttling.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444921716-9511-5-git-send-email-armbru@xxxxxxxxxx>

  commit 1824c41a62c1bbb79d32f97037ca579212b8c134
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:32 2015 +0200

      monitor: Switch from timer_new() to timer_new_ns()

      We don't actually care for the scale, so we can just as well use the
      simpler interface.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444921716-9511-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 93f8f982fedfc9ee9cf5fc8983c3b25efe828967
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:31 2015 +0200

      monitor: Simplify event throttling

      The event throttling state machine is hard to understand.  I'm not
      sure it's entirely correct.  Rewrite it in a more straightforward
      manner:

      State 1: No event sent recently (less than evconf->rate ns ago)

          Invariant: evstate->timer is not pending, evstate->qdict is null

          On event: send event, arm timer, goto state 2

      State 2: Event sent recently, no additional event being delayed

          Invariant: evstate->timer is pending, evstate->qdict is null

          On event: store it in evstate->qdict, goto state 3

          On timer: goto state 1

      State 3: Event sent recently, additional event being delayed

          Invariant: evstate->timer is pending, evstate->qdict is non-null

          On event: store it in evstate->qdict, goto state 3

          On timer: send evstate->qdict, clear evstate->qdict,
                    arm timer, goto state 2

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444921716-9511-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 688b4b7de755f4dd01ec516975ae01590cf9f438
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 17:08:30 2015 +0200

      monitor: Reduce casting of QAPI event QDict

      Make the variables holding the event QDict instead of QObject.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444921716-9511-2-git-send-email-armbru@xxxxxxxxxx>

  commit 7f0278435df1fa845b3bd9556942f89296d4246b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:37 2015 +0200

      qstring: Make conversion from QObject * accept null

      qobject_to_qstring() crashes on null, which is a trap for the unwary.
      Return null instead, and simplify a few callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-7-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 2d6421a90047a83f6722832405fe09571040ea5b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:36 2015 +0200

      qlist: Make conversion from QObject * accept null

      qobject_to_qlist() crashes on null, which is a trap for the unwary.
      Return null instead.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-6-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit fcf73f66a67f5e58c18216f8c8651e38cf4d90af
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:35 2015 +0200

      qfloat qint: Make conversion from QObject * accept null

      qobject_to_qfloat() and qobject_to_qint() crash on null, which is a
      trap for the unwary.  Return null instead, and simplify a few callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-5-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 89cad9f3ec6b30d7550fb5704475fc9c3393a066
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:34 2015 +0200

      qdict: Make conversion from QObject * accept null

      qobject_to_qdict() crashes on null, which is a trap for the unwary.
      Return null instead, and simplify a few callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 14b6160099f0caf5dc9d62e637b007bc5d719a96
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:33 2015 +0200

      qbool: Make conversion from QObject * accept null

      qobject_to_qbool() crashes on null, which is a trap for the unwary.
      Return null instead, and simplify a few callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit c7c462123cfc3b62d325fd75be9c595b055797db
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 15 16:15:32 2015 +0200

      qobject: Drop QObject_HEAD

      QObject_HEAD is a macro expanding into the common part of structs that
      are sub-types of QObject.  It's always been just QObject base, and
      unlikely to change.  Drop the macro, because the code is clearer with
      out it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444918537-18107-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 7bc8e0c967a4ef77657174d28af775691e18b4ce
  Merge: 331c5e2 3f1e147
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 29 09:49:52 2015 +0000

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, pc, memory: fixes+features for 2.5

      New features:
          This enables hotplug for multifunction devices.
          Patches are very small, so I think it's OK to merge
          at this stage.

          There's also some new infrastructure for vhost-user testing
          not enabled yet so it's harmless to merge.

      I've reverted the "gap between DIMMs" workaround, as it seems too risky, 
and
      applied my own patch in virtio, but not in dataplane code.  This means 
that
      dataplane is broken for some complex DIMM configurations for now.  
Waiting for
      Stefan to review the dataplane fix.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 29 Oct 2015 09:36:16 GMT using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        enable multi-function hot-add
        remove function during multi-function hot-add
        tests/vhost-user-bridge: add vhost-user bridge application
        Revert "memhp: extend address auto assignment to support gaps"
        Revert "pc: memhp: force gaps between DIMM's GPA"
        virtio: drop virtqueue_map_sg
        virtio-scsi: convert to virtqueue_map
        virtio-serial: convert to virtio_map
        virtio-blk: convert to virtqueue_map
        virtio: switch to virtio_map
        virtio: introduce virtio_map
        mmap-alloc: fix error handling
        pc: memhp: do not emit inserting event for coldplugged DIMMs
        vhost-user-test: fix up rhel6 build
        vhost-user: cleanup msg size math
        vhost-user: cleanup struct size math

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3f1e1478db2d67098d98f2c3acf5a4946b7fb643
  Author: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Oct 28 14:20:31 2015 +0800

      enable multi-function hot-add

      Enable PCIe device multi-function hot-add, just ensure function 0 is added
      last, then driver will get the notification to scan the slot.

      Signed-off-by: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0d1c7d88ad909c5b2bd86211a9fe8abf5c74993b
  Author: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Oct 28 14:20:30 2015 +0800

      remove function during multi-function hot-add

      In case user want to cancel the hot-add operation, should roll back,
      device_del the added function that still don`t work.

      Signed-off-by: Cao jin <caoj.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3595e2eb0a233a881789fcc71f5b1072e5aaf669
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Wed Oct 28 14:53:07 2015 +0200

      tests/vhost-user-bridge: add vhost-user bridge application

      The test existing in QEMU for vhost-user feature is good for
      testing the management protocol, but does not allow actual
      traffic. This patch proposes Vhost-User Bridge application, which
      can serve the QEMU community as a comprehensive test by running
      real internet traffic by means of vhost-user interface.

      Essentially the Vhost-User Bridge is a very basic vhost-user
      backend for QEMU. It runs as a standalone user-level process.
      For packet processing Vhost-User Bridge uses an additional QEMU
      instance with a backend configured by "-net socket" as a shared
      VLAN.  This way another QEMU virtual machine can effectively
      serve as a shared bus by means of UDP communication.

      For a more simple setup, the another QEMU instance running the
      SLiRP backend can be the same QEMU instance running vhost-user
      client.

      This Vhost-User Bridge implementation is very preliminary.  It is
      missing many features. I has been studying vhost-user protocol
      internals, so I've written vhost-user-bridge bit by bit as I
      progressed through the protocol.  Most probably its internal
      architecture will change significantly.

      To run Vhost-User Bridge application:

      1. Build vhost-user-bridge with a regular procedure. This will
      create a vhost-user-bridge executable under tests directory:

          $ configure; make tests/vhost-user-bridge

      2. Ensure the machine has hugepages enabled in kernel with
      command line like:

          default_hugepagesz=2M hugepagesz=2M hugepages=2048

      3. Run Vhost-User Bridge with:

          $ tests/vhost-user-bridge

      The above will run vhost-user server listening for connections
      on UNIX domain socket /tmp/vubr.sock, and will try to connect
      by UDP to VLAN bridge to localhost:5555, while listening on
      localhost:4444

      Run qemu with a virtio-net backed by vhost-user:

          $ qemu \
              -enable-kvm -m 512 -smp 2 \
              -object 
memory-backend-file,id=mem,size=512M,mem-path=/dev/hugepages,share=on \
              -numa node,memdev=mem -mem-prealloc \
              -chardev socket,id=char0,path=/tmp/vubr.sock \
              -netdev type=vhost-user,id=mynet1,chardev=char0,vhostforce \
              -device virtio-net-pci,netdev=mynet1 \
              -net none \
              -net socket,vlan=0,udp=localhost:4444,localaddr=localhost:5555 \
              -net user,vlan=0 \
              disk.img

      vhost-user-bridge was tested very lightly: it's able to bringup a
      linux on client VM with the virtio-net driver, and execute transmits
      and receives to the internet. I tested with "wget redhat.com",
      "dig redhat.com".

      PS. I've consulted DPDK's code for vhost-user during Vhost-User
      Bridge implementation.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d6a9b0b89d27e0a688f37c1732d4dec40613669e
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 28 18:55:06 2015 +0200

      Revert "memhp: extend address auto assignment to support gaps"

      This reverts commit df0acded19ec4b826aa095cfc19d341bd66fafd3.

      There's no point to it now that the only user has been reverted.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 340065e5a11a515382c8b1112424c97e86ad2a3f
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 28 18:54:05 2015 +0200

      Revert "pc: memhp: force gaps between DIMM's GPA"

      This reverts commit aa8580cddf011e8cedcf87f7a0fdea7549fc4704.

      As described in
      http://article.gmane.org/gmane.comp.emulators.qemu/371432
      that commit causes linux guests to crash on memory hot-unplug.

      The original problem it's trying to solve has now
      been addressed within virtio.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3945ecf1ec4f6e6aa28d0c396a7f5d983c6810d8
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:22:59 2015 +0200

      virtio: drop virtqueue_map_sg

      Deprecated in favor of virtqueue_map.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 4ada5331895551570846e12e7eb00e06616f9152
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:22:13 2015 +0200

      virtio-scsi: convert to virtqueue_map

      Note: virtqueue_map already validates input
      so virtio-scsi does not have to.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit bff712dc223f685c684f9caf960e6460e84a96f0
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:19:43 2015 +0200

      virtio-serial: convert to virtio_map

      This also fixes a minor bug:
      -                virtqueue_map_sg(port->elem.out_sg, port->elem.out_addr,
      -                                 port->elem.out_num, 1);
      is wrong: out_sg is not written so should not be marked dirty.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 3d8db153b4b4e12b6d11590ccd318fff0eafd688
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:18:24 2015 +0200

      virtio-blk: convert to virtqueue_map

      Drop deprecated use of virtqueue_map_sg.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 13972ac5e263a7319609253edac5754129489132
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:09:16 2015 +0200

      virtio: switch to virtio_map

      Drop use of the deprecated virtio_map_sg in virtio core.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 8059feee004111534c4c0652e2f0715e9b4e0754
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 27 10:01:44 2015 +0200

      virtio: introduce virtio_map

      virtio_map_sg currently fails if one of the entries it's mapping is
      contigious in GPA but not HVA address space.  Introduce virtio_map which
      handles this by splitting sg entries.

      This new API generally turns out to be a good idea since it's harder to
      misuse: at least in one case the existing one was used incorrectly.

      This will still fail if there's no space left in the sg, but luckily max
      queue size in use is currently 256, while max sg size is 1024, so we
      should be OK even is all entries happen to cross a single DIMM boundary.

      Won't work well with very small DIMM sizes, unfortunately:
      e.g. this will fail with 4K DIMMs where a single
      request might span a large number of DIMMs.

      Let's hope these are uncommon - at least we are not breaking things.

      Note: virtio-scsi calls virtio_map_sg on data loaded from network, and
      validates input, asserting on failure.  Copy the validating code here -
      it will be dropped from virtio-scsi in a follow-up patch.

      Reported-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 9d4ec9370a36f8a564e1ba05519328c0bd60da13
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Sun Oct 25 17:07:45 2015 +0200

      mmap-alloc: fix error handling

      Existing callers are checking for MAP_FAILED,
      so we should return that on error.

      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4828b10bda6a74a22a7695303e0648157d0e3ea4
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Fri Oct 23 14:55:26 2015 +0200

      pc: memhp: do not emit inserting event for coldplugged DIMMs

      currently acpi_memory_plug_cb() sets is_inserting for
      cold- and hot-plugged DIMMs as result ASL MHPD.MSCN()
      method issues device check even for every coldplugged
      DIMM. There isn't much harm in it but if we try to
      unplug such DIMM, OSPM will issue device check
      intstead of device eject event. So OSPM won't eject
      memory module as expected and it will try to eject it
      only when another memory device is hot-(un)plugged.

      As a fix do not set 'is_inserting' event and do not
      issue SCI for cold-plugged DIMMs as they are
      enumerated and activated by OSPM during guest's boot.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 12ebf6908333a86775ef18f12ea283601fd1d2df
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 22 22:28:37 2015 +0300

      vhost-user-test: fix up rhel6 build

      Build on RHEL6 fails:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42875

      Apparently unnamed unions couldn't use C99  named field initializers.
      Let's just name the payload union field.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7fc0246c0792767b732c0989e8eba24bea185feb
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 22 22:33:39 2015 +0300

      vhost-user: cleanup msg size math

      We are sending msg fields, use sizeof on these
      and not on local variables which happen to
      have a matching type.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 86abad0fedc44554adde5e189cf7edfa5b1c948e
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 22 22:31:28 2015 +0300

      vhost-user: cleanup struct size math

      We are using local msg structures everywhere, use them
      for sizeof as well.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 331c5e2091009f170554fed4ef884aeea871e4bb
  Merge: 496fedd 522a0d4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 28 20:10:22 2015 +0000

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20151028' into 
staging

      Breakpoint fixes

      # gpg: Signature made Wed 28 Oct 2015 17:58:52 GMT using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20151028:
        target-*: Advance pc after recognizing a breakpoint

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 522a0d4e3c0d397ffb45ec400d8cbd426dad9d17
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Oct 13 22:07:49 2015 +0000

      target-*: Advance pc after recognizing a breakpoint

      Some targets already had this within their logic, but make sure
      it's present for all targets.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 496fedddce9a575111df4f912fb9e361037531ed
  Merge: 739680d 15e4134
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 28 15:08:36 2015 +0000

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      target-i386: finally enable "check" mode by default

      # gpg: Signature made Wed 28 Oct 2015 14:13:10 GMT using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Enable "check" mode by default
        target-i386: Don't left shift negative constant

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 739680da59de8531a280e9360aae756b6134a3ec
  Merge: c012e1b 637016c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 28 14:02:27 2015 +0000

      Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' 
into staging

      Update OpenBIOS images

      # gpg: Signature made Wed 28 Oct 2015 00:02:46 GMT using RSA key ID 
AE0F321F
      # gpg: Good signature from "Mark Cave-Ayland 
<mark.cave-ayland@xxxxxxxxxxxx>"

      * remotes/mcayland/tags/qemu-openbios-signed:
        Update OpenBIOS images

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 637016c2603d15d01957eb57f64387262e3ba830
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Oct 28 00:01:28 2015 +0000

      Update OpenBIOS images

      Update OpenBIOS images to SVN r1353 built from submodule.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>

  commit 15e41345906d29a319cc9cdf566347bf79134d24
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Aug 26 13:25:44 2015 -0300

      target-i386: Enable "check" mode by default

      Current default behavior of QEMU is to silently disable features that
      are not supported by the host when a CPU model is requested in the
      command-line. This means that in addition to risking breaking guest ABI
      by default, we are silent about it.

      I would like to enable "enforce" by default, but this can easily break
      existing production systems because of the way libvirt makes assumptions
      about CPU models today (this will change in the future, once QEMU
      provide a proper interface for checking if a CPU model is runnable).

      But there's no reason we should be silent about it. So, change
      target-i386 to enable "check" mode by default so at least we have some
      warning printed to stderr (and hopefully logged somewhere) when QEMU
      disables a feature that is not supported by the host system.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 712b4243c761cb6ab6a4367a160fd2a42e2d4b76
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Sep 29 17:34:23 2015 -0300

      target-i386: Don't left shift negative constant

      Left shift of negative values is undefined behavior. Detected by clang:
        qemu/target-i386/translate.c:2423:26: runtime error:
          left shift of negative value -8

      This changes the code to reverse the sign after the left shift.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit c012e1b7ad066f462ba1c3322fcb43cd8295eaff
  Merge: 7e038b9 9b53926
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 27 16:17:55 2015 +0000

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151027-1' into staging

      target-arm queue:
       * more EL2 preparation: handling for stage 2 translations
       * standardize debug macros in i.MX devices
       * improve error message in a corner case for virt board
       * disable live migration of KVM GIC if the kernel can't handle it
       * add SPSR_(ABT|UND|IRQ|FIQ) registers
       * handle non-executable page-straddling Thumb instructions
       * fix a "no 64-bit EL2" assumption in arm_excp_unmasked()

      # gpg: Signature made Tue 27 Oct 2015 16:03:31 GMT using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151027-1: (27 commits)
        target-arm: Add support for S1 + S2 MMU translations
        target-arm: Route S2 MMU faults to EL2
        target-arm: Add S2 translation to 32bit S1 PTWs
        target-arm: Add S2 translation to 64bit S1 PTWs
        target-arm: Add ARMMMUFaultInfo
        target-arm: Avoid inline for get_phys_addr
        target-arm: Add support for S2 page-table protection bits
        target-arm: Add computation of starting level for S2 PTW
        target-arm: lpae: Rename granule_sz to stride
        target-arm: lpae: Replace tsz with computed inputsize
        target-arm: Add support for AArch32 S2 negative t0sz
        target-arm: lpae: Move declaration of t0sz and t1sz
        target-arm: lpae: Make t0sz and t1sz signed integers
        target-arm: Add HPFAR_EL2
        i.MX: Standardize i.MX GPT debug
        i.MX: Standardize i.MX EPIT debug
        i.MX: Standardize i.MX FEC debug
        i.MX: Standardize i.MX CCM debug
        i.MX: Standardize i.MX AVIC debug
        i.MX: Standardize i.MX I2C debug
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9b539263faa5c1b7fce2551092b5c7b6eea92081
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:07 2015 +0100

      target-arm: Add support for S1 + S2 MMU translations

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-15-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d759a457a144844bff259aafda093b24e92c116d
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:06 2015 +0100

      target-arm: Route S2 MMU faults to EL2

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-14-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a614e69854a2e601716ee44dfe15c09b8b88f620
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:05 2015 +0100

      target-arm: Add S2 translation to 32bit S1 PTWs

      Add support for applying S2 translation to 32bit S1
      page-table walks.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-13-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 37785977627295162bff58b1f8777d94e20f4c5b
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:04 2015 +0100

      target-arm: Add S2 translation to 64bit S1 PTWs

      Add support for applying S2 translation to 64bit S1
      page-table walks.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-12-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e14b5a23d8c83304559f31397f95d22ada60a19a
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:03 2015 +0100

      target-arm: Add ARMMMUFaultInfo

      Introduce ARMMMUFaultInfo to propagate MMU Fault information
      across the MMU translation code path. This is in preparation for
      adding Stage-2 translation.

      No functional changes.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-11-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit af51f566ec7106d5e834476e78681a7b354f3c7c
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:02 2015 +0100

      target-arm: Avoid inline for get_phys_addr

      Avoid inline for get_phys_addr() to prepare for future recursive use.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-10-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6ab1a5ee1c9d328cacf78805439ed4d3d132decd
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:01 2015 +0100

      target-arm: Add support for S2 page-table protection bits

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-9-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1853d5a9dcac910322c6cc5b2fddec45fd052d25
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:02:00 2015 +0100

      target-arm: Add computation of starting level for S2 PTW

      The starting level for S2 pagetable walks is computed
      differently from the S1 starting level. Implement the S2
      variant.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-8-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 973a5434825c076995218868b5b3047e5de400c6
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:59 2015 +0100

      target-arm: lpae: Rename granule_sz to stride

      Rename granule_sz to stride to better match the reference manuals.

      No functional change.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-7-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4ca6a051758edf625a17dfc4ce4ab72edabac170
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:58 2015 +0100

      target-arm: lpae: Replace tsz with computed inputsize

      Remove the tsz variable and introduce inputsize.
      This simplifies the code a little and makes it easier to
      compare with the reference manuals.

      No functional change.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-6-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4ee38098010240e0b390061fdd0151ff62d80279
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:57 2015 +0100

      target-arm: Add support for AArch32 S2 negative t0sz

      Add support for AArch32 S2 negative t0sz. In preparation for
      using 40bit IPAs on AArch32.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-5-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1f4c8c18a5b6f4fad13e13b7e3828124c6c8f34d
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:56 2015 +0100

      target-arm: lpae: Move declaration of t0sz and t1sz

      Move declaration of t0sz and t1sz to the top of the function
      avoiding a mix of code and variable declarations.

      No functional change.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5c31a10d16c595d6a59e3e7fc1808c3b1d03e02f
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:55 2015 +0100

      target-arm: lpae: Make t0sz and t1sz signed integers

      Make t0sz and t1sz signed integers to match tsz and to make
      it easier to implement support for AArch32 negative t0sz.
      t1sz is changed for consistensy.

      No functional change.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 59e055307392fdf99b86c8cbcd33a7e261dcbdb1
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Oct 26 14:01:54 2015 +0100

      target-arm: Add HPFAR_EL2

      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1445864527-14520-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 054535262fce994b942039b0a7c4c484c8026c5e
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:26 2015 +0100

      i.MX: Standardize i.MX GPT debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      We also replace IPRINTF with qemu_log_mask(). The qemu_log_mask() output
      is following the same format as the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
b7ce7e98a051479453744aded122789531d80a44.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4929f6563c704dbd057524b38ee519b3a7c8dfe1
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:24 2015 +0100

      i.MX: Standardize i.MX EPIT debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      We also replace IPRINTF with qemu_log_mask(). The qemu_log_mask() output
      is following the same format as the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
5bbad71517ca728d8865f7b9f998baa0df022794.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b72d8d257c187532194f2fca504afb568cd2a3bf
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:21 2015 +0100

      i.MX: Standardize i.MX FEC debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      The qemu_log_mask() output is following the same format as the
      above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
57e565982db94fb433c32dfa17608888464d21de.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4a6aa0af8593ee135ef37867ae00109650b95638
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:19 2015 +0100

      i.MX: Standardize i.MX CCM debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      The qemu_log_mask() output is following the same format as the
      above debug.

      Adding some missing qemu_log_mask call for bad registers.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
293e08f31cbb4df84d58f693243e61e770c73b3a.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f50ed7853ad658407382dfe1da29f3c88d604592
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:17 2015 +0100

      i.MX: Standardize i.MX AVIC debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      We also replace IPRINTF with qemu_log_mask(). The qemu_log_mask() output
      is following the same format as the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
29885ffea2577eaf2288c1d17fd87ee951748b49.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3afcbb01bc1227bc3a3bade1804c449daf74b262
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:14 2015 +0100

      i.MX: Standardize i.MX I2C debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      The qemu_log_mask() output is following the same format as
      the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
328acfe6fc09a5afdbfbfd5220e0869fd5082660.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 564111257468bb772ad0b374dbbb0c969a554cfd
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:11 2015 +0100

      i.MX: Standardize i.MX GPIO debug

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      The qemu_log_mask() outputis following the same format as
      the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
4f2007adcf0f579864bb4dd8a825824e0e9098b8.1445781957.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8ccce77c04a23a1451b6e149930e66b6eef75926
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Sun Oct 25 15:16:06 2015 +0100

      i.MX: Standardize i.MX serial debug.

      The goal is to have debug code always compiled during build.

      We standardize all debug output on the following format:

      [QOM_TYPE_NAME]reporting_function: debug message

      We also replace IPRINTF with qemu_log_mask(). The qemu_log_mask() output
      is following the same format as the above debug.

      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Message-id: 
47b8759b251d356c633faf7ea34f897f340aea4e.1445781957.git.jcd@xxxxxxxxxxxxxxx
      [PMM: Drop attempt to print the ram_addr of a memory region in
       one DPRINTF, which (a) was using the wrong format string so
       didn't build on 32-bit and (b) was incorrectly looking at a
       private field of a MemoryRegion struct]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b280b726a329a97db03323d8d03ed554f7872b8
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      hw/arm/virt: don't use a15memmap directly

      We should always go through VirtBoardInfo when we need the memmap.
      To avoid using a15memmap directly, in this case, we need to defer
      the max-cpus check from class init time to instance init time. In
      class init we now use MAX_CPUMASK_BITS for max_cpus initialization,
      which is the maximum QEMU supports, and also, incidentally, the
      maximum KVM/gicv3 currently supports. Also, a nice side-effect of
      delaying the max-cpus check is that we now get more appropriate
      error messages for gicv2 machines that try to configure more than
      123 cpus. Before this patch it would complain that the requested
      number of cpus was greater than 123, but for gicv2 configs, it
      should complain that the number is greater than 8.

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Message-id: 1445189728-860-3-git-send-email-drjones@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 24182fbc19cbc7c387bb350a72e6b55f63ea1747
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      arm_gic_kvm: Disable live migration if not supported

      Currently, if the kernel does not have live migration API, the migration
      will still be attempted, but vGIC save/restore functions will just not do
      anything. This will result in a broken machine state.

      This patch fixes the problem by adding migration blocker if kernel API is
      not supported.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b876452507d0b719cff0b478efafb34ac41db683
  Author: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      target-arm: Add support for SPSR_(ABT|UND|IRQ|FIQ)

      Signed-off-by: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 541ebcd401ee47f3c1a3ce503ef5466b75e9d20a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      target-arm/translate.c: Handle non-executable page-straddling Thumb insns

      When the memory we're trying to translate code from is not executable we 
have
      to turn this into a guest fault. In order to report the correct PC for 
this
      fault, and to make sure it is not reported until after any other possible
      faults for instructions earlier in execution, we must terminate TBs at
      the end of a page, in case the next instruction is in a non-executable 
page.
      This is simple for T16, A32 and A64 instructions, which are always aligned
      to their size. However T32 instructions may be 32-bits but only 
16-aligned,
      so they can straddle a page boundary.

      Correct the condition that checks whether the next instruction will touch
      the following page, to ensure that if we're 2 bytes before the boundary
      and this insn is T32 then we end the TB.

      Reported-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Reviewed-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7cd6de3bb1ca55dfa8f53fb9894803eb33f497b3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 27 12:00:50 2015 +0000

      target-arm: Fix "no 64-bit EL2" assumption in arm_excp_unmasked()

      The code in arm_excp_unmasked() suppresses the ability of PSTATE.AIF
      to mask exceptions from a lower EL targeting EL2 or EL3 if the
      CPU is 64-bit. This is correct for a target of EL3, but not correct
      for targeting EL2. Further, we go to some effort to calculate
      scr and hcr values which are not used at all for the 64-bit CPU
      case.

      Rearrange the code to correctly implement the 64-bit CPU logic
      and keep the hcr/scr calculations in the 32-bit CPU codepath.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1444327729-4120-1-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 7e038b94e74e1c2d1b3598e2e4b0b5c8b79a7278
  Merge: 9666248 a3e8a3f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 27 10:10:46 2015 +0000

      Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' 
into staging

      # gpg: Signature made Tue 27 Oct 2015 05:47:28 GMT using RSA key ID 
398D6211
      # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) 
<jasowang@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 
6211

      * remotes/jasowang/tags/net-pull-request:
        net: free the string returned by object_get_canonical_path_component
        net: make iov_to_buf take right size argument in nc_sendv_compat()
        net: Remove duplicate data from query-rx-filter on multiqueue net 
devices
        vmxnet3: Do not fill stats if device is inactive
        options: Add documentation for filter-dump
        net/dump: Provide the dumping facility as a net-filter
        net/dump: Separate the NetClientState from the DumpState
        net/dump: Rework net-dump init functions
        net/dump: Add support for receive_iov function
        net: cadence_gem: Set initial MAC address

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3e8a3f382363d5fd452cfc15f90a688d70023d9
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Tue Oct 20 09:51:26 2015 +0800

      net: free the string returned by object_get_canonical_path_component

      The value returned from object_get_canonical_path_component
      must be freed.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Cc: Jason Wang <jasowang@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit edc981443d5bd23e01639c2fbba4fbc2dc30204f
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Tue Oct 20 09:51:25 2015 +0800

      net: make iov_to_buf take right size argument in nc_sendv_compat()

      We want "buf, sizeof(buf)" here.  sizeof(buffer) is the size of a
      pointer, which is wrong.
      Thanks to Paolo for pointing it out.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Cc: Jason Wang <jasowang@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 5320c2caf43cc76748a1ffa0fdcaa9eb501d3fcd
  Author: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
  Date:   Mon Oct 19 09:04:38 2015 -0400

      net: Remove duplicate data from query-rx-filter on multiqueue net devices

      When responding to a query-rx-filter command on a multiqueue
      netdev, qemu reports the data for each queue.  The data, however,
      is not per-queue, but per device and the same data is reported
      multiple times.  This causes confusion and may also cause extra
      unnecessary processing when looking at the data.

      Commit 638fb14169 (net: Make qmp_query_rx_filter() with name argument
      more obvious) partially addresses this issue, by limiting the output
      when the name is specified.  However, when the name is not specified,
      the issue still persists.

      Signed-off-by: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit eedeeeffd419ab149e0b0ad5fc4b7cf5e1db6274
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 15 13:54:30 2015 +0300

      vmxnet3: Do not fill stats if device is inactive

      Guest OS may issue VMXNET3_CMD_GET_STATS even before device was
      activated (for example in linux, after insmod but prior net-dev open).

      Accessing shared descriptors prior device activation is illegal as the
      VMXNET3State structures have not been fully initialized.

      As a result, guest memory gets corrupted and may lead to guest OS
      crashes.

      Fix, by not filling the stats descriptors if device is inactive.

      Reported-by: Leonid Shatz <leonid.shatz@xxxxxxxxxxxxxxxxxx>
      Acked-by: Dmitry Fleytman <dmitry@xxxxxxxxxx>
      Signed-off-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit d3e0c032f52f4fb855f9bd2892ebd175a9d975a1
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:40:02 2015 +0200

      options: Add documentation for filter-dump

      Add a short description for the filter-dump command line options.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 9d3e12e881bc97bc32ac75d146b5347136f29ca1
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:40:01 2015 +0200

      net/dump: Provide the dumping facility as a net-filter

      Use the net-filter infrastructure to provide the dumping
      functions for netdev devices, too.

      Reviewed-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 75310e3486ab205d870560b75bbcaba72acb26d7
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:40:00 2015 +0200

      net/dump: Separate the NetClientState from the DumpState

      With the upcoming dumping-via-netfilter patch, the DumpState
      should not be related to NetClientState anymore, so move the
      related information to a new struct called DumpNetClient.

      Reviewed-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 7bc3074c27bb1eae7c8ccacd920ba55454381786
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:39:59 2015 +0200

      net/dump: Rework net-dump init functions

      Move the creation of the dump client from net_dump_init() into
      net_init_dump(), so we can later use the former function for
      dump via netfilter, too. Also rename net_dump_init() to
      net_dump_state_init() to make it easier distinguishable from
      net_init_dump().

      Reviewed-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 43192fcc1ac0a61cf9e20a9034eae8d1e91f35c8
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Oct 13 12:39:58 2015 +0200

      net/dump: Add support for receive_iov function

      Adding a proper receive_iov function to the net dump module.
      This will make it easier to support the dump filter feature for
      the -netdev option in later patches.

      Reviewed-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit afb4c51fad8cf86104803fc17457b96e86172b98
  Author: Sebastian Huber <sebastian.huber@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 10:25:01 2015 +0200

      net: cadence_gem: Set initial MAC address

      Set initial MAC address to the one specified by the command line.

      Signed-off-by: Sebastian Huber <sebastian.huber@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 9666248a85fd889bfb6118f769e9c73039b998ed
  Merge: 251d7e6 b1ecd51
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 26 13:13:38 2015 +0000

      Merge remote-tracking branch 'remotes/sstabellini/tags/xen-2015-10-26' 
into staging

      Xen 2015-10-26

      # gpg: Signature made Mon 26 Oct 2015 11:32:50 GMT using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-2015-10-26:
        xen-platform: Replace assert() with appropriate error reporting
        xen_platform: switch to realize
        Qemu/Xen: Fix early freeing MSIX MMIO memory region

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b1ecd51bdbb0fc0a7026662b03e7e7df9d129ca0
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Oct 21 13:46:50 2015 -0200

      xen-platform: Replace assert() with appropriate error reporting

      Commit dbb7405d8caad0814ceddd568cb49f163a847561 made it possible to
      trigger an assert using "-device xen-platform". Replace it with
      appropriate error reporting.

      Before:

        $ qemu-system-x86_64 -device xen-platform
        qemu-system-x86_64: hw/i386/xen/xen_platform.c:391: 
xen_platform_initfn: Assertion `xen_enabled()' failed.
        Aborted (core dumped)
        $

      After:

        $ qemu-system-x86_64 -device xen-platform
        qemu-system-x86_64: -device xen-platform: xen-platform device requires 
the Xen accelerator
        $

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 4098d49db549e20a2d87ca3cced28ace6e5864bf
  Author: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
  Date:   Wed Oct 21 13:46:49 2015 -0200

      xen_platform: switch to realize

      Use realize to initialize the xen_platform device

      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 251d7e60148599be685c6f9f3921aee38dccef5c
  Merge: af25e72 7d4f4bd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 26 11:32:20 2015 +0000

      Merge remote-tracking branch 'remotes/elmarco/tags/ivshmem-pull-request' 
into staging

      ivshmem series

      # gpg: Signature made Mon 26 Oct 2015 09:27:46 GMT using RSA key ID 
75969CE5
      # gpg: Good signature from "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxxx>"
      # gpg:                 aka "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 
9CE5

      * remotes/elmarco/tags/ivshmem-pull-request: (51 commits)
        doc: document ivshmem & hugepages
        ivshmem: use little-endian int64_t for the protocol
        ivshmem: use kvm irqfd for msi notifications
        ivshmem: rename MSI eventfd_table
        ivshmem: remove EventfdEntry.vector
        ivshmem: add hostmem backend
        ivshmem: use qemu_strtosz()
        ivshmem: do not keep shm_fd open
        tests: add ivshmem qtest
        qtest: add qtest_add_abrt_handler()
        msix: implement pba write (but read-only)
        contrib: remove unnecessary strdup()
        ivshmem: add check on protocol version in QEMU
        docs: update ivshmem device spec
        ivshmem-server: fix hugetlbfs support
        ivshmem-server: use a uint16 for client ID
        ivshmem-client: check the number of vectors
        contrib: add ivshmem client and server
        util: const event_notifier_get_fd() argument
        ivshmem: reset mask on device reset
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4e494de66800747446e73b5ec0189ad7f4690908
  Author: Lan Tianyu <tianyu.lan@xxxxxxxxx>
  Date:   Sun Oct 11 23:19:24 2015 +0800

      Qemu/Xen: Fix early freeing MSIX MMIO memory region

      msix->mmio is added to XenPCIPassthroughState's object as property.
      object_finalize_child_property is called for XenPCIPassthroughState's
      object, which calls object_property_del_all, which is going to try to
      delete msix->mmio. object_finalize_child_property() will access
      msix->mmio's obj. But the whole msix struct has already been freed
      by xen_pt_msix_delete. This will cause segment fault when msix->mmio
      has been overwritten.

      This patch is to fix the issue.

      Signed-off-by: Lan Tianyu <tianyu.lan@xxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 7d4f4bdaf785dfe9fc41b06f85cc9aaf1b1474ee
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Oct 7 16:31:47 2015 +0200

      doc: document ivshmem & hugepages

      Document and give some examples of hugepages support with ivshmem device
      and server.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f7a199b2b4486242271f769bb4bc2638c0413274
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Sep 24 12:55:01 2015 +0200

      ivshmem: use little-endian int64_t for the protocol

      The current ivshmem protocol uses 'long' for integers. But the
      sizeof(long) depends on the host and the endianess is not defined, which
      may cause portability troubles.

      Instead, switch to using little-endian int64_t. This breaks the
      protocol, except on x64 little-endian host where this change
      should be compatible.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 660c97eef6f8f416c5dc24d3798e29f9f9f698fb
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jul 9 15:50:13 2015 +0200

      ivshmem: use kvm irqfd for msi notifications

      Use irqfd for improving context switch when notifying the guest.
      If the host doesn't support kvm irqfd, regular msi notifications are
      still supported.

      Note: the ivshmem implementation doesn't allow switching between MSI and
      IO interrupts, this patch doesn't either.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0f57350e5c2ee0c6fe979f4d4b6d4e1de0c26e46
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jul 27 12:59:19 2015 +0200

      ivshmem: rename MSI eventfd_table

      The array is used to have vector specific data, so use a more
      descriptive name.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d160f3f7911bb1f99235ae211269c8f4422f2079
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jul 24 18:52:19 2015 +0200

      ivshmem: remove EventfdEntry.vector

      No need to store an extra int for the vector number when it can be
      computed easily by looking at the position in the array.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d9453c93fea0c9c67f9c63bfa79a87631317d746
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 30 00:10:16 2015 +0200

      ivshmem: add hostmem backend

      Instead of handling allocation, teach ivshmem to use a memory backend.
      This allows to use hugetlbfs backed memory now.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 2c04752cc8e37b15be4643570b49abb3128a8a46
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 30 00:06:03 2015 +0200

      ivshmem: use qemu_strtosz()

      Use the common qemu utility function to parse the memory size.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit f689d2811a36894618087e1e2cc3ade78e758e94
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 30 00:04:19 2015 +0200

      ivshmem: do not keep shm_fd open

      Remove shm_fd from device state, closing it as early as possible to avoid 
leaks.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit ddef6a0d68f641ca89466c697d191d07b7e6718c
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Apr 2 16:57:48 2014 +0200

      tests: add ivshmem qtest

      Adds 4 ivshmemtests:
      - single qemu instance and basic IO
      - pair of instances, check memory sharing
      - pair of instances with server, and MSIX
      - hot plug/unplug

      A temporary shm is created as well as a directory to place server
      socket, both should be clear on exit and abort.

      Cc: Cam Macdonell <cam@xxxxxxxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 063c23d909a8d6c9f251347514e34835e0510294
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 18:45:14 2015 +0200

      qtest: add qtest_add_abrt_handler()

      Allow a test to add abort handlers, use GHook for all handlers.

      There is currently no way to remove a handler, but it could be
      later added if needed.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 43b11a91dd861a946b231b89b7542856ade23d1b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 26 14:25:29 2015 +0200

      msix: implement pba write (but read-only)

      qpci_msix_pending() writes on pba region, causing qemu to SEGV:

        Program received signal SIGSEGV, Segmentation fault.
        [Switching to Thread 0x7ffff7fba8c0 (LWP 25882)]
        0x0000000000000000 in ?? ()
        (gdb) bt
        #0  0x0000000000000000 in  ()
        #1  0x00005555556556c5 in memory_region_oldmmio_write_accessor 
(mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, 
mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434
        #2  0x00005555556558e1 in access_with_adjusted_size (addr=0, 
value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, 
access=0x55555565563e <memory_region_oldmmio_write_accessor>, 
mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506
        #3  0x00005555556581eb in memory_region_dispatch_write 
(mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) at 
/home/elmarco/src/qemu/memory.c:1176
        #4  0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 
<address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", 
len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439
        #5  0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, 
buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534
        #6  0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, 
buf=0x7fffffffc1b0, len=4) at 
/home/elmarco/src/qemu/include/exec/cpu-common.h:80
        #7  0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, 
words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378
        #8  0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, 
inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569
        #9  0x000055555564dc07 in qtest_read (opaque=0x55555642b890, 
buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at 
/home/elmarco/src/qemu/qtest.c:581
        #10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, 
buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306
        #11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, 
cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876
        #12 0x00007ffff64c9a8a in g_main_context_dispatch 
(context=0x55555641c400) at gmain.c:3122

      (without this patch, this can be reproduced with the ivshmem qtest)

      Implement an empty mmio write to avoid the crash.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 45b00c44ceffeac8143fb8857a12677234114f2b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Jun 24 13:33:32 2015 +0200

      contrib: remove unnecessary strdup()

      getopt() optarg points to argv memory, no need to dup those values,
      fixes small leaks detected by clang-analyzer.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@xxxxxxxxxxxxx>

  commit 5105b1d8c2d1ad4a25b8806e86c0f012936b2eed
  Author: David Marchand <david.marchand@xxxxxxxxx>
  Date:   Tue Jun 16 17:43:34 2015 +0200

      ivshmem: add check on protocol version in QEMU

      Send a protocol version as the first message from server, clients must
      close communication if they don't support this protocol version.  Older
      QEMUs should be fine with this change in the protocol since they
      overrides their own vm_id on reception of an id associated to no
      eventfd.

      Signed-off-by: David Marchand <david.marchand@xxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      [use fifo_update_and_get()]
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 8c4ef202b901d25b88efc55398d4a76dfb2594de
  Author: David Marchand <david.marchand@xxxxxxxxx>
  Date:   Mon Sep 8 11:17:49 2014 +0200

      docs: update ivshmem device spec

      Add some notes on the parts needed to use ivshmem devices: more 
specifically,
      explain the purpose of an ivshmem server and the basic concept to use the
      ivshmem devices in guests.
      Move some parts of the documentation and re-organise it.

      Signed-off-by: David Marchand <david.marchand@xxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 1e21feb6280222a230fda1d87318ab58adde188f
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jun 29 19:53:15 2015 +0200

      ivshmem-server: fix hugetlbfs support

      As pointed out on the ML by Andrew Jones, glibc no longer permits
      creating POSIX shm on hugetlbfs directly. When given a hugetlbfs path,
      create a shareable file there.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@xxxxxxxxxxxxx>

  commit 022cffe31360750b405d368e343f3ca5febc0d0a
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 17:09:59 2015 +0200

      ivshmem-server: use a uint16 for client ID

      In practice, the number of VM is limited to MAXUINT16 in ivshmem, so use
      the same limit on the server (removes a theorical infinite loop)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 95204aa951ceb28eb6d4ce43bce09a58cbad83d8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 16:41:58 2015 +0200

      ivshmem-client: check the number of vectors

      Check the number of vectors received from the server, to avoid
      out of bound array access.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit a75eb03b9fca3af291ec2c433ddda06121ae927d
  Author: David Marchand <david.marchand@xxxxxxxxx>
  Date:   Mon Sep 8 11:17:48 2014 +0200

      contrib: add ivshmem client and server

      When using ivshmem devices, notifications between guests can be sent as
      interrupts using a ivshmem-server (typical use described in 
documentation).
      The client is provided as a debug tool.

      Signed-off-by: Olivier Matz <olivier.matz@xxxxxxxxx>
      Signed-off-by: David Marchand <david.marchand@xxxxxxxxx>
      [fix a valgrind warning, option and server_close() segvs, extra server
      headers includes, getopt() return type, out-of-tree build, use qemu
      event_notifier instead of eventfd, fix x86/osx warnings - Marc-André]
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 12f0b68c82356e4dd24f2f0d370b21eb17f1f42e
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Oct 13 12:12:16 2015 +0200

      util: const event_notifier_get_fd() argument

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 972ad21553fd46738eea91f0085c7bc32cf68d86
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 14:13:08 2015 +0200

      ivshmem: reset mask on device reset

      The interrupt mask is a state value, it should be reset, like the
      interrupt status.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 1ee57de444ac7dd0cdb091fec318ba056ed173fd
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 14:07:11 2015 +0200

      ivshmem: error on too many eventfd received

      The number of eventfd that can be handled per peer is limited by the
      number of vectors. Return an error when receiving too many of them.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit f456179fae249a420dce38a02ad7e2efc6be37cf
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 13:38:46 2015 +0200

      ivshmem: replace 'guest' for 'peer' appropriately

      The terms 'guest' and 'peer' are used sometime interchangeably which may
      be confusing. Instead, use 'peer' for the remote instances of ivshmem
      clients, and 'guest' for the local VM.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit f64a078d45a4c1d1da074d1c306a5a4994dcda89
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 12:57:16 2015 +0200

      ivshmem: fix pci_ivshmem_exit()

      Free all objects owned by the device, making sure the device is free,
      fixing hot-unplug.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d383537d01c1f23d783955963e234d11fce8ec02
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 13:01:40 2015 +0200

      ivshmem: add device description

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 945001a1af36eafd093b6b1582f5282932cd3d87
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 12:55:41 2015 +0200

      ivshmem: check shm isn't already initialized

      The server should not change the shm, and this isn't handled by qemu and
      we should should verify this in qemu.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 86d471bfa4262fa983c0214ace7336843e2181a2
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 12:53:42 2015 +0200

      ivshmem: shmfd can be 0

      0 is a valid fd value, so change conditions and set -1 value early

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 1f8552df2c7935a4cf883bda22acbe2adbf7d579
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 14:05:46 2015 +0200

      ivshmem: migrate with VMStateDescription

      load_state_old() is used to keep compatibility with version 0.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit e309366337d636689730f6484e388e46db7b5654
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 16:10:33 2015 +0200

      ivshmem: use common is_power_of_2()

      The common version correctly checks for 0 value case.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 6f8a16d55daac5657ccbcf953140685048e15ace
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 12:21:46 2015 +0200

      ivshmem: use common return

      Both if branches return, move this out to common end.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 9a2f0e64aeb4c7891244785e88b2b0cfa1d61742
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 12:19:55 2015 +0200

      ivshmem: simplify a bit the code

      Use some more explicit variables to simplify the code.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit ffa99afd6e4d354cdfae44cc43a2ca7ef056eb35
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 13:34:09 2015 +0200

      ivshmem: print error on invalid peer id

      The server shouldn't send invalid peer id, so print an error if it's the
      case.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 36617792b45b5d46d574af4f6ebb3f35c77d1e69
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 14:39:49 2015 +0200

      ivshmem: improve error handling

      The test whether the chardev is an AF_UNIX socket rejects
      "-chardev socket,id=chr0,path=/tmp/foo,server,nowait -device
      ivshmem,chardev=chr0", but fails to explain why.

      Use an explicit error on why a chardev may be rejected.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit f59bb37898d6ff44cdf68bfbadaf3bd260ae465e
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 15:04:13 2015 +0200

      ivshmem: improve debug messages

      Some misc improvements to ivshmem debug.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 95c8425cc3a316c998a7e306799ec6d29811bc32
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 12:17:26 2015 +0200

      ivshmem: remove max_peer field

      max_peer isn't really useful, it tracks the maximum received VM id, but
      that quickly matches nb_peers, the size of the peers array. Since VM
      come and go, there might be sparse peers so it doesn't help much in
      general to have this value around.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 95e7c8a0f690f9a0c8b70fd1a4de60bd944371b8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 25 13:49:09 2015 +0200

      ivshmem: initialize max_peer to -1

      There is no peer when device is initialized, do not let doorbell for
      inexisting peer 0.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d8a5da075a919f7b42f2182cc55f5d3e7e60b264
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 15:00:52 2015 +0200

      ivshmem: remove useless ivshmem_update_irq() val argument

      val isn't used in ivshmem_update_irq() function.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 81e507f0bc584f417cb671e88da3f049cb4defb1
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Sep 15 17:23:07 2015 +0200

      ivshmem: allocate eventfds in resize_peers()

      It simplifies a bit the code to allocate the array when setting the
      number of peers instead of lazily when receiving the first vector.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 1300b2733a297f9a59deb4eebbd437a5833f3f41
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Sep 15 17:21:37 2015 +0200

      ivshmem: simplify around increase_dynamic_storage()

      Set the number of peers and array allocation in a single place. Rename
      to better reflect the function content.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 61ea2d8648d32b8e84da62f142dc08fa9ee5b7b9
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Sep 15 16:55:10 2015 +0200

      ivshmem: limit maximum number of peers to G_MAXUINT16

      Limit the maximum number of peers to MAXUINT16. This is more realistic
      and better matches the limit of the doorbell register.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 03977ad552874f6598a8f0ef3089e6846ba01a2b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jun 22 12:55:16 2015 +0200

      ivshmem: remove last exit(1)

      Failing to create a chardev shouldn't be fatal.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit d58d7e848ec6d5bcd19634212d58dec5f1efbdb8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 14:59:28 2015 +0200

      ivshmem: more qdev conversion

      Use the latest qemu device modeling API, in particular, convert to
      realize to fix the error handling; right now a botched device_add
      ivhsmem command kills the VM.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 49b2951f8416b356001d7b32625da0c555f0d1ce
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 16:17:48 2015 +0200

      ivshmem: remove useless doorbell field

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 9113e3f394e0a8569713b7aa9ece3e37cb9b61e8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 16:24:33 2015 +0200

      ivshmem: remove superflous ivshmem_attr field

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit dee2151e7260a65c27495e9cbfc1931d9c9083d9
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jun 22 12:38:34 2015 +0200

      ivshmem: remove unnecessary dup()

      qemu_chr_fe_get_msgfd() transfers ownership, there is no need to dup the
      fd.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 0f14fd71c170278b35b46d8ae214473680905606
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 17:56:37 2015 +0200

      ivshmem: factor out the incoming fifo handling

      Make a new function fifo_update_and_get() that can be reused by other
      functions (in next commits).

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 951dada665041e8199e8c572d2981773fa2f0d8c
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Tue Jun 23 17:53:46 2015 +0200

      ivshmem: fix number of bytes to push to fifo

      If the fifo has 0 bytes, and the read is of size 1, the call to
      fifo8_push_all() will copy off boundary data.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit b8ab854b27e9b88d9b85b4c572049b29cb96de43
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jun 19 13:00:32 2015 +0200

      ivhsmem: read do not accept more than sizeof(long)

      ivshmem_read() only reads sizeof(long) from the input buffer.  Accepting
      more could lead to fifo8 abort() on 32bit systems if fifo is not empty.

      A following patch will change the protocol to 64-bit little-endian
      instead.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit c246a62f26e5afa8285b21e641b33456f1e69c99
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Jun 18 14:05:13 2015 +0200

      msix: add VMSTATE_MSIX_TEST

      ivshmem is going to use MSIX state conditionally.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit 1ad78ea51aad7978638299a27004049935c2d913
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Jun 22 18:20:18 2015 +0200

      char: add qemu_chr_free()

      If a chardev is allowed to be created outside of QMP, then it must be
      also possible to free it. This is useful for ivshmem that creates
      chardev anonymously and must be able to free them.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>

  commit bbfc2efefe9779f85dfe2713aec1568b1ba871ad
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Sun Oct 11 00:18:32 2015 +0200

      tests: Add ivshmem qtest

      Note that it launches two instances, as sharing memory is the purpose of
      ivshmem.

      Cc: Cam Macdonell <cam@xxxxxxxxxxxxxx>
      Cc: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>
      [ Remove Nahanni codename, add test to pci set - Marc-André ]
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit dd054be35fa355a6ebeab58618d7ff662247a9f6
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Mon Oct 12 15:25:55 2015 +0200

      config: enable ivshmem on POSIX

      ivshmem doesn't actually require kvm, so enable it when POSIX is
      enabled. (it is required however when ioeventfd is enabled)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit af25e7277d3e95a3ea31023f31d8097ab5e2ac84
  Merge: bc79082 c07bc2c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 18:14:42 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Fri 23 Oct 2015 17:59:56 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (37 commits)
        tests: Add test case for aio_disable_external
        block: Add "drained begin/end" for internal snapshot
        block: Add "drained begin/end" for transactional blockdev-backup
        block: Add "drained begin/end" for transactional backup
        block: Add "drained begin/end" for transactional external snapshot
        block: Introduce "drained begin/end" API
        aio: introduce aio_{disable,enable}_external
        dataplane: Mark host notifiers' client type as "external"
        nbd: Mark fd handlers client type as "external"
        aio: Add "is_external" flag for event handlers
        throttle: Remove throttle_group_lock/unlock()
        blockdev: Allow more options for BB-less BDS tree
        blockdev: Pull out blockdev option extraction
        blockdev: Do not create BDS for empty drive
        block: Prepare for NULL BDS
        block: Add blk_insert_bs()
        block: Prepare remaining BB functions for NULL BDS
        block: Fail requests to empty BlockBackend
        block: Make some BB functions fall back to BBRS
        block: Add BlockBackendRootState
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c07bc2c1658fffeee08eb46402b2f66d55b07586
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:14 2015 +0800

      tests: Add test case for aio_disable_external

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 507306cc8ee7981894a96c380f42d80e2674cb04
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:13 2015 +0800

      block: Add "drained begin/end" for internal snapshot

      This ensures the atomicity of the transaction by avoiding processing of
      external requests such as those from ioeventfd.

      state->bs is assigned right after bdrv_drained_begin. Because it was
      used as the flag for deletion or not in abort, now we need a separate
      flag - InternalSnapshotState.created.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ff52bf36a3a6c63b7528fbe64e9ed9976b221e68
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:12 2015 +0800

      block: Add "drained begin/end" for transactional blockdev-backup

      Similar to the previous patch, make sure that external events are not
      dispatched during transaction operations.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1fdd4b7be3655d39c3594bc215eb1df5ce225c7d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:11 2015 +0800

      block: Add "drained begin/end" for transactional backup

      This ensures the atomicity of the transaction by avoiding processing of
      external requests such as those from ioeventfd.

      Move the assignment to state->bs up right after bdrv_drained_begin, so
      that we can use it in the clean callback. The abort callback will still
      check bs->job and state->job, so it's OK.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit da763e83012c066ebe3effbaa8e7e7c8f78b0fbf
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:10 2015 +0800

      block: Add "drained begin/end" for transactional external snapshot

      This ensures the atomicity of the transaction by avoiding processing of
      external requests such as those from ioeventfd.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 51288d7917e5c5b088985aaa7ff3592561fbc2ba
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:09 2015 +0800

      block: Introduce "drained begin/end" API

      The semantics is that after bdrv_drained_begin(bs), bs will not get new 
external
      requests until the matching bdrv_drained_end(bs).

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c1e1e5fa8f25f9061b076a05045a6d4950d1a891
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:08 2015 +0800

      aio: introduce aio_{disable,enable}_external

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3a1e8074d74ad2acbcedf28d35aebedc3573f19e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:07 2015 +0800

      dataplane: Mark host notifiers' client type as "external"

      They will be excluded by type in the nested event loops in block layer,
      so that unwanted events won't be processed there.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 172cc129a5ae58d36feb51f97fd67e2161ae5cc6
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:06 2015 +0800

      nbd: Mark fd handlers client type as "external"

      So we could distinguish it from internal used fds, thus avoid handling
      unwanted events in nested aio polls.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit dca21ef23ba48f6f1428c59f295a857e5dc203c8
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 23 11:08:05 2015 +0800

      aio: Add "is_external" flag for event handlers

      All callers pass in false, and the real external ones will switch to
      true in coming patches.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d87d01e16a0e59a6af9634162cf0ded142b43e0d
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Oct 21 21:36:05 2015 +0300

      throttle: Remove throttle_group_lock/unlock()

      The group throttling code was always meant to handle its locking
      internally. However, bdrv_swap() was touching the ThrottleGroup
      structure directly and therefore needed an API for that.

      Now that bdrv_swap() no longer exists there's no need for the
      throttle_group_lock() API anymore.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bd745e238bb9432f40c875b6b4ad96a3d90e16a0
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:32 2015 +0200

      blockdev: Allow more options for BB-less BDS tree

      Most of the options which blockdev_init() parses for both the
      BlockBackend and the root BDS are valid for just the root BDS as well
      (e.g. read-only). This patch allows specifying these options even if not
      creating a BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit fbf8175eac92cca541efb1ac4a202fba941b78df
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:31 2015 +0200

      blockdev: Pull out blockdev option extraction

      Extract some of the blockdev option extraction code from blockdev_init()
      into its own function. This simplifies blockdev_init() and will allow
      reusing the code in a different function added in a follow-up patch.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5ec18f8c83583b7e22ed4dd360cd937da801ca40
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:30 2015 +0200

      blockdev: Do not create BDS for empty drive

      Do not use "rudimentary" BDSs for empty drives any longer (for
      freshly created drives).

      After a follow-up patch, empty drives will generally use a NULL BDS, not
      only the freshly created drives.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5433c24f0f9306c82ad9bcc2b2b586e5f0ed8fa5
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:29 2015 +0200

      block: Prepare for NULL BDS

      blk_bs() will not necessarily return a non-NULL value any more (unless
      blk_is_available() is true or it can be assumed to otherwise, e.g.
      because it is called immediately after a successful blk_new_with_bs() or
      blk_new_open()).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0c3c36d651922ebe9244e68e6d9ed14cdfcac9fd
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:28 2015 +0200

      block: Add blk_insert_bs()

      This function associates the given BlockDriverState with the given
      BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a46fc9c95012f3d7ed2b29b59f042246d62a08d7
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:27 2015 +0200

      block: Prepare remaining BB functions for NULL BDS

      There are several BlockBackend functions which, in theory, cannot fail.
      This patch makes them cope with the BlockDriverState pointer being NULL
      by making them fall back to some default action like ignoring the value
      in setters and returning the default in getters.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c09ba36c9ab62e3043041e429205f57ffbe3ba8b
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:26 2015 +0200

      block: Fail requests to empty BlockBackend

      If there is no BlockDriverState in a BlockBackend or if the tray of the
      guest device is open, fail all requests (where that is possible) with
      -ENOMEDIUM.

      The reason the status of the guest device is taken into account is
      because once the guest device's tray is opened, any request on the same
      BlockBackend as the guest uses should fail. If the BDS tree is supposed
      to be usable even after ejecting it from the guest, a different
      BlockBackend must be used.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 061959e8da5af59343e2c75d55c40f366d0164f9
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:25 2015 +0200

      block: Make some BB functions fall back to BBRS

      If there is no BDS tree attached to a BlockBackend, functions that can
      do so should fall back to the BlockBackendRootState structure.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 281d22d86ca26bf356284719e44c4bc66b716415
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:24 2015 +0200

      block: Add BlockBackendRootState

      This structure will store some of the state of the root BDS if the BDS
      tree is removed, so that state can be restored once a new BDS tree is
      inserted.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 973f2ddf7b48c27aa8642047796cca3bec0b48d8
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:23 2015 +0200

      block/throttle-groups: Make incref/decref public

      Throttle groups are not necessarily referenced by BDSs alone; a later
      patch will essentially allow BBs to reference them, too. Make the
      ref/unref functions public so that reference can be properly accounted
      for.

      Their interface is slightly adjusted in that they return and take a
      ThrottleState pointer, respectively, instead of a ThrottleGroup pointer.
      Functionally, they are equivalent, but since ThrottleGroup is not meant
      to be used outside of block/throttle-groups.c, ThrottleState is easier
      to handle.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 373340b26caa1572cf0f155131569dfc527aa133
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:22 2015 +0200

      block: Move I/O status and error actions into BB

      These options are only relevant for the user of a whole BDS tree (like a
      guest device or a block job) and should thus be moved into the
      BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7f0e9da6f134c5303be51333696e1ff54697f3e0
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:21 2015 +0200

      block: Move BlockAcctStats into BlockBackend

      As the comment above bdrv_get_stats() says, BlockAcctStats is something
      which belongs to the device instead of each BlockDriverState. This patch
      therefore moves it into the BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 53d8f9d8fbf85f04d423958248f8c2fbe1ece192
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:20 2015 +0200

      block: Remove wr_highest_sector from BlockAcctStats

      BlockAcctStats contains statistics about the data transferred from and
      to the device; wr_highest_sector does not fit in with the rest.

      Furthermore, those statistics are supposed to be specific for a certain
      device and not necessarily for a BDS (see the comment above
      bdrv_get_stats()); on the other hand, wr_highest_sector may be a rather
      important information to know for each BDS. When BlockAcctStats is
      finally removed from the BDS, we will want to keep wr_highest_sector in
      the BDS.

      Finally, wr_highest_sector is renamed to wr_highest_offset and given the
      appropriate meaning. Externally, it is represented as an offset so there
      is no point in doing something different internally. Its definition is
      changed to match that in qapi/block-core.json which is "the offset after
      the greatest byte written to". Doing so should not cause any harm since
      if external programs tried to calculate the volume usage by
      (wr_highest_offset + 512) / volume_size, after this patch they will just
      assume the volume to be full slightly earlier than before.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 68e9ec017bb00b96633d48b5bf039a37daa3bc21
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:19 2015 +0200

      block: Move guest_block_size into BlockBackend

      guest_block_size is a guest device property so it should be moved into
      the interface between block layer and guest devices, which is the
      BlockBackend.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4981bdec0d9b3ddd3e1474de5aa9918f120b54f7
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:18 2015 +0200

      block: Fix BB AIOCB AioContext without BDS

      Fix the BlockBackend's AIOCB AioContext for aborting AIO in case there
      is no BDS. If there is no implementation of AIOCBInfo::get_aio_context()
      the AioContext is derived from the BDS the AIOCB belongs to. If that BDS
      is NULL (because it has been removed from the BB) this will not work.

      This patch makes blk_get_aio_context() fall back to the main loop
      context if the BDS pointer is NULL and implements
      AIOCBInfo::get_aio_context() (blk_aiocb_get_aio_context()) which invokes
      blk_get_aio_context().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7d3467d903c0fa663fbe3f1002e7c624a210b634
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:17 2015 +0200

      hw/usb-storage: Check whether BB is inserted

      Only call bdrv_add_key() on the BlockDriverState if it is not NULL.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2e1280e8ff95b3145bc6262accc9d447718e5318
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:16 2015 +0200

      hw/block/fdc: Implement tray status

      The tray of an FDD is open iff there is no medium inserted (there are
      only two states for an FDD: "medium inserted" or "no medium inserted").

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b4d02820d95e025e57d82144f7b2ccd677ac2418
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:15 2015 +0200

      block: Invoke change media CB before NULLing drv

      In order to handle host device passthrough, some guest device models
      may call blk_is_inserted() to check whether the medium is inserted on
      the host, when checking the guest tray status.

      This tray status is inquired by blk_dev_change_media_cb(); because
      bdrv_is_inserted() (invoked by blk_is_inserted()) always returns false
      for BDS with drv set to NULL, blk_dev_change_media_cb() should therefore
      be called before drv is set to NULL.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1354c473789a91ba603d40bdf2521e3221c0a69f
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:14 2015 +0200

      block/raw_bsd: Drop raw_is_inserted()

      With the new automatically-recursive implementation of
      bdrv_is_inserted() checking by default whether all the children of a BDS
      are inserted, we can drop raw's own implementation.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 28d7a78996ae73e681d0e061a4be446ed2240c97
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:13 2015 +0200

      block: Make bdrv_is_inserted() recursive

      If bdrv_is_inserted() is called on the top level BDS, it should make
      sure all nodes in the BDS tree are actually inserted.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit db0284f86a31ec66d138f0f7794321c306af969e
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:12 2015 +0200

      block: Add blk_is_available()

      blk_is_available() returns true iff the BDS is inserted (which means
      blk_bs() is not NULL and bdrv_is_inserted() returns true) and if the
      tray of the guest device is closed.

      blk_is_inserted() is changed to return true only if blk_bs() is not
      NULL.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e031f750483377a5e5de4c92af68dfa68e4d0aae
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:11 2015 +0200

      block: Make bdrv_is_inserted() return a bool

      Make bdrv_is_inserted(), blk_is_inserted(), and the callback
      BlockDriver.bdrv_is_inserted() return a bool.

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8e9e653038db97bfd343c3fb217b7bf4da765a89
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:10 2015 +0200

      iotests: Only create BB if necessary

      Tests 071 and 081 test giving references in blockdev-add. It is not
      necessary to create a BlockBackend here, so omit it.

      While at it, fix up some blockdev-add invocations in the vicinity
      (s/raw/$IMGFMT/ in 081, drop the format BDS for blkverify's raw child in
      071).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit be4b67bc7d99da26b7878f7f45370f50a3bd4af5
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:09 2015 +0200

      blockdev: Allow creation of BDS trees without BB

      If the "id" field is missing from the options given to blockdev-add,
      just omit the BlockBackend and create the BlockDriverState tree alone.

      However, if "id" is missing, "node-name" must be specified; otherwise,
      the BDS tree would no longer be accessible.

      Many BDS options which are not parsed by bdrv_open() (like caching)
      cannot be specified for these BB-less BDS trees yet. A future patch will
      remove this limitation.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d44f928a54497188c25357840a3224925d1b527b
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:08 2015 +0200

      block: Set BDRV_O_INCOMING in bdrv_fill_options()

      This flag should not be set for the root BDS only, but for any BDS that
      is being created while incoming migration is pending, so setting it is
      moved from blockdev_init() to bdrv_fill_options().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f709623b3d30096c629f6a368670c9cf668da83f
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Oct 19 17:53:07 2015 +0200

      block: Remove host floppy support

      It has been deprecated as of 2.3, so we can now remove it.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bc79082e4cd12c1241fa03b0abceacf45f537740
  Merge: 1e700f4 31bfa2a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 16:35:43 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-10-23

      # gpg: Signature made Fri 23 Oct 2015 16:30:58 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        vl: trivial: minor tweaks to a max-cpu error msg
        target-i386: Use 1UL for bit shift
        target-i386: Add DE to TCG_FEATURES
        target-i386: Ensure always-1 bits on DR6 can't be cleared
        target-i386: Check CR4[DE] for processing DR4/DR5
        target-i386: Handle I/O breakpoints
        target-i386: Optimize setting dr[0-3]
        target-i386: Move hw_*breakpoint_* functions
        target-i386: Ensure bit 10 on DR7 is never cleared
        target-i386: Re-introduce optimal breakpoint removal
        target-i386: Introduce cpu_x86_update_dr7
        target-i386: Disable cache info passthrough by default
        target-i386: allow any alignment for SMBASE

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 31bfa2a40004204aee503c6417fbafb5d17e0a51
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Sun Oct 18 19:35:27 2015 +0200

      vl: trivial: minor tweaks to a max-cpu error msg

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>

  commit 72370dc1149d7c90d2c2218e0d0658bee23a5bf7
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Sep 29 17:34:22 2015 -0300

      target-i386: Use 1UL for bit shift

      Fix undefined behavior detected by clang runtime check:

        qemu/target-i386/cpu.c:1494:15: runtime error:
          left shift of 1 by 31 places cannot be represented in type 'int'

      While doing that, add extra parenthesis for clarity.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit b6c5a6f021f485fc36bca678b2c867e9b6783924
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Oct 7 16:39:43 2015 -0300

      target-i386: Add DE to TCG_FEATURES

      Now DE is supported by TCG so it can be enabled in CPUID bits.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 462f8ed1f1eac189ef50d9586eae8af90dbe426f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Oct 7 17:19:18 2015 -0300

      target-i386: Ensure always-1 bits on DR6 can't be cleared

      Bits 4-11 and 16-31 on DR6 are documented as always 1, so ensure they
      can't be cleared by software.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit d0052339236072bbf08c1d600c0906126b1ab258
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:13 2015 -0700

      target-i386: Check CR4[DE] for processing DR4/DR5

      Introduce helper_get_dr so that we don't have to put CR4[DE]
      into the scarce HFLAGS resource.  At the same time, rename
      helper_movl_drN_T0 to helper_set_dr and set the helper flags.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 5223a9423c5fb9e32b0c3eaaa2c0bf8c5cfd6866
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Oct 19 15:14:35 2015 -0200

      target-i386: Handle I/O breakpoints

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 7525b55051277717329cf64a9e1d5cff840d6f38
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:11 2015 -0700

      target-i386: Optimize setting dr[0-3]

      If the debug register is not enabled, we need
      do nothing besides update the register.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 696ad9e4b27a49a9706010d00b31b17fe1f0d569
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:10 2015 -0700

      target-i386: Move hw_*breakpoint_* functions

      They're only used from bpt_helper.c now.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 9055330ffbf5ca85f024c29874799d9c8bd17aa9
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Oct 8 17:10:27 2015 -0300

      target-i386: Ensure bit 10 on DR7 is never cleared

      Bit 10 of DR7 is documented as always set to 1, so ensure that's
      always the case.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 36eb6e096729f9aade3a6af7dbe4d0a990335d7e
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:09 2015 -0700

      target-i386: Re-introduce optimal breakpoint removal

      Before the last patch, we had an efficient loop that disabled
      local breakpoints on task switch.  Re-add that, but in a more
      general way that handles changes to the global enable bits too.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 93d00d0fbe4711061834730fb70525d167b6f908
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:08 2015 -0700

      target-i386: Introduce cpu_x86_update_dr7

      This moves the last of the iteration over breakpoints into
      the bpt_helper.c file.  This also allows us to make several
      breakpoint functions static.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit e265e3e48049fbece9eaf536aa00ca41aa3c54d0
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Sep 2 11:19:11 2015 -0300

      target-i386: Disable cache info passthrough by default

      The host cache information may not make sense for the guest if the VM
      CPU topology doesn't match the host CPU topology. To make sure we won't
      expose broken cache information to the guest, disable cache info
      passthrough by default, and add a new "host-cache-info" property that
      can be used to enable the old behavior for users that really need it.

      Cc: Benoît Canet <benoit@xxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit dd75d4fcb4a82c34d4f466e7fc166162b71ff740
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 18:25:40 2015 +0200

      target-i386: allow any alignment for SMBASE

      Processors up to the Pentium (says Bochs---I do not have old enough
      manuals) require a 32KiB alignment for the SMBASE, but newer processors
      do not need that, and Tiano Core will use non-aligned SMBASE values.

      Reported-by: Michael D Kinney <michael.d.kinney@xxxxxxxxx>
      Cc: Laszlo Ersek <lersek@xxxxxxxxxx>
      Cc: Jordan Justen <jordan.l.justen@xxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 1e700f4c6cddaf29ce1d205f0f8e8b9255481930
  Merge: 147482a b3e9e58
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 15:55:50 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-10-23-tag' into staging

      qemu-ga patch queue

      * unbreak qga-test unit test on travis-ci systems by not assuming a
        disk-based filesystem must be present

      # gpg: Signature made Fri 23 Oct 2015 15:01:47 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-10-23-tag:
        tests: test-qga, loosen assumptions about host filesystems

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b3e9e584fcef49be8ca0c355d11030f0bf6231b0
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Oct 20 11:17:36 2015 -0500

      tests: test-qga, loosen assumptions about host filesystems

      QGA skips pseudo-filesystems when querying filesystems via
      guest-get-fsinfo. On some hosts, such as travis-ci which uses
      containers with simfs filesystems, QGA might not report *any*
      filesystems. Our test case assumes there would be at least one,
      leading to false error messages in these situations.

      Instead, sanity-check values iff we get at least one filesystem.

      Cc: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 147482ae35b896808af68c0051ad86d3aae12979
  Merge: 431429a 659f7f6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 13:09:09 2015 +0100

      Merge remote-tracking branch 'remotes/dgibson/tags/ppc-next-20151023' 
into staging

      ppc patch queue - 2015-10-23

      sPAPR highlights:
        * Allow VFIO devices on the spapr-pci-host-bridge
        * Allow virtio VGA
        * Safer handling of HTAB allocation
        * ibm,pa-features device tree property

      non-sPAPR highlights:
        * Categorization of many ppc specific devices in help output
        * Tweaks to MMU type constants

      # gpg: Signature made Fri 23 Oct 2015 07:27:56 BST using RSA key ID 
20D9B392
      # gpg: Good signature from "David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "David Gibson (Red Hat) <dgibson@xxxxxxxxxx>"
      # gpg:                 aka "David Gibson (ozlabs.org) 
<dgibson@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 75F4 6586 AE61 A66C C44E  87DC 6C38 CACA 20D9 
B392

      * remotes/dgibson/tags/ppc-next-20151023: (21 commits)
        prep: do not use CPU_LOG_IOPORT, convert to tracepoints
        openpic: add to misc category
        macio-nvram: add to misc category
        macio: add to bridge category
        uninorth: add to bridge category
        macio-ide: add to storage category
        cuda: add to bridge category
        grackle: add to bridge category
        escc: add to input category
        cmd646: add to storage category
        adb: add to input category
        ppc/spapr: Add "ibm,pa-features" property to the device-tree
        ppc: Add mmu_model defines for arch 2.03 and 2.07
        hw/scsi/spapr_vscsi: Remove superfluous memset
        spapr_pci: Allow VFIO devices to work on the normal PCI host bridge
        spapr_iommu: Provide a function to switch a TCE table to allowing VFIO
        spapr_iommu: Rename vfio_accel parameter
        spapr_pci: Allow PCI host bridge DMA window to be configured
        spapr: Add "slb-size" property to CPU device tree nodes
        spapr: Abort when HTAB of requested size isn't allocated
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 431429a5b802fccf2701c37f580307c6979f4c3e
  Merge: dfbe064 9024603
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 12:09:02 2015 +0100

      Merge remote-tracking branch 
'remotes/berrange/tags/qcrypto-fixes-pull-20151022-2' into staging

      Merge qcrypto-fixes 2015/10/22

      # gpg: Signature made Thu 22 Oct 2015 19:03:45 BST using RSA key ID 
15104FDF
      # gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>"
      # gpg:                 aka "Daniel P. Berrange <berrange@xxxxxxxxxx>"

      * remotes/berrange/tags/qcrypto-fixes-pull-20151022-2:
        configure: avoid polluting global CFLAGS with tasn1 flags
        crypto: add sanity checking of plaintext/ciphertext length
        crypto: don't let builtin aes crash if no IV is provided
        crypto: allow use of nettle/gcrypt to be selected explicitly

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dfbe0642ef8e643e7e41956c8ca97f1acc9464a9
  Merge: 6a6739d 7f4a930
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 23 10:24:08 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      vhost: build fix

      Fix build breakages when using older gcc.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 22 Oct 2015 20:36:07 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        vhost-user: fix up rhel6 build

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 659f7f65561e78d720986d61f3112c54a97b2b96
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Oct 16 15:16:11 2015 +0200

      prep: do not use CPU_LOG_IOPORT, convert to tracepoints

      These messages are disabled by default; a perfect usecase for tracepoints.
      Convert them over.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 29f8dd66e89d59f66105af9065c10e21f85cc653
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:12 2015 +0200

      openpic: add to misc category

      openpic is a programmable interrupt controller, so
      add it to the misc category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 175fe9e7c886263258602262c341c472bc64be42
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:11 2015 +0200

      macio-nvram: add to misc category

      The macio nvram is a non volatile RAM, so add it
      the misc category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit f9f2a9f26f74b4572c51e74be7fd97fa34c920d3
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:10 2015 +0200

      macio: add to bridge category

      macio is a bridge between the PCI bus and the Mac nvram,
      IDE controller and PIC, so add it to the bridge category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 1d16f86a433a323691dcfd0f71acdc7592c114fc
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:09 2015 +0200

      uninorth: add to bridge category

      Uninorth is the mac99 PCI host controller, so add
      it to the bridge category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 3469d9bce86d2e387777addb25ed8b80b7e9d2a1
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:08 2015 +0200

      macio-ide: add to storage category

      macio-ide is an IDE controller, so add it
      to the storage category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 599d7326c35d323c0a2cf18ebf65c613979e7f65
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:07 2015 +0200

      cuda: add to bridge category

      Cuda is a bridge between PowerMac system bus and the ADB controller,
      real-time clock, pram and the power management unit.

      So add it to the bridge category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit e16244355f8d5efc94df965b1f6a5a0b6c50a2f2
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:06 2015 +0200

      grackle: add to bridge category

      Grackle is the PCI host controller of oldworld powermac,
      so add it to the bridge category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit f8d4c07c7807d0f7be02f42d2ee849d2eea4141e
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:05 2015 +0200

      escc: add to input category

      ESCC is a serial port controller, so add it
      to the input category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 74623e7369b175fa324421f4c0047d06da3baafc
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:04 2015 +0200

      cmd646: add to storage category

      cmd646 is an IDE controller, so add it to the
      storage category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 32f3a8992ea28a194678832eec1e1ffc09cbb7b1
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Sat Sep 26 18:22:03 2015 +0200

      adb: add to input category

      The Apple Desktop Bus is used to connect a keyboard and a mouse,
      so add it to the input category.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 90da0d5a703839c8db9f37355107955df043b654
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 22 18:30:59 2015 +1100

      ppc/spapr: Add "ibm,pa-features" property to the device-tree

      LoPAPR defines a "ibm,pa-features" per-CPU device tree property which
      describes extended features of the Processor Architecture.

      This adds the property to the device tree. At the moment this is the
      copy of what pHyp advertises except "I=1 (cache inhibited) Large Pages"
      which is enabled for TCG and disabled when running under HV KVM host
      with 4K system page size.

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      [aik: rebased, changed commit log, moved ci_large_pages initialization,
      renamed pa_features arrays]
      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit aa4bb58752310e7906683a2ac99566222c1e7228
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 22 18:30:58 2015 +1100

      ppc: Add mmu_model defines for arch 2.03 and 2.07

      This removes unused POWERPC_MMU_2_06a/POWERPC_MMU_2_06d.

      This replaces POWERPC_MMU_64B with POWERPC_MMU_2_03 for POWER5+ to be
      more explicit about the version of the PowerISA supported.

      This defines POWERPC_MMU_2_07 and uses it for the POWER8 CPU family.
      This will not have an immediate effect now but it will in the following
      patch.

      This should cause no behavioural change.

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      [aik: rebased, changed commit log]
      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a23dec105c0faed7b9cba5d07d92df63a04dbb2e
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Oct 8 21:35:13 2015 +0200

      hw/scsi/spapr_vscsi: Remove superfluous memset

      g_malloc0 already clears the memory, so no need for
      the additional memset here.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 185181f8835b1b68409ac4381688eafdca0172cc
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 24 10:34:23 2015 +1000

      spapr_pci: Allow VFIO devices to work on the normal PCI host bridge

      The core VFIO infrastructure more or less allows VFIO devices to work
      on any normal guest PCI host bridge (PHB) without extra logic.
      However, the "spapr-pci-host-bridge" device (as opposed to the special
      "spapr-pci-vfio-host-bridge" device) breaks this by using a partially
      KVM accelerated implementation of the guest kernel IOMMU which won't
      work with VFIO devices, without additional kernel support.

      This patch allows VFIO devices to work on the spapr-pci-host-bridge,
      by having it switch off KVM TCE acceleration when a VFIO device is
      added to the PHB (either on startup, or by hotplug).

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit c10325d6f9af84444120d8a6d1d59f41a282ae1b
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 1 10:46:10 2015 +1000

      spapr_iommu: Provide a function to switch a TCE table to allowing VFIO

      Because of the way non-VFIO guest IOMMU operations are KVM accelerated, 
not
      all TCE tables (guest IOMMU contexts) can support VFIO devices.  
Currently,
      this is decided at creation time.

      To support hotplug of VFIO devices, we need to allow a TCE table which
      previously didn't allow VFIO devices to be switched so that it can.  This
      patch adds an spapr_tce_set_need_vfio() function to do this, by
      reallocating the table in userspace if necessary.

      Currently this doesn't allow the KVM acceleration to be re-enabled if all
      the VFIO devices are removed.  That's an optimization for another time.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit 6a81dd172cd5d03fce593741629cb4c78fff10cb
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 13:42:55 2015 +1000

      spapr_iommu: Rename vfio_accel parameter

      The vfio_accel parameter used when creating a new TCE table (guest IOMMU
      context) has a confusing name.  What it really means is whether we need 
the
      TCE table created to be able to support VFIO devices.

      VFIO is relevant, because when available we use in-kernel acceleration of
      the TCE table, but that may not work with VFIO devices because updates to
      the table are handled in kernel, bypass qemu and so don't hit qemu's
      infrastructure for keeping the VFIO host IOMMU state in sync with the 
guest
      IOMMU state.

      Rename the parameter to "need_vfio" throughout.  This is a cosmetic 
change,
      with no impact on the logic.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit f93caaac36ec3b030184055596cb56f64d0de988
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 24 09:56:44 2015 +1000

      spapr_pci: Allow PCI host bridge DMA window to be configured

      At present the PCI host bridge (PHB) for the pseries machine type has a
      fixed DMA window from 0..1GB (in PCI address space) which is mapped to 
real
      memory via the PAPR paravirtualized IOMMU.

      For better support of VFIO devices, we're going to want to allow for
      different configurations of the DMA window.

      Eventually we'll want to allow the guest itself to reconfigure the window
      via the PAPR dynamic DMA window interface, but as a preliminary this patch
      allows the user to reconfigure the window with new properties on the PHB
      device.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit fd5da5c47264a57c7d01507eaf50bf3d288ba8a4
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Oct 1 15:30:07 2015 +0200

      spapr: Add "slb-size" property to CPU device tree nodes

      According to a commit message in the Linux kernel (see here
      
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b60c31d85a2a
      for example), the name of the property that carries the information
      about the number of SLB entries should be called "slb-size", and
      not "ibm,slb-size". The Linux kernel can deal with both names, but
      to be on the safe side we should support the official name, too.

      [Now that LoPAPR is public, the relevant requirement can be found in
      section C.6.1.8 --dwg]

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 7735fedaf490cf9213cd8d487272b69a4987c851
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 24 13:52:48 2015 +0530

      spapr: Abort when HTAB of requested size isn't allocated

      Terminate the guest when HTAB of requested size isn't allocated by
      the host.

      When memory hotplug is attempted on a guest that has booted with
      less than requested HTAB size, the guest kernel will not be able
      to gracefully fail the hotplug request. This patch will ensure that
      we never end up in a situation where memory hotplug fails due to
      less than requested HTAB size.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit b817772a2521defba513b64b1d08238f24c50657
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 24 13:52:47 2015 +0530

      spapr: Allocate HTAB from machine init

      Allocate HTAB from ppc_spapr_init() so that we can abort the guest
      if requested HTAB size is't allocated by the host. However retain the
      htab reset call in spapr_reset_htab() so that HTAB gets reset (and
      not allocated) during machine reset.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 7f4a930e64b9e69cd340395a7e4f0494aef4fcdd
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 22 22:28:37 2015 +0300

      vhost-user: fix up rhel6 build

      Build on RHEL6 fails:
      https://gcc.gnu.org/bugzilla/show_bug.cgi?id=42875

      Apparently unnamed unions couldn't use C99  named field initializers.
      Let's just name the payload union field.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 90246037760a2a1d64da67782200b690de24cc49
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Sep 21 17:25:34 2015 +0100

      configure: avoid polluting global CFLAGS with tasn1 flags

      The previous commit

        commit 9a2fd4347c40321f5cbb4ab4220e759fcbf87d03
        Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
        Date:   Mon Apr 13 14:01:39 2015 +0100

          crypto: add sanity checking of TLS x509 credentials

      defined new variables $TEST_LIBS and $TEST_CFLAGS and
      used them in tests/Makefile to augment $LIBS and $CFLAGS.

      Unfortunately this overlooks the fact that tests/Makefile
      is not executed via recursive-make, it is just pulled into
      the top level Makefile via an include statement. So rather
      than just augmenting the compiler/linker flags for tests
      it polluted the global flags.

      This is thought to be behind a reported failure when
      building the pixman module as a sub-module, since global
      $CFLAGS are passed down to configure in pixman.

      This change removes the $TEST_LIBS and $TEST_CFLAGS
      replacing them with $TASN1_LIBS and $TASN1_CFLAGS,
      setting only against specific objects/executables
      that need them.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 3a661f1eabf7e8db66e28489884d9b54aacb94ea
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Oct 16 16:35:06 2015 +0100

      crypto: add sanity checking of plaintext/ciphertext length

      When encrypting/decrypting data, the plaintext/ciphertext
      buffers are required to be a multiple of the cipher block
      size. If this is not done, nettle will abort and gcrypt
      will report an error. To get consistent behaviour add
      explicit checks upfront for the buffer sizes.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit eb2a770b178b9040c3fc04ee31dc38d1775db09a
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Oct 16 13:23:13 2015 +0100

      crypto: don't let builtin aes crash if no IV is provided

      If no IV is provided, then use a default IV of all-zeros
      instead of crashing. This gives parity with gcrypt and
      nettle backends.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 91bfcdb01d4869aa8f4cb67007827de63b8c2217
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Oct 16 16:36:53 2015 +0100

      crypto: allow use of nettle/gcrypt to be selected explicitly

      Currently the choice of whether to use nettle or gcrypt is
      made based on what gnutls is linked to. There are times
      when it is desirable to be able to force build against a
      specific library. For example, if testing changes to QEMU's
      crypto code all 3 possible backends need to be checked
      regardless of what the local gnutls uses.

      It is also desirable to be able to enable nettle/gcrypt
      for cipher/hash algorithms, without enabling gnutls
      for TLS support.

      This gives two new configure flags, which allow the
      following possibilities

      Automatically determine nettle vs gcrypt from what
      gnutls links to (recommended to minimize number of
      crypto libraries linked to)

       ./configure

      Automatically determine nettle vs gcrypt based on
      which is installed

       ./configure --disable-gnutls

      Force use of nettle

       ./configure --enable-nettle

      Force use of gcrypt

       ./configure --enable-gcrypt

      Force use of built-in AES & crippled-DES

       ./configure --disable-nettle --disable-gcrypt

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 2a080ce26682f35517b0e20f4ad10559e9270b5d
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Tue Oct 20 23:19:02 2015 +0800

      target-tilegx: Implement prefetch instructions in pipe y2

      Originally, tilegx qemu only implement prefetch instructions in pipe x1,
      did not implement them in pipe y2.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6a6739de510706e1d337180d12be74ebbd0c7666
  Merge: b803894 89a82cd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 22 18:01:53 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20151021' into 
staging

      Collected tcg backend patches

      # gpg: Signature made Wed 21 Oct 2015 22:34:28 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20151021:
        cpu-exec: Add "nochain" debug flag
        tcg/mips: Support r6 SEL{NE, EQ}Z instead of MOVN/MOVZ
        tcg/mips: Support r6 multiply/divide encodings
        tcg/mips: Support r6 JR encoding
        tcg/mips: Add use_mips32r6_instructions definition
        disas/mips: Add R6 jr/jr.hb to disassembler
        tcg-opc.h: Simplify insn_start def
        tcg/ppc: Prefer mask over andi.
        tcg/ppc: Revise goto_tb implementation
        tcg/ppc: Adjust exit_tb for change in prologue placement

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b803894e2c4d744ccc113ca6cbe6654ec80c1dc6
  Merge: ca3e40e 0960be7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 22 17:33:54 2015 +0100

      Merge remote-tracking branch 'remotes/afaerber/tags/qom-cpu-for-peter' 
into staging

      QOM CPUState and X86CPU

      * Adoption of CPUClass::disas_set_info() hook

      # gpg: Signature made Thu 22 Oct 2015 17:11:24 BST using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-cpu-for-peter:
        disas: QOMify alpha specific disas setup
        disas: QOMify mips specific disas setup
        disas: QOMify sh4 specific disas setup
        disas: QOMify lm32 specific disas setup
        disas: QOMify sparc specific disas setup
        disas: QOMify m68k specific disas setup
        disas: QOMify moxie specific disas setup
        disas: QOMify s390x specific disas setup

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0960be7cffa7b30189f2f0f76b1ac3c8115660f3
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:05 2015 -0700

      disas: QOMify alpha specific disas setup

      Move the target_disas() alpha specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      This also makes monitor_disas() consistent with target_disas(), as
      monitor_disas() was missing a set of the BFD (This was an omission from
      commit b9bec751c8c8b08d8055da32306eb105db03031b).

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 63a946c7e3b081d56e617bf264fcb2881a982848
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:04 2015 -0700

      disas: QOMify mips specific disas setup

      Move the target_disas() mips specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit d49dd523e459a4c001a0c87a438fd2fa1f5b4bae
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:03 2015 -0700

      disas: QOMify sh4 specific disas setup

      Move the target_disas() sh4 specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 20984673e68ebd069222512c876b846ff2425cc0
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:02 2015 -0700

      disas: QOMify lm32 specific disas setup

      Move the target_disas() lm32 specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Michael Walle <michael@xxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit df0900eb89a0672a3f924b7e8d20163dee2383db
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:01 2015 -0700

      disas: QOMify sparc specific disas setup

      Move the target_disas() sparc specifics to the QOM disas_set_info hook
      and delete the #ifdef specific code in disas.c.

      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4f669905d95bbb6296338f9e86ffcdd8eae453d2
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 19:00:00 2015 -0700

      disas: QOMify m68k specific disas setup

      Move the target_disas() m68k specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 9f87a4cacd397e82e80c9512627ce5e190dfa971
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 18:59:59 2015 -0700

      disas: QOMify moxie specific disas setup

      Move the target_disas() moxie specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit dbad6b74b3de6ce839bd870657b6bcc192e3b74a
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Jul 11 18:59:58 2015 -0700

      disas: QOMify s390x specific disas setup

      Move the target_disas() s390 specifics to the CPUClass::disas_set_info()
      hook and delete the #ifdef specific code in disas.c.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit ca3e40e233e87f7b29442311736a82da01c0df7b
  Merge: c1bd899 3c23402
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 22 12:41:44 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      vhost, pc, virtio features, fixes, cleanups

      New features:
          VT-d support for devices behind a bridge
          vhost-user migration support

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 22 Oct 2015 12:39:19 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (37 commits)
        hw/isa/lpc_ich9: inject the SMI on the VCPU that is writing to APM_CNT
        i386: keep cpu_model field in MachineState uptodate
        vhost: set the correct queue index in case of migration with multiqueue
        piix: fix resource leak reported by Coverity
        seccomp: add memfd_create to whitelist
        vhost-user-test: check ownership during migration
        vhost-user-test: add live-migration test
        vhost-user-test: learn to tweak various qemu arguments
        vhost-user-test: wrap server in TestServer struct
        vhost-user-test: remove useless static check
        vhost-user-test: move wait_for_fds() out
        vhost: add migration block if memfd failed
        vhost-user: use an enum helper for features mask
        vhost user: add rarp sending after live migration for legacy guest
        vhost user: add support of live migration
        net: add trace_vhost_user_event
        vhost-user: document migration log
        vhost: use a function for each call
        vhost-user: add a migration blocker
        vhost-user: send log shm fd along with log_base
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3c23402d4032f69af44a87fdb8019ad3229a4f31
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Tue Oct 20 20:14:00 2015 +0200

      hw/isa/lpc_ich9: inject the SMI on the VCPU that is writing to APM_CNT

      Commit 4d00636e97b7 ("ich9: Add the lpc chip", Nov 14 2012) added the
      ich9_apm_ctrl_changed() ioport write callback function such that it would
      inject the SMI, in response to a write to the APM_CNT register, on the
      first CPU, invariably.

      Since this register is used by guest code to trigger an SMI synchronously,
      the interrupt should be injected on the VCPU that is performing the write.

      apm_ioport_writeb() is the .write callback of the "apm_ops"
      MemoryRegionOps [hw/isa/apm.c]; it is parametrized to call
      ich9_apm_ctrl_changed() by ich9_lpc_init() [hw/isa/lpc_ich9.c], via
      apm_init(). Therefore this change affects no other board.

      ich9_generate_smi() is an unrelated function that is called by the TCO
      watchdog; a watchdog is likely in its right to (asynchronously) inject
      interrupts on the first CPU only.

      This patch allows the combined edk2/OVMF SMM driver stack to work with
      multiple VCPUs on TCG, using both qemu-system-i386 and qemu-system-x86_64.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: Jordan Justen <jordan.l.justen@xxxxxxxxx>
      Cc: Michael Kinney <michael.d.kinney@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4884b7bfe962e659c0e20c1d0de6f307d58f09be
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Thu Oct 15 11:12:12 2015 +0800

      i386: keep cpu_model field in MachineState uptodate

      Update cpu_model in MachineState for i386, so that the field can be used
      for cpu hotplug, instead of using a static variable.

      This patch is rebased on the latest master.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Acked-by: Andreas Färber <afaerber@xxxxxxx>

  commit 25a2a920dddcf72896d94b37b6048a8147bc3198
  Author: Thibaut Collet <thibaut.collet@xxxxxxxxx>
  Date:   Mon Oct 19 14:59:27 2015 +0200

      vhost: set the correct queue index in case of migration with multiqueue

      When a live migration is started the log address to mark dirty pages is 
provided
      to the vhost backend through the vhost_dev_set_log function.
      This function is called for each queue pairs but the queue index is 
wrongly set:
      always set to the first queue pair. Then vhost backend lost descriptor 
addresses
      of the queue pairs greater than 1 and behaviour of the vhost backend is
      unpredictable.

      The queue index is computed by taking account of the vq_index (to 
retrieve the
      queue pair index) and calling the vhost_get_vq_index method of the 
backend.

      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e3fce97cf500c61f23df8e0245e08625fc375295
  Author: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
  Date:   Mon Sep 14 18:40:10 2015 +0800

      piix: fix resource leak reported by Coverity

      config_fd should be closed before return, or there will
      be a resource leak error.

      Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f8d82b8eb81d3ea29325b4046fafa8ed41e32449
  Author: Eduardo Otubo <eduardo.otubo@xxxxxxxxxxxxxxxx>
  Date:   Fri Oct 9 17:17:41 2015 +0200

      seccomp: add memfd_create to whitelist

      This is used by memfd code.

      Signed-off-by: Eduardo Otubo <eduardo.otubo@xxxxxxxxxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 1d9edff78fa0b294d6084df76da89e20ee93fdab
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:40 2015 +0200

      vhost-user-test: check ownership during migration

      Check that backend source and destination do not have simultaneous
      ownership during migration.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit b181974724e106c62e4d0ecbe085df09b8a482bb
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:39 2015 +0200

      vhost-user-test: add live-migration test

      This test checks that the log fd is given to the migration source, and
      mark dirty pages during migration.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 704b216887ef4a6c0fe981206bd6d43f3b6863cd
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:38 2015 +0200

      vhost-user-test: learn to tweak various qemu arguments

      Add a new macro to make the qemu command line with other
      values of memory size, and specific chardev id.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit ae31fb5491493c82fface26f7902da7130b70575
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:37 2015 +0200

      vhost-user-test: wrap server in TestServer struct

      In the coming patches, a test will use several servers
      simultaneously. Wrap the server in a struct, out of the global scope.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 82755ff202e96ad9bc74c1268481f96e50907ae1
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:36 2015 +0200

      vhost-user-test: remove useless static check

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit cf72b57f894dd47c32750cf51de1d195a19c5e48
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:35 2015 +0200

      vhost-user-test: move wait_for_fds() out

      This function is a precondition for most vhost-user tests.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 31190ed781a81d2de65cea405e4cb3441ab929fc
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:34 2015 +0200

      vhost: add migration block if memfd failed

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit de1372d466fb4a7bed13f64f50bff14aaa4a5931
  Author: Thibaut Collet <thibaut.collet@xxxxxxxxx>
  Date:   Fri Oct 9 17:17:33 2015 +0200

      vhost-user: use an enum helper for features mask

      The VHOST_USER_PROTOCOL_FEATURE_MASK will be automatically updated when
      adding new features to the enum.

      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      [Adapted from mailing list discussion - Marc-André]
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 3e866365e1eb6bcfa2d01c21debb05b9e47a47f7
  Author: Thibaut Collet <thibaut.collet@xxxxxxxxx>
  Date:   Fri Oct 9 17:17:32 2015 +0200

      vhost user: add rarp sending after live migration for legacy guest

      A new vhost user message is added to allow QEMU to ask to vhost user 
backend to
      broadcast a fake RARP after live migration for guest without 
GUEST_ANNOUNCE
      capability.

      This new message is sent only if the backend supports the new
      VHOST_USER_PROTOCOL_F_RARP protocol feature.
      The payload of this new message is the MAC address of the guest (not 
known by
      the backend). The MAC address is copied in the first 6 bytes of a u64 to 
avoid
      to create a new payload message type.

      This new message has no equivalent ioctl so a new callback is added in the
      userOps structure to send the request.

      Upon reception of this new message the vhost user backend must generate 
and
      broadcast a fake RARP request to notify the migration is terminated.

      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      [Rebased and fixed checkpatch errors - Marc-André]
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit f6f56291de879827766d17b172465d4377ad2c11
  Author: Thibaut Collet <thibaut.collet@xxxxxxxxx>
  Date:   Fri Oct 9 17:17:31 2015 +0200

      vhost user: add support of live migration

      Some vhost user backends are able to support live migration.
      To provide this service the following features must be added:
      1. Add the VIRTIO_NET_F_GUEST_ANNOUNCE capability to vhost-net when netdev
         backend is vhost-user.
      2. Provide a nop receive callback to vhost-user.
         This callback is called by:
          *  qemu_announce_self after a migration to send fake RARP to avoid 
network
             outage for peers talking to the migrated guest.
               - For guest with GUEST_ANNOUNCE capabilities, guest already 
sends GARP
                 when the bit VIRTIO_NET_S_ANNOUNCE is set.
                 => These packets must be discarded.
               - For guest without GUEST_ANNOUNCE capabilities, migration 
termination
                 is notified when the guest sends packets.
                 => These packets can be discarded.
          * virtio_net_tx_bh with a dummy boot to send fake bootp/dhcp request.
            BIOS guest manages virtio driver to send 4 bootp/dhcp request in 
case of
            dummy boot.
            => These packets must be discarded.

      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 69b32a6ce4e1a6096a496996fcda833eb54e81b9
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:30 2015 +0200

      net: add trace_vhost_user_event

      Replace error_report() and use tracing instead. It's not an error to get
      a connection or a disconnection, so silence this and trace it instead.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit c62b91e5804e7d2b1e8e253fc4031b4ea67a11f7
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:29 2015 +0200

      vhost-user: document migration log

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 21e704256dea24baf93b169f5d7b0e7fe684bd15
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:28 2015 +0200

      vhost: use a function for each call

      Replace the generic vhost_call() by specific functions for each
      function call to help with type safety and changing arguments.

      While doing this, I found that "unsigned long long" and "uint64_t" were
      used interchangeably and causing compilation warnings, using uint64_t
      instead, as the vhost & protocol specifies.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      [Fix enum usage and MQ - Thibaut Collet]
      Signed-off-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit d2fc4402cb152d3e526f736d7d53dbd050ef8794
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:27 2015 +0200

      vhost-user: add a migration blocker

      If VHOST_USER_PROTOCOL_F_LOG_SHMFD is not announced, block vhost-user
      migration. The blocker is removed in vhost_dev_cleanup().

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 9a78a5dd272a190d262b5ba5d4721ab93d48c564
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:26 2015 +0200

      vhost-user: send log shm fd along with log_base

      Send the shm for the dirty pages logging if the backend supports
      VHOST_USER_PROTOCOL_F_LOG_SHMFD. Wait for a reply to make sure
      the old log is no longer used.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 15324404f68cde561d0eeee3d18a7b203f57f095
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:25 2015 +0200

      vhost: alloc shareable log

      If the backend is requires it, allocate shareable memory.

      vhost_log_get() now uses 2 globals "vhost_log" and "vhost_log_shm", that
      way there is a common non-shareable log and a common shareable one.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 1be0ac2109fbaca6e730ac578f0564507d173e2d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:24 2015 +0200

      vhost-user: add vhost_user_requires_shm_log()

      Check if the backend has VHOST_USER_PROTOCOL_F_LOG_SHMFD feature and
      require a shared log.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit c2bea314f6a2870b847c79e2e11263c5f9334db7
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:23 2015 +0200

      vhost: add vhost_set_log_base op

      Split VHOST_SET_LOG_BASE call in a seperate function callback, so that
      type safety works and more arguments can be added in the next patches.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 636f4dddfe48ccabaf5198bba440354d6a268d62
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:22 2015 +0200

      vhost: document log resizing

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 35f9b6ef3acc9d0546c395a566b04e63ca84e302
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:21 2015 +0200

      util: add fallback for qemu_memfd_alloc()

      Add an open/unlink/mmap fallback for system that do not support
      memfd (only available since 3.17, ~1y ago).

      This patch may require additional SELinux policies to work for enforced
      systems, but should fail gracefully in this case.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit d3592199ba3db504c6585115b9531b4cf7c50a0d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:20 2015 +0200

      util: add memfd helpers

      Add qemu_memfd_alloc/free() helpers.

      The function helps to allocate and seal shared memory.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit f04cf9239addd12d6be9e7ff137262755e3680d3
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:19 2015 +0200

      util: add linux-only memfd fallback

      Implement memfd_create() fallback if not available in system libc.
      memfd_create() is still not included in glibc today, atlhough it's been
      available since Linux 3.17 in Oct 2014.

      memfd has numerous advantages over traditional shm/mmap for ipc memory
      sharing with fd handler, which we are going to make use of for
      vhost-user logging memory in following patches.

      The next patches are going to introduce helpers to use best practices of
      memfd usage and provide some compatibility fallback. memfd.c is thus
      temporarily useless and eventually empty if memfd_create() is provided
      by the system.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit e2792004580e42b86345d141493b1f12ba358fd8
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:18 2015 +0200

      build-sys: split util-obj- on multi-lines

      Make it easier to add new unrelated units with shorter lines.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 1842bdfdbac2ec46f2934d8914c874db83dd1344
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:17 2015 +0200

      linux-headers: add unistd.h

      New syscalls are not yet widely distributed. Add them to qemu
      linux-headers include directory. Update based on v4.3-rc3 kernel headers.

      Exclude mips for now, which is more problematic due to extra header
      inclusion and probably unnecessary here.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 751bcc3981d80594a3943166401af15b76781a5b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 9 17:17:16 2015 +0200

      configure: probe for memfd

      Check if memfd_create() is part of system libc.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 22de58fe152d68b248bc14efd7affe72286079e5
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Sep 17 18:42:57 2015 +0200

      virtio: add some migration doc

      Try to cover the basics of virtio migration.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit aebf81680bf49c5953d7ae9ebb7b98c0f4dad8f3
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Oct 6 10:37:29 2015 +0200

      vhost: fail backend intialization early

      Don't initialize vhost backend if memslots number exceeds the supported
      limit. This prevents failures down the road when backend
      is actually started.

      [MST: rewrite commit log]

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3fad87881e55aaff659408dcf25fa204f89a7896
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Oct 6 10:37:28 2015 +0200

      pc-dimm: add vhost slots limit check before commiting to hotplug

      it allows safely cancel memory hotplug if vhost backend
      doesn't support necessary amount of memory slots and prevents
      QEMU crashing in vhost due to hitting vhost limit on amount
      of supported memory ranges.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2ce68e4cf5be9b5176a3c3c372948d6340724d2d
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Oct 6 10:37:27 2015 +0200

      vhost: add vhost_has_free_slot() interface

      it will allow for other parts of QEMU check if it's safe
      to map memory region during hotplug/runtime.
      That way hotplug path will have a chance to cancel
      hotplug operation instead of crashing in vhost_commit().

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c1bd8997438f1b556acfeab1d52245ff7cc680c0
  Merge: 8bfaa25 19b7bec
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 21 21:21:29 2015 +0100

      Merge remote-tracking branch 'remotes/xtensa/tags/20151021-xtensa' into 
staging

      Xtensa updates:

      - fix register window overflow with l32e/s32e instructions;
      - make MMU events logging dependent on CPU_LOG_MMU;
      - attach FLASH to system I/O region on XTFPGA boards;
      - implement depbits and l32nb instructions.

      # gpg: Signature made Wed 21 Oct 2015 19:34:02 BST using RSA key ID 
F83FA044
      # gpg: Good signature from "Max Filippov 
<max.filippov@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Max Filippov <jcmvbkbc@xxxxxxxxx>"

      * remotes/xtensa/tags/20151021-xtensa:
        target-xtensa: implement S32NB
        target-xtensa: implement depbits instruction
        target-xtensa: xtfpga: attach FLASH to system IO
        target-xtensa: use CPU_LOG_MMU for MMU event logging
        target-xtensa: add window overflow check to L32E/S32E

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 19b7bec4a37b081ed326293148fd793f04896b59
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Sun Jul 19 09:49:00 2015 +0300

      target-xtensa: implement S32NB

      S32NB provides the same functionality as S32I with two exceptions.
      First, when its operation leaves the processor, the external transaction
      is marked Non-Bufferable. Second, it may not be used to write to
      Instruction RAM.
      In QEMU S32NB is equivalent to S32I.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit 5eeb40c5b1f00c4ee4fcf2f33087697d7ba6f5f6
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Sun Jul 12 02:10:17 2015 +0300

      target-xtensa: implement depbits instruction

      This option provides an instruction for depositing a bit field from the
      least significant position of one register to an arbitrary position in
      another register.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit 68931a4082812f56657b39168e815c48f0ab0a8c
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Sun Sep 27 18:21:19 2015 +0300

      target-xtensa: xtfpga: attach FLASH to system IO

      XTFPGA FLASH is tied to XTFPGA system IO block. It's not very important
      for systems with MMU where system IO block is visible at single
      location, but it's important for noMMU systems, where system IO block is
      accessible through two separate physical address ranges.

      Map XTFPGA FLASH to system IO block and fix offsets used for mapping.
      Create and initialize FLASH device with series of qdev_prop_set_* as
      that's the preferred interface now. Keep initialization in a separate
      function.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit 5577e57b078a118595071241aba6dac8725a7640
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Mon Sep 21 20:37:07 2015 +0300

      target-xtensa: use CPU_LOG_MMU for MMU event logging

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit f822b7e497fa6a662094b491f86441015f363362
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Sun Jul 19 10:02:37 2015 +0300

      target-xtensa: add window overflow check to L32E/S32E

      Despite L32E and S32E primary use is for window underflow and overflow
      exception handlers they are just normal instructions, and thus need to
      check for window overflow.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit 8bfaa25fce2c22060a17501980943538801056de
  Merge: 426c0df 1cd4e0f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Oct 21 15:07:42 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20151021-v2' into 
staging

      More s390x patches. The first ones are fixes: A regression, missed
      compat and a missed part of the SIMD support. The others contain
      optimizations and cleanup.

      # gpg: Signature made Wed 21 Oct 2015 11:24:48 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20151021-v2:
        s390x/cmma: clean up cmma reset
        s390x: reset crypto only on clear reset and QEMU reset
        s390x: machine reset function with new ipl cpu handling
        s390x/ipl: we always have an ipl device
        s390x: unify device reset during subsystem_reset()
        s390x: flagify mcic values
        s390x/kvm: Fix vector validity bit in device machine checks
        s390x/virtio-ccw: fix 2.4 virtio compat
        util/qemu-config: fix missing machine command line options

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1cd4e0f6f0a6b1978a5868b41d4faae2071dc4ee
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 11:11:11 2015 +0200

      s390x/cmma: clean up cmma reset

      The cmma reset is per VM, so we don't need a cpu object. We can
      directly make use of kvm_state, as it is already available when
      the reset is called. By moving the cmma reset in our machine reset
      function, we can avoid a manual reset handler.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 4ab729207fe1464b19c6bec609cd545ab717174a
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 13:48:45 2015 +0200

      s390x: reset crypto only on clear reset and QEMU reset

      Initializing VM crypto in initial cpu reset has multiple problems

      1. We call the exact same function #VCPU times, although one time is 
enough
      2. On SIGP initial cpu reset, we exchange the wrapping key while
         other VCPUs are running. Bad!
      3. It is simply wrong. According to the Pop, a reset happens only during a
         clear reset.

      So, we have to reset the keys
      - on modified clear reset
      - on load clear (QEMU reset - via machine reset)
      - on qemu start (via machine reset)

      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit db3b2566e0fb45e2901b6f9b842d91db6963915d
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 13:47:32 2015 +0200

      s390x: machine reset function with new ipl cpu handling

      Current implementation depends on the order of resets getting triggered.

      If a cpu reset is triggered after the ipl device reset, the CPU is 
stopped and
      the VM will not run. In fact, that hinders us from converting the ipl 
device
      into a TYPE_DEVICE. Let's change that by manually configuring the ipl cpu
      during a system reset, so we have full control and can demangle that code.

      Also remove the superflous cpu parameter from s390_update_iplstate on the 
way.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit feacc6c2c8fff037f67a89402b29923251833425
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jun 25 09:55:55 2015 +0200

      s390x/ipl: we always have an ipl device

      Both s390 machines unconditionally create an ipl device, so no need to
      handle the missing case.

      Now we can also change s390_ipl_update_diag308() to return void.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 09c7f58ca9613ccfb1ca13031d0ff3b1794bd782
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 10:58:38 2015 +0200

      s390x: unify device reset during subsystem_reset()

      We have to manually reset several devices that are not on a bus: Let's
      collect them in an array.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 052bd52fa978d3f04bc476137ad6e1b9a697f9bd
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Oct 14 12:11:27 2015 +0300

      net: don't set native endianness

      commit 5be7d9f1b1452613b95c6ba70b8d7ad3d0797991
          vhost-net: tell tap backend about the vnet endianness
      makes vhost net always try to set LE - even if that matches the
      native endian-ness.

      This makes it fail on older kernels on x86 without TUNSETVNETLE support.

      To fix, make qemu_set_vnet_le/qemu_set_vnet_be skip the
      ioctl if it matches the host endian-ness.

      Reported-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit 794e8f301a17953efa78ab7538019ec43c59e82a
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 24 14:41:17 2015 +0300

      exec: factor out duplicate mmap code

      Anonymous and file-backed RAM allocation are now almost exactly the same.

      Reduce code duplication by moving RAM mmap code out of oslib-posix.c and
      exec.c.

      Reported-by: Marc-André Lureau <mlureau@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Tested-by: Thibaut Collet <thibaut.collet@xxxxxxxxx>

  commit 426c0df9e3e6e64c7ea489092c57088ca4d227d0
  Merge: ee9dfed 88c5f20
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 16:51:43 2015 +0100

      Merge remote-tracking branch 
'remotes/berrange/tags/io-channel-3-for-upstream' into staging

      Merge io-channels-3 partial branch

      # gpg: Signature made Tue 20 Oct 2015 16:36:10 BST using RSA key ID 
15104FDF
      # gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>"
      # gpg:                 aka "Daniel P. Berrange <berrange@xxxxxxxxxx>"

      * remotes/berrange/tags/io-channel-3-for-upstream:
        util: pull Buffer code out of VNC module
        coroutine: move into libqemuutil.a library
        osdep: add qemu_fork() wrapper for safely handling signals
        ui: convert VNC startup code to use SocketAddress
        sockets: allow port to be NULL when listening on IP address
        sockets: move qapi_copy_SocketAddress into qemu-sockets.c
        sockets: add helpers for creating SocketAddress from a socket

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b080364aedfc294c53c4c4af255efcf007b35d9d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Oct 8 15:05:46 2015 +0200

      s390x: flagify mcic values

      Instead of using magic values when building the machine check
      interruption code, add some defines as by chapter 11-14 in the PoP.

      This should make it easier to catch problems like the missing vector
      register validity bit ("s390x/kvm: Fix vector validity bit in device
      machine checks"), and less hassle should we want to generate machine
      checks beyond the channel reports we currently support.

      Acked-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 2ab75df38e34fe9bc271b5115ab52114e6e63a89
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Wed Oct 7 10:29:42 2015 +0200

      s390x/kvm: Fix vector validity bit in device machine checks

      Device hotplugs trigger a crw machine check. All machine checks
      have validity bits for certain register types. With vector support
      we also have to claim that vector registers are valid.
      This is a band-aid suitable for stable. Long term we should
      create the full  mcic value dynamically depending on the active
      features in the kernel interrupt handler.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 085b0b055b189e8846ca3108e6774e3b9e60c1ce
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Oct 8 15:11:34 2015 +0200

      s390x/virtio-ccw: fix 2.4 virtio compat

      Commit 542571d5 ("virtio-ccw: enable virtio-1") missed some virtio
      devices for the 2.4 compat handling. Add them.

      Fixes: 542571d5 ("virtio-ccw: enable virtio-1")
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 5bcfa0c543b42a560673cafd3b5225900ef617e1
  Author: Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 12 11:36:21 2015 -0400

      util/qemu-config: fix missing machine command line options

      Commit 0a7cf217 ("util/qemu-config: fix regression of
      qmp_query_command_line_options") aimed to restore parsing of global
      machine options, but missed two: "aes-key-wrap" and
      "dea-key-wrap" (which were present in the initial version of that
      patch). Let's add them to the machine_opts again.

      Fixes: 0a7cf217 ("util/qemu-config: fix regression of
                        qmp_query_command_line_options")
      CC: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      CC: qemu-stable@xxxxxxxxxx
      Signed-off-by: Tony Krowiak <akrowiak@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-Id: 
<1444664181-28023-1-git-send-email-akrowiak@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 88c5f205fa4c095db4c50eb7ad72816140206819
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Mar 3 17:13:42 2015 +0000

      util: pull Buffer code out of VNC module

      The Buffer code in the VNC server is useful for the IO channel
      code, so pull it out into a shared module, QIOBuffer.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 10817bf09d5f8cb22711fb0ee8d8da49f6f05f89
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Sep 1 14:48:02 2015 +0100

      coroutine: move into libqemuutil.a library

      The coroutine files are currently referenced by the block-obj-y
      variable. The coroutine functionality though is already used by
      more than just the block code. eg migration code uses coroutine
      yield. In the future the I/O channel code will also use the
      coroutine yield functionality. Since the coroutine code is nicely
      self-contained it can be easily built as part of the libqemuutil.a
      library, making it widely available.

      The headers are also moved into include/qemu, instead of the
      include/block directory, since they are now part of the util
      codebase, and the impl was never in the block/ directory
      either.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 57cb38b3833c5215131b983f181b26d6ba9b8d35
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Aug 28 14:40:01 2015 +0100

      osdep: add qemu_fork() wrapper for safely handling signals

      When using regular fork() the child process of course inherits
      all the parents' signal handlers. If the child then proceeds
      to close() any open file descriptors, it may break some of those
      registered signal handlers. The child generally does not want to
      ever run any of the signal handlers that the parent may have
      installed in the short time before it exec's. The parent may also
      have blocked various signals which the child process will want
      enabled.

      This introduces a wrapper qemu_fork() that takes care to sanitize
      signal handling across fork. Before forking it blocks all signals
      in the parent thread. After fork returns, the parent unblocks the
      signals and carries on as usual. The child, however, resets all the
      signal handlers back to their defaults before it unblocks signals.
      The child process can now exec the binary in a "clean" signal
      environment.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit e0d03b8ceb52e390b8b0a5db1762a8435dd8a44e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Aug 14 18:56:44 2015 +0100

      ui: convert VNC startup code to use SocketAddress

      The VNC code is currently using QemuOpts to configure the
      sockets connections / listeners it needs. Convert it to
      use SocketAddress to bring it in line with modern QAPI
      based code elsewhere in QEMU.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 0983f5e6af76d5df8c6346cbdfff9d8305fb6da0
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Sep 1 14:46:50 2015 +0100

      sockets: allow port to be NULL when listening on IP address

      If the port in the SocketAddress struct is NULL, it can allow
      the kernel to automatically select a free port. This is useful
      in particular in unit tests to avoid a race trying to find a
      free port to run a test case on.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 2a8e21c7c8dcb7d235cfd256be36b7e8f9f3fcb3
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Aug 14 18:18:41 2015 +0100

      sockets: move qapi_copy_SocketAddress into qemu-sockets.c

      The qapi_copy_SocketAddress method is going to be useful
      in more places than just qemu-char.c, so move it into
      the qemu-sockets.c file to allow its reuse.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 17c55decec2a516cf7f290ec8a5f4f207531e8b4
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri May 1 17:36:20 2015 +0100

      sockets: add helpers for creating SocketAddress from a socket

      Add two helper methods that, given a socket file descriptor,
      can return a populated SocketAddress struct containing either
      the local or remote address information.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit ee9dfed242610ecb91418270fd46b875ed56e201
  Merge: b38c049 d9460a7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 12:56:45 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20151020-1' 
into staging

      virtio-input: ignore events until the guest driver is ready

      # gpg: Signature made Tue 20 Oct 2015 08:10:00 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20151020-1:
        virtio-input: ignore events until the guest driver is ready

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b38c0494c141e2d7dabb3ecbf380305b74f9e330
  Merge: df81978 5829b09
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 12:17:53 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20151020-1' 
into staging

      vga: enable virtio-vga for pseries, vmsvga cursor checks.

      # gpg: Signature made Tue 20 Oct 2015 08:27:44 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20151020-1:
        vmsvga: more cursor checks
        ppc/spapr: Allow VIRTIO_VGA

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit df8197836844275ef805c9031008eb3b20a89b83
  Merge: c14e42d 2cc06a8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 11:45:23 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-fw_cfg-20151020-1' 
into staging

      fw_cfg: add dma interface, add strings via cmdline.

      # gpg: Signature made Tue 20 Oct 2015 07:07:34 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-fw_cfg-20151020-1:
        fw_cfg: Define a static signature to be returned on DMA port reads
        Enable fw_cfg DMA interface for x86
        Enable fw_cfg DMA interface for ARM
        Implement fw_cfg DMA interface
        fw_cfg DMA interface documentation
        fw_cfg: document fw_cfg_modify_iXX() update functions
        fw_cfg: insert string blobs via qemu cmdline

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c14e42d7a4495ecbad7bf8b3d603272e3a8992a1
  Merge: f52dd72 37bc43f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 10:52:56 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20151020-1' 
into staging

      usb: misc small tweaks.

      # gpg: Signature made Tue 20 Oct 2015 08:24:09 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-usb-20151020-1:
        usb-audio: increate default buffer size
        usb: print device id in "info usb" monitor command
        usb-host: add wakeup call for iso xfers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f52dd72dc1a679529e13e51a7b57e787455f92f0
  Merge: 26c7be8 e853ea1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 20 09:04:20 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-10-14-v4-tag' into staging

      qemu-ga patch queue

      * add unit tests for qemu-ga
      * add guest-exec support for posix/w32 guests
      * added 'qemu-ga' target for w32. this allows us to do full MSI build,
        without overloading 'qemu-ga.exe' target with uneeded dependencies.
      * number of s/g_new/g_malloc/ conversions for qga

      v2:
      * commit message and qapi documentation spelling fixes
      * rename 'inp-data' guest-exec param to 'input-data'

      v3:
      * fix OSX build errors for test-qga by using PRId64
        format in place of glib's, and dropping use of G_SPAWN_DEFAULT
        macro for glib 2.22 compat
      * fix win32 build warnings for 32-bit builds by avoid int casts
        of process HANDLEs

      v4:
      * assert connect_qga() doesn't fail
      * only enable test-qga for linux hosts
      * allow get-memory-block-info* to fail if memory blocks aren't exposed in
        sysfs

      # gpg: Signature made Tue 20 Oct 2015 00:33:43 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-10-14-v4-tag:
        qga: fix uninitialized value warning for win32
        qga: guest-exec simple stdin/stdout/stderr redirection
        qga: handle G_IO_STATUS_AGAIN in ga_channel_write_all()
        qga: handle possible SIGPIPE in guest-file-write
        qga: guest exec functionality
        qga: drop guest_file_init helper and replace it with static initializers
        tests: add a local test for guest agent
        qga: guest-get-memory-blocks shouldn't fail for unexposed memory blocks
        glib-compat: add 2.38/2.40/2.46 asserts
        qtest: add a few fd-level qmp helpers
        qga: do not override configuration verbosity
        qga: add QGA_CONF environment variable
        qga: Use g_new() & friends where that makes obvious sense
        build: qemu-ga: add 'qemu-ga' build target for w32

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5829b097204189c56dd1fb62c7f827360394bb39
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Sep 29 09:58:05 2015 +0200

      vmsvga: more cursor checks

      Check the cursor size more carefully.  Also switch to unsigned while
      being at it, so they can't be negative.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b798c1905705e6ab44279d8a9ae41e500756eb1c
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 15 15:51:29 2015 +1000

      ppc/spapr: Allow VIRTIO_VGA

      It works fine with the Linux driver out of the box

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 37bc43f7fbfb38003550b327002e59d21b80a3e4
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Oct 6 15:31:56 2015 +0200

      usb-audio: increate default buffer size

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 974826f0ab1efc96cd2f61337ee75bda5cde1c77
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Oct 6 15:31:21 2015 +0200

      usb: print device id in "info usb" monitor command

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e206ddfb57e2595cc43ad3667b3becc6bd2ef62d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 17 09:12:57 2015 +0200

      usb-host: add wakeup call for iso xfers

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d9460a7557672af9c4d9d4f153200d1075ed5a78
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 16 13:33:07 2015 +0200

      virtio-input: ignore events until the guest driver is ready

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e853ea1cc68716c3d9c22d04578020c6dd743306
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Oct 17 10:31:16 2015 -0500

      qga: fix uninitialized value warning for win32

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit a1853dca74362551ec1434b2e15acfcdd53caa99
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Tue Oct 13 18:41:23 2015 +0300

      qga: guest-exec simple stdin/stdout/stderr redirection

      Implemented with base64-encoded strings in qga json protocol.
      Glib portable GIOChannel is used for data I/O.

      Optinal stdin parameter of guest-exec command is now used as
      stdin content for spawned subprocess.

      If capture-output bool flag is specified, guest-exec redirects out/err
      file descriptiors internally to pipes and collects subprocess
      output.

      Guest-exe-status is modified to return this collected data to requestor
      in base64 encoding.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * switch from 'struct GuestIOExecData' to 'GuestIOExecData'
      * s/TRUE/true/g, s/FALSE/false/g for gboolean return values
      * s/inp_data/input_data/
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f74df9bfce6d133fc64d6b878327849ed2b89b4b
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Tue Oct 13 18:41:22 2015 +0300

      qga: handle G_IO_STATUS_AGAIN in ga_channel_write_all()

      glib may return G_IO_STATUS_AGAIN which is actually not an error.
      Also fixed a bug when on incomplete write buf pointer was not adjusted.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4005b4732e40d3d583510db89ee204b834022d20
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Oct 13 18:41:21 2015 +0300

      qga: handle possible SIGPIPE in guest-file-write

      qemu-ga should not exit on guest-file-write to pipe without read end
      but proper error code should be returned. The behavior of the
      spawned process should be default thus SIGPIPE processing should be
      reset to default after fork() but before exec().

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit d697e30cfff29a6a72e3197a218294ba52e7f0c6
  Author: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
  Date:   Tue Oct 13 18:41:20 2015 +0300

      qga: guest exec functionality

      Guest-exec rewritten in platform-independent style with glib spawn.

      Child process is spawn asynchronously and exit status can later
      be picked up by guest-exec-status command.

      stdin/stdout/stderr of the child now is redirected to /dev/null
      Later we will add ability to specify stdin in guest-exec command
      and to get collected stdout/stderr with guest-exec-status.

      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * use g_new0 in place of g_malloc for GuestExec struct
      * commit msg spelling fixes
      * s/inp-data/input-data
      * document capture-input mode as false by default
      * use GetProcessId() for pids on w32 instead of casting HANDLE
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit b4fe97c8230c34ebd407a9f23894b9c614807540
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Oct 13 18:41:19 2015 +0300

      qga: drop guest_file_init helper and replace it with static initializers

      This just makes code shorter and better.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Yuri Pudgorodskiy <yur@xxxxxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 62c39b307b3a946f9df4f11396bfeced120c040f
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:18 2015 +0200

      tests: add a local test for guest agent

      Add some local guest agent tests, as it is better than nothing, only
      when CONFIG_POSIX (using unix sockets).

      With the QGA_TEST_SIDE_EFFECTING environment variable, it will include
      tests with side effects, such as freezing/thawing the FS or changing the
      time.

      (a better test would involve a managed VM (or container), but it might
      be better to leave that off to autotest/avocado)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      * use mkdtemp() in placeof g_mkdtemp() for glib 2.22 compat
      * drop redundant/conflicting compat defines for
        g_assert_{true,false}, since glib-compat has them now.
      * build fixes for OSX: use PRId64 instead of glib formats, drop
        g_spawn_default usage for glib compat
      * assert connect_qga() doesn't fail
      * only enable test-qga for linux hosts
      * allow get-memory-block-info* to fail
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f693fe6ef402bdcf89b3979bf004c4c5bf646724
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Oct 19 16:38:25 2015 -0500

      qga: guest-get-memory-blocks shouldn't fail for unexposed memory blocks

      Some guests don't expose memory blocks via sysfs at all. This
      shouldn't be a failure, instead just return an empty list. For
      other access failures we still report an error.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 8a0b5421a09ab9b9567300c554d3e169f28fc09d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:17 2015 +0200

      glib-compat: add 2.38/2.40/2.46 asserts

      Those are mostly useful for writing tests.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit dc47995e525c386f893b6e023da6b819f9975ece
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:16 2015 +0200

      qtest: add a few fd-level qmp helpers

      Add a few functions to interact with qmp via a simple fd.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 6eaeae37a5fdd0a1ef88ed9ab4b807669ffc0e2d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:15 2015 +0200

      qga: do not override configuration verbosity

      Move the default verbosity settings before loading the configuration
      file, or it will overwrite it. Found thanks to writing qga tests :)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 8e34bf364ae518503642d28bdd43661090ae21bd
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Oct 2 14:58:14 2015 +0200

      qga: add QGA_CONF environment variable

      Having a environment variable allows to override default configuration
      path, useful for testing. Note that this can't easily be an argument,
      since loading config is done before parsing the arguments.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f3a06403b82c7f036564e4caf18b52ce6885fcfb
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:50:44 2015 +0200

      qga: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit fafcaf1d7434bd3a44a5cd6a98594b3ec12d83de
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 18:47:05 2015 -0500

      build: qemu-ga: add 'qemu-ga' build target for w32

      Currently POSIX builds rely on 'qemu-ga' target to do qga-only
      distributable build. On w32, as with most standalone binary targets,
      we rely on 'qemu-ga.exe' target.

      Unlike with POSIX, qemu-ga for w32 has a number of related targets
      such as VSS DLL and MSI package. We can do the full distributable
      qga-only build on w32 with:

        make qemu-ga.exe

      or:

        make msi

      To make that work, we tie VSS dependencies onto qemu-ga.exe.
      However, in reality the DLL isn't part of the binary, so we use a
      filter to pull them out of the LINK recipe, which attempts to link
      against prereqs for binary targets. Additionally, it could be argued
      that VSS is a separate distributable, and shouldn't be implied by
      qemu-ga.exe binary target.

      To avoid this, we can tie the VSS dependencies only to the 'msi'
      target, but that would make it impossible to do a qga-only build of
      the w32 distributable without building the 'msi' package, which was
      supported in the past.

      An alternative approach is to add a new target to build the whole
      distributable. w32 allows us to use the same build target we use
      on POSIX, 'qemu-ga', since the current binary-only target on w32
      is 'qemu-ga.exe'.

      To further simplify the build, we also make 'qemu-ga' build the MSI
      package if the appropriate ./configure options are set, making the
      full qga-only build the same on both POSIX and w32: `make qemu-ga`

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 89a82cd4b6a90fe117fa715e2abe51d5c607560c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 16 15:33:53 2015 -0700

      cpu-exec: Add "nochain" debug flag

      Respect it to avoid linking TBs together.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 137d63902faf4960081856db9242cbaf234a23af
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:17 2015 +0100

      tcg/mips: Support r6 SEL{NE, EQ}Z instead of MOVN/MOVZ

      Extend MIPS movcond implementation to support the SELNEZ/SELEQZ
      instructions introduced in MIPS r6 (where MOVN/MOVZ have been removed).

      Whereas the "MOVN/MOVZ rd, rs, rt" instructions have the following
      semantics:
       rd = [!]rt ? rs : rd

      The "SELNEZ/SELEQZ rd, rs, rt" instructions are slightly different:
       rd = [!]rt ? rs : 0

      First we ensure that if one of the movcond input values is zero that it
      comes last (we can swap the input arguments if we invert the condition).
      This is so that it can exactly match one of the SELNEZ/SELEQZ
      instructions and avoid the need to emit the other one.

      Otherwise we emit the opposite instruction first into a temporary
      register, and OR that into the result:
       SELNEZ/SELEQZ  TMP1, v2, c1
       SELEQZ/SELNEZ  ret, v1, c1
       OR             ret, ret, TMP1

      Which does the following:
       ret = cond ? v1 : v2

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-7-git-send-email-james.hogan@xxxxxxxxxx>

  commit bc6d0c22b09a72897d9db4482076f89e7de97400
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:16 2015 +0100

      tcg/mips: Support r6 multiply/divide encodings

      MIPSr6 adds several new integer multiply, divide, and modulo
      instructions, and removes several pre-r6 encodings, along with the HI/LO
      registers which were the implicit operands of some of those
      instructions. Update TCG to use the new instructions when built for r6.

      The new instructions actually map much more directly to the TCG ops, as
      they only provide a single 32-bit half of the result and in a normal
      general purpose register instead of HI or LO.

      The mulu2_i32 and muls2_i32 operations are no longer appropriate for r6,
      so they are removed from the TCG opcode table. This is because they
      would need to emit two separate host instructions anyway (for the high
      and low half of the result), which TCG can arrange automatically for us
      in the absense of mulu2_i32/muls2_i32 by splitting it into mul_i32 and
      mul*h_i32 TCG ops.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-6-git-send-email-james.hogan@xxxxxxxxxx>

  commit 6e0d096989be52c2b945fc83a9bd15d887bbdb47
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:15 2015 +0100

      tcg/mips: Support r6 JR encoding

      MIPSr6 encodes JR as JALR with zero as the link register, and the pre-r6
      JR encoding is removed. Update TCG to use the new encoding when built
      for r6.

      We still use the old encoding for pre-r6, so as not to confuse return
      prediction stack hardware which may detect only particular encodings of
      the return instruction.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-5-git-send-email-james.hogan@xxxxxxxxxx>

  commit ce14bd4d469f3a14f6cbfceb6360aee066a60d72
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:14 2015 +0100

      tcg/mips: Add use_mips32r6_instructions definition

      Add definition use_mips32r6_instructions to the MIPS TCG backend which
      is constant 1 when built for MIPS release 6. This will be used to decide
      between pre-R6 and R6 instruction encodings.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-4-git-send-email-james.hogan@xxxxxxxxxx>

  commit d76f36535099b5d3d880c5e3ac1d411420c8a086
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:13 2015 +0100

      disas/mips: Add R6 jr/jr.hb to disassembler

      MIPS r6 encodes jr as jalr zero, and jr.hb as jalr.hb zero, so add these
      encodings to the MIPS disassembly table.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-3-git-send-email-james.hogan@xxxxxxxxxx>

  commit c0e40dbdcc291c85faa289a53be60b7b1b7c7598
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Oct 2 13:24:12 2015 +0100

      tcg-opc.h: Simplify insn_start def

      We already have a TLADDR_ARGS definition, so rearrange the order
      slightly and use it in the definition of insn_start, instead of
      having an #ifdef.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1443788657-14537-2-git-send-email-james.hogan@xxxxxxxxxx>

  commit 1e1df962e325e18a5188c4814cd1a10215a48f79
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Oct 2 22:41:01 2015 +0000

      tcg/ppc: Prefer mask over andi.

      Prefer the instruction that isn't required to modify cr0.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5bfd75a35c11dd3aa61c73d0d2cd88137c31519c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Oct 2 22:25:28 2015 +0000

      tcg/ppc: Revise goto_tb implementation

      Restrict the size of code_gen_buffer to 2GB on ppc64, which
      lets us assert that everything is reachable with addis+addi
      from tb_ret_addr.  This lets us use a max of 4 insns for goto_tb
      instead of 7.

      Emit the indirect branch portion of goto_tb up front, which
      means we only have to update two insns to update any link.
      With a 64-bit store, we can update the link atomically, which
      may be required in future.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 70f897bdc4ce4101ec008317d43090f532bfb07d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Oct 2 21:09:54 2015 +0000

      tcg/ppc: Adjust exit_tb for change in prologue placement

      Changing the prologue to the beginning of the code_gen_buffer
      changes the direction of the "return" branch.  Need to change
      the logic to match.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2cc06a8843ace3d03464032eb3c74bc6e2b07579
  Author: Kevin O'Connor <kevin@xxxxxxxxxxxx>
  Date:   Thu Oct 8 17:02:58 2015 +0200

      fw_cfg: Define a static signature to be returned on DMA port reads

      Return a static signature ("QEMU CFG") if the guest does a read to the
      DMA address io register.

      Signed-off-by: Kevin O'Connor <kevin@xxxxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c886fc4c20ff8456b2f788a1404dd321b8b59243
  Author: Marc Marí <markmb@xxxxxxxxxx>
  Date:   Thu Oct 8 17:02:57 2015 +0200

      Enable fw_cfg DMA interface for x86

      Enable the fw_cfg DMA interface for all the x86 platforms.

      Based on Gerd Hoffman's initial implementation.

      Signed-off-by: Marc Marí <markmb@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0b341a85ca873cfc4faddbf9012c4c5da1b675bc
  Author: Marc Marí <markmb@xxxxxxxxxx>
  Date:   Thu Oct 8 17:02:56 2015 +0200

      Enable fw_cfg DMA interface for ARM

      Enable the fw_cfg DMA interface for the ARM virt machine.

      Based on Gerd Hoffman's initial implementation.

      Signed-off-by: Marc Marí <markmb@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit a4c0d1deb785611c96a455f65ec032976b00b36f
  Author: Marc Marí <markmb@xxxxxxxxxx>
  Date:   Thu Oct 8 17:02:55 2015 +0200

      Implement fw_cfg DMA interface

      Based on the specifications on docs/specs/fw_cfg.txt

      This interface is an addon. The old interface can still be used as usual.

      Based on Gerd Hoffman's initial implementation.

      Signed-off-by: Marc Marí <markmb@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c9eae1d4b93695d98fa5306a28b7fb7acc34ae67
  Author: Marc Marí <markmb@xxxxxxxxxx>
  Date:   Thu Oct 8 17:02:54 2015 +0200

      fw_cfg DMA interface documentation

      Add fw_cfg DMA interface specification in the documentation.

      Based on Gerd Hoffman's initial implementation.

      Signed-off-by: Marc Marí <markmb@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 57c3d238a5ff7e7ad7aba098b5d55d8d89c2a6a1
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Thu Oct 8 17:02:53 2015 +0200

      fw_cfg: document fw_cfg_modify_iXX() update functions

      Document the behavior of fw_cfg_modify_iXX() for leak-less updating
      of integer-type blobs.

      Currently only fw_cfg_modify_i16() is coded, but 32- and 64-bit versions
      may be added later if necessary..

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6407d76eb4e5b5dd4af8613cef0162f31ff739ed
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Tue Sep 29 12:29:01 2015 -0400

      fw_cfg: insert string blobs via qemu cmdline

      Allow users to provide custom fw_cfg blobs with ascii string
      payloads specified directly on the qemu command line.

      Suggested-by: Jordan Justen <jordan.l.justen@xxxxxxxxx>
      Suggested-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Message-id: 1443544141-26568-1-git-send-email-somlo@xxxxxxx
      Reviewd-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 26c7be842637ee65a79cd77f96a99c23ddcd90ad
  Merge: 526d580 dbb7405
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 19 12:13:27 2015 +0100

      Merge remote-tracking branch 'remotes/sstabellini/tags/2015-10-19-tag' 
into staging

      Xen 2015-10-19

      # gpg: Signature made Mon 19 Oct 2015 11:24:05 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/2015-10-19-tag:
        xen-platform: Ensure xen is enabled when initializing
        pc: Require xen when initializing xenfv machine

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dbb7405d8caad0814ceddd568cb49f163a847561
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Sep 28 17:01:24 2015 -0300

      xen-platform: Ensure xen is enabled when initializing

      The xen-platform code crashes on reset if the xen backend is not
      initialized, because it calls xc_hvm_set_mem_type(). Ensure xen-platform
      won't be created without initializing the xen backend.

      The assert can't be triggered by the user because the device is not
      hotpluggable, and the only code creating it (at pc_xen_hvm_init())
      already checks xen_enabled().

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit a88ae0d44b6b5830b752641b2198735272f13eaf
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Sep 28 17:01:23 2015 -0300

      pc: Require xen when initializing xenfv machine

      Without this check, the xen-platform device will crash on reset
      if using the accel option with anything other than xen (e.g.
      "-machine xenfv,accel=kvm").

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 526d5809a0714edc7f19196f14ec2e607dbd9753
  Merge: aedc880 1c4a55d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 19 10:52:39 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * KVM page size fix for PPC
      * Support for Linux 4.4's new Hyper-V features
      * Eliminate g_slice from areas I maintain
      * checkpatch fix
      * Peter's cpu_reload_memory_map() cleanups
      * More changes to MAINTAINERS
      * Require Python 2.6
      * chardev creation fixes
      * PCI requester id for ARM KVM
      * cleanups and doc fixes
      * Allow customization of the Hyper-V vendor id

      # gpg: Signature made Mon 19 Oct 2015 09:13:10 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream: (49 commits)
        kvm: Allow the Hyper-V vendor ID to be specified
        kvm: Move x86-specific functions into target-i386/kvm.c
        kvm: Pass PCI device pointer to MSI routing functions
        hw/pci: Introduce pci_requester_id()
        kvm: Make KVM_CAP_SIGNAL_MSI globally available
        doc/rcu: fix g_free_rcu() usage example
        qemu-char: cleanup after completed conversion to cd->create
        qemu-char: convert ringbuf backend to data-driven creation
        qemu-char: convert vc backend to data-driven creation
        qemu-char: convert spice backend to data-driven creation
        qemu-char: convert console backend to data-driven creation
        qemu-char: convert stdio backend to data-driven creation
        qemu-char: convert testdev backend to data-driven creation
        qemu-char: convert braille backend to data-driven creation
        qemu-char: convert msmouse backend to data-driven creation
        qemu-char: convert mux backend to data-driven creation
        qemu-char: convert null backend to data-driven creation
        qemu-char: convert pty backend to data-driven creation
        qemu-char: convert UDP backend to data-driven creation
        qemu-char: convert socket backend to data-driven creation
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit aedc8806172dd1ae904f04169ee3b19fce1d7893
  Merge: 40fe17b 8307c29
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 19 10:06:56 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20151019-1' 
into staging

      Remove macros IO_READ_PROTO and IO_WRITE_PROTO

      # gpg: Signature made Mon 19 Oct 2015 09:19:21 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-audio-20151019-1:
        Remove macros IO_READ_PROTO and IO_WRITE_PROTO

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1c4a55dbed9a47fde9294f7de6c8bb060d874c88
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Fri Oct 16 09:38:22 2015 -0600

      kvm: Allow the Hyper-V vendor ID to be specified

      According to Microsoft documentation, the signature in the standard
      hypervisor CPUID leaf at 0x40000000 identifies the Vendor ID and is
      for reporting and diagnostic purposes only.  We can therefore allow
      the user to change it to whatever they want, within the 12 character
      limit.  Add a new hv-vendor-id option to the -cpu flag to allow
      for this, ex:

       -cpu host,hv_time,hv-vendor-id=KeenlyKVM

      Link: http://msdn.microsoft.com/library/windows/hardware/hh975392
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Message-Id: <20151016153356.28104.48612.stgit@xxxxxxxxxx>
      [Adjust error message to match the property name, use error_report. - 
Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 28143b409f698210d85165ca518235ac7e7c5ac5
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Oct 15 20:30:20 2015 +0200

      kvm: Move x86-specific functions into target-i386/kvm.c

      The functions for checking xcrs, xsave and pit_state2 are
      only used on x86, so they should reside in target-i386/kvm.c.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-Id: <1444933820-6968-1-git-send-email-thuth@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dc9f06ca81e6e16d062ec382701142a3a2ab3f7d
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Oct 15 16:44:52 2015 +0300

      kvm: Pass PCI device pointer to MSI routing functions

      In-kernel ITS emulation on ARM64 will require to supply requester IDs.
      These IDs can now be retrieved from the device pointer using new
      pci_requester_id() function.

      This patch adds pci_dev pointer to KVM GSI routing functions and makes
      callers passing it.

      x86 architecture does not use requester IDs, but hw/i386/kvm/pci-assign.c
      also made passing PCI device pointer instead of NULL for consistency with
      the rest of the code.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-Id: 
<ce081423ba2394a4efc30f30708fca07656bc500.1444916432.git.p.fedin@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a05f686ff39c373384772b01f1b7fc71e7eb2500
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Oct 15 16:44:51 2015 +0300

      hw/pci: Introduce pci_requester_id()

      For GICv3 ITS implementation we are going to use requester IDs in KVM IRQ
      routing code. This patch introduces reusable convenient way to obtain this
      ID from the device pointer. The new function is now used in some places,
      where the same calculation was used.

      MemTxAttrs.stream_id also renamed to requester_id in order to better
      reflect semantics of the field.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-Id: 
<5814bcb03a297f198e796b13ed9c35059c52f89b.1444916432.git.p.fedin@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 50bf31b9379cf88c4fe92ec477fdc56f89d1af94
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Oct 15 16:44:50 2015 +0300

      kvm: Make KVM_CAP_SIGNAL_MSI globally available

      This capability is useful to determine whether we can use KVM ITS
      emulation on ARM

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-Id: 
<ff4ccb09b837d37defd639b885526949a25276de.1444916432.git.p.fedin@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9bda456e419273199221625894003bf9307d8451
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Wed Oct 14 18:46:44 2015 +0300

      doc/rcu: fix g_free_rcu() usage example

      The first argument of g_free_rcu() is a pointer to a structure.  But
      foo_reclaim is used as a function name in the previous example along
      with &foo as a pointer to the structure being reclaimed.  Make the
      example consistent with the previous one.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-Id: <1444837604-13712-1-git-send-email-serge.fdrv@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1c3af0f4f04bd6e6729783a48bb51ca1eb5c3baf
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 09:51:41 2015 +0200

      qemu-char: cleanup after completed conversion to cd->create

      All backends now return errors through Error*, so the "Failed to
      create chardev" placeholder error can only be reached if the backend
      is not available (and only from the chardev-add QMP command; instead,
      the -chardev command line option fails earlier).

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 479f09a130f774b0275134b5c44081ea71fe00b3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:51:14 2015 +0200

      qemu-char: convert ringbuf backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fa19d02539a56ac20d03b2eef775be7ffcdd695a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:49:06 2015 +0200

      qemu-char: convert vc backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 68145e178ac200a27b5f0ab342da80cf60ddd576
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:45:47 2015 +0200

      qemu-char: convert spice backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 122e5ed4412cadce2d44a5f636e4d1bfc67c534b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:42:04 2015 +0200

      qemu-char: convert console backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8c84b25d975870bbed2e089fe61e037c58a69854
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:40:28 2015 +0200

      qemu-char: convert stdio backend to data-driven creation

      The backend now always returns errors via the Error* argument.
      This avoids a double error message.  Before:

          qemu-system-x86_64: -chardev stdio,id=base: cannot use stdio with 
-daemonize
          qemu-system-x86_64: -chardev stdio,id=base: Failed to create chardev

      After:

          qemu-system-x86_64: -chardev stdio,id=base: cannot use stdio with 
-daemonize

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0498790173e462ac3a7e4e0f3608704b8382dd10
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:33:42 2015 +0200

      qemu-char: convert testdev backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e47666b8d1f0a7043d53671587058b3ce539b09d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:31:26 2015 +0200

      qemu-char: convert braille backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 96d885b93b47243d2fc6ee826abaa8c0017282c9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:29:15 2015 +0200

      qemu-char: convert msmouse backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3c0e5a4a845c9e2823c9060631eeefebabc2f093
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:27:24 2015 +0200

      qemu-char: convert mux backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0d64992b5dfe099b170a0b19922833cc82745620
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:24:29 2015 +0200

      qemu-char: convert null backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c2e75a432b907562cf93772b7d058d1ec8a8f8f1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:23:42 2015 +0200

      qemu-char: convert pty backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e79b80daa252ffb4bc5c84c836714eb45ab3bb68
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:17:20 2015 +0200

      qemu-char: convert UDP backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dbba8d1be3db5a52cfe200f219fbf8840d75cb14
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:15:53 2015 +0200

      qemu-char: convert socket backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 20cbe7a27980ef7e2ecd307cd210fc23b3f0762e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:14:07 2015 +0200

      qemu-char: convert pipe backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 38bfb1a63d05d000f128ea740442955070d9ff57
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 09:49:28 2015 +0200

      qemu-char: convert parallel backend to data-driven creation

      Conversion to Error * brings better error messages; before:

          qemu-system-x86_64: -chardev id=serial,backend=parallel,path=vl.c: 
Failed to create chardev

      After:

          qemu-system-x86_64: -chardev id=serial,backend=parallel,path=vl.c: 
not a parallel port: Inappropriate ioctl for device

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8307c294a355bbf3c5352e00877365b0cda66d52
  Author: Nutan Shinde <nutanshinde1992@xxxxxxxxx>
  Date:   Wed Oct 7 22:02:54 2015 +0530

      Remove macros IO_READ_PROTO and IO_WRITE_PROTO

      Signed-off-by: Nutan Shinde <nutanshinde1992@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 40fe17bea478793fc9106a630fa3610dad51f939
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 16 17:19:35 2015 +0100

      hw/ide/ahci.c: Fix shift left into sign bit

      Avoid undefined behaviour from shifting left into the sign bit:

      hw/ide/ahci.c:551:36: runtime error: left shift of 255 by 24 places 
cannot be represented in type 'int'

      (Unfortunately C's promotion rules mean that in the expression
      "some_uint8_t_variable << 24" the LHS gets promoted to signed
      int before shifting.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>

  commit 7df953bd456da45f761064974820ab5c3fd7b2aa
  Author: Knut Omang <knut.omang@xxxxxxxxxx>
  Date:   Sun Oct 4 15:48:50 2015 +0200

      intel_iommu: Add support for translation for devices behind bridges

      - Use a hash table indexed on bus pointers to store information about 
buses
        instead of using the bus numbers.
        Bus pointers are stored in a new VTDBus struct together with the vector
        of device address space pointers indexed by devfn.
      - The bus number is still used for lookup for selective SID based 
invalidate,
        in which case the bus number is lazily resolved from the bus hash table 
and
        cached in a separate index.

      Signed-off-by: Knut Omang <knut.omang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c737c7a608f4cd2c06e6600303845c4b469822c5
  Merge: 6d57410 6b826af
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Oct 17 22:14:52 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Fri 16 Oct 2015 14:36:50 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (29 commits)
        blkdebug: Don't confuse image as backing file
        qcow2: Remove forward declaration of QCowAIOCB
        qemu-nbd: always compile in --aio=MODE option
        blockdev: always compile in -drive aio= parsing
        raw-posix: warn about BDRV_O_NATIVE_AIO if libaio is unavailable
        block: auto-generated node-names
        util - add automated ID generation utility
        blkverify: Fix BDS leak in .bdrv_open error path
        block: Allow bdrv_unref_child(bs, NULL)
        block: Remove bdrv_swap()
        block: Add and use bdrv_replace_in_backing_chain()
        blockjob: Store device name at job creation
        block: Implement bdrv_append() without bdrv_swap()
        block: Introduce parents list
        block-backend: Add blk_set_bs()
        block/io: Make bdrv_requests_pending() public
        block: Split bdrv_move_feature_fields()
        block: Manage backing file references in bdrv_set_backing_hd()
        block: Convert bs->backing_hd to BdrvChild
        block: Remove bdrv_open_image()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6d57410a79d51d92673c54f26624b44f27fa6214
  Merge: 9c1f5bb 5d98bf8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Oct 17 12:31:33 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20151016' into staging

      target-arm queue:
       * break TBs after ISB instructions
       * more support code for future implementation of EL2 and 64-bit EL3
       * tell guest if KVM is enabled in SMBIOS version string
       * implement OSLAR/OSLSR system registers
       * provide better help text for Sharp PDA machine names
       * rename imx25_pdk to imx25-pdk (since it has never been released
         with the underscore-version name)
       * fix MMIO writes in zynq_slcr
       * implement MDCR_EL2
       * virt: allow the guest to configure PCI BARs with zero PCI addresses
       * fix breakpoint handling code

      # gpg: Signature made Fri 16 Oct 2015 14:56:15 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20151016:
        target-arm: Fix CPU breakpoint handling
        target-arm: Fix GDB breakpoint handling
        target-arm: implement arm_debug_target_el()
        hw/arm/virt: Allow zero address for PCI IO space
        target-arm: Add MDCR_EL2
        misc: zynq_slcr: Fix MMIO writes
        arm: imx25-pdk: Fix machine name
        target-arm: Provide model numbers for Sharp PDAs
        target-arm: Implement AArch64 OSLAR/OSLSR_EL1 sysregs
        hw/arm/virt: smbios: inform guest of kvm
        target-arm: Avoid calling arm_el_is_aa64() function for unimplemented EL
        target-arm: Break the TB after ISB to execute self-modified code 
correctly
        target-arm: Add missing 'static' attribute

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9c1f5bbc739f3278353becf94839551afed0fdbd
  Merge: 61f7901 468a895
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 16 19:11:59 2015 +0100

      Merge remote-tracking branch 'remotes/pmaydell/tags/pull-cocoa-20151016' 
into staging

      cocoa queue:
       * fixes for compiler warnings
       * fix mouse cursor flickering

      # gpg: Signature made Fri 16 Oct 2015 11:09:46 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-cocoa-20151016:
        ui/cocoa.m: blinky mouse cursor fix
        ui/cocoa.m: addRemovableDevicesMenuItems() warning fix
        ui/cocoa.m: eliminate normalWindow warning

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 61f7901bb8a7f2f2503b5b025c4c33dbeac9cf5b
  Merge: e95bdb4 99df528
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 16 17:13:05 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-15' 
into staging

      QAPI patches

      # gpg: Signature made Thu 15 Oct 2015 07:40:46 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-10-15:
        qapi: Track location that created an implicit type
        qapi: Create simple union type member earlier
        qapi: Lazy creation of array types
        qapi: Don't use info as witness of implicit object type
        qapi: Drop redundant args-member-array test
        qapi: Drop redundant flat-union-reverse-define test
        qapi: Drop redundant returns-int test
        qapi: Move empty-enum to compile-time test
        qapi: Drop redundant alternate-good test
        qapi: Prepare for errors during check()
        qapi: Use predicate callback to determine visit filtering
        qapi: Fix regression with '-netdev help'

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e95bdb4341c36ee158ff9dda4ade3f94405c69ce
  Merge: c49d341 60be634
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 16 15:47:59 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20151015' into staging

      migration/next for 20151015

      # gpg: Signature made Thu 15 Oct 2015 07:25:27 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20151015:
        migration: fix deadlock
        migration: announce VM's new home just before VM is runnable
        Migration: Generate the completed event only when we complete

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5d98bf8f38c17a348ab6e8af196088cd4953acd0
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Oct 13 12:56:28 2015 +0300

      target-arm: Fix CPU breakpoint handling

      A QEMU breakpoint match is not definitely an architectural breakpoint
      match. If an exception is generated unconditionally during translation,
      it is hardly possible to ignore it in the debug exception handler.

      Generate a call to a helper to check CPU breakpoints and raise an
      exception only if any breakpoint matches architecturally.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e63a2d4d9ed73e33a0b7483085808048be8bbcb1
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Oct 13 12:56:27 2015 +0300

      target-arm: Fix GDB breakpoint handling

      GDB breakpoints have higher priority so they have to be checked first.
      Should GDB breakpoint match, just return from the debug exception
      handler.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6b826af7b010ed1963b1e7bfb5c389dcdbaff222
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Oct 16 18:46:04 2015 +0800

      blkdebug: Don't confuse image as backing file

      The word "backing file" nowadays refers to the backing_hd in the
      external snapshot sense (i.e. bs->backing_hd), instead of the file sense
      (bs->file). Correct the comment to use the right term.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e394621fbda0d9f69df2c9eab73ad5a5189805bb
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Jul 10 22:19:23 2015 +0200

      qcow2: Remove forward declaration of QCowAIOCB

      This struct doesn't exist any more since commit 3fc48d09 in August 2011,
      it's about time to remove its forward declaration.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit bb628e1af8b8b5ecf6420e50123cb696ee18b09f
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 23 13:48:36 2015 +0100

      qemu-nbd: always compile in --aio=MODE option

      The --aio=MODE option enables Linux AIO or Windows overlapped I/O.

      The #ifdef CONFIG_LINUX_AIO was a layering violation that also prevented
      Windows overlapped I/O from being used.

      Now that raw-posix.c prints an error when Linux AIO has not been
      compiled in, we can unconditionally compile the option into qemu-nbd.

      After this patch qemu-nbd --aio=native works on Windows.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 04d71322c1cf6f527f15397c76bc088ebda7c18b
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 23 13:48:35 2015 +0100

      blockdev: always compile in -drive aio= parsing

      CONFIG_LINUX_AIO is an implementation detail of raw-posix.c.  Don't
      mention CONFIG_LINUX_AIO in blockdev.c.  Let block drivers decide what
      to do with BDRV_O_NATIVE_AIO.  They may print an error if it is
      unsupported.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1501ecc1d89231164b4aecddd0219ed4395b693a
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 23 13:48:34 2015 +0100

      raw-posix: warn about BDRV_O_NATIVE_AIO if libaio is unavailable

      raw-posix.c silently ignores BDRV_O_NATIVE_AIO if libaio is unavailable.
      It is confusing when aio=native performance is identical to aio=threads
      because the binary was accidentally built without libaio.

      Print a deprecation warning if -drive aio=native is used with a binary
      that does not support libaio.  There are probably users using aio=native
      who would be inconvenienced if QEMU suddenly refused to start their
      guests.  In the future this will become an error.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 15489c769b9a4b3bec5b5848af2960689d7b4bd8
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Mon Oct 12 19:36:50 2015 -0400

      block: auto-generated node-names

      If a node-name is not specified, automatically generate the node-name.

      Generated node-names will use the "block" sub-system identifier.

      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a0f1913637e6cd711aa721233b75eb2ec84d017b
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Mon Oct 12 19:36:49 2015 -0400

      util - add automated ID generation utility

      Multiple sub-systems in QEMU may find it useful to generate IDs
      for objects that a user may reference via QMP or HMP.  This patch
      presents a standardized way to do it, so that automatic ID generation
      follows the same rules.

      This patch enforces the following rules when generating an ID:

      1.) Guarantee no collisions with a user-specified ID
      2.) Identify the sub-system the ID belongs to
      3.) Guarantee of uniqueness
      4.) Spoiling predictability, to avoid creating an assumption
          of object ordering and parsing (i.e., we don't want users to think
          they can guess the next ID based on prior behavior).

      The scheme for this is as follows (no spaces):

                      # subsys D RR
      Reserved char --|    |   | |
      Subsystem String ----|   | |
      Unique number (64-bit) --| |
      Two-digit random number ---|

      For example, a generated node-name for the block sub-system may look
      like this:

          #block076

      The caller of id_generate() is responsible for freeing the generated
      node name string with g_free().

      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7e39d3a2dd34a84900e10b4ea1567f3b352659af
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Oct 13 14:15:53 2015 +0200

      blkverify: Fix BDS leak in .bdrv_open error path

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 779020cbdc67011026c10fb620f701bfc6b85547
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Oct 13 14:09:44 2015 +0200

      block: Allow bdrv_unref_child(bs, NULL)

      bdrv_unref() can be called with a NULL argument and doesn't do anything
      then. Make bdrv_unref_child() consistent with it.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 8e419aefa07ca8e640f8db50b450378e84d60a11
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Sep 16 16:18:38 2015 +0200

      block: Remove bdrv_swap()

      bdrv_swap() is unused now. Remove it and all functions that have
      no other users than bdrv_swap(). In particular, this removes the
      .bdrv_rebind callbacks from block drivers.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3f09bfbc7bee812a44838f4c8b254007a9b86cab
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Sep 15 11:58:23 2015 +0200

      block: Add and use bdrv_replace_in_backing_chain()

      This cleans up the mess we left behind in the mirror code after the
      previous patch. Instead of using bdrv_swap(), just change pointers.

      The interface change of the mirror job that callers must consider is
      that after job completion, their local BDS pointers still point to the
      same node now. qemu-img must change its code accordingly (which makes it
      easier to understand); the other callers stays unchanged because after
      completion they don't do anything with the BDS, but just with the job,
      and the job is still owned by the source BDS.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 8ccb9569a976056c9594bb720ba33d84827648d9
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Sep 16 13:34:54 2015 +0200

      blockjob: Store device name at job creation

      Some block jobs change the block device graph on completion. This means
      that the device that owns the job and originally was addressed with its
      device name may no longer be what the corresponding BlockBackend points
      to.

      Previously, the effects of bdrv_swap() ensured that the job was (at
      least partially) transferred to the target image. Events that contain
      the device name could still use bdrv_get_device_name(job->bs) and get
      the same result.

      After removing bdrv_swap(), this won't work any more. Instead, save the
      device name at job creation and use that copy for QMP events and
      anything else identifying the job.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dd62f1ca433ea60b06590884642ad2c8f8e539f2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Jun 18 14:09:57 2015 +0200

      block: Implement bdrv_append() without bdrv_swap()

      Remember all parent nodes and just change the pointers there instead of
      swapping the contents of the BlockDriverState.

      Handling of snapshot=on must be moved further down in bdrv_open()
      because *pbs (which is the bs pointer in the BlockBackend) must already
      be set before bdrv_append() is called. Otherwise bdrv_append() changes
      the BB's pointer to the temporary snapshot, but bdrv_open() overwrites
      it with the read-only original image.

      We also need to be careful to update callers as the interface changes
      (becomes less insane): Previously, the meaning of the two parameters was
      inverted when bdrv_append() returns. Now any BDS pointers keep pointing
      to the same node.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d42a8a935b8b2d567331fffa13a70918352668bb
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Sep 17 13:18:23 2015 +0200

      block: Introduce parents list

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a2d6190048d01c7012ab4fd6a2558f435b7b2fe8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Sep 17 13:01:50 2015 +0200

      block-backend: Add blk_set_bs()

      It allows changing the BlockDriverState that a BlockBackend points to.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 439db28cf9d4c29c9a97040bc8e08f047ba7e0af
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Sep 16 16:08:17 2015 +0200

      block/io: Make bdrv_requests_pending() public

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 063dd40e110eba7fffff09850ea9116b8dee2ae6
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Sep 17 12:33:26 2015 +0200

      block: Split bdrv_move_feature_fields()

      After bdrv_swap(), some fields must be moved back to their original BDS
      to compensate for the effects that a swap of the contents of the objects
      has while keeping the old addresses. Other fields must be moved back
      because they should logically be moved and must stay on top

      When replacing bdrv_swap() with operations changing the pointers in the
      parents, we only need the latter and must avoid swapping the former.
      Split the function accordingly.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5db15a57697063b9062a015dbc6d5d38211f2df1
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Sep 14 15:33:33 2015 +0200

      block: Manage backing file references in bdrv_set_backing_hd()

      This simplifies the code somewhat, especially when dropping whole
      backing file subchains.

      The exception is the mirroring code that does adventurous things with
      bdrv_swap() and in order to keep it working, I had to duplicate most of
      bdrv_set_backing_hd() locally. We'll get rid again of this ugliness
      shortly.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 760e006384ecd5b8b8b1b91b5c85ff8fdcb3a21f
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jun 17 14:55:21 2015 +0200

      block: Convert bs->backing_hd to BdrvChild

      This is the final step in converting all of the BlockDriverState
      pointers that block drivers use to BdrvChild.

      After this patch, bs->children contains the full list of child nodes
      that are referenced by a given BDS, and these children are only
      referenced through BdrvChild, so that updating the pointer in there is
      enough for changing edges in the graph.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b26e90f56ad3a494ee6337d2075f4dc55b62b3c6
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 16:23:54 2015 +0200

      block: Remove bdrv_open_image()

      It is unused now.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9a4f4c31563b96a075f3deae83e72c726e0c84f8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 14:19:22 2015 +0200

      block: Convert bs->file to BdrvChild

      This patch removes the temporary duplication between bs->file and
      bs->file_child by converting everything to BdrvChild.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0bd6e91a7e00129764afb9bed83ae5519e18a111
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 11:29:22 2015 +0200

      quorum: Convert to BdrvChild

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3e586be0b2b772394d6ed68c5b5a6da5cbbfe08b
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 11:13:47 2015 +0200

      blkverify: Convert s->test_file to BdrvChild

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 24bc15d1f6429dac0de47348b4b302855360c492
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 13:50:20 2015 +0200

      vmdk: Use BdrvChild instead of BDS for references to extents

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1fdd69330872ef91d92482472eef79350d2f379b
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 14:11:51 2015 +0200

      block: Introduce BDS.file_child

      Store the BdrvChild for bs->file. At this point, bs->file_child->bs just
      duplicates the bs->file pointer. Later, it will completely replace it.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 68e517a8d7d89298235913a514af70364e559b78
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Mon Oct 12 20:18:07 2015 -0400

      block: qemu-iotests - fix vmdk test 059.out

      In commit fe646693acc13ac48b98435d14149ab04dc597bc, the option
      printout format changed.

      This updates the VMDK test 059.out to the correct output.

      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a910523a244c10d6c458e1415f35a92c3b11387f
  Author: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
  Date:   Fri Oct 2 14:12:34 2015 +0200

      qmp-commands.hx: Update the supported 'transaction' operations

      Although the canonical source of reference for QMP commands is
      qapi-schema.json, for consistency's sake, update qmp-commands.hx to
      state the list of supported transactionable operations, namely:

          drive-backup
          blockdev-backup
          blockdev-snapshot-internal-sync
          abort
          block-dirty-bitmap-add
          block-dirty-bitmap-clear

      Also update the possible values for the "type" action array.

      Signed-off-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 317438e6dba5d7bb44bd867c10993c54b927992b
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Thu Sep 17 17:33:06 2015 +0300

      throttle: test that snapshots move the throttling configuration

      If a snapshot is performed on a device that has I/O limits they should
      be moved to the target image (the new active layer).

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit efd0fbbcf5d28b18fc629681e3bc8bee1bfadd9a
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Sep 28 17:23:00 2015 +0300

      iotests: disable core dumps in test 061

      Commit 934659c460 disabled the supression of segmentation faults in
      bash tests. The new output of test 061, however, assumes that a core
      dump will be produced if a program aborts. This is not necessarily the
      case because core dumps can be disabled using ulimit.

      Since we cannot guarantee that abort() will produce a core dump, we
      should use SIGKILL instead (that does not produce any) and update the
      test output accordingly.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 81669b8b81eb450d7b89ee5fdd57bdb73d87022d
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Sep 14 13:53:48 2015 +0300

      target-arm: implement arm_debug_target_el()

      Implement debug exception routing according to ARM ARM D2.3.1 Pseudocode
      description of routing debug exceptions.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 74de8c356844080fcabc3a44b08b9d22feda691f
  Author: Alexander Gordeev <agordeev@xxxxxxxxxx>
  Date:   Fri Oct 16 11:14:54 2015 +0100

      hw/arm/virt: Allow zero address for PCI IO space

      Currently PCI IO address 0 is not allowed even though
      the IO space starts from 0. This update makes  PCI IO
      address 0 usable.

      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      CC: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Alexander Gordeev <agordeev@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 14cc7b54372995a6ba72c7719372e4f710fc9b5a
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:54 2015 +0100

      target-arm: Add MDCR_EL2

      Add the MDCR_EL2 register. We don't implement any of
      the debug-related traps this register controls yet, so
      currently it simply reads back as written.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1444383794-16767-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: tweaked commit message; moved non-dummy definition from
      debug_cp_reginfo to el2_cp_reginfo.]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c209b0537203c58a051e5d837320335cea23e494
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      misc: zynq_slcr: Fix MMIO writes

      The /4 for offset calculation in MMIO writes was happening twice giving
      wrong write offsets. Fix.

      While touching the code, change the if-else to be a short returning if
      and convert the debug message to a GUEST_ERROR, which is more accurate
      for this condition.

      Cc: qemu-stable@xxxxxxxxxx
      Cc: Guenter Roeck <linux@xxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b64d64de1a5b88de88146e3ad36e7b09b97837eb
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      arm: imx25-pdk: Fix machine name

      ARM uses dashes instead of underscores for machine names. Fix imx25_pdk
      which has not seen a release yet (so there is no legacy yet).

      Cc: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 1444445785-3648-1-git-send-email-crosthwaite.peter@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: Added change to tests/ds1338-test.c to use new machine name]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ad1e8db894fa055ffa9447a5d86520ef1cbac6e9
  Author: Ryo ONODERA <ryo_on@xxxxxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      target-arm: Provide model numbers for Sharp PDAs

      * For Collie, Akita, Spitz, Borzoi, Terrier and Tosa PDAs, provide
        model numbers and manufacturer (Sharp) information.

      Signed-off-by: Ryo ONODERA <ryo_on@xxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1424ca8d4320427c3e93722b65e19077969808a2
  Author: Davorin Mista <davorin.mista@xxxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      target-arm: Implement AArch64 OSLAR/OSLSR_EL1 sysregs

      Added oslar_write function to OSLAR_EL1 sysreg, using a status variable
      in ARMCPUState.cp15 struct (oslsr_el1). This variable is also linked
      to the newly added read-only OSLSR_EL1 register.

      Linux reads from this register during its suspend/resume procedure.

      Signed-off-by: Davorin Mista <davorin.mista@xxxxxxxxxx>
      [PMM: folded a long line and tweaked a comment]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bab27ea2e3855b6495a743f19b9d28cb013443ea
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Fri Oct 16 11:14:53 2015 +0100

      hw/arm/virt: smbios: inform guest of kvm

      ARM/AArch64 KVM guests don't have any way to identify
      themselves as KVM guests (x86 guests use a CPUID leaf). Now, we
      could discuss all sorts of reasons why guests shouldn't need to
      know that, but then there's always some case where it'd be
      nice... Anyway, now that we have SMBIOS tables in ARM guests,
      it's easy for the guest to know that it's a QEMU instance. This
      patch takes that one step further, also identifying KVM, when
      appropriate. Again, we could debate why generally nothing
      should care whether it's of type QEMU or QEMU/KVM, but again,
      sometimes it's nice to know...

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Reviewed-by: Wei Huang <wei@xxxxxxxxxx>
      Message-id: 1443017892-15567-1-git-send-email-drjones@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2cde031f5a34996bab32571a26b1a6bcf3e5b5d9
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:52 2015 +0100

      target-arm: Avoid calling arm_el_is_aa64() function for unimplemented EL

      It is incorrect to call arm_el_is_aa64() function for unimplemented EL.
      This patch fixes several attempts to do so.

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      [PMM: Reworked several of the comments to be more verbose.]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6df99dec9e81838423d723996e96236693fa31fe
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Fri Oct 16 11:14:52 2015 +0100

      target-arm: Break the TB after ISB to execute self-modified code correctly

      If any store instruction writes the code inside the same TB
      after this store insn, the execution of the TB must be stopped
      to execute new code correctly.
      As described in ARMv8 manual D3.4.6 self-modifying code must do an
      IC invalidation to be valid, and an ISB after it. So it's enough to end
      the TB after ISB instruction on the code translation.
      Also this TB break is necessary to take any pending interrupts immediately
      after an ISB (as required by ARMv8 ARM D1.14.4).

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      [PMM: tweaked commit message and comments slightly]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 82c39f6a8898b028515eddcdbc4ae50959d0af5d
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Fri Oct 16 11:14:52 2015 +0100

      target-arm: Add missing 'static' attribute

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Message-id: 1443213733-9807-1-git-send-email-sw@xxxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 468a895bce1492cf83bb8be0d995ccdfcf4f2785
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Tue Oct 13 21:51:18 2015 +0100

      ui/cocoa.m: blinky mouse cursor fix

      The mouse cursor can become blinky when being moved a lot. This patch 
fixes that
      problem by issuing the redraw sooner.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: AAA87DD7-EC20-4F4B-B71E-C38461D9FCBA@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a7940ec0af4be5d35f65890fe0c722efc5489298
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Tue Oct 13 21:51:18 2015 +0100

      ui/cocoa.m: addRemovableDevicesMenuItems() warning fix

      Eliminate this warning associated with the addRemovableDevicesMenuItems()
      function:

      ui/cocoa.m:1344:13: warning: function declaration isn't a prototype
      [-Wstrict-prototypes]
       static void addRemovableDevicesMenuItems()
                   ^
      ui/cocoa.m: In function 'addRemovableDevicesMenuItems':
      ui/cocoa.m:1344:13: warning: old-style function definition 
[-Wold-style-definition]

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 7B365FC2-072B-4E8D-A1D9-922C2D691A83@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 99df5289d8c7ebf373c3570d8fba3f3a73360281
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:32 2015 -0600

      qapi: Track location that created an implicit type

      A future patch will move some error checking from the parser
      to the various QAPISchema*.check() methods, which run only
      after parsing completes.  It will thus be possible to create
      a python instance representing an implicit QAPI type that
      parses fine but will fail validation during check().  Since
      all errors have to have an associated 'info' location, we
      need a location to be associated with those implicit types.
      The intuitive info to use is the location of the enclosing
      entity that caused the creation of the implicit type.

      Note that we do not anticipate builtin types being used in
      an error message (as they are not part of the user's QAPI
      input, the user can't cause a semantic error in their
      behavior), so we exempt those types from requiring info, by
      setting a flag to track the completion of _def_predefineds(),
      and tracking that flag in _def_entity().

      No change to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-13-git-send-email-eblake@xxxxxxxxxx>
      [Missing QAPISchemaArrayType.is_implicit() supplied]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 46292ba75c515baf733df18644052b2ce9492728
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:29 2015 -0600

      qapi: Create simple union type member earlier

      For simple unions, we were creating the implicit 'type' tag
      member during the QAPISchemaObjectTypeVariants constructor.
      This is different from every other implicit QAPISchemaEntity
      object, which get created by QAPISchema methods.  Hoist the
      creation to the caller (renaming _make_tag_enum() to
      _make_implicit_tag()), and pass the entity rather than the
      string name, so that we have the nice property that no
      entities are created as a side effect within a different
      entity.  A later patch will then have an easier time of
      associating location info with each entity creation.

      No change to generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-10-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9f08c8ec73878122ad4b061ed334f0437afaaa32
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:28 2015 -0600

      qapi: Lazy creation of array types

      Commit ac88219a had several TODO markers about whether we needed
      to automatically create the corresponding array type alongside
      any other type.  It turns out that most of the time, we don't!

      There are a few exceptions: 1) We have a few situations where we
      use an array type in internal code but do not expose that type
      through QMP; fix it by declaring a dummy type that forces the
      generator to see that we want to use the array type.

      2) The builtin arrays (such as intList for QAPI ['int']) must
      always be generated, because of the way our QAPI_TYPES_BUILTIN
      compile guard works: we have situations (at the very least
      tests/test-qmp-output-visitor.c) that include both top-level
      "qapi-types.h" (via "error.h") and a secondary
      "test-qapi-types.h". If we were to only emit the builtin types
      when used locally, then the first .h file would not include all
      types, but the second .h does not declare anything at all because
      the first .h set QAPI_TYPES_BUILTIN, and we would end up with
      compilation error due to things like unknown type 'int8List'.

      Actually, we may need to revisit how we do type guards, and
      change from a single QAPI_TYPES_BUILTIN over to a different
      usage pattern that does one #ifdef per qapi type - right now,
      the only types that are declared multiple times between two qapi
      .json files for inclusion by a single .c file happen to be the
      builtin arrays.  But now that we have QAPI 'include' statements,
      it is logical to assume that we will soon reach a point where
      we want to reuse non-builtin types (yes, I'm thinking about what
      it will take to add introspection to QGA, where we will want to
      reuse the SchemaInfo type and friends).  One #ifdef per type
      will help ensure that generating the same qapi type into more
      than one qapi-types.h won't cause collisions when both are
      included in the same .c file; but we also have to solve how to
      avoid creating duplicate qapi-types.c entry points.  So that
      is a problem left for another day.

      Generated code for qapi-types and qapi-visit is drastically
      reduced; less than a third of the arrays that were blindly
      created were actually needed (a quick grep shows we dropped
      from 219 to 69 *List types), and the .o files lost more than
      30% of their bulk.  [For best results, diff the generated
      files with 'git diff --patience --no-index pre post'.]

      Interestingly, the introspection output is unchanged - this is
      because we already cull all types that are not indirectly
      reachable from a command or event, so introspection was already
      using only a subset of array types.  The subset of types
      introspected is now a much larger percentage of the overall set
      of array types emitted in qapi-types.h (since the larger set
      shrunk), but still not 100% (evidence that the array types
      emitted for our new Dummy structs, and the new struct itself,
      don't affect QMP).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-9-git-send-email-eblake@xxxxxxxxxx>
      [Moved array info tracking to a later patch]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 49823c4b4304a3e4aa5d67e089946b12d6a52d64
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:27 2015 -0600

      qapi: Don't use info as witness of implicit object type

      A future patch will enable error reporting from the various
      QAPISchema*.check() methods.  But to report an error related
      to an implicit type, we'll need to associate a location with
      the type (the same location as the top-level entity that is
      causing the creation of the implicit type), and once we do
      that, keying off of whether foo.info exists is no longer a
      viable way to determine if foo is an implicit type.

      Instead, add an is_implicit() method to QAPISchemaEntity, and use it.
      It can be overridden later for ObjectType and EnumType, when implicit
      instances of those classes gain info.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-8-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 849ab13c1657b51b89693282ddd42ca1f6255354
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Oct 13 12:26:47 2015 -0600

      qapi: Drop redundant args-member-array test

      qapi-schema-test already ensures that we can correctly compile
      an array of enums (__org.qemu_x-command), an array of builtins
      (UserDefNativeListUnion), and an array of structs (again
      __org.qemu_x-command).  That means args-member-array is not
      adding any additional parse-only test coverage, so drop it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444760807-11307-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 70478cef837e86b1cff08073153081ce480e0e6c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:26 2015 -0600

      qapi: Drop redundant flat-union-reverse-define test

      As of commit 8c3f8e77, we test compilation of forward references
      for a struct base type (UserDefOne), flat union base type
      (UserDefUnionBase), and flat union branch type
      (UserDefFlatUnion2). The only remaining forward reference being
      tested for parsing in flat-union-reverse-define was a forward
      enum declaration.  Once we make sure that always compiles,
      the smaller parse-only test is redundant and can be deleted.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-7-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cae95eae6270c1ea28a9ba8eee75c441b1015f68
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:25 2015 -0600

      qapi: Drop redundant returns-int test

      qapi-schema-test was already testing that we could have a
      command returning int, but burned a command name in the whitelist.
      Merge the redundant positive test returns-int, and pick a name
      that reduces the whitelist size.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-6-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 625b251c69d983959efaeadeee12405b1a66d331
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:24 2015 -0600

      qapi: Move empty-enum to compile-time test

      Rather than just asserting that we can parse an empty enum,
      let's also make sure we can compile it, by including it in
      qapi-schema-test.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-5-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit baabb84c5b27115b979d864cb2af4d63b823983f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:23 2015 -0600

      qapi: Drop redundant alternate-good test

      The alternate-good.json test was already covered by
      qapi-schema-test.json.  As future commits will be tweaking
      how alternates are laid out, removing the duplicate test now
      reduces churn.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-4-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 7618b91ff80ec42b84b29be24d8ef53ddb377110
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:22 2015 -0600

      qapi: Prepare for errors during check()

      The next few patches will start migrating error checking from
      ad hoc parse methods into the QAPISchema*.check() methods.  But
      for an error message to display, we first have to fix the
      overall 'try' to catch those errors.  We also want to enable a
      few more assertions, such as making sure every attempt to
      raise a semantic error is passed a valid location info, or that
      various preconditions hold.

      The general approach for moving error checking will then be to
      relax an assertion into an if that raises an exception if the
      condition does not hold, and removing the counterpart ad hoc
      check done during the parse phase.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-3-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 25a0d9c977c2f5db914b0a1619759fd77d97b016
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon Oct 12 22:22:21 2015 -0600

      qapi: Use predicate callback to determine visit filtering

      Previously, qapi-types and qapi-visit filtered out implicit
      objects during visit_object_type() by using 'info' (works since
      implicit objects do not [yet] have associated info); meanwhile
      qapi-introspect filtered out all schema types on the first pass
      by returning a python type from visit_begin(), which was then
      used at a distance in QAPISchema.visit() to do the filtering.

      Rather than keeping these ad hoc approaches, add a new visitor
      callback visit_needed() which returns False to skip a given
      entity, and which defaults to True unless overridden.  Use the
      new mechanism to simplify all three filtering visitors.

      No change to the generated code.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444710158-8723-2-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d08ac81a459258ce20b3184fa9325c6c1350ac9e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Oct 14 16:30:25 2015 -0600

      qapi: Fix regression with '-netdev help'

      Commit e36c714e causes 'qemu -netdev help' to dump core, because the
      call to visit_end_union() is no longer conditional on whether *obj was
      allocated.

      Reported by Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1444861825-19256-1-git-send-email-eblake@xxxxxxxxxx>
      [Commit message tweaked to say 'help' instead of '?']
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 60be6340796e66b5ac8aac2d98dde5c79336a89c
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Mon Sep 28 14:41:58 2015 +0300

      migration: fix deadlock

      Release qemu global mutex before call synchronize_rcu().
      synchronize_rcu() waiting for all readers to finish their critical
      sections. There is at least one critical section in which we try
      to get QGM (critical section is in address_space_rw() and
      prepare_mmio_access() is trying to aquire QGM).

      Both functions (migration_end() and migration_bitmap_extend())
      are called from main thread which is holding QGM.

      Thus there is a race condition that ends up with deadlock:
      main thread     working thread
      Lock QGA                |
      |             Call KVM_EXIT_IO handler
      |                       |
      |        Open rcu reader's critical section
      Migration cleanup bh    |
      |                       |
      synchronize_rcu() is    |
      waiting for readers     |
      |            prepare_mmio_access() is waiting for QGM
        \                   /
               deadlock

      The patch changes bitmap freeing from direct g_free after synchronize_rcu
      to free inside call_rcu.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reported-by: Igor Redko <redkoi@xxxxxxxxxxxxx>
      Tested-by: Igor Redko <redkoi@xxxxxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

      CC: Anna Melekhova <annam@xxxxxxxxxxxxx>
      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: Amit Shah <amit.shah@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Wen Congyang <wency@xxxxxxxxxxxxxx>

  commit 92e3762237475407fe03e1ccac6e30612ab96caf
  Author: Amit Shah <amit.shah@xxxxxxxxxx>
  Date:   Wed Oct 14 17:37:19 2015 +0530

      migration: announce VM's new home just before VM is runnable

      We were announcing the dest host's IP as our new IP a bit too soon -- if
      there were errors detected after this announcement was done, the
      migration is failed and the VM could continue running on the src host --
      causing problems later.

      Move around the qemu_announce_self() call so it's done just before the
      VM is runnable.

      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit ed1f3e0090069dcb9458aa9e450df12bf8eba0b0
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue Oct 13 12:21:27 2015 +0100

      Migration: Generate the completed event only when we complete

      The current migration-completed event is generated a bit too early,
      which means that an eager libvirt that's ready to go as soon
      as it sees the event ends up racing with the actual end of migration.

      This corresponds to RH bug:
      https://bugzilla.redhat.com/show_bug.cgi?id=1271145

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      xSigned-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 6511d39679f296162a90e71685651717a29e78e5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:08:05 2015 +0200

      qemu-char: convert serial backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fd5b036c5c6dc715bd06769a0023c6e1de2dadb4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 15:06:02 2015 +0200

      qemu-char: convert file backend to data-driven creation

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4ca172817a8c6df0145c16d80abdf04d53a56d92
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 14:55:59 2015 +0200

      qemu-char: add create to register_char_driver

      Having creation as a member of the CharDriver struct removes the need
      to export functions for qemu-char.c's usage.  After the conversion,
      chardev backends implemented outside qemu-char.c will not need a stub
      creation function anymore.

      Ultimately all drivers will be converted.  For now, support the case
      where cd->create == NULL.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d809ab9521ace32a806cdf86ee7df40e1bf88443
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 09:46:23 2015 +0200

      qemu-char: cleanup HAVE_CHARDEV_*

      Move the #ifdef up into qmp_chardev_add, and avoid duplicating
      the code that reports unavailable backends.  Split HAVE_CHARDEV_TTY
      into HAVE_CHARDEV_SERIAL and HAVE_CHARDEV_PTY.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit eaeba65304d9666309f246849adf1eff217b9868
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 14:54:05 2015 +0200

      qemu-char: cleanup qmp_chardev_add

      Use the usual idioms for error propagation.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a1dbc05a6f73e63ccfdd538c1825d44aa6347d8f
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Tue Oct 13 21:51:18 2015 +0100

      ui/cocoa.m: eliminate normalWindow warning

      Eliminate this warning associated with the setting of the normalWindow's 
title:

      ui/cocoa.m: In function '-[QemuCocoaAppController init]':
      ui/cocoa.m:888:9: warning: format not a string literal and no format 
arguments
       [-Wformat-security]
               [normalWindow setTitle:[NSString stringWithFormat:@"QEMU"]];

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 57057D6E-C108-4AE1-8370-E7E6855B2F2C@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0a3c190098e1cb3daaa946cba6663467d1f4e857
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Oct 12 18:41:19 2015 +0100

      README: fill out some useful quickstart information

      The README file is usually the first thing consulted when a user
      or developer obtains a copy of the QEMU source. The current QEMU
      README is lacking immediately useful information and so not very
      friendly for first time encounters. It either redirects users to
      qemu-doc.html (which does not exist until they've actually
      compiled QEMU), or the website (which assumes the user has
      convenient internet access at time of reading).

      This fills out the README file as simple quick-start guide on
      the topics of building source, submitting patches, licensing
      and how to contact the QEMU community. It does not intend to be
      comprehensive, instead referring people to an appropriate web
      page to obtain more detailed information. The intent is to give
      users quick guidance to get them going in the right direction.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1444671679-17674-1-git-send-email-berrange@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c49d3411faae8ffaab8f7e5db47405a008411c10
  Merge: 5451316 18bdbc3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 13 10:42:06 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-10-12' 
into staging

      QAPI patches

      # gpg: Signature made Mon 12 Oct 2015 18:56:35 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-10-12:
        qapi: Simplify gen_visit_fields() error handling
        qapi: Share gen_visit_fields()
        qapi: Share gen_err_check()
        qapi: Consistent generated code: minimize push_indent() usage
        qapi: Consistent generated code: prefer common indentation
        qapi: Consistent generated code: prefer common labels
        qapi: Consistent generated code: prefer visitor 'v'
        qapi: Consistent generated code: prefer error 'err'
        qapi: Reuse code for flat union base validation
        qapi: Test use of 'number' within alternates
        qapi: Add tests for empty unions
        qapi: Avoid assertion failure on union 'type' collision
        qapi: Test for various name collisions
        qapi: Clean up qapi.py per pep8
        qapi: Invoke exception superclass initializer
        qapi: Improve 'include' error message
        qapi: Sort qapi-schema tests
        MAINTAINERS: Specify QAPI include and test files
        MAINTAINERS: Specify QObject include and test files
        docs: Move files from docs/qmp/ to docs/

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 18bdbc3ac8b477e160d56aa6ecd6942495ce44d0
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:15 2015 -0600

      qapi: Simplify gen_visit_fields() error handling

      Since we have consolidated all generated code to use 'err' as
      the name of the local variable for error detection, we can
      simplify the decision on whether to skip error detection (useful
      for deallocation paths) to be a boolean.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-18-git-send-email-eblake@xxxxxxxxxx>
      [Change to gen_visit_fields() simplified]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 82ca8e469666b169ccf818a0e36136aee97d7db0
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:14 2015 -0600

      qapi: Share gen_visit_fields()

      Consolidate the code between visit, command marshalling, and
      event generation that iterates over the members of a struct.
      It reduces code duplication in the generator, so that a future
      patch can reduce the size of generated code while touching only
      one instead of three locations.

      There are no changes to the generated marshal code.

      The visitor code becomes slightly more verbose, but remains
      semantically equivalent, and is actually easier to read as
      it follows a more common idiom:

      |     visit_optional(v, &(*obj)->has_device, "device", &err);
      |-    if (!err && (*obj)->has_device) {
      |-        visit_type_str(v, &(*obj)->device, "device", &err);
      |-    }
      |     if (err) {
      |         goto out;
      |     }
      |+    if ((*obj)->has_device) {
      |+        visit_type_str(v, &(*obj)->device, "device", &err);
      |+        if (err) {
      |+            goto out;
      |+        }
      |+    }

      The event code becomes slightly more verbose, but this is
      arguably a bug fix: although the visitors are not well
      documented, use of an optional member should not be attempted
      unless guarded by a prior call to visit_optional().  Works only
      because the output qmp visitor has a no-op visit_optional():

      |+    visit_optional(v, &has_offset, "offset", &err);
      |+    if (err) {
      |+        goto out;
      |+    }
      |     if (has_offset) {
      |         visit_type_int(v, &offset, "offset", &err);

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-17-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1f35334489a43800df4d20cd91362a87cee39a29
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:13 2015 -0600

      qapi: Share gen_err_check()

      qapi-commands has a nice helper gen_err_check(), but did not
      use it everywhere. In fact, using it in more places makes it
      easier to reduce the lines of code used for generating error
      checks.  This in turn will make it easier for later patches
      to consolidate another common pattern among the generators.

      The generated code has fewer blank lines in qapi-event.c functions,
      but has no semantic difference.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-16-git-send-email-eblake@xxxxxxxxxx>
      [Drop another blank line for symmetry]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 05372f708a8cb3556e4d67458de79417dadf241f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:12 2015 -0600

      qapi: Consistent generated code: minimize push_indent() usage

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch reduces the number of push_indent()/pop_indent() pairs
      so that generated code is typically already at its natural output
      indentation in the python files.  It is easier to reason about
      generated code if the reader does not have to track how much
      spacing will be inserted alongside the code, and moreso when all
      of the generators use the same patterns (qapi-type and qapi-event
      were already using in-place indentation).

      Arguably, the resulting python may be a bit harder to read with C
      code at the same indentation as python; on the other hand, not
      having to think about push_indent() is a win, and most decent
      editors provide syntax highlighting that makes it easier to
      visually distinguish python code from string literals that will
      become C code.

      There is no change to the generated output.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-15-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e36c714e6aad7c9266132350833e2f263f6d8874
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:11 2015 -0600

      qapi: Consistent generated code: prefer common indentation

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch adjusts gen_visit_union() to use the same indentation
      as other functions, namely, by jumping early to the error label
      if the object was not set rather than placing the rest of the
      body inside an if for when it is set.

      No change in semantics to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-14-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f782399cb4fa3fc4182cb046817f65a6db92ab07
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:10 2015 -0600

      qapi: Consistent generated code: prefer common labels

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch names the goto labels 'out' (not 'clean') and 'out_obj'
      (not 'out_end').  Additionally, the generator was inconsistent on
      whether labels had a leading space [our HACKING is silent; while
      emacs 'gnu' style adds the space to avoid littering column 1].
      For minimal churn, prefer no leading space; this also matches
      the style that is more prevalent in current qemu.git.

      No change in semantics to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-13-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit f8b7f1a8eafa9f565ebecfe409e8741d38cd786b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:09 2015 -0600

      qapi: Consistent generated code: prefer visitor 'v'

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch names the local visitor variable 'v' rather than 'm'.
      Related objects, such as 'QapiDeallocVisitor', are also named by
      their initials instead of an unrelated leading m.

      No change in semantics to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-12-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2a0f50e8d973b01eda4c63bac4a5c79ea0f584ef
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:08 2015 -0600

      qapi: Consistent generated code: prefer error 'err'

      We had some pointless differences in the generated code for visit,
      command marshalling, and events; unifying them makes it easier for
      future patches to consolidate to common helper functions.
      This is one patch of a series to clean up these differences.

      This patch consistently names the local error variable 'err' rather
      than 'local_err'.

      No change in semantics to the generated code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-11-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 376863ef4895ae709aadb6f26365a5973310ef09
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:07 2015 -0600

      qapi: Reuse code for flat union base validation

      Rather than open-code the check for a valid base type, we
      should reuse the common functionality. This allows for
      consistent error messages, and also makes it easier for a
      later patch to turn on support for inline anonymous base
      structures.

      Test flat-union-inline is updated to test only one feature
      (anonymous branch dictionaries), which can be implemented
      independently (test flat-union-bad-base already covers the
      idea of an anonymous base dictionary).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-10-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9c51b4412959c5331a8a931d848c4b755b5bb36a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:06 2015 -0600

      qapi: Test use of 'number' within alternates

      Add some testsuite exposure for use of a 'number' as part of
      an alternate.  The current state of the tree has a few bugs
      exposed by this: our input parser depends on the ordering of
      how the qapi schema declared the alternate, and the parser
      does not accept integers for a 'number' in an alternate even
      though it does for numbers outside of an alternate.

      Mixing 'int' and 'number' in the same alternate is unusual,
      since both are supplied by json-numbers, but there does not
      seem to be a technical reason to forbid it given that our
      json lexer distinguishes between json-numbers that can be
      represented as an int vs. those that cannot.

      Improve the existing test_visitor_in_alternate() to match the
      style of the new test_visitor_in_alternate_number(), and to
      ensure full coverage of all possible qtype parsing.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-9-git-send-email-eblake@xxxxxxxxxx>
      [Eric's follow-up fixes squashed in]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 8d25dd101f759425456b8005b3180062689d71e7
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:05 2015 -0600

      qapi: Add tests for empty unions

      The documentation claims that alternates are useful for
      allowing two or more types, although nothing enforces this.
      Meanwhile, it is silent on whether empty unions are allowed.
      In practice, the generated code will compile, in part because
      we have a 'void *data' branch; but attempting to visit such a
      type will cause an abort().  While there's no technical reason
      that a degenerate union could not be made to work, it's harder
      to justify the time spent in chasing known (the current
      abort() during visit) and unknown corner cases, than it would
      be to just outlaw them.  A future patch will probably take the
      approach of forbidding them; in the meantime, we can at least
      add testsuite coverage to make it obvious where things stand.

      In addition to adding tests to expose the problems, we also
      need to adjust existing tests that are meant to test something
      else, but which could fail for the wrong reason if we reject
      degenerate alternates/unions.

      Note that empty structs are explicitly supported (for example,
      right now they are the only way to specify that one branch of a
      flat union adds no additional members), and empty enums are
      covered by the testsuite as working (even if they do not seem
      to have much use).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-8-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 7b2a5c2f9a52c4a08630fa741052f03fe5d3cc8a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:04 2015 -0600

      qapi: Avoid assertion failure on union 'type' collision

      The previous commit added two tests that triggered an assertion
      failure. It's fairly straightforward to avoid the failure by
      just outright forbidding the collision between a union's tag
      values and its discriminator name (including the implicit name
      'kind' supplied for simple unions [*]).  Ultimately, we'd like
      to move the collision detection into QAPISchema*.check(), but
      for now it is easier just to enhance the existing checks.

      [*] Of course, down the road, we have plans to rename the simple
      union tag name to 'type' to match the QMP wire name, but the
      idea of the collision will still be present even then.

      Technically, we could avoid the collision by naming the C union
      members representing each enum value as '_case_value' rather
      than 'value'; but until we have an actual qapi client (and not
      just our testsuite) that has a legitimate reason to match a
      case label to the name of a QMP key and needs the name munging
      to satisfy the compiler, it's easier to just reject the qapi
      as invalid.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-7-git-send-email-eblake@xxxxxxxxxx>
      [Polished a few comments]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d220fbcd1db2097de5ff3037e85317fcb5433e4e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:03 2015 -0600

      qapi: Test for various name collisions

      Expose some weaknesses in the generator: we don't always forbid
      the generation of structs that contain multiple members that map
      to the same C or QMP name.  This has already been marked FIXME in
      qapi.py in commit d90675f, but having more tests will make sure
      future patches produce desired behavior; and updating existing
      patches to better document things doesn't hurt, either.  Some of
      these collisions are already caught in the old-style parser
      checks, but ultimately we want all collisions to be caught in the
      new-style QAPISchema*.check() methods.

      This patch focuses on C struct members, and does not consider
      collisions between commands and events (affecting C function
      names), or even collisions between generated C type names with
      user type names (for things like automatic FOOList struct
      representing array types or FOOKind for an implicit enum).

      There are two types of struct collisions we want to catch:
       1) Collision between two keys in a JSON object. qapi.py prevents
          that within a single struct (see test duplicate-key), but it is
          possible to have collisions between a type's members and its
          base type's members (existing tests struct-base-clash,
          struct-base-clash-deep), and its flat union variant members
          (renamed test flat-union-clash-member).
       2) Collision between two members of the C struct that is generated
          for a given QAPI type:
          a) Multiple QAPI names map to the same C name (new test
             args-name-clash)
          b) A QAPI name maps to a C name that is used for another purpose
             (new tests flat-union-clash-branch, struct-base-clash-base,
             union-clash-data). We already fixed some such cases in commit
             0f61af3e and 1e6c1616, but more remain.
          c) Two C names generated for other purposes clash
             (updated test alternate-clash, new test union-clash-branches,
             union-clash-type, flat-union-clash-type)

      Ultimately, if we need to have a flat union where a tag value
      clashes with a base member name, we could change the generator to
      name the union (using 'foo.u.value' rather than 'foo.value') or
      otherwise munge the C name corresponding to tag values.  But
      unless such a need arises, it will probably be easier to just
      forbid these collisions.

      Some of these negative tests will be deleted later, and positive
      tests added to qapi-schema-test.json in their place, when the
      generator code is reworked to avoid particular code generation
      collisions in class 2).

      [Note that viewing this patch with git rename detection enabled
      may see some confusion due to renaming some tests while adding
      others, but where the content is similar enough that git picks
      the wrong pre- and post-patch files to associate]

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-6-git-send-email-eblake@xxxxxxxxxx>
      [Improve commit message and comments a bit, drop an unrelated test]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 437db2549be383e52acad6cd4bf2862e98fdfc93
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:02 2015 -0600

      qapi: Clean up qapi.py per pep8

      Silence pep8, and make pylint a bit happier.  Just style cleanups,
      plus killing a useless comment in camel_to_upper(); no semantic
      changes.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-5-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 59b00542659c8947f9d4e8c28d2d528ab3ab61a5
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:01 2015 -0600

      qapi: Invoke exception superclass initializer

      pylint recommends that every exception class should explicitly
      invoke the superclass __init__, even though things seem to work
      fine without it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-4-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 7408fb67c0f9403f6e40aecf97cf798fc14e2cd8
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:21:00 2015 -0600

      qapi: Improve 'include' error message

      Use of '"...%s" % include' to print non-strings can lead to
      ugly messages, such as this (if the .json change is applied
      without the qapi.py change):
       Expected a file name (string), got: OrderedDict()

      Better is to just omit the actual non-string value in the
      message.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-3-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1ffe818a395cb883746f3baf8d9a0b6988375e8b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 29 16:20:59 2015 -0600

      qapi: Sort qapi-schema tests

      Recent changes to qapi have provided quite a bit of churn in
      the makefile, because we are inconsistent on what order test
      names appear in, and on whether to re-wrap the list of tests or
      just add arbitrary line lengths.  Writing the list in a sorted
      fashion, one test per line, will make future patches easier
      to see what tests are being added or removed by a patch.

      Although it is tempting to use $(wildcard qapi-schema/*.json)
      for a more compact listing, such an approach would risk picking
      up leftover garbage .json files in the directory; so keeping
      the list explicit is safer for ensuring reproducible tarballs
      and test results.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443565276-4535-2-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ac4abb9aeb734f36eb90b149b9eed0cc8fdb2872
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 24 18:11:57 2015 +0200

      MAINTAINERS: Specify QAPI include and test files

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443111117-29831-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 7735d2b50477b171446b38efd2d8866d3c966162
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 24 18:11:56 2015 +0200

      MAINTAINERS: Specify QObject include and test files

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443111117-29831-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9b89b6a2872f1473ef82acdcb64c901982e0ef88
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 24 18:11:55 2015 +0200

      docs: Move files from docs/qmp/ to docs/

      Giving QMP its own subdirectory in docs/ is hardly worthwhile when we
      have just four files, and one of them isn't even in the subdirectory.
      Move the files from docs/qmp/ to docs/, renaming docs/qmp/README to
      docs/qmp-intro.

      Update MAINTAINERS.  The new pattern also captures the fourth file
      docs/writing-qmp-commands.txt.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443111117-29831-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit b77e7c8e99f9ac726c4eaa2fc3461fd886017dc0
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 12 15:35:16 2015 +0200

      qemu-sockets: fix conversion of ipv4/ipv6 JSON to QemuOpts

      The QemuOpts-based code treats "option not set" and "option set
      to false" the same way for the ipv4 and ipv6 options, because it
      is meant to handle only the ",ipv4" and ",ipv6" substrings in
      hand-crafted option parsers.

      When converting InetSocketAddress to QemuOpts, however, it is
      necessary to handle all three cases (not set, set to true, set
      to false).  Currently we are not handling all cases correctly.
      The rules are:

      * if none or both options are absent, leave things as is

      * if the single present option is Y, the other should be N.
      This can be implemented by leaving things as is, or by setting
      the other option to N as done in this patch.

      * if the single present option is N, the other should be Y.
      This is handled by the "else if" branch of this patch.

      This ensures that the ipv4 option has an effect on Windows,
      where creating the socket with PF_UNSPEC makes an ipv6
      socket.  With this patch, ",ipv4" will result in a PF_INET
      socket instead.

      Reported-by: Sair, Umair <Umair_Sair@xxxxxxxxxx>
      Tested-by: Sair, Umair <Umair_Sair@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5ea530491fe9ac56f75bc1833cc3fd7722b24efd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:49:41 2015 +0200

      MAINTAINERS: Add more devices to realview board

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 062710000dbd9db81277156d9bdebd96b70cd1d2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:45:00 2015 +0200

      MAINTAINERS: Add maintainer for ARM PrimeCell and integrated devices

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9b31bff02153cf86d4413c6289794175662f7c5c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:42:50 2015 +0200

      MAINTAINERS: Add more pxa2xx files and boards

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: Andrzej Zaborowski <balrogg@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c92451c2af29784c76527cc5484c33b4ce069d38
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:36:48 2015 +0200

      MAINTAINERS: Add more Xen files

      Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx?
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 566dd236e1e0bfe9d9bce326547f883d677cf30a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:38:02 2015 +0200

      MAINTAINERS: add two devices to the e500 section

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Scott Wood <scottwood@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3e5385fcf536fc4238eb87de55af8dd99089cad4
  Author: Andy Whitcroft <apw@xxxxxxxxxxxxx>
  Date:   Thu Oct 8 10:05:24 2015 +0200

      checkpatch: port fix from kernel "## is not a valid modifier"

      checkpatch currently loops on fpu/softfloat.c
      Turns out this is fixed in the Linux version of checkpatch.

      So this is a port of Andy Whitcrofts fix from Linux,
      Original commit was commit 89a883530fe7 ("checkpatch: ## is not a
      valid modifier")

      As suggested by Peter Maydell for the QEMU version we drop the last "|"
      as there seems to be no need for that. (FWIW, the kernel discusion about
      that dried out:
      http://www.spinics.net/lists/kernel/msg1944421.html
      )

      Cc: Andy Whitcroft <apw@xxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-Id: <1444291524-66569-1-git-send-email-borntraeger@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b232c7857aa36d144205134c725114541630b1c2
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Tue Oct 6 14:30:57 2015 +1100

      kvm-all: Align to qemu_real_host_page_size in kvm_set_phys_mem

      As the comment in kvm_set_phys_mem() says, KVM works in page size chunks.
      However it uses hardcoded TARGET_PAGE_SIZE which is 4K on most platforms
      while actual host may use different page size, for example, PPC64 hosts
      use 64K system pages.

      This replaces static TARGET_PAGE_SIZE with run-time calculated
      qemu_real_host_page_size.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Message-Id: <1444102257-17405-1-git-send-email-aik@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 88401cbc5b5730986fd5040425f5015a9cce9080
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 11 10:52:46 2015 +0200

      exec: remove non-TCG stuff from exec-all.h header.

      The header is included from basically everywhere, thanks to cpu.h.
      It should be moved to the (TCG only) files that actually need it.
      As a start, remove non-TCG stuff.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 46eb8f98f2ce402e384d60ddd15020720994c7ca
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Wed Sep 16 12:59:44 2015 +0300

      target-i386/kvm: Hyper-V HV_X64_MSR_VP_RUNTIME support

      HV_X64_MSR_VP_RUNTIME msr used by guest to get
      "the time the virtual processor consumes running guest code,
      and the time the associated logical processor spends running
      hypervisor code on behalf of that guest."

      Calculation of that time is performed by task_cputime_adjusted()
      for vcpu task by KVM side.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      CC: "Andreas Färber" <afaerber@xxxxxxx>
      CC: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
      Message-Id: <1442397584-16698-4-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8c145d7ca9b4267d2ec1eabe801c6b2aee636f1f
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Wed Sep 16 12:59:43 2015 +0300

      target-i386/kvm: set Hyper-V features cpuid bit 
HV_X64_MSR_VP_INDEX_AVAILABLE

      Hyper-V features bit HV_X64_MSR_VP_INDEX_AVAILABLE value is
      based on cpu option "hv-vpindex" and kernel support of
      HV_X64_MSR_VP_INDEX.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      CC: "Andreas Färber" <afaerber@xxxxxxx>
      CC: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
      Message-Id: <1442397584-16698-3-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 744b8a9440fa2bd78ae64861667337439e25a6dc
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Wed Sep 16 12:59:42 2015 +0300

      target-i386/kvm: Hyper-V HV_X64_MSR_RESET support

      HV_X64_MSR_RESET msr is used by Hyper-V based Windows guest
      to reset guest VM by hypervisor. This msr is stateless so
      no migration/fetch/update is required.

      This code checks cpu option "hv-reset" and support by
      kernel. If both conditions are met appropriate Hyper-V features
      cpuid bit is set.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      CC: "Andreas Färber" <afaerber@xxxxxxx>
      CC: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
      Message-Id: <1442397584-16698-2-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3a824b1552d68b708c161a900e2956a78d4ea466
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Oct 2 18:19:58 2015 +0200

      linux-headers: update from kvm/next

      linux-headers/linux/vhost.h is currently out of sync with Linux.  Do
      not touch it in this update.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5b906129524d564d61760d04586d6c2301457ead
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Oct 5 14:45:55 2015 +0200

      checkpatch: allow open braces on typedef lines

      The style here seems to be split according to the maintainer, but
      traditionally open braces were placed on typedef lines.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 32857f4d5e165329c03d66000d666975d85f882a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 1 15:29:50 2015 +0100

      exec.c: Collect AddressSpace related fields into a CPUAddressSpace struct

      Gather up all the fields currently in CPUState which deal with the CPU's
      AddressSpace into a separate CPUAddressSpace struct. This paves the way
      for allowing the CPU to know about more than one AddressSpace.

      The rearrangement also allows us to make the MemoryListener a directly
      embedded object in the CPUAddressSpace (it could not be embedded in
      CPUState because 'struct MemoryListener' isn't defined for the user-only
      builds). This allows us to resolve the FIXME in tcg_commit() by going
      directly from the MemoryListener to the CPUAddressSpace.

      This patch extracts the actual update of the cached dispatch pointer
      from cpu_reload_memory_map() (which is renamed accordingly to
      cpu_reloading_memory_map() as it is only responsible for breaking
      cpu-exec.c's RCU critical section now). This lets us keep the definition
      of the CPUAddressSpace struct private to exec.c.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1443709790-25180-4-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 53f8a5e9e2633a4a3b6918c36aec725aa80f2887
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 1 15:29:49 2015 +0100

      cpu-exec-common.c: Clarify comment about cpu_reload_memory_map()'s RCU 
operations

      The reason for cpu_reload_memory_map()'s RCU operations is not
      so much because the guest could make the critical section very
      long, but that it could have a critical section within which
      it made an arbitrary number of changes to the memory map and
      thus accumulate an unbounded amount of memory data structures
      awaiting reclamation. Clarify the comment to make this clearer.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1443709790-25180-3-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0a1c71cec63e95f9b8d0dc96d049d2daa00c5210
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 1 15:29:48 2015 +0100

      exec.c: Don't call cpu_reload_memory_map() from cpu_exec_init()

      Currently we call cpu_reload_memory_map() from cpu_exec_init(),
      but this is not necessary:
       * KVM doesn't use the data structures maintained by
         cpu_reload_memory_map() (the TLB and cpu->memory_dispatch)
       * for TCG, we will call this function via tcg_commit() either
         as soon as tcg_cpu_address_space_init() registers the listener,
         or when the first MemoryRegion is added to the AddressSpace
         if the AS is empty when we register the listener

      The unnecessary call is awkward for adding support for multiple
      address spaces per CPU, so drop it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
      Message-Id: <1443709790-25180-2-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fec21036ff516d20721abc01ae7be99ae5bb0c7b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 4 21:53:03 2015 +0200

      configure: Require Python 2.6

      RHEL-6 and SLES-11 provide Python 2.6.  It'll also work on OS X back
      to 10.6.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441396383-17304-1-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8ef2eb8d2cad7400236d6b2c152bdb5506761b4d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 30 19:21:10 2015 +0200

      megasas: fix megasas_get_sata_addr

      There are two bugs here.  First, the 16-bit id loses the high 8 bits
      when shifted left by 24.  Second, the address must be combined with
      an "or" or we just get zero.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 633dccb458c4eaa40107cd7026737d804f90b6c0
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 12:59:01 2015 +0200

      scsi: switch from g_slice allocator to malloc

      Simplify memory allocation by sticking with a single API.  GSlice
      is not that fast anyway (tcmalloc/jemalloc are better).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1729404c62e1adae501feeaaf61b87262d52ae1b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 12:59:08 2015 +0200

      nbd: switch from g_slice allocator to malloc

      Simplify memory allocation by sticking with a single API.  GSlice
      is not that fast anyway (tcmalloc/jemalloc are better).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5451316ed07b758a187dedf21047bed8f843f7f1
  Merge: 0bf224d 9201bb9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 12 15:52:54 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      Pull request

      v2:
       * Fix virtio 16lx -> HWADDR_PRIx format specifier [Peter]

      # gpg: Signature made Mon 12 Oct 2015 11:19:06 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        sdhci.c: Limit the maximum block size
        block: switch from g_slice allocator to malloc
        virtio dataplane: adapt dataplane for virtio Version 1
        virtio-blk: use blk_io_plug/unplug for Linux AIO batching
        sdhci: Pass drive parameter to sdhci-pci via qdev property

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0bf224d5da41967a775b328234cda2d19f303908
  Merge: 7684922 89b1273
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 12 14:29:29 2015 +0100

      Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' 
into staging

      # gpg: Signature made Mon 12 Oct 2015 08:56:47 BST using RSA key ID 
398D6211
      # gpg: Good signature from "Jason Wang (Jason Wang on RedHat) 
<jasowang@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 215D 46F4 8246 689E C77F  3562 EF04 965B 398D 
6211

      * remotes/jasowang/tags/net-pull-request:
        tests: add test cases for netfilter object
        netfilter: add a netbuffer filter
        net/queue: export qemu_net_queue_append_iov
        netfilter: print filter info associate with the netdev
        netfilter: add an API to pass the packet to next filter
        net/queue: introduce NetQueueDeliverFunc
        net: merge qemu_deliver_packet and qemu_deliver_packet_iov
        netfilter: hook packets before net queue send
        init/cleanup of netfilter object
        vl.c: init delayed object after net_init_clients
        vmxnet3: Add support for VMXNET3_CMD_GET_ADAPTIVE_RING_INFO command
        e1000: use alias for default model
        vmxnet3: Support reading IMR registers on bar0
        net/vmxnet3: Refine l2 header validation

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9201bb9a8c7cd3ba2382b7db5b2e40f603e61528
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Oct 6 10:40:41 2015 -0700

      sdhci.c: Limit the maximum block size

      It is possible for the guest to set an invalid block
      size which is larger then the fifo_buffer[] array. This
      could cause a buffer overflow.

      To avoid this limit the maximum size of the blksize variable.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reported-by: Intel Security ATR <secure@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
abe4c51f513290bbb85d1ee271cb1a3d463d7561.1444067470.git.alistair.francis@xxxxxxxxxx
      Suggested-by: Igor Mitsyanko <i.mitsyanko@xxxxxxxxx>
      Reported-by: Intel Security ATR <secure@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c84b31926f018af6fea2ab37a1fc47060b4bcfa1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 13:04:39 2015 +0200

      block: switch from g_slice allocator to malloc

      Simplify memory allocation by sticking with a single API.  GSlice
      is not that fast anyway (tcmalloc/jemalloc are better).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a9718ef0005d6910097788936dc40c0204713729
  Author: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 13:33:56 2015 +0200

      virtio dataplane: adapt dataplane for virtio Version 1

      Let dataplane allocate different region for the desc/avail/used
      ring regions.
      Take VIRTIO_RING_F_EVENT_IDX into account to increase the used/avail
      rings accordingly.

      [Fix 32-bit builds by changing 16lx format specifier to HWADDR_PRIx.
      --Stefan]

      Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
      Tested-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Message-id: 1441625636-23773-1-git-send-email-pmorel@xxxxxxxxxxxxxxxxxx
      (changed __virtio16 into uint16_t,
       map descriptor table and available ring read-only)
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 768492239014cb5e6161f1be80a9c8043c4530c2
  Merge: c9003eb 33fe968
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Oct 12 11:07:38 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-10-09' into staging

      Fix device introspection regressions

      # gpg: Signature made Fri 09 Oct 2015 14:43:41 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-10-09:
        Revert "qdev: Use qdev_get_device_class() for -device <type>,help"
        qdev: Protect device-list-properties against broken devices
        qmp: Fix device-list-properties not to crash for abstract device
        device-introspect-test: New, covering device introspection
        libqtest: New hmp() & friends
        libqtest: Clean up unused QTestState member sigact_old
        tests: Fix how qom-test is run
        macio: move DBDMA_init from instance_init to realize
        hw: do not pass NULL to memory_region_init from instance_init
        memory: allow destroying a non-empty MemoryRegion
        virtio-input: Fix device introspection on non-Linux hosts
        update-linux-headers: Rename SW_MAX to SW_MAX_

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fc73548e444ae3239f6cef44a5200b5d2c3e85d1
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Jul 20 16:54:16 2015 +0100

      virtio-blk: use blk_io_plug/unplug for Linux AIO batching

      The raw-posix block driver implements Linux AIO batching so multiple
      requests can be submitted with a single io_submit(2) system call.
      Batching is currently only used by virtio-scsi and
      virtio-blk-data-plane.

      Enable batching for regular virtio-blk so the number of io_submit(2)
      system calls is reduced for workloads with queue depth > 1.

      In 4KB random read performance tests with queue depth 32, the CPU
      utilization on the host is reduced by 9.4%.  The fio job is as follows:

        [global]
        bs=4k
        ioengine=libaio
        iodepth=32
        direct=1
        sync=0
        time_based=1
        runtime=30
        clocksource=gettimeofday
        ramp_time=5

        [job1]
        rw=randread
        filename=/dev/vdb
        size=4096M
        write_bw_log=fio
        write_iops_log=fio
        write_lat_log=fio
        log_avg_msec=1000

      This benchmark was run on an raw image on LVM.  The disk was an SSD
      drive and -drive cache=none,aio=native was used.

      Tested-by: Pradeep Surisetty <psuriset@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>

  commit 5ec911c30ff4337d4185e29e82a254349f5a22da
  Author: Kevin O'Connor <kevin@xxxxxxxxxxxx>
  Date:   Mon Aug 17 15:20:33 2015 -0400

      sdhci: Pass drive parameter to sdhci-pci via qdev property

      Commit 19109131 disabled the sdhci-pci support because it used
      drive_get_next().  This patch reenables sdhci-pci and changes it to
      pass the drive via a qdev property - for example:
       -device sdhci-pci,drive=drive0 -drive id=drive0,if=sd,file=myimage

      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin O'Connor <kevin@xxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 89b1273742f45c30927df203532fca0d9a3e1af7
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:22 2015 +0800

      tests: add test cases for netfilter object

      Using qtest qmp interface to implement following cases:
      1) add/remove netfilter
      2) add a netfilter then delete the netdev
      3) add/remove more than one netfilters
      4) add more than one netfilters and then delete the netdev

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 7dbb11c84f25e20301b47a77102db00d68a2c4a4
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:21 2015 +0800

      netfilter: add a netbuffer filter

      This filter is to buffer/release packets. Can be used when using
      MicroCheckpointing or other Remus like VM FT solutions.
      You can also use it to crudely simulate network delay.  Doesn't
      actually delay individual packets, but batches them together, which is
      a delay of sorts.

      Usage:
       -netdev tap,id=bn0
       -object filter-buffer,id=f0,netdev=bn0,queue=rx,interval=1000

      NOTE:
       Interval is in microseconds, it can't be omitted currently, and can't be 
0.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit b68c7f76926dee3f234ccee88f3167b640d9318e
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:20 2015 +0800

      net/queue: export qemu_net_queue_append_iov

      This will be used by buffer filter implementation later to
      queue packets.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit a4960f52e7f402a4b7402ace204283de7b9d4879
  Author: Yang Hongyang <burnef@xxxxxxxxx>
  Date:   Wed Oct 7 11:52:19 2015 +0800

      netfilter: print filter info associate with the netdev

      When execute "info network", print filter info also.
      add a info_str member to NetFilterState, store specific filters
      info.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 7ef7bc8586fb0d41742a896b532c7afa2bbb7f84
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:18 2015 +0800

      netfilter: add an API to pass the packet to next filter

      add an API qemu_netfilter_pass_to_next() to pass the packet
      to next filter.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 3e033a46a7e39ea31e15f1b53402df990977115a
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:17 2015 +0800

      net/queue: introduce NetQueueDeliverFunc

      net/queue.c has logic to send/queue/flush packets but a
      qemu_deliver_packet_iov() call is hardcoded. Abstract this
      func so that we can use our own deliver function in netfilter.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit fefe2a78abde932e0f340b21bded2c86def1d242
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:16 2015 +0800

      net: merge qemu_deliver_packet and qemu_deliver_packet_iov

      qemu_deliver_packet_iov already have the compat delivery, we
      can drop qemu_deliver_packet.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit e64c770d1fa859bd8ee583d339b085fe345ac02b
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:15 2015 +0800

      netfilter: hook packets before net queue send

      Capture packets that will be sent.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit fdccce4596218e49ca4d0f5d4b3f0c453bd99ba0
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:14 2015 +0800

      init/cleanup of netfilter object

      Add a netfilter object based on QOM.

      A netfilter is attached to a netdev, captures all network packets
      that pass through the netdev. When we delete the netdev, we also
      delete the netfilter object attached to it, because if the netdev is
      removed, the filter which attached to it is useless.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 9abce56d7b319b0c78b487720d128706272e0a0c
  Author: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
  Date:   Wed Oct 7 11:52:13 2015 +0800

      vl.c: init delayed object after net_init_clients

      Init delayed object after net_init_clients, because netfilters need
      to be initialized after net clients initialized.

      Signed-off-by: Yang Hongyang <yanghy@xxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit d62241eb6da9bd2517f07b3219ba4208b90b4e0d
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Sep 18 08:55:04 2015 +0300

      vmxnet3: Add support for VMXNET3_CMD_GET_ADAPTIVE_RING_INFO command

      Some drivers (e.g. vmware-tools) issue the 
VMXNET3_CMD_GET_ADAPTIVE_RING_INFO
      command.

      Currently, due to lack of support, a bogus value (-1) is returned.

      Support this command, returning the "adaptive-ring disabled" flag.

      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 8304402033e8dbe8e379017d51ed1dd8344f1dce
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Sep 28 13:37:26 2015 +0800

      e1000: use alias for default model

      Instead of duplicating the "e1000-82540em" device model as "e1000",
      make the latter an alias for the former.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit c6048f849c7e3f009786df76206e895a69de032c
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Sep 21 17:09:02 2015 +0300

      vmxnet3: Support reading IMR registers on bar0

      Instead of asserting, return the actual IMR register value.
      This is aligned with what's returned on ESXi.

      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Tested-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit a7278b36fcab9af469563bd7b9dadebe2ae25e48
  Author: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Aug 18 12:45:55 2015 +0300

      net/vmxnet3: Refine l2 header validation

      Validation of l2 header length assumed minimal packet size as
      eth_header + 2 * vlan_header regardless of the actual protocol.

      This caused crash for valid non-IP packets shorter than 22 bytes, as
      'tx_pkt->packet_type' hasn't been assigned for such packets, and
      'vmxnet3_on_tx_done_update_stats()' expects it to be properly set.

      Refine header length validation in 'vmxnet_tx_pkt_parse_headers'.
      Check its return value during packet processing flow.

      As a side effect, in case IPv4 and IPv6 header validation failure,
      corrupt packets will be dropped.

      Signed-off-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit c9003eb4662f44c61be9c8d7d5c9d4a02d58b560
  Merge: b37686f 925a040
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 9 17:30:03 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-virgl-20151008-1' 
into staging

      virtio-gpu: add 3d rendering support using virgl, misc fixes.
      ui/gtk: add opengl context and scanout support (for virtio-gpu).

      # gpg: Signature made Thu 08 Oct 2015 10:35:39 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-virgl-20151008-1:
        gtk/opengl: add opengl context and scanout support (GtkGLArea)
        gtk/opengl: add opengl context and scanout support (egl)
        opengl: add egl-context.[ch] helpers
        virtio-gpu: add cursor update tracepoint
        virtio-gpu: add 3d mode and virgl rendering support.
        virtio-gpu: update headers for virgl/3d
        virtio-gpu: change licence from GPLv2 to GPLv2+
        virtio-gpu: move iov free to virtio_gpu_cleanup_mapping_iov
        ui/console: add opengl context and scanout support interfaces.
        sdl2: stop flickering
        shaders: initialize vertexes once

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 33fe96833015cf15f4c0aa5bf8d34f60526e0732
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:59 2015 +0200

      Revert "qdev: Use qdev_get_device_class() for -device <type>,help"

      This reverts commit 31bed5509dfcbdfc293154ce81086a4dbd7a80b6.

      The reverted commit changed qdev_device_help() to reject abstract
      devices and devices that have cannot_instantiate_with_device_add_yet
      set, to fix crash bugs like -device x86_64-cpu,help.

      Rejecting abstract devices makes sense: they're purely internal, and
      the implementation of the help feature can't cope with them.

      Rejecting non-pluggable devices makes less sense: even though you
      can't use them with -device, the help may still be useful elsewhere,
      for instance with -global.  This is a regression: -device FOO,help
      used to help even for FOO that aren't pluggable.

      The previous two commits fixed the crash bug at a lower layer, so
      reverting this one is now safe.  Fixes the -device FOO,help
      regression, except for the broken devices marked
      cannot_even_create_with_object_new_yet.  For those, the error message
      is improved.

      Example of a device where the regression is fixed:

          $ qemu-system-x86_64 -device PIIX4_PM,help
          PIIX4_PM.command_serr_enable=bool (on/off)
          PIIX4_PM.multifunction=bool (on/off)
          PIIX4_PM.rombar=uint32
          PIIX4_PM.romfile=str
          PIIX4_PM.addr=int32 (Slot and optional function number, example: 06.0 
or 06)
          PIIX4_PM.memory-hotplug-support=bool
          PIIX4_PM.acpi-pci-hotplug-with-bridge-support=bool
          PIIX4_PM.s4_val=uint8
          PIIX4_PM.disable_s4=uint8
          PIIX4_PM.disable_s3=uint8
          PIIX4_PM.smb_io_base=uint32

      Example of a device where it isn't fixed:

          $ qemu-system-x86_64 -device host-x86_64-cpu,help
          Can't list properties of device 'host-x86_64-cpu'

      Both failed with "Parameter 'driver' expects pluggable device type"
      before.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1443689999-12182-11-git-send-email-armbru@xxxxxxxxxx>

  commit 4c315c27661502a0813b129e41c0bf640c34a8d6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:58 2015 +0200

      qdev: Protect device-list-properties against broken devices

      Several devices don't survive object_unref(object_new(T)): they crash
      or hang during cleanup, or they leave dangling pointers behind.

      This breaks at least device-list-properties, because
      qmp_device_list_properties() needs to create a device to find its
      properties.  Broken in commit f4eb32b "qmp: show QOM properties in
      device-list-properties", v2.1.  Example reproducer:

          $ qemu-system-aarch64 -nodefaults -display none -machine none -S -qmp 
stdio
          {"QMP": {"version": {"qemu": {"micro": 50, "minor": 4, "major": 2}, 
"package": ""}, "capabilities": []}}
          { "execute": "qmp_capabilities" }
          {"return": {}}
          { "execute": "device-list-properties", "arguments": { "typename": 
"pxa2xx-pcmcia" } }
          qemu-system-aarch64: /home/armbru/work/qemu/memory.c:1307: 
memory_region_finalize: Assertion `((&mr->subregions)->tqh_first == ((void 
*)0))' failed.
          Aborted (core dumped)
          [Exit 134 (SIGABRT)]

      Unfortunately, I can't fix the problems in these devices right now.
      Instead, add DeviceClass member cannot_destroy_with_object_finalize_yet
      to mark them:

      * Hang during cleanup (didn't debug, so I can't say why):
        "realview_pci", "versatile_pci".

      * Dangling pointer in cpus: most CPUs, plus "allwinner-a10", "digic",
        "fsl,imx25", "fsl,imx31", "xlnx,zynqmp", because they create such
        CPUs

      * Assert kvm_enabled(): "host-x86_64-cpu", host-i386-cpu",
        "host-powerpc64-cpu", "host-embedded-powerpc-cpu",
        "host-powerpc-cpu" (the powerpc ones can't currently reach the
        assertion, because the CPUs are only registered when KVM is enabled,
        but the assertion is arguably in the wrong place all the same)

      Make qmp_device_list_properties() fail cleanly when the device is so
      marked.  This improves device-list-properties from "crashes, hangs or
      leaves dangling pointers behind" to "fails".  Not a complete fix, just
      a better-than-nothing work-around.  In the above reproducer,
      device-list-properties now fails with "Can't list properties of device
      'pxa2xx-pcmcia'".

      This also protects -device FOO,help, which uses the same machinery
      since commit ef52358 "qdev-monitor: include QOM properties in -device
      FOO, help output", v2.2.  Example reproducer:

          $ qemu-system-aarch64 -machine none -device pxa2xx-pcmcia,help

      Before:

          qemu-system-aarch64: .../memory.c:1307: memory_region_finalize: 
Assertion `((&mr->subregions)->tqh_first == ((void *)0))' failed.

      After:

          Can't list properties of device 'pxa2xx-pcmcia'

      Cc: "Andreas Färber" <afaerber@xxxxxxx>
      Cc: "Edgar E. Iglesias" <edgar.iglesias@xxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Blue Swirl <blauwirbel@xxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Guan Xuetao <gxt@xxxxxxxxxxxxxxx>
      Cc: Jia Liu <proljc@xxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Cc: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Cc: Michael Walle <michael@xxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: qemu-ppc@xxxxxxxxxx
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-Id: <1443689999-12182-10-git-send-email-armbru@xxxxxxxxxx>

  commit edb1523d90415cb79f60f83b4028ef3820d15612
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:57 2015 +0200

      qmp: Fix device-list-properties not to crash for abstract device

      Broken in commit f4eb32b "qmp: show QOM properties in
      device-list-properties", v2.1.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1443689999-12182-9-git-send-email-armbru@xxxxxxxxxx>

  commit 2d1abb850fd15fd6eb75a92290be5f93b2772ec5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:56 2015 +0200

      device-introspect-test: New, covering device introspection

      The test doesn't check that the output makes any sense, only that QEMU
      survives.  Useful since we've had an astounding number of crash bugs
      around there.

      In fact, we have a bunch of them right now: a few devices crash or
      hang, and some leave dangling pointers behind.  The test skips testing
      the broken parts.  The next commits will fix them up, and drop the
      skipping.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443689999-12182-8-git-send-email-armbru@xxxxxxxxxx>

  commit 5fb48d9673b76fc53507a0e717a12968e57d846e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:55 2015 +0200

      libqtest: New hmp() & friends

      New convenience function hmp() to facilitate use of
      human-monitor-command in tests.  Use it to simplify its existing uses.

      To blend into existing libqtest code, also add qtest_hmpv() and
      qtest_hmp().  That, and the egregiously verbose GTK-Doc comment format
      make this patch look bigger than it is.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-Id: <1443689999-12182-7-git-send-email-armbru@xxxxxxxxxx>

  commit 82b15c7bdbda6207d1fee2ec824432e64af3ecb4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:54 2015 +0200

      libqtest: Clean up unused QTestState member sigact_old

      Unused since commit d766825.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1443689999-12182-6-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>

  commit e253c287153c6f3ce4177686ac12c196f9bd8292
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:53 2015 +0200

      tests: Fix how qom-test is run

      We want to run qom-test for every architecture, without having to
      manually add it to every architecture's list of tests.  Commit 3687d53
      accomplished this by adding it to every architecture's list
      automatically.

      However, some architectures inherit their tests from others, like this:

          check-qtest-x86_64-y = $(check-qtest-i386-y)
          check-qtest-microblazeel-y = $(check-qtest-microblaze-y)
          check-qtest-xtensaeb-y = $(check-qtest-xtensa-y)

      For such architectures, we ended up running the (slow!) test twice.
      Commit 2b8419c attempted to avoid this by adding the test only when
      it's not already present.  Works only as long as we consider adding
      the test to the architectures on the left hand side *after* the ones
      on the right hand side: x86_64 after i386, microblazeel after
      microblaze, xtensaeb after xtensa.

      Turns out we consider them in $(SYSEMU_TARGET_LIST) order.  Defined as

          SYSEMU_TARGET_LIST := $(subst -softmmu.mak,,$(notdir \
             $(wildcard $(SRC_PATH)/default-configs/*-softmmu.mak)))

      On my machine, this results in the oder xtensa, x86_64, microblazeel,
      microblaze, i386.  Consequently, qom-test runs twice for microblazeel
      and x86_64.

      Replace this complex and flawed machinery with a much simpler one: add
      generic tests (currently just qom-test) to check-qtest-generic-y
      instead of check-qtest-$(target)-y for every target, then run
      $(check-qtest-generic-y) for every target.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1443689999-12182-5-git-send-email-armbru@xxxxxxxxxx>

  commit c7104402353bf32ac1d3a276e3619a20e910506b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:52 2015 +0200

      macio: move DBDMA_init from instance_init to realize

      DBDMA_init is not idempotent, and calling it from instance_init
      breaks a simple object_new/object_unref pair.  Work around this,
      pending qdev-ification of DBDMA, by moving the call to realize.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443689999-12182-4-git-send-email-armbru@xxxxxxxxxx>

  commit 81e0ab48dda611e9571dc2e166840205a4208567
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:51 2015 +0200

      hw: do not pass NULL to memory_region_init from instance_init

      This causes the region to outlive the object, because it attaches the
      region to /machine.  This is not nice for the "realize" method, but
      much worse for "instance_init" because it can cause dangling pointers
      after a simple object_new/object_unref pair.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443689999-12182-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>

  commit 2e2b8eb70fdb7dfbec39f3a19b20f9a73f2f813e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Oct 1 10:59:50 2015 +0200

      memory: allow destroying a non-empty MemoryRegion

      This is legal; the MemoryRegion will simply unreference all the
      existing subregions and possibly bring them down with it as well.
      However, it requires a bit of care to avoid an infinite loop.
      Finalizing a memory region cannot trigger an address space update,
      but memory_region_del_subregion errs on the side of caution and
      might trigger a spurious update: avoid that by resetting mr->enabled
      first.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1443689999-12182-2-git-send-email-armbru@xxxxxxxxxx>

  commit c6047e9621f77a65993bcda8f58b676996e24bb5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 8 18:11:40 2015 +0200

      virtio-input: Fix device introspection on non-Linux hosts

      When CONFIG_LINUX is off, devices "virtio-keyboard-device",
      "virtio-mouse-device", "virtio-tablet-device" and
      "virtio-input-host-device" aren't compiled in, yet
      "virtio-keyboard-pci", "virtio-mouse-pci", "virtio-tablet-pci" and
      "virtio-input-host-pci" still are.  Attempts to introspect them crash,
      e.g.

          $ qemu-system-x86_64 -device virtio-tablet-pci,help
          **
          ERROR:/work/armbru/qemu/qom/object.c:333:object_initialize_with_type: 
assertion failed: (type != NULL)

      Broken in commit 710e2d9 and commit 006a5ed.

      Fix by compiling the "virtio-FOO-pci" exactly when compiling the
      "virtio-FOO-device": compile "virtio-keyboard-device",
      "virtio-mouse-device", "virtio-tablet-device" regardless of
      CONFIG_LINUX, and compile "virtio-input-host-pci" only for
      CONFIG_LINUX.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Message-Id: <1444320700-26260-3-git-send-email-armbru@xxxxxxxxxx>

  commit ac98fa849e834f48e5a64cf4b22218ba4047e142
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Oct 8 18:11:39 2015 +0200

      update-linux-headers: Rename SW_MAX to SW_MAX_

      The next commit will compile hw/input/virtio-input.c and
      hw/input/virtio-input-hid.c even when CONFIG_LINUX is off.  These
      files include both "include/standard-headers/linux/input.h" and
      <windows.h> then.  Doesn't work, because both define SW_MAX.  We don't
      actually use it.  Patch input.h to define SW_MAX_ instead.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1444320700-26260-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b37686f7e84b22cfaf7fd01ac5133f2617cc3027
  Merge: 8be6e62 98cf48f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 9 12:18:13 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' 
into staging

      # gpg: Signature made Fri 09 Oct 2015 10:15:13 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/tracing-pull-request:
        trace: remove malloc tracing
        docs: update the usage example of "dtrace" backend in tracing.txt

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8be6e623a28497d1dcd10547a573c9143ece525c
  Merge: 1d27b91 deb847b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 9 10:45:09 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-10-08' into staging

      trivial patches for 2015-10-08

      # gpg: Signature made Thu 08 Oct 2015 17:51:05 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-10-08:
        tests: Unique test path for /string-visitor/output
        linux-user: Remove type casts to union type
        linux-user: Use g_new() & friends where that makes obvious sense
        rocker: Use g_new() & friends where that makes obvious sense
        .travis.yml: Run make check for all targets, not just some
        hw: char: Remove unnecessary variable
        hw: timer: Remove unnecessary variable
        qapi: add missing @
        MAINTAINERS: Add NSIS file for W32, W64 hosts
        target-ppc: Remove unnecessary variable
        target-microblaze: Remove unnecessary variable
        s/cpu_get_real_ticks/cpu_get_host_ticks/
        pc: check for underflow in load_linux
        pci-assign: do not include sys/io.h
        block/ssh: remove dead code
        imx_serial: Generate interrupt on tx empty if enabled
        sdhci: Change debug prints to compile unconditionally
        sdhci: use PRIx64 for uint64_t type
        Add .dir-locals.el file to configure emacs coding style

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 98cf48f60aa4999f5b2808569a193a401a390e6a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 16 17:38:44 2015 +0200

      trace: remove malloc tracing

      The malloc vtable is not supported anymore in glib, because it broke
      when constructors called g_malloc.  Remove tracing of g_malloc,
      g_realloc and g_free calls.

      Note that, for systemtap users, glib also provides tracepoints
      glib.mem_alloc, glib.mem_free, glib.mem_realloc, glib.slice_alloc
      and glib.slice_free.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1442417924-25831-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2e4ccbbc64b212c4d1c7008ca58e141d6a984494
  Author: Lin Ma <lma@xxxxxxxx>
  Date:   Fri Sep 11 14:58:50 2015 +0800

      docs: update the usage example of "dtrace" backend in tracing.txt

      The usage example of dtrace is quite ancient, We have tracetool.py with
      different parameters instead of the original tracetool shell script for
      a long time, So update the old information.

      Signed-off-by: Lin Ma <lma@xxxxxxxx>
      Message-id: 1441954730-17341-1-git-send-email-lma@xxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit deb847bfba7ee0ab8151842f5e9cb12d4daad3a3
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Mon Oct 5 12:04:20 2015 +0100

      tests: Unique test path for /string-visitor/output

      Newer GLib's want unique test paths, and thus moan at dupes.
      (Seen on Fedora 23 which has glib 2.46)

      Uniquify the paths.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d1c002b6ae2dc81d97bbe23fe65e1960abdba9a4
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sun Feb 8 15:40:58 2015 +0100

      linux-user: Remove type casts to union type

      Casting to a union type is a gcc (and clang) extension. Other compilers
      might not support it. This is not a problem today, but the type casts
      can be removed easily. Smatch now no longer complains like before:

      linux-user/syscall.c:3190:18: warning: cast to non-scalar
      linux-user/syscall.c:7348:44: warning: cast to non-scalar

      Cc: Riku Voipio <riku.voipio@xxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c78d65e8a7d87badf46eda3a0b41330f5d239132
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:53:03 2015 +0200

      linux-user: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 778358d0a8f74a76488daea3c1b6fb327d8135b4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:52:23 2015 +0200

      rocker: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patchas in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Acked-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Jiri Pirko <jiri@xxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit cb157af23833ca0762125f34b3fe73cfdbac297e
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 15:27:12 2015 +1000

      .travis.yml: Run make check for all targets, not just some

      ed173cb ".travis.yml: remove "make check" from main matrix" stopped 
running
      make check for all the Travis build targets for various reasons.  It
      continued to run make check on one Travis build, which builds for a big
      list of all (? nearly all) our supported softmmu targets.

      Unfortunately, due to a spacing / quoting error it only actually builds 
for
      the alpha, arm, aarch64 and cris targets.  Specifically, the list of
      targets is split over several lines.  Even with YAML folding, this will
      leave spaces in the list, meaning $TARGETS won't have the value we need.

      I had a look at the YAML spec and I couldn't quickly see a way of 
splitting
      the list so that it doesn't end up with spaces, so this patch fixes the
      problem by putting the whole list on one huge line.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 65cb2a14cacbc08c754f3cb41436fe6ece46593a
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Fri Sep 25 20:06:02 2015 +0530

      hw: char: Remove unnecessary variable

      Compress lines and remove the variable.

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit bf5f78efed26054c2ce71e6f4c30ece13bf06e87
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Fri Sep 25 20:06:03 2015 +0530

      hw: timer: Remove unnecessary variable

      Compress lines and remove the variable.

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f169f8fbca3999fe59f37a86822f305f7292949d
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Sep 25 16:03:30 2015 +0200

      qapi: add missing @

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 885bdc95b165dc2b63bdc756be4919e948b9d27b
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Fri Sep 25 22:25:32 2015 +0200

      MAINTAINERS: Add NSIS file for W32, W64 hosts

      The NSIS installer configuration is maintained by me.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f9b8e7f63acf9418238444aec654aba249a334ba
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Fri Sep 25 14:07:58 2015 +0530

      target-ppc: Remove unnecessary variable

      Compress lines and remove the variable.

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 738c8b01ba4d020ee42c72e83a6aa3d9408a2530
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Fri Sep 25 14:07:56 2015 +0530

      target-microblaze: Remove unnecessary variable

      Compress lines and remove the variable.

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4a7428c5a7e82f4dde3646e4a8cc8e54f3257e2a
  Author: Christopher Covington <cov@xxxxxxxxxxxxxx>
  Date:   Fri Sep 25 10:42:21 2015 -0400

      s/cpu_get_real_ticks/cpu_get_host_ticks/

      This should help clarify the purpose of the function that returns
      the host system's CPU cycle count.

      Signed-off-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      ppc portion
      Acked-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ec5fd402645fd4f03d89dcd5840b0e8542549e82
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 14 12:07:22 2015 +0200

      pc: check for underflow in load_linux

      If (setup_size+1)*512 is small enough, kernel_size -= setup_size can 
allocate
      a huge amount of memory.  Avoid that.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 16033ba577059c5675e4c786234c46027380c29b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 15 10:47:36 2015 +0200

      pci-assign: do not include sys/io.h

      This file does not exist on bionic libc and the functions it defines
      are in fact not used by pci-assign.c.  Remove it.

      Reported-by: Houcheng Lin <houcheng@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit eab2ac9d3c1675a58989000c2647aa33e440906a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 14 13:12:34 2015 +0200

      block/ssh: remove dead code

      The "err" label cannot be reached with qp != NULL.  Remove the free-ing
      of qp and avoid future regressions by removing the initializer.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      ACKed-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit dc1442204a2235b1ad0c4bdceb3580c97f71f1b5
  Author: Guenter Roeck <linux@xxxxxxxxxxxx>
  Date:   Thu Aug 20 08:52:35 2015 -0700

      imx_serial: Generate interrupt on tx empty if enabled

      Generate an interrupt if the tx buffer is empty and the tx empty interrupt
      is enabled. This fixes a problem seen when running a Linux image since
      Linux commit 55c3cb1358e ("serial: imx: remove unneeded 
imx_transmit_buffer()
      from imx_start_tx()"). Linux now waits for the tx empty interrupt before
      starting to send data, causing transmit stalls until there is an interrupt
      for another reason.

      Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7af0fc994e85c0ff16eda6d7e328427b02a01008
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Mon Sep 7 23:36:41 2015 +0530

      sdhci: Change debug prints to compile unconditionally

      Conditional compilation hides few type mismatch warnings, fix it to
      compile unconditionally.

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit be9c5ddeabb73e9dee2d6922c03ffee4e1f4c8ec
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Mon Sep 7 23:36:40 2015 +0530

      sdhci: use PRIx64 for uint64_t type

      Fix compile time warnings, because of type mismatch for unsigned long
      long type.

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 91288a58a550be4dc80628456d5e1d2e91424827
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Jun 4 14:30:07 2015 +0100

      Add .dir-locals.el file to configure emacs coding style

      Some default emacs setups indent by 2 spaces and uses tabs
      which is counter to the QEMU coding style rules. Adding a
      .dir-locals.el file in the top level of the GIT repo will
      inform emacs about the QEMU coding style, and so assist
      contributors in avoiding common style mistakes before
      they submit patches.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1d27b91723c252d9a97151dc1959cfd89c5816cb
  Merge: 31c9bd1 508ce5e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 8 16:50:34 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20151007.0' into staging

      VFIO updates 2015-10-07

       - Change platform device IRQ setup sequence for compatibility
         with upcoming IRQ forwarding (Eric Auger)
       - Extensions to support vfio-pci devices on spapr-pci-host-bridge
         (David Gibson) [clang problem patch dropped]

      # gpg: Signature made Wed 07 Oct 2015 16:30:52 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20151007.0:
        vfio: Allow hotplug of containers onto existing guest IOMMU mappings
        memory: Allow replay of IOMMU mapping notifications
        vfio: Record host IOMMU's available IO page sizes
        vfio: Check guest IOVA ranges against host IOMMU capabilities
        vfio: Generalize vfio_listener_region_add failure path
        vfio: Remove unneeded union from VFIOContainer
        hw/vfio/platform: do not set resamplefd for edge-sensitive IRQS
        hw/vfio/platform: change interrupt/unmask fields into pointer
        hw/vfio/platform: irqfd setup sequence update

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 31c9bd164ddb653915b9029ba0edd40cd57530d9
  Merge: ca4e4b8 126d89e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 8 15:33:56 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20151007' into 
staging

      Do away with TB retranslation

      # gpg: Signature made Wed 07 Oct 2015 10:42:08 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20151007: (26 commits)
        tcg: Adjust CODE_GEN_AVG_BLOCK_SIZE
        tcg: Check for overflow via highwater mark
        tcg: Allocate a guard page after code_gen_buffer
        tcg: Emit prologue to the beginning of code_gen_buffer
        tcg: Remove tcg_gen_code_search_pc
        tcg: Remove gen_intermediate_code_pc
        tcg: Save insn data and use it in cpu_restore_state_from_tb
        tcg: Pass data argument to restore_state_to_opc
        tcg: Add TCG_MAX_INSNS
        target-*: Drop cpu_gen_code define
        tcg: Merge cpu_gen_code into tb_gen_code
        target-sparc: Add npc state to insn_start
        target-sparc: Remove gen_opc_jump_pc
        target-sparc: Split out gen_branch_n
        target-sparc: Tidy gen_branch_a interface
        target-cris: Mirror gen_opc_pc into insn_start
        target-sh4: Add flags state to insn_start
        target-s390x: Add cc_op state to insn_start
        target-mips: Add delayed branch state to insn_start
        target-i386: Add cc_op state to insn_start
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca4e4b82848982311a40d0937c1de9db1108fdb0
  Merge: fb6345f fec7daa
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 8 13:37:04 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tile-20151007' into 
staging

      Collected patches

      # gpg: Signature made Wed 07 Oct 2015 10:30:17 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tile-20151007:
        target-tilegx: Support iret instruction and related special registers
        target-tilegx: Use TILEGX_EXCP_OPCODE_UNKNOWN and 
TILEGX_EXCP_OPCODE_UNIMPLEMENTED correctly
        target-tilegx: Implement v2mults instruction
        target-tilegx: Implement v?int_* instructions.
        target-tilegx: Implement v2sh* instructions
        target-tilegx: Handle nofault prefetch instructions
        target-tilegx: Fix a typo for mnemonic about "ld_add"
        target-tilegx: Use TILEGX_EXCP_SIGNAL instead of TILEGX_EXCP_SEGV
        target-tilegx: Decode ill pseudo-instructions
        linux-user/tilegx: Implement tilegx signal features
        linux-user/syscall_defs.h: Sync the latest si_code from Linux kernel
        target-tilegx: Let x1 pipe process bpt instruction only
        target-tilegx: Implement complex multiply instructions
        target-tilegx: Implement table index instructions
        target-tilegx: Implement crc instructions
        target-tilegx: Implement v1multu instruction
        target-tilegx: Implement v*add and v*sub instructions
        target-tilegx: Implement v*shl, v*shru, and v*shrs instructions
        target-tilegx: Tidy simd_helper.c

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fb6345f452ba7cefb395389abb17d0af0e42c54b
  Merge: eed2df6 32532f2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 8 11:28:17 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-10-06

      # gpg: Signature made Tue 06 Oct 2015 20:53:42 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/numa-pull-request:
        pc-dimm: Fail realization for invalid nodes in non-NUMA config

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 925a04000231ad865770ba227876ba518ac3e479
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue May 26 12:26:21 2015 +0200

      gtk/opengl: add opengl context and scanout support (GtkGLArea)

      This allows virtio-gpu to render in 3d mode.
      Uses native opengl support which is present
      in gtk versions 3.16 and newer.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 4782aeb79fbcb70bb96b52f6d9bc7cadb3cf7d58
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri May 8 11:30:51 2015 +0200

      gtk/opengl: add opengl context and scanout support (egl)

      This allows virtio-gpu to render in 3d mode.
      Uses egl, for gtk versions 3.14 and older.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 6c18744d0f99138cb19cd9d1241d7b11c478a944
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 29 10:08:04 2015 +0200

      opengl: add egl-context.[ch] helpers

      Add helper functions to manage opengl contexts using egl.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit e9c1b459f28fb4dce52dd5afa6a1ad7fb00ee5e2
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Oct 2 08:30:27 2015 +0200

      virtio-gpu: add cursor update tracepoint

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 9d9e152136bdaa75ea98e5c2105f2a7127e369eb
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 11 12:51:43 2014 +0200

      virtio-gpu: add 3d mode and virgl rendering support.

      Add virglrenderer library detection.  Add 3d mode to virtio-gpu,
      wire up virglrenderer library.  When in 3d mode render using the
      new context management and texture scanout callbacks.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit bc79e96442283471c92c8ea7ae15563274f7b0cb
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri May 22 15:38:33 2015 +0200

      virtio-gpu: update headers for virgl/3d

      Sync with linux kernel headers with virgl/3d patches applied.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 2e2521452e28399dbc6fecec56d5bbb29f9b6796
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 16 09:15:15 2015 +0200

      virtio-gpu: change licence from GPLv2 to GPLv2+

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 7f3be0f20ff8d976ab982cc06026cac0600f1fb6
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Sep 15 09:23:14 2015 +0200

      virtio-gpu: move iov free to virtio_gpu_cleanup_mapping_iov

      For symmetry reasons: virtio_gpu_create_mapping_iov() allocates it so
      virtio_gpu_cleanup_mapping_iov() should free it, otherwise it's easy to
      miss a free() needed and leak memory.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 06020b950c0a6a73cbee0527af846b05679c937a
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 11 13:56:51 2014 +0200

      ui/console: add opengl context and scanout support interfaces.

      Add callbacks for opengl context management and scanout texture
      configuration to DisplayChangeListenerOps.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 136a8d9d444560f71fca89f27475cfeaffa19cf3
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jun 12 12:16:02 2015 +0200

      sdl2: stop flickering

      Optimizing updates by copying the dirty rectangle
      only do not work because of double-buffering.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit c046d8284474a0f7763dea849433bde37a69023d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 10 14:40:01 2015 +0200

      shaders: initialize vertexes once

      Create a buffer for the vertex data and place vertexes
      there at initialization time.  Then just use the buffer
      for each texture blit.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 126d89e8cdfa3be15d51f76906eaccbcd0023f98
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Sep 26 09:23:42 2015 -0700

      tcg: Adjust CODE_GEN_AVG_BLOCK_SIZE

      At present, the "average" guestimate of TB size is way too small, leading
      to many unused entries in the pre-allocated TB array.  For a guest with 
1GB
      ram, we're currently allocating 256MB for the array.

      Survey arm, alpha, aarch64, ppc, sparc, i686, x86_64 guests running on
      x86_64 and ppc64 hosts and select a new average.  The size of the array
      drops to 81MB with no more flushing than before.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b125f9dc7bd68cd4c57189db4da83b0620b28a72
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 22 13:01:15 2015 -0700

      tcg: Check for overflow via highwater mark

      We currently pre-compute an worst case code size for any TB, which
      works out to be 122kB.  Since the average TB size is near 1kB, this
      wastes quite a lot of storage.

      Instead, check for overflow in between generating code for each opcode.
      The overhead of the check isn't measurable and wastage is minimized.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f293709c6af7a65a9bcec09cdba7a60183657a3e
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Sep 19 12:03:15 2015 -0700

      tcg: Allocate a guard page after code_gen_buffer

      This will catch any overflow of the buffer.

      Add a native win32 alternative for alloc_code_gen_buffer;
      remove the malloc alternative.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8163b74938d8b7d12e70597c4553dd0dc49443d5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Sep 18 23:43:05 2015 -0700

      tcg: Emit prologue to the beginning of code_gen_buffer

      By putting the prologue at the end, we risk overwriting the
      prologue should our estimate of maximum TB size.  Given the
      two different placements of the call to tcg_prologue_init,
      move the high water mark computation into tcg_prologue_init.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 04fe64000162c45d8974da9ca4d266f8d0e67eb7
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 20:07:48 2015 -0700

      tcg: Remove tcg_gen_code_search_pc

      It's no longer used, so tidy up everything reached by it.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4e5e1215156662b2b153255c49d4640d82c5568b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 20:01:40 2015 -0700

      tcg: Remove gen_intermediate_code_pc

      It is no longer used, so tidy up everything reached by it.
      This includes the gen_opc_* arrays, the search_pc parameter
      and the inline gen_intermediate_code_internal functions.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fca8a500d519a56abeaedf8073167a61d3c6b9c4
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 19:11:45 2015 -0700

      tcg: Save insn data and use it in cpu_restore_state_from_tb

      We can now restore state without retranslation.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bad729e272387de7dbfa3ec4319036552fc6c107
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 15:51:12 2015 -0700

      tcg: Pass data argument to restore_state_to_opc

      The gen_opc_* arrays are already redundant with the data stored in
      the insn_start arguments.  Transition restore_state_to_opc to use
      data from the latter.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 190ce7fbc79fd0883a6170d7f30da59d366e6830
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 14:34:41 2015 -0700

      tcg: Add TCG_MAX_INSNS

      Adjust all translators to respect it.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit dc03246cc377268db63abc8c5663ef571aec2eea
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 27 18:18:09 2015 -0700

      target-*: Drop cpu_gen_code define

      This symbol no longer exists.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fec88f64bda27846add83e924c8f4def9d94e068
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 27 18:17:40 2015 -0700

      tcg: Merge cpu_gen_code into tb_gen_code

      As it's only caller, this tidies things a bit.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a3d5ad761cafc669e25f4185e63d8d758a989135
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 13:30:52 2015 -0700

      target-sparc: Add npc state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6c42444f9a53b6af39d46008cb9f650b11e96cb9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 13:24:44 2015 -0700

      target-sparc: Remove gen_opc_jump_pc

      Since jump_pc[1] is always npc + 4, we can infer after incrementing
      that jump_pc[1] == pc + 4.  Because of that, we can encode the branch
      destination into a single word, and store that in npc.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2bf2e019ed0a6349220620240c0ba807846793b9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 13:01:47 2015 -0700

      target-sparc: Split out gen_branch_n

      Unify three copies of this code from different
      branch types.  Fix the case when npc == DYNAMIC_PC,
      i.e. a branch within a delay slot.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bfa31b765798139804ce9e5e35c7e142d233df31
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 31 12:44:16 2015 -0700

      target-sparc: Tidy gen_branch_a interface

      We always pass pc2 == dc->npc and r_cond == cpu_cond,
      and always set is_br afterward.  Infer all of that.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bd03c791a6ed1bb7aec17df15cfeea649362e8fd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:35:14 2015 -0700

      target-cris: Mirror gen_opc_pc into insn_start

      This perhaps isn't ideal in terms of (ab)using the "pc" field
      to encode both pc and ppc + delay branch state, as one has to
      be aware of this when examining opcode dumps.

      But it preserves existing logic, which will be good for bisection,
      and it certainly does save storage space.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 07f3c16ced2b869228d58683c1dea06e3e1c9aa5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:28:52 2015 -0700

      target-sh4: Add flags state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a3fd522048f6728d8259e14596c9632c7c67305a
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:26:10 2015 -0700

      target-s390x: Add cc_op state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c20d594e45bc8c4b21be1a7637cba0f279f72879
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:25:36 2015 -0700

      target-mips: Add delayed branch state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2066d09516ba34d0d180fdea451436d9babb3308
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:24:58 2015 -0700

      target-i386: Add cc_op state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 52e971d9ff67e340ac2a86bd67e14bd31c7991e0
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:22:06 2015 -0700

      target-arm: Add condexec state to insn_start

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9aef40ed1f6e2bd794bbb3ba8c8b773e506334c9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Aug 30 09:21:33 2015 -0700

      tcg: Allow extra data to be attached to insn_start

      With an eye toward having this data replace the gen_opc_* arrays
      that each target collects in order to enable restore_state_from_tb.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b933066ae03d924a92b2616b4a24e7d91cd5b841
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Sep 17 15:58:10 2015 -0700

      target-*: Introduce and use cpu_breakpoint_test

      Reduce the boilerplate required for each target.  At the same time,
      move the test for breakpoint after calling tcg_gen_insn_start.

      Note that arm and aarch64 do not use cpu_breakpoint_test, but still
      move the inline test down after tcg_gen_insn_start.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 959082fc4a93a016a6b697e1e0c2b373d8a3a373
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Sep 17 14:25:46 2015 -0700

      target-*: Increment num_insns immediately after tcg_gen_insn_start

      This does tidy the icount test common to all targets.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 667b8e29c5b1d8c5b4e6ad5f780ca60914eb6e96
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 29 12:59:29 2015 -0700

      target-*: Unconditionally emit tcg_gen_insn_start

      While we're at it, emit the opcode adjacent to where we currently
      record data for search_pc.  This puts gen_io_start et al on the
      "correct" side of the marker.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 765b842adec4c5a359e69ca08785553599f71496
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 29 12:37:33 2015 -0700

      tcg: Rename debug_insn_start to insn_start

      With an eye toward making it mandatory.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fec7daab3d63b7b2ca61581fffc40142b22b2bd5
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 17:41:14 2015 +0800

      target-tilegx: Support iret instruction and related special registers

      EX_CONTEXT_0_0 is used for jumping address, and EX_CONTEXT_0_1 is for
      INTERRUPT_CRITICAL_SECTION, which should only be 0 or 1 in user mode, or
      it will cause target SIGILL (and the patch doesn't support system mode).

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 77b3adc0012153e629b48b710ad19a8b544bb507
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 13:34:33 2015 +0800

      target-tilegx: Use TILEGX_EXCP_OPCODE_UNKNOWN and 
TILEGX_EXCP_OPCODE_UNIMPLEMENTED correctly

      For some cases, they are for TILEGX_EXCP_OPCODE_UNKNOWN, not for
      TILEGX_EXCP_OPCODE_UNIMPLEMENTED.

      Also for some cases, they are for TILEGX_EXCP_OPCODE_UNIMPLEMENTED, not
      for TILEGX_EXCP_OPCODE_UNKNOWN.

      When analyzing issues, the correct printing information is necessary,
      e.g. grep UIMP in gcc testsuite output log for finding qemu tilegx
      umimplementation issues, grep UNKNOWN for finding unknown instructions.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a419e22d703667211521d4257df294047c13eca3
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 19:01:27 2015 +0800

      target-tilegx: Implement v2mults instruction

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443956491-26850-3-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit aaf893a6ad6c7c0a986638ba599000e13f9f4182
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 19:01:26 2015 +0800

      target-tilegx: Implement v?int_* instructions.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443956491-26850-2-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 78affcb798516dcb5d44a7ed598d79dcd42cd988
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Oct 4 19:01:25 2015 +0800

      target-tilegx: Implement v2sh* instructions

      It is just according to v1sh* instructions implementation.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443956491-26850-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 133b84c819166a6da1425a007cf44d7a96d507a4
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Oct 1 12:32:52 2015 +1000

      target-tilegx: Handle nofault prefetch instructions

      These are mapped onto some of the normal load instructions, when the
      destination is the zero register.  Other load insns do fault even
      when targeting the zero register.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 95df61e6238c79c2dc14f2bffa76abb2bd3acba7
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Wed Sep 30 05:38:40 2015 +0800

      target-tilegx: Fix a typo for mnemonic about "ld_add"

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443562720-3008-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a0577d2aa9bd42d5d584fa03649a166ba45c2f3d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sun Sep 27 14:26:04 2015 -0700

      target-tilegx: Use TILEGX_EXCP_SIGNAL instead of TILEGX_EXCP_SEGV

      Consolidate signal handling under a single exception.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit dd8070d865ad1b32876931f812a80645f97112ff
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sat Sep 26 13:00:35 2015 +0800

      target-tilegx: Decode ill pseudo-instructions

      Notice raise and bpt, decoding the constants embedded in the
      nop addil instruction in the x0 slot.

      [rth: Generalize TILEGX_EXCP_OPCODE_ILL to TILEGX_EXCP_SIGNAL.
      Drop validation of signal values.]

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443243635-4886-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bf0f60a61b92f4f9ddf09a3cf4fc41796fa42aed
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sun Sep 27 08:10:18 2015 +0800

      linux-user/tilegx: Implement tilegx signal features

      [rth: Remove the spreg[EX1] handling, as it's irrelevant to user-mode.]

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443312618-13641-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit de2fdd56b11f4207e6614ee2f56039ef240399f1
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sat Sep 26 12:10:05 2015 +0800

      linux-user/syscall_defs.h: Sync the latest si_code from Linux kernel

      They content several new macro members, also contents TARGET_N*.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443240605-2924-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f723287944c30f1bf230f08b4fb03d6d11a16504
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sat Sep 26 07:42:54 2015 +0800

      target-tilegx: Let x1 pipe process bpt instruction only

      According to the related document, bpt can be only in x1 pipe.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1443224574-2718-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9ff5b57c219f38f025b95ebf4b593b5d4e828b53
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 23 10:43:48 2015 -0700

      target-tilegx: Implement complex multiply instructions

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0b4232f10895e863b1759a93ba0d0a1b3380dc31
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 23 10:19:44 2015 -0700

      target-tilegx: Implement table index instructions

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ba1fc78f65fdea9d4b14d6449514c1351ad64fa4
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 23 10:12:16 2015 -0700

      target-tilegx: Implement crc instructions

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 38c949ffe7497b1d833bca5f70b22c87df9bd567
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Tue Sep 22 06:26:54 2015 +0800

      target-tilegx: Implement v1multu instruction

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1442874414-3578-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c6876d7e1c3ff04a9b9f751f6260bf427ab8cf1a
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Tue Sep 22 06:18:38 2015 +0800

      target-tilegx: Implement v*add and v*sub instructions

      [rth: Implement everything inline; handle v1addi and v2addi as well.]

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1442873918-3394-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0ab0a3d768a4f6ab6747b6fd936c5cf70b5069c2
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Tue Sep 22 05:47:35 2015 +0800

      target-tilegx: Implement v*shl, v*shru, and v*shrs instructions

      v2sh* are implemented with helper functions; v4sh* are implmeneted
      with inline code.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <1442872055-2836-1-git-send-email-gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 055130107683c3b199c1848a25e5e2c568230cbf
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 21 17:27:11 2015 -0700

      target-tilegx: Tidy simd_helper.c

      Using the V1 macro when we want to replicate a byte across
      the 8 elements of the word.  Using deposit and extract for
      manipulating specific elements.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 32532f215c49f005aaef942adfae34cbcc5fa678
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 17 18:19:40 2015 +0530

      pc-dimm: Fail realization for invalid nodes in non-NUMA config

      pc_dimm_realize() validates the NUMA node to which memory hotplug is
      being performed only in case of NUMA configuration. Include a check to
      fail for invalid nodes in case of non-NUMA configuration too.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit eed2df678574f7f17947180a01127a8ba673a226
  Merge: 5fdb467 d9f090e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 6 16:32:16 2015 +0100

      Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20151006' 
into staging

      s390: fixes

      Some fixes all over the place:
      - ccw bios and gcc 5.1 (avoid floating point ops)
      - properly print vector registers
      - sclp and sclp-event-facility no longer hang on 
object_unref(object_new(T))
      - better name for io_subsystem_reset

      One feature
      - the gdb server now exposes several virtualization specific register

      # gpg: Signature made Tue 06 Oct 2015 11:20:24 BST using RSA key ID 
B5A61C7C
      # gpg: Good signature from "Christian Borntraeger (IBM) 
<borntraeger@xxxxxxxxxx>"

      * remotes/borntraeger/tags/s390x-20151006:
        s390x: rename io_subsystem_reset -> subsystem_reset
        s390x/info registers: print vector registers properly
        s390x: set missing parent for hotplug and quiesce events
        s390x/gdb: expose virtualization specific registers
        pc-bios/s390-ccw: avoid floating point operations

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5fdb4671b08e0d1631447e81348b2b50a6b85bf7
  Merge: 006d5c7 dfeb867
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 6 13:42:33 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-10-05

      # gpg: Signature made Mon 05 Oct 2015 17:04:38 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"

      * remotes/ehabkost/tags/x86-pull-request:
        icc_bus: drop the unused files
        cpu/apic: drop icc bus/bridge
        x86: use new method to correct reset sequence
        apic: move APIC's MMIO region mapping into APIC
        Correctly re-init EFER state during INIT IPI
        target-i386: add ABM to Haswell* and Broadwell* CPU models
        target-i386: get/put MSR_TSC_AUX across reset and migration
        target-i386: Make check_hw_breakpoints static
        target-i386: Move breakpoint related functions to new file
        target-i386: Convert kvm_default_*features to property/value pairs
        vl: Add another sanity check to smp_parse() function
        cpu: Introduce X86CPUTopoInfo structure for argument simplification

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 006d5c741bbfcdbedeb59e14527fe58d45c9c76b
  Merge: 7fe34ca ec6b69c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Oct 6 12:09:56 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Mon 05 Oct 2015 17:01:11 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        qtest/ide-test: ppc64be correction for ATAPI tests
        MAINTAINERS: Small IDE/FDC touchup
        qtest/ahci: fix redundant assertion

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7fe34ca9c2e99560dc65395d599a6920624b127d
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Oct 6 10:17:55 2015 +0100

      tests: vhost-user: disable unless CONFIG_VHOST_NET

      vhost-user depends on vhost-net. We should probably fix that.
      For now, let's disable the test otherwise.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 508ce5eb00070809f0d19917a1b2960dfcf5a64b
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:56 2015 +1000

      vfio: Allow hotplug of containers onto existing guest IOMMU mappings

      At present the memory listener used by vfio to keep host IOMMU mappings
      in sync with the guest memory image assumes that if a guest IOMMU
      appears, then it has no existing mappings.

      This may not be true if a VFIO device is hotplugged onto a guest bus
      which didn't previously include a VFIO device, and which has existing
      guest IOMMU mappings.

      Therefore, use the memory_region_register_iommu_notifier_replay()
      function in order to fix this case, replaying existing guest IOMMU
      mappings, bringing the host IOMMU into sync with the guest IOMMU.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a788f227ef7bd2912fcaacdfe13d13ece2998149
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:55 2015 +1000

      memory: Allow replay of IOMMU mapping notifications

      When we have guest visible IOMMUs, we allow notifiers to be registered
      which will be informed of all changes to IOMMU mappings.  This is used by
      vfio to keep the host IOMMU mappings in sync with guest IOMMU mappings.

      However, unlike with a memory region listener, an iommu notifier won't be
      told about any mappings which already exist in the (guest) IOMMU at the
      time it is registered.  This can cause problems if hotplugging a VFIO
      device onto a guest bus which had existing guest IOMMU mappings, but 
didn't
      previously have an VFIO devices (and hence no host IOMMU mappings).

      This adds a memory_region_iommu_replay() function to handle this case.  It
      replays any existing mappings in an IOMMU memory region to a specified
      notifier.  Because the IOMMU memory region doesn't internally remember the
      granularity of the guest IOMMU it has a small hack where the caller must
      specify a granularity at which to replay mappings.

      If there are finer mappings in the guest IOMMU these will be reported in
      the iotlb structures passed to the notifier which it must handle (probably
      causing it to flag an error).  This isn't new - the VFIO iommu notifier
      must already handle notifications about guest IOMMU mappings too short
      for it to represent in the host IOMMU.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 7a140a57c69293a2f19b045f40953a87879e8c76
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:54 2015 +1000

      vfio: Record host IOMMU's available IO page sizes

      Depending on the host IOMMU type we determine and record the available 
page
      sizes for IOMMU translation.  We'll need this for other validation in
      future patches.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 3898aad323475cf19127d9fc0846954d591d8e11
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:53 2015 +1000

      vfio: Check guest IOVA ranges against host IOMMU capabilities

      The current vfio core code assumes that the host IOMMU is capable of
      mapping any IOVA the guest wants to use to where we need.  However, real
      IOMMUs generally only support translating a certain range of IOVAs (the
      "DMA window") not a full 64-bit address space.

      The common x86 IOMMUs support a wide enough range that guests are very
      unlikely to go beyond it in practice, however the IOMMU used on IBM Power
      machines - in the default configuration - supports only a much more 
limited
      IOVA range, usually 0..2GiB.

      If the guest attempts to set up an IOVA range that the host IOMMU can't
      map, qemu won't report an error until it actually attempts to map a bad
      IOVA.  If guest RAM is being mapped directly into the IOMMU (i.e. no guest
      visible IOMMU) then this will show up very quickly.  If there is a guest
      visible IOMMU, however, the problem might not show up until much later 
when
      the guest actually attempt to DMA with an IOVA the host can't handle.

      This patch adds a test so that we will detect earlier if the guest is
      attempting to use IOVA ranges that the host IOMMU won't be able to deal
      with.

      For now, we assume that "Type1" (x86) IOMMUs can support any IOVA, this is
      incorrect, but no worse than what we have already.  We can't do better for
      now because the Type1 kernel interface doesn't tell us what IOVA range the
      IOMMU actually supports.

      For the Power "sPAPR TCE" IOMMU, however, we can retrieve the supported
      IOVA range and validate guest IOVA ranges against it, and this patch does
      so.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ac6dc3894fbb6775245565229953879a0263d27f
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:52 2015 +1000

      vfio: Generalize vfio_listener_region_add failure path

      If a DMA mapping operation fails in vfio_listener_region_add() it
      checks to see if we've already completed initial setup of the
      container.  If so it reports an error so the setup code can fail
      gracefully, otherwise throws a hw_error().

      There are other potential failure cases in vfio_listener_region_add()
      which could benefit from the same logic, so move it to its own
      fail: block.  Later patches can use this to extend other failure cases
      to fail as gracefully as possible under the circumstances.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ee0bf0e59bb1c07c0196142f2ecfd88f7f8b194e
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 30 12:13:51 2015 +1000

      vfio: Remove unneeded union from VFIOContainer

      Currently the VFIOContainer iommu_data field contains a union with
      different information for different host iommu types.  However:
         * It only actually contains information for the x86-like "Type1" iommu
         * Because we have a common listener the Type1 fields are actually used
      on all IOMMU types, including the SPAPR TCE type as well

      In fact we now have a general structure for the listener which is unlikely
      to ever need per-iommu-type information, so this patch removes the union.

      In a similar way we can unify the setup of the vfio memory listener in
      vfio_connect_container() that is currently split across a switch on iommu
      type, but is effectively the same in both cases.

      The iommu_data.release pointer was only needed as a cleanup function
      which would handle potentially different data in the union.  With the
      union gone, it too can be removed.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a5b39cd3f647eaaaef5b648beda5cb2f387418c0
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Oct 5 12:30:12 2015 -0600

      hw/vfio/platform: do not set resamplefd for edge-sensitive IRQS

      In irqfd mode, current code attempts to set a resamplefd whatever
      the type of the IRQ. For an edge-sensitive IRQ this attempt fails
      and as a consequence, the whole irqfd setup fails and we fall back
      to the slow mode. This patch bypasses the resamplefd setting for
      non level-sentive IRQs.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a22313deca720e038ebc5805cf451b3a685d29ce
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Oct 5 12:30:12 2015 -0600

      hw/vfio/platform: change interrupt/unmask fields into pointer

      unmask EventNotifier might not be initialized in case of edge
      sensitive irq. Using EventNotifier pointers make life simpler to
      handle the edge-sensitive irqfd setup.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 58892b447f0ffcd0967bc6f1bcb40df288ebeebc
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Oct 5 12:30:12 2015 -0600

      hw/vfio/platform: irqfd setup sequence update

      With current implementation, eventfd VFIO signaling is first set up and
      then irqfd is setup, if supported and allowed.

      This start sequence causes several issues with IRQ forwarding setup
      which, if supported, is transparently attempted on irqfd setup:
      IRQ forwarding setup is likely to fail if the IRQ is detected as under
      injection into the guest (active at irqchip level or VFIO masked).

      This currently always happens because the current sequence explicitly
      VFIO-masks the IRQ before setting irqfd.

      Even if that masking were removed, we couldn't prevent the case where
      the IRQ is under injection into the guest.

      So the simpler solution is to remove this 2-step startup and directly
      attempt irqfd setup. This is what this patch does.

      Also in case the eventfd setup fails, there is no reason to go farther:
      let's abort.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ec6b69ca0305ab3a3e0461aecb6f190c59a765df
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Oct 5 12:00:56 2015 -0400

      qtest/ide-test: ppc64be correction for ATAPI tests

      the 16bit ide data register is LE by definition.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1443461938-30039-1-git-send-email-jsnow@xxxxxxxxxx

  commit aee50319873da4ed1c1d6901260c37d6236c74b5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Oct 5 12:00:56 2015 -0400

      MAINTAINERS: Small IDE/FDC touchup

      libqos/ahci and tests/fdc-test are under my purview also,
      include them in the appropriate stanzas.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1443117055-29240-1-git-send-email-jsnow@xxxxxxxxxx

  commit 3d937150dce20cb95cbaae99b6fd48dca4261f32
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Oct 5 12:00:55 2015 -0400

      qtest/ahci: fix redundant assertion

      Fixes https://bugs.launchpad.net/qemu/+bug/1497711

      (!ncq || (ncq && lba48)) is the same as
      (!ncq || lba48).

      The intention is simply: "If a command is NCQ,
      it must also be LBA48."

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1442868929-17777-1-git-send-email-jsnow@xxxxxxxxxx

  commit dfeb8679db358e1f8e0ee4dd84f903d71f000378
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 17:19:15 2015 +0800

      icc_bus: drop the unused files

      ICC bus impl has been droped, so all icc related files are not useful
      any more; delete them.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 46232aaacb66733d3e16dcbd0d26c32ec388801d
  Author: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 17:19:14 2015 +0800

      cpu/apic: drop icc bus/bridge

      After CPU hotplug has been converted to BUS-less hot-plug infrastructure,
      the only function ICC bus performs is to propagate reset to LAPICs. 
However
      LAPIC could be reset by registering its reset handler after all device are
      initialized.
      Do so and drop ~30LOC of not needed anymore ICCBus related code.

      Signed-off-by: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit ae50c55a09b8a90205972518d8129447000ae188
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 17:19:13 2015 +0800

      x86: use new method to correct reset sequence

      During reset some devices (such as hpet, rtc) might send IRQ to APIC
      which changes APIC's state from default one it's supposed to have
      at machine startup time.
      Fix this by resetting APIC after devices have been reset to cancel
      any changes that qemu_devices_reset() might have done to its state.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 8d42d2d32b508484106f1c600f5cdd5496bc867e
  Author: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 17:19:11 2015 +0800

      apic: move APIC's MMIO region mapping into APIC

      When ICC bus/bridge is removed, APIC MMIO will be left
      unmapped since it was mapped into system's address space
      indirectly by ICC bridge.
      Fix it by moving mapping into APIC code, so it would be
      possible to remove ICC bus/bridge code later.

      Signed-off-by: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 2188cc52cb363433751f72b991d8fb05fc60e39d
  Author: Bill Paul <wpaul@xxxxxxxxxxxxx>
  Date:   Wed Sep 30 15:33:29 2015 -0700

      Correctly re-init EFER state during INIT IPI

      When doing a re-initialization of a CPU core, the default state is to 
_not_
      have 64-bit long mode enabled. This means the LME (long mode enable) and 
LMA
      (long mode active) bits in the EFER model-specific register should be 
cleared.

      However, the EFER state is part of the CPU environment which is
      preserved by do_cpu_init(), so if EFER.LME and EFER.LMA were set at the
      time an INIT IPI was received, they will remain set after the init 
completes.

      This is contrary to what the Intel architecture manual describes and what
      happens on real hardware, and it leaves the CPU in a weird state that the
      guest can't clear.

      To fix this, the 'efer' member of the CPUX86State structure has been moved
      to an area outside the region preserved by do_cpu_init(), so that it can
      be properly re-initialized by x86_cpu_reset().

      Signed-off-by: Bill Paul <wpaul@xxxxxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit becb66673ec30cb604926d247ab9449a60ad8b11
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 28 14:00:18 2015 +0200

      target-i386: add ABM to Haswell* and Broadwell* CPU models

      ABM is only implemented as a single instruction set by AMD; all AMD
      processors support both instructions or neither. Intel considers POPCNT
      as part of SSE4.2, and LZCNT as part of BMI1, but Intel also uses AMD's
      ABM flag to indicate support for both POPCNT and LZCNT.  It has to be
      added to Haswell and Broadwell because Haswell, by adding LZCNT, has
      completed the ABM.

      Tested with "qemu-kvm -cpu Haswell-noTSX,enforce" (and also with older
      machine types) on an Haswell-EP machine.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit c9b8f6b6210847b4381c5b2ee172b1c7eb9985d6
  Author: Amit Shah <amit.shah@xxxxxxxxxx>
  Date:   Wed Sep 23 11:57:33 2015 +0530

      target-i386: get/put MSR_TSC_AUX across reset and migration

      There's one report of migration breaking due to missing MSR_TSC_AUX
      save/restore.  Fix this by adding a new subsection that saves the state
      of this MSR.

      https://bugzilla.redhat.com/show_bug.cgi?id=1261797

      Reported-by: Xiaoqing Wei <xwei@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      CC: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
      CC: Richard Henderson <rth@xxxxxxxxxxx>
      CC: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit dd941cdcfec536aad6a310a153778142ed9f3e92
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:07 2015 -0700

      target-i386: Make check_hw_breakpoints static

      The function is now only used from within a single file.

      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit ba4b5c65a98ea91dc3b13e42dd9404808c999dda
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 15 11:45:06 2015 -0700

      target-i386: Move breakpoint related functions to new file

      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 5114e8422201190c3e2e1a4d77e38ad70cf001d2
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 11 12:40:27 2015 -0300

      target-i386: Convert kvm_default_*features to property/value pairs

      Convert the kvm_default_features and kvm_default_unset_features arrays
      into a simple list of property/value pairs that will be applied to
      X86CPU objects when using KVM.

      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit a32ef3bfc12c8d0588f43f74dcc5280885bbdb30
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Wed Jul 22 15:59:50 2015 +0200

      vl: Add another sanity check to smp_parse() function

      The code in smp_parse already checks the topology information for
      sockets * cores * threads < cpus and bails out with an error in
      that case. However, it is still possible to supply a bad configuration
      the other way round, e.g. with:

       qemu-system-xxx -smp 4,sockets=1,cores=4,threads=2

      QEMU then still starts the guest, with topology configuration that
      is rather incomprehensible and likely not what the user wanted.
      So let's add another check to refuse such wrong configurations.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit ed256144cd6f0ca2ff59fc3fc8dca547506f433b
  Author: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
  Date:   Fri Aug 21 17:34:45 2015 +0800

      cpu: Introduce X86CPUTopoInfo structure for argument simplification

      In order to simplify arguments of function, introduce a new struct
      named X86CPUTopoInfo.

      Signed-off-by: Chen Fan <chen.fan.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit c0b520dfb8890294a9f8879f4759172900585995
  Merge: 945507d 6fdac09
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 2 16:59:21 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio,pc features, fixes

      New features:
          guest RAM buffer overrun mitigation
          RAM physical address gaps for memory hotplug
          (except refactoring which got some review comments)

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Fri 02 Oct 2015 15:04:56 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        vhost-user-test: fix predictable filename on tmpfs
        vhost-user-test: use tmpfs by default
        pc: memhp: force gaps between DIMM's GPA
        memhp: extend address auto assignment to support gaps
        vhost-user: unit test for new messages
        vhost-user-test: do not reinvent glib-compat.h
        virtio: Notice when the system doesn't support MSIx at all
        pc: Add a comment explaining why pc_compat_2_4() doesn't exist
        exec: allocate PROT_NONE pages on top of RAM
        oslib: allocate PROT_NONE pages on top of RAM
        oslib: rework anonimous RAM allocation
        virtio-net: correctly drop truncated packets
        virtio: introduce virtqueue_discard()
        virtio: introduce virtqueue_unmap_sg()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 945507d6bcde334f42b00cae134b4d47301d1821
  Merge: 37dd86a 86abac0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 2 16:04:25 2015 +0100

      Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20151002' 
into staging

      First set of Linux-user que patches for 2.5

      # gpg: Signature made Fri 02 Oct 2015 13:38:00 BST using RSA key ID 
DE3C9BC0
      # gpg: Good signature from "Riku Voipio <riku.voipio@xxxxxx>"
      # gpg:                 aka "Riku Voipio <riku.voipio@xxxxxxxxxx>"

      * remotes/riku/tags/pull-linux-user-20151002:
        linux-user: assert that target_mprotect cannot fail
        linux-user/signal.c: Use setup_rt_frame() instead of setup_frame() for 
target openrisc
        linux-user/syscall.c: Add EAGAIN to host_to_target_errno_table for
        linux-user: add name_to_handle_at/open_by_handle_at
        linux-user: Return target error number in do_fork()
        linux-user: fix cmsg conversion in case of multiple headers
        linux-user: remove MAX_ARG_PAGES limit
        linux-user: remove unused image_info members
        linux-user: Treat --foo options the same as -foo
        linux-user: use EXIT_SUCCESS and EXIT_FAILURE
        linux-user: Add proper error messages for bad options
        linux-user: Add -help
        linux-user: Exit 0 when -h is used

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6fdac09370530be0cc6fe9e8d425c0670ba994b1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Oct 1 15:50:52 2015 +0300

      vhost-user-test: fix predictable filename on tmpfs

      vhost-user-test uses getpid to create a unique filename. This name is
      predictable, and a security problem.  Instead, use a tmp directory
      created by mkdtemp, which is a suggested best practice.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 1b7e1e3b463a6e5c117498b192cb07603c04b668
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Sep 30 18:01:21 2015 +0300

      vhost-user-test: use tmpfs by default

      Most people don't run make check by default, so they skip vhost-user
      unit tests.  Solve this by using tmpfs instead, unless hugetlbfs is
      specified (using an environment variable).

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit aa8580cddf011e8cedcf87f7a0fdea7549fc4704
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Sep 29 16:53:29 2015 +0200

      pc: memhp: force gaps between DIMM's GPA

      mapping DIMMs non contiguously allows to workaround
      virtio bug reported earlier:
      http://lists.nongnu.org/archive/html/qemu-devel/2015-08/msg00522.html
      in this case guest kernel doesn't allocate buffers
      that can cross DIMM boundary keeping each buffer
      local to a DIMM.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Acked-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit df0acded19ec4b826aa095cfc19d341bd66fafd3
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Sep 29 16:53:28 2015 +0200

      memhp: extend address auto assignment to support gaps

      setting gap to TRUE will make sparse DIMM
      address auto allocation, leaving gaps between
      a new DIMM address and preceeding existing DIMM.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8a9b6b37dabf00388e8069a2f5c0f659626693b3
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 24 18:22:01 2015 +0200

      vhost-user: unit test for new messages

      Data is empty for now, but do make sure master
      sets the new feature bit flag.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ca06d9cc6691e23b6d02e07b44ea549aeac60151
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 29 14:12:03 2015 +0200

      vhost-user-test: do not reinvent glib-compat.h

      glib-compat.h has the gunk to support both old-style and new-style
      gthread functions.  Use it instead of reinventing it.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Tested-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 37dd86a44cc4298f58ac370e0190b069469b6d25
  Merge: ff770b0 73ba05d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 2 14:47:10 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Fri 02 Oct 2015 12:49:13 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        block/raw-posix: Open file descriptor O_RDWR to work around glibc 
posix_fallocate emulation issue.
        block: disable I/O limits at the beginning of bdrv_close()
        iotests: Fix test 128 for password-less sudo
        tests: Fix test 049 fallout from improved HMP error messages
        raw-win32: Fix write request error handling

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 73ba05d936e82fe01b2b2cf987bf3aecb4792af5
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Tue Sep 29 16:54:10 2015 +0100

      block/raw-posix: Open file descriptor O_RDWR to work around glibc 
posix_fallocate emulation issue.

        https://bugzilla.redhat.com/show_bug.cgi?id=1265196

      The following command fails on an NFS mountpoint:

        $ qemu-img create -f qcow2 -o preallocation=falloc disk.img 262144
        Formatting 'disk.img', fmt=qcow2 size=262144 encryption=off 
cluster_size=65536 preallocation='falloc' lazy_refcounts=off
        qemu-img: disk.img: Could not preallocate data for the new file: Bad 
file descriptor

      The reason turns out to be because NFS doesn't support the
      posix_fallocate call.  glibc emulates it instead.  However glibc's
      emulation involves using the pread(2) syscall.  The pread syscall
      fails with EBADF if the file descriptor is opened without the read
      open-flag (ie. open (..., O_WRONLY)).

      I contacted glibc upstream about this, and their response is here:

        https://bugzilla.redhat.com/show_bug.cgi?id=1265196#c9

      There are two possible fixes: Use Linux fallocate directly, or (this
      fix) work around the problem in qemu by opening the file with O_RDWR
      instead of O_WRONLY.

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1265196
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 99b7e7756780cec03fe5175db0f53b2fffa9426b
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Sep 25 16:41:44 2015 +0300

      block: disable I/O limits at the beginning of bdrv_close()

      Disabling I/O limits from a BDS also drains all pending throttled
      requests, so it should be done at the beginning of bdrv_close() with
      the rest of the bdrv_drain() calls before the BlockDriver is closed.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bb3c801df7ed454b663312326bc29c8b9c2e4de6
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Fri Sep 25 19:19:24 2015 +0200

      iotests: Fix test 128 for password-less sudo

      As of 934659c460d46c948cf348822fda1d38556ed9a4, $QEMU_IO is generally no
      longer a program name, and therefore "sudo -n $QEMU_IO" will no longer
      work.

      Fix this by copying the qemu-io invocation function from common.config,
      making it use $sudo for invoking $QEMU_IO_PROG, and then use that
      function instead of $QEMU_IO.

      Reported-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 552bb52c4bf199ae9c038570187749b93c91310a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue Sep 22 17:15:52 2015 -0600

      tests: Fix test 049 fallout from improved HMP error messages

      Commit 50b7b000 improved HMP error messages, but forgot to update
      qemu-iotests to match.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5d555030ba10ef3be12cd75a121a7cd5f6ef9bd2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Sep 23 14:58:21 2015 +0200

      raw-win32: Fix write request error handling

      aio_worker() wrote the return code to the wrong variable.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Tested-by: Guangmu Zhu <guangmuzhu@xxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d9f090ec7794d433b8f222ae8c8f95601369a4a5
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 1 10:49:47 2015 +0200

      s390x: rename io_subsystem_reset -> subsystem_reset

      According to the Pop:
      "Subsystem reset operates only on those elements in the configuration
      which are not CPUs".

      As this is what we actually do, let's simply rename the function.

      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-6-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit a6085fab3b6b9f0f9d636170b7d7bd31172b5038
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Thu Oct 1 10:49:46 2015 +0200

      s390x/info registers: print vector registers properly

      We want

      F12=0000000000000000 F13=0000000000000000 F14=0000000000000000 
F15=0000000000000000
      V00=00000000000000000000000000000000 V01=00000000000000000000000000000000

      instead of
      F12=0000000000000000 F13=0000000000000000 F14=0000000000000000 
F15=0000000000000000
      V00=00000000000000000000000000000000
      V01=00000000000000000000000000000000 V02=00000000000000000000000000000000

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-5-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 7059384c7e27d68c502d8636eb711873a9a6a597
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 1 10:49:45 2015 +0200

      s390x: set missing parent for hotplug and quiesce events

      Existing code missed to set a parent for the quiesce and hotplug event.
      While this didn't matter in practise, new introspection APIs basically now
      do an object_unref(object_new(T)), which loops forever.

      When trying to remove the event facility bus, the code tries to
      unparent all childs on the bus, so they are properly deleted and 
therefore removed.
      As object_unparent() on these child devices doesn't work, as there is no 
parent,
      we loop forever.

      Let's fix this by adding the event facility as a parent. Also switch from
      object_initialize to object_new, so the only valid reference is in fact 
the
      parent property. This makes it more obvious when the device (state) is 
actually
      gone (and how the reference counting works).

      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-4-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 8a641ff60f38799a10ed44a7c5bddd386bc169ed
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 1 10:49:44 2015 +0200

      s390x/gdb: expose virtualization specific registers

      Let's expose some virtual/fake registers as virtualization specific
      registers.

      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-3-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit af3c15fee54e841d859d003b90a88042daf6cd7a
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Thu Oct 1 10:49:43 2015 +0200

      pc-bios/s390-ccw: avoid floating point operations

      Some gcc versions (e.g. Fedora 22 gcc 5.1.1) seem to use floating
      point registers for spilling and filling of general purpose registers.
      As the BIOS does not activate the AFP register setting of CR0 this can
      cause data exception program checks.
      Disallow floating point in the BIOS as a simple solution.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1443689387-34473-2-git-send-email-jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit ff770b07f34d28b79013a83989bd6c85f8f16b2f
  Merge: 5250ced 5279efe
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Oct 2 11:01:18 2015 +0100

      Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into 
staging

      # gpg: Signature made Thu 01 Oct 2015 20:02:33 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"

      * remotes/cody/tags/block-pull-request:
        block: mirror - fix full sync mode when target does not support zero 
init

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5250ced83173c9534b4a2723b7a50b67b7c7a6ee
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jul 23 08:13:56 2015 -0700

      target-microblaze: Set the PC in reset instead of realize

      Set the Microblaze CPU PC in the reset instead of setting it
      in the realize. This is required as the PC is zeroed in the
      reset function and causes problems in some situations.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit c8667283a070d810f7917d69ea84209475c6e75e
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Fri Sep 25 22:45:53 2015 +0200

      disas/cris: Fix typo in comment

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 5279efebcf8f8fbf2ed2feed63cdb9d375c7cd07
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Thu Oct 1 00:06:37 2015 -0400

      block: mirror - fix full sync mode when target does not support zero init

      During mirror, if the target device does not support zero init, a
      mirror may result in a corrupted image for sync="full" mode.

      This is due to how the initial dirty bitmap is set up prior to copying
      data - we did not mark sectors as dirty that are unallocated.  This
      means those unallocated sectors are skipped over on the target, and for
      a device without zero init, invalid data may reside in those holes.

      If both of the following conditions are true, then we will explicitly
      mark all sectors as dirty:

          1.) sync = "full"
          2.) bdrv_has_zero_init(target) == false

      If the target does support zero init, but a target image is passed in
      with data already present (i.e. an "existing" image), it is assumed the
      data present in the existing image is valid data for those sectors.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 
91ed4bc5bda7e2b09eb508b07c83f4071fe0b3c9.1443705220.git.jcody@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 0d583647a7fc73f621eeb64ed703556c4bbebfcc
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue May 19 13:29:51 2015 -0700

      virtio: Notice when the system doesn't support MSIx at all

      And do not issue an error_report in that case.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 798595075bf51c7e3125d260a19d860b9aa63e69
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Sep 28 15:07:21 2015 -0300

      pc: Add a comment explaining why pc_compat_2_4() doesn't exist

      pc_compat_2_4() doesn't exist, and we shouldn't create one. Add a
      comment explaining why the function doesn't exist and why pc_compat_*()
      functions are deprecated.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8561c9244ddf1122dfe7ccac9b23f506062f1499
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 10 16:41:17 2015 +0300

      exec: allocate PROT_NONE pages on top of RAM

      This inserts a read and write protected page between RAM and QEMU
      memory, for file-backend RAM.
      This makes it harder to exploit QEMU bugs resulting from buffer
      overflows in devices using variants of cpu_physical_memory_map,
      dma_memory_map etc.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9fac18f03a9040b67ec38e14d3e1ed34db9c7e06
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 10 16:41:17 2015 +0300

      oslib: allocate PROT_NONE pages on top of RAM

      This inserts a read and write protected page between RAM and QEMU
      memory. This makes it harder to exploit QEMU bugs resulting from buffer
      overflows in devices using variants of cpu_physical_memory_map,
      dma_memory_map etc.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c2dfc5ba3fb3a1b7278c99bfd3bf350202169434
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Sep 10 16:36:51 2015 +0300

      oslib: rework anonimous RAM allocation

      At the moment we first allocate RAM, sometimes more than necessary for
      alignment reasons.  We then free the extra RAM.

      Rework this to avoid the temporary allocation: reserve the
      range by mapping it with PROT_NONE, then use just the
      necessary range with MAP_FIXED.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0cf33fb6b49a19de32859e2cdc6021334f448fb3
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Sep 25 13:21:30 2015 +0800

      virtio-net: correctly drop truncated packets

      When packet is truncated during receiving, we drop the packets but
      neither discard the descriptor nor add and signal used
      descriptor. This will lead several issues:

      - sg mappings are leaked
      - rx will be stalled if a lots of packets were truncated

      In order to be consistent with vhost, fix by discarding the descriptor
      in this case.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Sep 25 13:21:29 2015 +0800

      virtio: introduce virtqueue_discard()

      This patch introduces virtqueue_discard() to discard a descriptor and
      unmap the sgs. This will be used by the patch that will discard
      descriptor when packet is truncated.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ce317461573bac12b10d67699b4ddf1f97cf066c
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Sep 25 13:21:28 2015 +0800

      virtio: introduce virtqueue_unmap_sg()

      Factor out sg unmapping logic. This will be reused by the patch that
      can discard descriptor.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Andrew James <andrew.james@xxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fa500928ad9da6dd570918e3dfca13c029af07a8
  Merge: b2312c6 dc32562
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Oct 1 10:49:38 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150930' into staging

      migration/next for 20150930

      # gpg: Signature made Wed 30 Sep 2015 09:24:02 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150930:
        migration: Disambiguate MAX_THROTTLE
        qmp/hmp: Add throttle ratio to query-migrate and info migrate
        migration: Dynamic cpu throttling for auto-converge
        migration: Parameters for auto-converge cpu throttling
        cpu: Provide vcpu throttling interface
        migration: yet more possible state transitions

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 86abac06c142d20772b3f2e04c9bf02b7936a0b3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 14 12:31:44 2015 +0200

      linux-user: assert that target_mprotect cannot fail

      All error conditions that target_mprotect checks are also checked
      by target_mmap.  EACCESS cannot happen because we are just removing
      PROT_WRITE.  ENOMEM should not happen because we are modifying a
      whole VMA (and we have bigger problems anyway if it happens).

      Fixes a Coverity false positive, where Coverity complains about
      target_mprotect's return value being passed to tb_invalidate_phys_range.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit d0924a26d8f37ab95fdef99f6850b93e9af3ffb2
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Sat Sep 12 23:32:30 2015 +0800

      linux-user/signal.c: Use setup_rt_frame() instead of setup_frame() for 
target openrisc

      qemu has already considered about some targets may have no traditional
      signals. And openrisc's setup_frame() is dummy, but it can be supported
      by setup_rt_frame().

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit dc3256272cf70b2152279b013a8abb16e0f6fe96
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:37 2015 -0400

      migration: Disambiguate MAX_THROTTLE

      Migration has a define for MAX_THROTTLE. Update comment to clarify that 
this is
      used for throttling transfer speed. Hopefully this will prevent it from 
being
      confused with a guest cpu throttling entity.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4782893e099cde24c0b10a48d0412eea575ddcb3
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:36 2015 -0400

      qmp/hmp: Add throttle ratio to query-migrate and info migrate

      Report throttle percentage in info migrate and query-migrate responses 
when
      cpu throttling is active.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 070afca258f973c704dcadf2769aa1ca921209a1
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:35 2015 -0400

      migration: Dynamic cpu throttling for auto-converge

      Remove traditional auto-converge static 30ms throttling code and replace 
it
      with a dynamic throttling algorithm.

      Additionally, be more aggressive when deciding when to start throttling.
      Previously we waited until four unproductive memory passes. Now we begin
      throttling after only two unproductive memory passes. Four seemed quite
      arbitrary and only waiting for two passes allows us to complete the 
migration
      faster.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1626fee3bdbb295d5e8aff800f7621357bb376d6
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:34 2015 -0400

      migration: Parameters for auto-converge cpu throttling

      Add migration parameters to allow the user to adjust the parameters
      that control cpu throttling when auto-converge is in effect. The added
      parameters are as follows:

      x-cpu-throttle-initial : Initial percantage of time guest cpus are 
throttled
      when migration auto-converge is activated.

      x-cpu-throttle-increment: throttle percantage increase each time
      auto-converge detects that migration is not making progress.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2adcc85d407c1ab985f5abed808c78dbb84f4773
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 13:12:33 2015 -0400

      cpu: Provide vcpu throttling interface

      Provide a method to throttle guest cpu execution. CPUState is augmented 
with
      timeout controls and throttle start/stop functions. To throttle the guest 
cpu
      the caller simply has to call the throttle set function and provide a 
percentage
      of throttle time.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2a6e6e59dfdeb0b98e744eb8f110a236f26a3ea4
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Jul 28 15:28:28 2015 +0200

      migration: yet more possible state transitions

      On destination, we move from INMIGRATE to FINISH_MIGRATE.  Add that to
      the list of allowed states.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit b2312c680084ea18cd55fa7093397cad2224ec14
  Merge: 6996a00 b9e6092
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 29 12:41:19 2015 +0100

      Merge remote-tracking branch 
'remotes/amit-migration/tags/for-juan-201509' into staging

      Migration queue

      # gpg: Signature made Tue 29 Sep 2015 07:13:55 BST using RSA key ID 
854083B6
      # gpg: Good signature from "Amit Shah <amit@xxxxxxxxxxxx>"
      # gpg:                 aka "Amit Shah <amit@xxxxxxxxxx>"
      # gpg:                 aka "Amit Shah <amitshah@xxxxxxx>"

      * remotes/amit-migration/tags/for-juan-201509:
        ram_find_and_save_block: Split out the finding
        Move dirty page search state into separate structure
        migration: Use g_new() & friends where that makes obvious sense
        migration: qemu-file more size_t'ifying
        migration: size_t'ify some of qemu-file
        Init page sizes in qtest
        Split out end of migration code from migration_thread
        migration/ram.c: Use RAMBlock rather than MemoryRegion
        vmstate: Remove redefinition of VMSTATE_UINT32_ARRAY

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b9e6092814735853cc1149e2e68245b09f621306
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Sep 23 15:27:11 2015 +0100

      ram_find_and_save_block: Split out the finding

      Split out the finding of the dirty page and all the wrap detection
      into a separate function since it was getting a bit hairy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1443018431-11170-3-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>

      [Fix comment -- Amit]
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit b8fb8cb748497aa070304eec27b03edd3b05373d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Sep 23 15:27:10 2015 +0100

      Move dirty page search state into separate structure

      Pull the search state for one iteration of the dirty page
      search into a structure.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Message-Id: <1443018431-11170-2-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 97f3ad35517e0d02c0149637d1bb10713c52b057
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:51:31 2015 +0200

      migration: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442231491-23352-1-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 56f3835ff1e70df97f843f4a27abdff6b4a2ae77
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:34 2015 +0100

      migration: qemu-file more size_t'ifying

      This time convert the external functions:
        qemu_get_buffer, qemu_peek_buffer
        qemu_put_buffer and qemu_put_buffer_async

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439463094-5394-6-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit a202a4c001fd35b50d99abcc329bc9e666eb8eed
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:33 2015 +0100

      migration: size_t'ify some of qemu-file

      This is a start on using size_t more in qemu-file and friends;
      it fixes up QEMUFilePutBufferFunc and QEMUFileGetBufferFunc
      to take size_t lengths and return ssize_t return values (like read(2))
      and fixes up all the different implementations of them.

      Note that I've not yet followed this deeply into bdrv_ implementations.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439463094-5394-5-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit c50766f5a99ef7bf6c9a86cd07341c389faf7ae6
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:32 2015 +0100

      Init page sizes in qtest

      One of my patches used a loop that was based on host page size;
      it dies in qtest since qtest hadn't bothered init'ing it.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Message-Id: <1439463094-5394-4-git-send-email-dgilbert@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 09f6c85e39ee9e57bd245adbe6f400d387061707
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:31 2015 +0100

      Split out end of migration code from migration_thread

      The code that gets run at the end of the migration process
      is getting large, and I'm about to add more for postcopy.
      Split it into a separate function.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439463094-5394-3-git-send-email-dgilbert@xxxxxxxxxx>
      Reviewed-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 2f68e39956b7504f6669671fd95b70859afc340d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Aug 13 11:51:30 2015 +0100

      migration/ram.c: Use RAMBlock rather than MemoryRegion

      RAM migration mainly works on RAMBlocks but in a few places
      uses data from MemoryRegions to access the same information that's
      already held in RAMBlocks; clean it up just to avoid the
      MemoryRegion use.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439463094-5394-2-git-send-email-dgilbert@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit eb5c936e81e2e292ceefec9b6628862599f71c17
  Author: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
  Date:   Thu Aug 13 23:16:27 2015 -0700

      vmstate: Remove redefinition of VMSTATE_UINT32_ARRAY

      The macro is defined twice in identical ways.

      Signed-off-by: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
      Message-Id: <1439532987-16335-1-git-send-email-soren.brinkmann@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 08703b9f7bcd7ca2152d51a4c8893d26f1dc28de
  Author: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
  Date:   Mon Sep 7 10:35:06 2015 +0800

      linux-user/syscall.c: Add EAGAIN to host_to_target_errno_table for

      Under Alpha host, EAGAIN is redefined to 35, so it need be remapped too.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 0f0426f343886fb5c9f137c2830f35cc2dae7327
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Tue Sep 1 22:27:33 2015 +0200

      linux-user: add name_to_handle_at/open_by_handle_at

      This patch allows to run example given by open_by_handle_at(2):

            The following shell session demonstrates the use of these two 
programs:

                 $ echo 'Can you please think about it?' > cecilia.txt
                 $ ./t_name_to_handle_at cecilia.txt > fh
                 $ ./t_open_by_handle_at < fh
                 open_by_handle_at: Operation not permitted
                 $ sudo ./t_open_by_handle_at < fh      # Need CAP_SYS_ADMIN
                 Read 31 bytes
                 $ rm cecilia.txt

             Now  we delete and (quickly) re-create the file so that it has the 
same
             content and (by chance) the  same  inode.[...]

                 $ stat --printf="%i\n" cecilia.txt     # Display inode number
                 4072121
                 $ rm cecilia.txt
                 $ echo 'Can you please think about it?' > cecilia.txt
                 $ stat --printf="%i\n" cecilia.txt     # Check inode number
                 4072121
                 $ sudo ./t_open_by_handle_at < fh
                 open_by_handle_at: Stale NFS file handle

      See the man page for source code.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 93b4eff80af9822e4b726dcf21ee61538e088695
  Author: Timothy E Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 31 00:26:21 2015 +0100

      linux-user: Return target error number in do_fork()

      Whilst calls to do_fork() are wrapped in get_errno() this does not
      translate return values.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Timothy Edward Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit ee1045877a7e226945c7cec2bda80039bd2d0c8e
  Author: Jonathan Neuschäfer <j.neuschaefer@xxxxxxx>
  Date:   Thu Sep 3 07:27:26 2015 +0200

      linux-user: fix cmsg conversion in case of multiple headers

      Currently, __target_cmsg_nxthdr compares a pointer derived from
      target_cmsg against the msg_control field of target_msgh (through
      subtraction).  This failed for me when emulating i386 code under x86_64,
      because pointers in the host address space and pointers in the guest
      address space were not the same.  This patch passes the initial value of
      target_cmsg into __target_cmsg_nxthdr.

      I found and fixed two more related bugs:
      - __target_cmsg_nxthdr now returns the new cmsg pointer instead of the
        old one.
      - tgt_space (in host_to_target_cmsg) doesn't count "sizeof (struct
        target_cmsghdr)" twice anymore.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@xxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 59baae9a626396a3a05840279084c4bf2beb8f40
  Author: Stefan Brüns <stefan.bruens@xxxxxxxxxxxxxx>
  Date:   Wed Sep 2 03:38:53 2015 +0200

      linux-user: remove MAX_ARG_PAGES limit

      Instead of creating a temporary copy for the whole environment and
      the arguments, directly copy everything to the target stack.

      For this to work, we have to change the order of stack creation and
      copying the arguments.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Stefan Brüns <stefan.bruens@xxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 84646ee25b68321624ef4768011e91064e4bd440
  Author: Stefan Brüns <stefan.bruens@xxxxxxxxxxxxxx>
  Date:   Wed Sep 2 03:38:52 2015 +0200

      linux-user: remove unused image_info members

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Stefan Brüns <stefan.bruens@xxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit ba02577cadbe5b53db791522310c977f9960f81f
  Author: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 11:03:41 2015 -0700

      linux-user: Treat --foo options the same as -foo

      The system mode binaries provide a similar alias
      and it makes common options like --version and --help
      work as expected.

      Signed-off-by: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 4d1275c24d5d64d22ec4a30ce1b6a0db3ba9a25a
  Author: Riku Voipio <riku.voipio@xxxxxxxxxx>
  Date:   Mon Sep 28 16:12:16 2015 +0300

      linux-user: use EXIT_SUCCESS and EXIT_FAILURE

      As suggested by Laurent, use EXIT_SUCCESS and EXIT_FAILURE from
      stdlib.h instead of numeric values.

      Cc: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 138940bf08df1d8e9b862ad019a0d7d451e2413a
  Author: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 11:03:40 2015 -0700

      linux-user: Add proper error messages for bad options

      This patch adds better support for diagnosing option
      parser errors.  The previous implementation just printed
      the usage text and exited when a bad option or argument
      was found.  This made it very difficult to determine why
      the usage was being displayed and it was doubly confusing
      for cases like '--help' (it wasn't clear that --help was
      actually an error).

      Signed-off-by: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit daaf8c8eb7135386134bc7075b9cf4dd57107c43
  Author: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 11:03:39 2015 -0700

      linux-user: Add -help

      This option is already available on the system mode
      binaries.  It would be better if long options were
      supported (i.e. --help), but this is okay for now.

      Signed-off-by: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit d03f9c320234d2e49ad8b2f4abd049a497afa2be
  Author: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 11:03:38 2015 -0700

      linux-user: Exit 0 when -h is used

      Signed-off-by: Meador Inge <meadori@xxxxxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 6996a002d845be0166e155c016448014a6fbfe05
  Merge: 9e07142 365d7f3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 23:20:06 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-cocoa-20150925-1' into staging

      cocoa queue:
       * fix stuck-key bug if keys were down when QEMU lost focus
       * prompt the user whether they really meant to quit
       * remove the 'open image file' dialog box we used to display
         if the user started QEMU without arguments

      # gpg: Signature made Fri 25 Sep 2015 23:17:19 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-cocoa-20150925-1:
        ui/cocoa.m: remove open dialog code
        ui/cocoa.m: prevent stuck key situation
        ui/cocoa.m: verify with user before quitting QEMU

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 365d7f3c7aacc789ead96b8eeb5ba5b0a8d93d48
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Sep 25 23:14:00 2015 +0100

      ui/cocoa.m: remove open dialog code

      Removes the open dialog code that runs when no arguments are supplied 
with QEMU.
      Not everyone needs a hard drive or cdrom to boot their target. A user 
might only
      need to use their target's bios to do work. With that said, this patch 
removes
      the unneeded open dialog code.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 33856864-321C-4367-9170-FB0BF81E789B@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3b178b7130ecf4005cd73d0c40e964c9d0d31a48
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Sep 25 23:14:00 2015 +0100

      ui/cocoa.m: prevent stuck key situation

      When the user puts QEMU in the background while holding
      down a key, QEMU will not receive the keyup event when
      the user lets go of the key. When the user goes back to
      QEMU, QEMU will think the key is still down causing
      stuck key symptoms. This patch fixes this problem by
      releasing all down keys when QEMU goes into the
      background.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 7A3FA6EE-84C8-4422-A786-C899B7229D32@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d9bc14f63e880010ba72b3a0169ff8ef52275a63
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Sep 25 23:13:59 2015 +0100

      ui/cocoa.m: verify with user before quitting QEMU

      This patch prevents the user from accidentally quitting QEMU by pushing
      Command-Q or by pushing the close button on the main window. When
      the user does one of these two things, a dialog box appears verifying
      with the user if he or she wants to quit QEMU.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 29169A74-0347-47F5-934F-A5AD24C225CA@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9e071429e649346c14b2dc76902f84f8352d2333
  Merge: 8bfbbb4 8e9620a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 21:52:30 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * First batch of MAINTAINERS updates
      * IOAPIC fixes (to pass kvm-unit-tests with -machine kernel_irqchip=off)
      * NBD API upgrades from Daniel
      * strtosz fixes from Marc-André
      * improved support for readonly=on on scsi-generic devices
      * new "info ioapic" and "info lapic" monitor commands
      * Peter Crosthwaite's ELF_MACHINE cleanups
      * docs patches from Thomas and Daniel

      # gpg: Signature made Fri 25 Sep 2015 11:20:52 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream: (52 commits)
        doc: Refresh URLs in the qemu-tech documentation
        docs: describe the QEMU build system structure / design
        typedef: add typedef for QemuOpts
        i386: interrupt poll processing
        i386: partial revert of interrupt poll fix
        ppc: Rename ELF_MACHINE to be PPC specific
        i386: Rename ELF_MACHINE to be x86 specific
        alpha: Remove ELF_MACHINE from cpu.h
        mips: Remove ELF_MACHINE from cpu.h
        sparc: Remove ELF_MACHINE from cpu.h
        s390: Remove ELF_MACHINE from cpu.h
        sh4: Remove ELF_MACHINE from cpu.h
        xtensa: Remove ELF_MACHINE from cpu.h
        tricore: Remove ELF_MACHINE from cpu.h
        or32: Remove ELF_MACHINE from cpu.h
        lm32: Remove ELF_MACHINE from cpu.h
        unicore: Remove ELF_MACHINE from cpu.h
        moxie: Remove ELF_MACHINE from cpu.h
        cris: Remove ELF_MACHINE from cpu.h
        m68k: Remove ELF_MACHINE from cpu.h
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8bfbbb4bcb6e06aaf4a3e2264f53c8c44ed4c655
  Merge: 54b3762 9d146b2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 21:11:12 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150925.0' into staging

      VFIO updates 2015-09-25

       - Remove use of g_malloc0_n for glib2.22 compat

      # gpg: Signature made Fri 25 Sep 2015 17:58:04 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150925.0:
        vfio/pci: Remove use of g_malloc0_n() from quirks

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 54b376230c795d9f63490fa2e951cb786f7b1e12
  Merge: 690b286 e6fd57e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 19:01:46 2015 +0100

      Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into 
staging

      # gpg: Signature made Fri 25 Sep 2015 16:47:31 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"

      * remotes/cody/tags/block-pull-request:
        sheepdog: refine discard support
        sheepdog: use per AIOCB dirty indexes for non overlapping requests
        Backup: don't do copy-on-read in before_write_notifier
        block: Introduce a new API bdrv_co_no_copy_on_readv()
        sheepdog: add reopen support
        block/nfs: cache allocated filesize for read-only files
        block/nfs: fix calculation of allocated file size

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 690b286fefa806f130dfc1931b5ba0b4dd2fb415
  Merge: cdf9818 ab60b74
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 18:03:19 2015 +0100

      Merge remote-tracking branch 
'remotes/vivier-misc/tags/pull-muldiv64-20150925' into staging

      Remove muldiv64() by using period instead of frequency

      # gpg: Signature made Fri 25 Sep 2015 14:54:37 BST using RSA key ID 
3F2FBE3C
      # gpg: Good signature from "Laurent Vivier <lvivier@xxxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier <laurent@xxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: CD2F 75DD C8E3 A4DC 2E4F  5173 F30C 38BD 3F2F 
BE3C

      * remotes/vivier-misc/tags/pull-muldiv64-20150925:
        net: remove muldiv64()
        bt: remove muldiv64()
        hpet: remove muldiv64()
        arm: clarify the use of muldiv64()
        openrisc: remove muldiv64()
        mips: remove muldiv64()
        pcnet: remove muldiv64()
        rtl8139: remove muldiv64()
        i6300esb: remove muldiv64()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cdf98182420e3bec62e2fd957eb8a17761161c0f
  Merge: 8a47d57 f178bc6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 25 16:40:05 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio,pc features, fixes

      New features:
          vhost-user multiqueue support
          virtio-ccw virtio 1 support

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Fri 25 Sep 2015 07:40:35 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        MAINTAINERS: add more devices to the PCI section
        MAINTAINERS: add more devices to the PC section
        vhost-user: add a new message to disable/enable a specific virt queue.
        vhost-user: add multiple queue support
        vhost: introduce vhost_backend_get_vq_index method
        vhost-user: add VHOST_USER_GET_QUEUE_NUM message
        vhost: rename VHOST_RESET_OWNER to VHOST_RESET_DEVICE
        vhost-user: add protocol feature negotiation
        vhost-user: use VHOST_USER_XXX macro for switch statement
        virtio-ccw: enable virtio-1
        virtio-ccw: feature bits > 31 handling
        virtio-ccw: support ring size changes
        virtio: ring sizes vs. reset
        pc: Introduce pc-*-2.5 machine classes
        q35: Move options common to all classes to pc_i440fx_machine_options()
        q35: Move options common to all classes to pc_q35_machine_options()
        virtio-net: unbreak self announcement and guest offloads after migration
        virtio: right size for virtio_queue_get_avail_size

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e6fd57ea297ec3aad32b24090c5d3757a99df3fe
  Author: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
  Date:   Tue Sep 1 12:03:10 2015 +0900

      sheepdog: refine discard support

      This patch refines discard support of the sheepdog driver. The
      existing discard mechanism was implemented on SD_OP_DISCARD_OBJ, which
      was introduced before fine grained reference counting on newer
      sheepdog. It doesn't care about relations of snapshots and clones and
      discards objects unconditionally.

      With this patch, the driver just updates an inode object for updating
      reference. Removing the object is done in sheep process side.

      Cc: Teruaki Ishizaki <ishizaki.teruaki@xxxxxxxxxxxxx>
      Cc: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Cc: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
      Tested-by: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Message-id: 1441076590-8015-3-git-send-email-mitake.hitoshi@xxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 498f21405a286f718a0767c791b7d2db19f4e5bd
  Author: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
  Date:   Tue Sep 1 12:03:09 2015 +0900

      sheepdog: use per AIOCB dirty indexes for non overlapping requests

      In the commit 96b14ff85acf, requests for overlapping areas are
      serialized. However, it cannot handle a case of non overlapping
      requests. In such a case, min_dirty_data_idx and max_dirty_data_idx
      can be overwritten by the requests and invalid inode update can
      happen e.g. a case like create(1, 2) and create(3, 4) are issued in
      parallel.

      This patch lets SheepdogAIOCB have dirty data indexes instead of
      BDRVSheepdogState for avoiding the above situation.

      This patch also does trivial renaming for better description:
      overwrapping -> overlapping

      Cc: Teruaki Ishizaki <ishizaki.teruaki@xxxxxxxxxxxxx>
      Cc: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Cc: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
      Tested-by: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Message-id: 1441076590-8015-2-git-send-email-mitake.hitoshi@xxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit ab60b7485cece312ad9c21327ee678f0f9898fb5
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:24:39 2015 +0200

      net: remove muldiv64()

      muldiv64() is used to convert nanoseconds to microseconds.

          x = muldiv64(qemu_clock_get_ns(..), 1000000, get_ticks_per_sec());

      As  get_ticks_per_sec() is 10^9, it can be replaced by:

          x = qemu_clock_get_us(..);

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fdfea124f9e12232f99d9f235267ca1eeeb23469
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:19:57 2015 +0200

      bt: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds.

      As get_ticks_per_sec() is 10^9,

          a = muldiv64(b, get_ticks_per_sec(), 100);
          y = muldiv64(x, get_ticks_per_sec(), 1000000);

      can be converted to

          a = b * 10000000;
          y = x * 1000;

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0a4f9240f5b8b1bfe2d5c5c2748545bc23771bb4
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:13:01 2015 +0200

      hpet: remove muldiv64()

      hpet defines a clock period in femtoseconds but
      then converts it to nanoseconds to use the internal
      timers.

      We can define the period in nanoseconds and use it
      directly, this allows to remove muldiv64().

      We only need to convert the period to femtoseconds
      to put it in internal hpet capability register.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 352c98e502893dee405d0bd8301264fca3b79179
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:09:36 2015 +0200

      arm: clarify the use of muldiv64()

      muldiv64() is used to convert microseconds into CPU ticks.

      But it is not clear and not commented. This patch uses macro
      to clearly identify what is used: time, CPU frequency and ticks.
      For an elapsed time and a given frequency, we compute how many ticks
       we have.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ccaf1749239aa33c5a5b755972232ffe1c0cf946
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 17:17:15 2015 +0200

      openrisc: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), TIMER_FREQ)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as openrisc timer frequency is 20 MHz, we can also do:

          y = x * 50; /* 20 MHz period is 50 ns */

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit 683dca6bd5057a87d9376475b0c7e30d56d8e532
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 25 16:16:21 2015 +0200

      mips: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), TIMER_FREQ)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as MIPS timer frequency is 100 MHz, we can also do:

          y = x * 10; /* 100 MHz period is 10 ns */

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit c6acbe861f1ed4203f4864baf756686064ba561f
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Mon Aug 24 19:29:45 2015 +0200

      pcnet: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), PCI_FREQUENCY)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as PCI frequency is 33 MHz, we can also do:

          y = x * 30; /* 33 MHz PCI period is 30 ns */

      Which is much more simple.

      This implies a 33.333333 MHz PCI frequency,
      but this is correct.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 37b9ab92f7f8295c61daa4a8893eb8fb1add63e2
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Mon Aug 24 19:29:45 2015 +0200

      rtl8139: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), PCI_FREQUENCY)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as PCI frequency is 33 MHz, we can also do:

          y = x * 30; /* 33 MHz PCI period is 30 ns */

      Which is much more simple.

      This implies a 33.333333 MHz PCI frequency,
      but this is correct.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9491e9bc019a365dfa9780f462984a0d052f4c0d
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Mon Aug 24 19:29:45 2015 +0200

      i6300esb: remove muldiv64()

      Originally, timers were ticks based, and it made sense to
      add ticks to current time to know when to trigger an alarm.

      But since commit:

      7447545 change all other clock references to use nanosecond resolution 
accessors

      All timers use nanoseconds and we need to convert ticks to nanoseconds, by
      doing something like:

          y = muldiv64(x, get_ticks_per_sec(), PCI_FREQUENCY)

      where x is the number of device ticks and y the number of system ticks.

      y is used as nanoseconds in timer functions,
      it works because 1 tick is 1 nanosecond.
      (get_ticks_per_sec() is 10^9)

      But as PCI frequency is 33 MHz, we can also do:

          y = x * 30; /* 33 MHz PCI period is 30 ns */

      Which is much more simple.

      This implies a 33.333333 MHz PCI frequency,
      but this is correct.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>

  commit 06c3916b35a1cf6db548450a0cfb96983c33c82f
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Tue Sep 8 11:28:33 2015 +0800

      Backup: don't do copy-on-read in before_write_notifier

      We will copy data in before_write_notifier to do backup.
      It is a nested I/O request, so we cannot do copy-on-read.

      The steps to reproduce it:
      1. -drive copy-on-read=on,...  // qemu option
      2. drive_backup -f disk0 /path_to_backup.img // monitor command

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Tested-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 1441682913-14320-3-git-send-email-wency@xxxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 9568b511c9f91c3d21ea3e83426d4ee7168c98bb
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Tue Sep 8 11:28:32 2015 +0800

      block: Introduce a new API bdrv_co_no_copy_on_readv()

      In some cases, we need to disable copy-on-read, and just
      read the data.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-id: 1441682913-14320-2-git-send-email-wency@xxxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 4da65c80921139f3e0ff63f5ea20c5d9c778364f
  Author: Liu Yuan <liuyuan@xxxxxxxxxxxxxxxxxxxx>
  Date:   Fri Aug 28 10:53:58 2015 +0800

      sheepdog: add reopen support

      With reopen supported, block-commit (and offline commit) is now supported 
for
      image files whose base image uses the Sheepdog protocol driver.

      Cc: qemu-devel@xxxxxxxxxx
      Cc: Jeff Cody <jcody@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Liu Yuan <liuyuan@xxxxxxxxxxxxxxxxxxxx>
      Message-id: 1440730438-24676-1-git-send-email-namei.unix@xxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 18a8056e0bc744e5dd2bb5cb998423b607d99f19
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Aug 27 12:30:41 2015 +0200

      block/nfs: cache allocated filesize for read-only files

      If the file is readonly its not expected to grow so
      save the blocking call to nfs_fstat_async and use
      the value saved at connection time. Also important
      the monitor (and thus the main loop) will not hang
      if block device info is queried and the NFS share
      is unresponsive.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 1440671441-7978-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 055c6f912c8d3cd9a901972ae432c47e5872f71a
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Aug 20 12:46:47 2015 +0200

      block/nfs: fix calculation of allocated file size

      st.st_blocks is always counted in 512 byte units. Do not
      use st.st_blksize as multiplicator which may be larger.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 1440067607-14547-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 8e9620a683925daf9900c2ac5f2dfa14b6439932
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri Sep 25 11:38:36 2015 +0200

      doc: Refresh URLs in the qemu-tech documentation

      The TwoOStwo and Willows page seem to have disappeared completely,
      and also some of the other links were not pointing to the right
      locations anymore.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-Id: <1443173916-8895-1-git-send-email-thuth@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 717171bd2025f732d7fcf43efc08f1551953a0e3
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Sep 24 14:41:38 2015 +0100

      docs: describe the QEMU build system structure / design

      Developers who are new to QEMU, or have a background familiarity
      with GNU autotools, can have trouble getting their head around the
      home-grown QEMU build system. This document attempts to explain
      the structure / design of the configure script and the various
      Makefile pieces that live across the source tree.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1443102098-13642-1-git-send-email-berrange@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ae1e93801d9a60642b349c571122909f0019d59e
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:25:01 2015 +0300

      typedef: add typedef for QemuOpts

      This patch moves typedefs for QemuOpts and related types
      to qemu/typedefs.h file.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162501.8676.85435.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a4fc321219cc1c6bd5ca1262cdbbb2e8cee8d56e
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:24:11 2015 +0300

      i386: interrupt poll processing

      This patch updates x86_cpu_exec_interrupt function.
      It can process two interrupt request at a time (poll and another one).
      This makes its execution non-deterministic. Determinism is requred
      for recorded icount execution.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162410.8676.13042.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6220e900bcdc524a175b2d2e725ebb9bb11a0008
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Thu Sep 17 19:23:31 2015 +0300

      i386: partial revert of interrupt poll fix

      Processing CPU_INTERRUPT_POLL requests in cpu_has_work functions
      break the determinism of cpu_exec. This patch is required to make
      interrupts processing deterministic.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150917162331.8676.15286.stgit@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4ecd4d16a0af714ff7d9a1ad2559c621bf27649f
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      ppc: Rename ELF_MACHINE to be PPC specific

      Rename ELF_MACHINE to be PPC specific. This is used as-is by the
      various PPC bootloaders and is locally defined to ELF_MACHINE in linux
      user in PPC specific ifdeffery.

      This removes another architecture specific definition from the global
      namespace (as desired by multi-arch).

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: qemu-ppc@xxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a5e8788f89312f19f54dba0454ee5bf7209b4cd7
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      i386: Rename ELF_MACHINE to be x86 specific

      Rename ELF_MACHINE to be I386 specific. This is used as-is by the
      multiboot loader.

      Linux-user previously used this definition but will not anymore,
      falling back to the default bahaviour of using ELF_ARCH as ELF_MACHINE.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Acked-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a0036becd80f8eae260df68d7f2fd2d8d7d90f35
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      alpha: Remove ELF_MACHINE from cpu.h

      ELF_MACHINE is unused by target alpha.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 04ce380e9e3fad1dbf4e86ebdf9315573a06b30e
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      mips: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      The bootloaders can just pass EM_MIPS directly, as that is
      architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 77452383e0c45704e2339b58eac29a3730bc18b1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      sparc: Remove ELF_MACHINE from cpu.h

      The bootloaders can just pass EM_SPARC or EM_SPARCV9 directly, as
      they are architecture specific code (to one or the other).

      This removes another architecture specific definition from the global
      namespace.

      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 99a4434ed7355ba9b282b872ba2c2eb294f5dbec
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      s390: Remove ELF_MACHINE from cpu.h

      The bootloader can just pass EM_S390 directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bf337d4eae5ccf4d7f5d91b8d4471e7523f051de
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      sh4: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Acked-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 943cd387223df9398279a473ef20605c315ed2df
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      xtensa: Remove ELF_MACHINE from cpu.h

      The bootloaders can just pass EM_XTENSA directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7183128bc9f335d66ed84316431c14e733e01a03
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      tricore: Remove ELF_MACHINE from cpu.h

      The bootloader can just pass EM_TRICORE directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Acked-By: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ed03ecf8f07a0c59a2fb422f91e80a6edd068d06
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      or32: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      The bootloader can just pass EM_OPENRISC directly, as that is
      architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Jia Liu <proljc@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 22d2fb4c594e8ac540f5b3132ce0d7a635112b1a
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      lm32: Remove ELF_MACHINE from cpu.h

      The bootloaders can just pass EM_LATTICEMICO32 directly, as that is
      architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Michael Walle <michael@xxxxxxxx>
      Acked-By: Michael Walle <michael@xxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 663c40a50d06c8c299cc7449bf2c7b8f3261c8a9
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      unicore: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Guan Xuetao <gxt@xxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b744d332f3ef17adc1219be7098b0a4cc30b2dbe
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      moxie: Remove ELF_MACHINE from cpu.h

      The bootloader can just pass EM_MOXIE directly, as that is architecture
      specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7233df4949df2b6c2b417beaf336a180b3c66e25
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      cris: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      The bootloader can just pass EM_CRIS directly, as that is architecture
      specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 45e6b8b61a7bbb71d1fa6c4193b47ba3a1f9f033
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      m68k: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux users'
      default behaviour of defaulting ELF_MACHINE to ELF_ARCH will handle
      this.

      The machine model bootloaders can just pass EM_68K directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Laurent Vivier <laurent@xxxxxxxxx>
      Cc: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Reviewed-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f4fc2bbfa2abd655ddcc622a8ae18c368bbce992
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:10 2015 -0700

      mb: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user, but linux-users'
      default behaviour or setting ELF_MACHINE to ELF_ARCH will handle this.

      The microblaze bootloader can just pass EM_MICROBLAZE directly, as that
      is architecture specific code.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b597c3f7da17fcb37d394a16a6c0ef0a02846177
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 10 23:29:25 2015 -0700

      arm: Remove ELF_MACHINE from cpu.h

      The only generic code relying on this is linux-user. Linux user
      already has a lot of #ifdef TARGET_ customisation so instead, define
      ELF_ARCH as either EM_ARM or EM_AARCH64 appropriately.

      The armv7m bootloader can just pass EM_ARM directly, as that
      is architecture specific code. Note that arm_boot already has its own
      logic selecting an arm specific elf machine so this makes V7M more
      consistent with arm_boot.

      This removes another architecture specific definition from the global
      namespace.

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 98dbe5aca8c328b40a0598d6ab478d9b869d1b5c
  Author: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
  Date:   Sat Aug 29 12:07:50 2015 -0700

      elf: Update EM_MOXIE definition

      EM_MOXIE now has a proper assigned elf code. Use it. Register the old
      interim value as EM_MOXIE_OLD and accept either in elf loading.

      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7cc472218c807ef85714ec71b161c39ee29d634e
  Author: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
  Date:   Mon Aug 17 21:53:16 2015 -0700

      elf_ops: Fix coding style for EM alias case statement

      Fix the coding style for these cases as per CODING_STYLE. Reverse the
      Yoda conditions and add missing if braces.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d276a604bfba002aafc3af2a906b7412907ea598
  Author: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
  Date:   Sun Jul 19 11:29:32 2015 -0700

      linux-user: elfload: Provide default for elf_check_arch

      For many arch's this macro is defined as the predicatable behaviour
      of checking the argument for eqaulity against ELF_ARCH. Provide a
      default define as such, so only archs with special handling (usually
      allowing multiple EM values) need to provide a def.

      Arches that do any of:

      1: provide this def exactly the same way as the new default
              (alpha, x86_64)
      2: check against ELF_MACHINE while defining ELF_ARCH == ELF_MACHINE
              (arm, aarch64)
      3: check against EM_FOO directly while defining ELF_ARCH == EM_FOO
              (unicore32, sparc32, ppc32, mips, openrisc, sh4, cris, m86k)

      have their elf_check_arch removed as the default will provide the
      correct behaviour.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 75be901cdcd20acc724534e2dff58bc7b539292f
  Author: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
  Date:   Sun Jul 19 05:02:37 2015 -0700

      linux_user: elfload: Default ELF_MACHINE to ELF_ARCH

      In most (but not all) cases, ELF_MACHINE and ELF_ARCH are safely the
      same. Default ELF_MACHINE to ELF_ARCH. This makes defining ELF_MACHINE
      optional for target-*/cpu.h when they are known to match.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Acked-By: Riku Voipio <riku.voipio@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6bde8fd69f874a107f04cea2695ebece849213c5
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:21 2015 +0300

      hmp: implemented io apic dump state for TCG

      Added support emulator for the hmp command "info ioapic"

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-10-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d665d696c53f776ec2cb91505658969b9eb9906b
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:20 2015 +0300

      hmp: added io apic dump state

      Added the hmp command to query io apic state, may be usefull after guest
      crashes to understand IRQ routing in guest.

      Implementation is only for kvm here. The dump will look like
      (qemu) info ioapic
      ioapic id=0x00 sel=0x26 (redir[11])
      pin 0  0x0000000000010000 dest=0 vec=0   active-hi edge  masked fixed  
physical
      pin 1  0x0000000000000031 dest=0 vec=49  active-hi edge         fixed  
physical
      ...
      pin 23 0x0000000000010000 dest=0 vec=0   active-hi edge  masked fixed  
physical
      IRR        (none)
      Remote IRR (none)

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-9-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit af599407352a2e05235d96196e8841ad1b39dd0f
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:19 2015 +0300

      ioapic_internal.h: added more constants

      Added the masks for easy  access to fields of the redirection table entry

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-8-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1f871d49e3446f34a434860ce403c43eaad820a1
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:18 2015 +0300

      hmp: added local apic dump state

      Added the hmp command to query local apic registers state, may be
      usefull after guest crashes to understand IRQ routing in guest.

      (qemu) info lapic
      dumping local APIC state for CPU 0

      LVT0    0x00010700 active-hi edge  masked                      ExtINT 
(vec 0)
      LVT1    0x00000400 active-hi edge                              NMI
      LVTPC   0x00010000 active-hi edge  masked                      Fixed  
(vec 0)
      LVTERR  0x000000fe active-hi edge                              Fixed  
(vec 254)
      LVTTHMR 0x00010000 active-hi edge  masked                      Fixed  
(vec 0)
      LVTT    0x000000ef active-hi edge                 one-shot     Fixed  
(vec 239)
      Timer   DCR=0x3 (divide by 16) initial_count = 61360
      SPIV    0x000001ff APIC enabled, focus=off, spurious vec 255
      ICR     0x000000fd physical edge de-assert no-shorthand
      ICR2    0x00000001 cpu 1 (X2APIC ID)
      ESR     0x00000000
      ISR     (none)
      IRR     239

      APR 0x00 TPR 0x00 DFR 0x0f LDR 0x00 PPR 0x00

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-7-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit caf15319e8b636a2606e232a95c1623857db8152
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:17 2015 +0300

      monitor: make monitor_fprintf and mon_get_cpu externally visible

      monitor_fprintf and mon_get_cpu will be used in the target-specific 
monitor,
      so it is advisable to make it external.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-6-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b6cfc3c2ac5a1025d8fe7d74421a73ec495408f9
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:16 2015 +0300

      apic_internal.h: fix formatting and drop unused consts

      Fix formatting of local apic definitions and drop unused constant
      APIC_INPUT_POLARITY, APIC_SEND_PENDING. Magic numbers in shifts are
      replaced with constants defined just above.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-5-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6519d187e301c5a14a8c9b32fb93027b04a4336d
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:15 2015 +0300

      apic_internal.h: added more constants

      These constants are needed for optimal access to
      bit fields local apic registers without magic numbers.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-4-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a22bf99c5852f369dc620be2c3c93535a5b69a58
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:14 2015 +0300

      apic_internal.h: rename ESR_ILLEGAL_ADDRESS to APIC_ESR_ILLEGAL_ADDRESS

      Added prefix APIC_ for determining the constant of a particular subsystem,
      improve the overall readability and match other constant names.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-3-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 82a5e042fafe3def60380c847fa194220069f888
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Tue Sep 22 16:18:13 2015 +0300

      apic_internal.h: make some apic_get_* functions externally visible

      Move apic_get_bit(), apic_set_bit() to apic_internal.h, make the 
apic_get_ppr
      symbol external. It's necessary to work with isr, tmr, irr and ppr outside
      hw/intc/apic.c

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1442927901-1084-2-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2f5a3b1252ac238590cba83a38494e1103c32e4e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 30 10:21:00 2015 +0200

      ioapic: fix contents of arbitration register

      The arbitration register should read to the same value as the
      IOAPIC id register.  Fixes kvm-unit-tests ioapic.flat.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c5955a561ccdb95ede14e83de0ee8eec00868bd3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 30 10:19:24 2015 +0200

      ioapic: coalesce level interrupts

      If a level-triggered interrupt goes down and back up before the
      corresponding EOI, it should be coalesced.  This fixes one testcase
      in kvm-unit-tests' ioapic.flat.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f536f1124265026a0ab597773bd9df396fb59565
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:40:00 2015 +0200

      MAINTAINERS: add maintainer for network device front-ends

      Only "Odd Fixes" status, but let's add a point of contact.

      Cc: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 61af0ee61b551b64f9a59b7e08133e357cae4b64
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:40:00 2015 +0200

      MAINTAINERS: add maintainer for character device front-ends

      Only "Odd Fixes" status, but let's add a point of contact.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 28d54e58fd21e3176a2825c824a5921215835a3c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:37:27 2015 +0200

      MAINTAINERS: add IPack section

      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0c6aa7ee4026105a43bc36b93279ecb8e55cd843
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:37:07 2015 +0200

      MAINTAINERS: Add more s390 files

      Cc: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c17652ee4094ce4feb1daf2f064c45db0e58ed02
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:36:16 2015 +0200

      MAINTAINERS: Add disassemblers to the various backends

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dcc1a2fd95d9e3e786fd5c7c61466c2fccef1e31
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:35:49 2015 +0200

      MAINTAINERS: there is no PPC64 TCG backend anymore

      PPC32 and PPC64 were unified.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ba10f729f1f158333fcffe00f8656365a74cc662
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:54:32 2015 +0200

      get_maintainer.pl: \C is deprecated

      "Match a single C-language char (octet) even if that is part of a larger
      UTF-8 character.  Thus it breaks up characters into their UTF-8 bytes,
      so you may end up with malformed pieces of UTF-8."

      Just use a period instead.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 500887768a2428e480d13f6f0978f85d349bc312
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Sep 18 16:18:40 2015 +0200

      vhost-scsi: include linux/vhost.h

      Replace ad-hoc declarations with the linux header.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Message-Id: 
<1442585920-28373-1-git-send-email-marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 57f54629299de6ad2981a275049ace2c3c165173
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Sep 18 11:01:35 2015 +0100

      Makefile: fix build when VPATH is outside GIT tree

      Steve Ellcey / Leon Alrae reported that QEMU fails to build when
      the VPATH directory is outside of the GIT tree, and the system
      emulators & tools build is disabled. eg

         cd ..
         mkdir build
         cd build
         ../qemu/configure --disable-system --disable-tools
         make
         (...)
         make[1]: *** No rule to make target `../qom/object.o', needed by 
`qemu-aarch64'. Stop.
         make: *** [subdir-aarch64-linux-user] Error 2

      The problem is due to the fact that some sub directory deps
      were listed against SOFTMMU_SUBDIR_RULES instead of SUBDIR_RULES,
      so were only processed for system emulators, not user emalutors.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442570495-22029-1-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0eb2baeb449d27d6e6208a257dba6be1aad4d476
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 16 17:26:16 2015 +0200

      scsi-generic: let guests recognize readonly=on on passthrough devices

      Passed-through SCSI devices can be opened with the readonly=on option.
      When this happens, Linux filters away write commands so that the guest
      cannot overwrite the contents of the device.

      However, the guest does not know that the device is read-only, and
      accepts writes.  The writes only fail later when the page cache is
      flushed.

      This patch modifies scsi-generic to modify the MODE SENSE data and
      set the read-only bit in the device-specific parameters, so that
      the guest OS treats the disk as write protected.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5e43efb29ae877da131e6c1a4761cd7f4eec5a16
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 16 18:35:09 2015 +0200

      checkpatch: do not recommend qemu_strtok over strtok

      If anything it should recommend strtok_r!

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fe8545386726a2b1f8af409bcd5ea3d33218af54
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Sep 16 18:02:57 2015 +0200

      tests: add some qemu_strtosz() tests

      While reading the function I decided to write some tests.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Message-Id: <1442419377-9309-2-git-send-email-marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4677bb40f809394bef5fa07329dea855c0371697
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Wed Sep 16 18:02:56 2015 +0200

      utils: rename strtosz to use qemu prefix

      Not only it makes sense, but it gets rid of checkpatch warning:
      WARNING: consider using qemu_strtosz in preference to strtosz

      Also remove get rid of tabs to please checkpatch.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Message-Id: <1442419377-9309-1-git-send-email-marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 48bec07e8de2782fea2ea293998044bef2ab676d
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 16 14:52:23 2015 +0100

      qemu-nbd: convert to use the QAPI SocketAddress object

      The qemu-nbd program currently uses a QemuOpts objects
      when setting up sockets. Switch it over to use the
      QAPI SocketAddress objects instead.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442411543-28513-3-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7a5ed43764c04866b7642c7b6afcfb67bd2d424f
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 16 14:52:22 2015 +0100

      nbd: convert to use the QAPI SocketAddress object

      The nbd block driver currently uses a QemuOpts object
      when setting up sockets. Switch it over to use the
      QAPI SocketAddress object instead.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442411543-28513-2-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f178bc6b68e6c65cda7354ec4a671860b3123f7a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:56:48 2015 +0200

      MAINTAINERS: add more devices to the PCI section

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9cc3b73cd8a88e16756f5d14fa87e156a4ce1e8d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Sep 22 11:56:47 2015 +0200

      MAINTAINERS: add more devices to the PC section

      For chipset devices, I can co-maintain it with Michael.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8a47d575dfac0f6675e2ac56c5921cc520d021a6
  Merge: 9438fe9 4d9310f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 24 22:09:41 2015 +0100

      Merge remote-tracking branch 'remotes/weil/tags/pull-wxx-20150924' into 
staging

      wxx patch queue

      # gpg: Signature made Thu 24 Sep 2015 20:24:50 BST using RSA key ID 
677450AD
      # gpg: Good signature from "Stefan Weil <sw@xxxxxxxxxxx>"
      # gpg:                 aka "Stefan Weil <stefan.weil@xxxxxxxxxxx>"
      # gpg:                 aka "Stefan Weil <stefan.weil@xxxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 4923 6FEA 75C9 5D69 8EC2  B78A E08C 21D5 6774 
50AD

      * remotes/weil/tags/pull-wxx-20150924:
        oslib-win32: only provide localtime_r/gmtime_r if missing
        gtk: avoid redefining _WIN32_WINNT macro
        qemu-thread: add a fast path to the Win32 QemuEvent
        slirp: Fix non blocking connect for w32
        nsis: Add QEMU version information to Windows registry

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4d9310f427b477a126f6f2006c3a73b9764948b6
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Sep 22 15:13:26 2015 +0100

      oslib-win32: only provide localtime_r/gmtime_r if missing

      The oslib-win32 file currently provides a localtime_r and
      gmtime_r replacement unconditionally. Some versions of
      Mingw-w64 would provide crude macros for localtime_r/gmtime_r
      which QEMU takes care to disable. Latest versions of Mingw-w64
      now provide actual functions for localtime_r/gmtime_r, but
      with a twist that you have to include unistd.h or pthread.h
      before including time.h.  By luck some files in QEMU have
      such an include order, resulting in compile errors:

        CC    util/osdep.o
      In file included from include/qemu-common.h:48:0,
                       from util/osdep.c:48:
      include/sysemu/os-win32.h:77:12: error: redundant redeclaration of 
'gmtime_r' [-Werror=redundant-decls]
       struct tm *gmtime_r(const time_t *timep, struct tm *result);
                  ^
      In file included from include/qemu-common.h:35:0,
                       from util/osdep.c:48:
      /usr/i686-w64-mingw32/sys-root/mingw/include/time.h:272:107: note: 
previous definition of 'gmtime_r' was here
      In file included from include/qemu-common.h:48:0,
                       from util/osdep.c:48:
      include/sysemu/os-win32.h:79:12: error: redundant redeclaration of 
'localtime_r' [-Werror=redundant-decls]
       struct tm *localtime_r(const time_t *timep, struct tm *result);
                  ^
      In file included from include/qemu-common.h:35:0,
                       from util/osdep.c:48:
      /usr/i686-w64-mingw32/sys-root/mingw/include/time.h:269:107: note: 
previous definition of 'localtime_r' was here

      This change adds a configure test to see if localtime_r
      exits, and only enables the QEMU impl if missing. We also
      re-arrange qemu-common.h try attempt to guarantee that all
      source files get unistd.h before time.h and thus see the
      localtime_r/gmtime_r defs.

      [sw: Use "official" spellings for Mingw-w64, MinGW in comments.]
      [sw: Terminate sentences with a dot in comments.]

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>

  commit c8f3f17cf1015d6621f79aa6a88280539621a108
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Sep 8 11:34:35 2015 +0100

      gtk: avoid redefining _WIN32_WINNT macro

      When building for Mingw64 target on Fedora 22 a warning
      is issued about _WIN32_WINNT being redefined.

      In file included from ui/gtk.c:40:0:
      include/ui/gtk.h:5:0: warning: "_WIN32_WINNT" redefined
       # define _WIN32_WINNT 0x0601 /* needed to get definition of 
MAPVK_VK_TO_VSC */
        ^
      In file included from 
/usr/i686-w64-mingw32/sys-root/mingw/include/crtdefs.h:10:0,
                       from 
/usr/i686-w64-mingw32/sys-root/mingw/include/stdio.h:9,
                       from 
/home/berrange/src/virt/qemu/include/qemu/fprintf-fn.h:12,
                       from 
/home/berrange/src/virt/qemu/include/qemu-common.h:18,
                       from ui/gtk.c:37:
      /usr/i686-w64-mingw32/sys-root/mingw/include/_mingw.h:225:0: note: this 
is the location of the previous definition
       #define _WIN32_WINNT 0x502
       ^

      Rather than try to get MAPVK_VK_TO_VSC defined indirectly
      by defining _WIN32_WINNT, instead just define it explicitly
      if missing.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7c9b2bf67775ecc1359ce973580807d173e7f710
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Aug 12 15:38:18 2015 +0200

      qemu-thread: add a fast path to the Win32 QemuEvent

      QemuEvents are used heavily by call_rcu.  We do not want them to be slow,
      but the current implementation does a kernel call on every invocation
      of qemu_event_* and won't cut it.

      So, wrap a Win32 manual-reset event with a fast userspace path.  The
      states and transitions are the same as for the futex and mutex/condvar
      implementations, but the slow path is different of course.  The idea
      is to reset the Win32 event lazily, as part of a test-reset-test-wait
      sequence.  Such a sequence is, indeed, how QemuEvents are used by
      RCU and other subsystems!

      The patch includes a formal model of the algorithm.

      Tested-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>

  commit a246a01631f90230374c2b8ffce608232e2aa654
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Thu Jul 30 23:08:12 2015 +0200

      slirp: Fix non blocking connect for w32

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>

  commit 805d8a67647768173c27761cd86e6f99a9d3b7cd
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sun May 3 19:57:09 2015 +0200

      nsis: Add QEMU version information to Windows registry

      The uninstall keys include an option key "DisplayVersion" which we set
      now. By default the version value is read from file VERSION, but it is
      also possible to pass VERSION=#.#.# to make.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>

  commit 9438fe9e56760e5e5e11d6c7d12ed9c64a0c8446
  Merge: eb9d0ea 7b02f54
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 24 17:04:31 2015 +0100

      Merge remote-tracking branch 'remotes/elmarco/tags/rm-libcacard' into 
staging

      Remove libcacard

      # gpg: Signature made Wed 23 Sep 2015 22:37:11 BST using RSA key ID 
75969CE5
      # gpg: Good signature from "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxxx>"
      # gpg:                 aka "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 87A9 BD93 3F87 C606 D276  F62D DAE8 E109 7596 
9CE5

      * remotes/elmarco/tags/rm-libcacard:
        libcacard: use the standalone project

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7263a0ad7899994b719ebed736a1119cc2e08110
  Author: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
  Date:   Wed Sep 23 12:20:01 2015 +0800

      vhost-user: add a new message to disable/enable a specific virt queue.

      Add a new message, VHOST_USER_SET_VRING_ENABLE, to enable or disable
      a specific virt queue, which is similar to attach/detach queue for
      tap device.

      virtio driver on guest doesn't have to use max virt queue pair, it
      could enable any number of virt queue ranging from 1 to max virt
      queue pair.

      Signed-off-by: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit b931bfbf042983f311b3b09894d8030b2755a638
  Author: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
  Date:   Wed Sep 23 12:20:00 2015 +0800

      vhost-user: add multiple queue support

      This patch is initially based a patch from Nikolay Nikolaev.

      This patch adds vhost-user multiple queue support, by creating a nc
      and vhost_net pair for each queue.

      Qemu exits if find that the backend can't support the number of requested
      queues (by providing queues=# option). The max number is queried by a
      new message, VHOST_USER_GET_QUEUE_NUM, and is sent only when protocol
      feature VHOST_USER_PROTOCOL_F_MQ is present first.

      The max queue check is done at vhost-user initiation stage. We initiate
      one queue first, which, in the meantime, also gets the max_queues the
      backend supports.

      In older version, it was reported that some messages are sent more times
      than necessary. Here we came an agreement with Michael that we could
      categorize vhost user messages to 2 types: non-vring specific messages,
      which should be sent only once, and vring specific messages, which should
      be sent per queue.

      Here I introduced a helper function vhost_user_one_time_request(), which
      lists following messages as non-vring specific messages:

              VHOST_USER_SET_OWNER
              VHOST_USER_RESET_DEVICE
              VHOST_USER_SET_MEM_TABLE
              VHOST_USER_GET_QUEUE_NUM

      For above messages, we simply ignore them when they are not sent the first
      time.

      Signed-off-by: Nikolay Nikolaev <n.nikolaev@xxxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit fc57fd9900dc6344b8833e7641f63cddc6840301
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 12:19:59 2015 +0800

      vhost: introduce vhost_backend_get_vq_index method

      Minusing the idx with the base(dev->vq_index) for vhost-kernel, and
      then adding it back for vhost-user doesn't seem right. Here introduces
      a new method vhost_backend_get_vq_index() for getting the right vq
      index for following vhost messages calls.

      Suggested-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit e2051e9e004649b53af4db34f78c689fb44e075b
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 12:19:58 2015 +0800

      vhost-user: add VHOST_USER_GET_QUEUE_NUM message

      This is for querying how many queues the backend supports if it has mq
      support(when VHOST_USER_PROTOCOL_F_MQ flag is set from the quried
      protocol features).

      vhost_net_get_max_queues() is the interface to export that value, and
      to tell if the backend supports # of queues user requested, which is
      done in the following patch.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit d1f8b30ec8dde0318fd1b98d24a64926feae9625
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 12:19:57 2015 +0800

      vhost: rename VHOST_RESET_OWNER to VHOST_RESET_DEVICE

      Quote from Michael:

          We really should rename VHOST_RESET_OWNER to VHOST_RESET_DEVICE.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit dcb10c000cdd4d14f5ac4f07b04fb666494ef4a8
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Sep 23 12:19:56 2015 +0800

      vhost-user: add protocol feature negotiation

      Support a separate bitmask for vhost-user protocol features,
      and messages to get/set protocol features.

      Invoke them at init.

      No features are defined yet.

      [ leverage vhost_user_call for request handling -- Yuanhan Liu ]

      Signed-off-by: Michael S. Tsirkin <address@hidden>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit 7305483a3d113456681ba6c6e8dd41513decd5f6
  Author: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
  Date:   Wed Sep 23 12:19:55 2015 +0800

      vhost-user: use VHOST_USER_XXX macro for switch statement

      So that we could let vhost_user_call to handle extented requests,
      such as VHOST_USER_GET/SET_PROTOCOL_FEATURES, instead of invoking
      vhost_user_read/write and constructing the msg again by ourself.

      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Yuanhan Liu <yuanhan.liu@xxxxxxxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>

  commit 542571d523268357fd8f5b1a523ba2a6191c4c18
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Sep 11 15:16:44 2015 +0200

      virtio-ccw: enable virtio-1

      Let's enable revision 1 for virtio-ccw devices. We can always offer
      VERSION_1 as drivers in legacy mode won't be able to see it anyway.

      We have to introduce a way to set a lower maximum revision for a device
      to accommodate the following cases:
      - compat machines (to enforce legacy only)
      - virtio-blk with scsi support (version 1 + scsi is fenced by common
        code, with a user-configured max revision of 0 we can allow scsi
        via not offering VERSION_1)

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b4f8f9df152fca0e79b7a3ca40a3eea700a40855
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Sep 11 15:16:43 2015 +0200

      virtio-ccw: feature bits > 31 handling

      We currently switch off the VERSION_1 feature bit if the guest has
      not negotiated at least revision 1. As no feature bits beyond 31 are
      valid however unless VERSION_1 has been negotiated, make sure that
      legacy guests never see a feature bit beyond 31.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 79cd0c80f82215a32890e3d30ff621b32ece5156
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Sep 11 15:16:42 2015 +0200

      virtio-ccw: support ring size changes

      Wire up changing the ring size for virtio-1 devices.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 46c5d0823d0186daf4064065bf739858dadfcf8c
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Sep 11 15:16:41 2015 +0200

      virtio: ring sizes vs. reset

      We allow guests to change the size of the virtqueue rings by supplying
      a number of buffers that is different from the number of buffers the
      device was initialized with. Current code has some problems, however,
      since reset does not reset the ringsizes to the default values (as this
      is not saved anywhere).

      Let's extend the core code to keep track of the default ringsizes and
      migrate them once the guest changed them for any of the virtqueues
      for a device.

      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 87e896abe6d926caba19a9b8a83936fca2137f05
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 11 17:14:25 2015 -0300

      pc: Introduce pc-*-2.5 machine classes

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 254bdb1cbfd467ff9897c75a28a472e4381ce4cf
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 11 17:14:24 2015 -0300

      q35: Move options common to all classes to pc_i440fx_machine_options()

      The existing default_machine_opts and default_display settings will
      still apply to future machine classes. So it makes sense to move them to
      pc_i440fx_machine_options() instead of keeping them in a
      version-specific machine_options function.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0b7783a79ef73a06f3a67b68e72d109afe975b77
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 11 17:14:23 2015 -0300

      q35: Move options common to all classes to pc_q35_machine_options()

      The existing default_machine_opts, default_display, no_floppy, and
      no_tco settings will still apply to future machine classes. So it makes
      sense to move them to pc_q35_machine_options() instead of keeping them
      in a version-specific machine_options function.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1f8828ef573c83365b4a87a776daf8bcef1caa21
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Sep 11 16:01:56 2015 +0800

      virtio-net: unbreak self announcement and guest offloads after migration

      After commit 019a3edbb25f1571e876f8af1ce4c55412939e5d ("virtio: make
      features 64bit wide"). Device's guest_features was actually set after
      vdc->load(). This breaks the assumption that device specific load()
      function can check guest_features. For virtio-net, self announcement
      and guest offloads won't work after migration.

      Fixing this by defer them to virtio_net_load() where guest_features
      were guaranteed to be set. Other virtio devices looks fine.

      Fixes: 019a3edbb25f1571e876f8af1ce4c55412939e5d
             ("virtio: make features 64bit wide")
      Cc: qemu-stable@xxxxxxxxxx
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 50764fc8a382dc17ccc06c0ba29184d0fd73016e
  Author: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 10 13:37:10 2015 +0200

      virtio: right size for virtio_queue_get_avail_size

      Being working on dataplane I notice something strange:

      virtio_queue_get_avail_size() used a 64bit size index
      for the calculation of the available ring size.

      It is quite strange but it did work with the old calculation
      of the avail ring, at most with performance penalty,
      and I wonder where I missed something.

      This patch let use a 16bit size as defined in virtio_ring.h

      Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9d146b2e2fbc1c2e42be1e3ee6c0d507ea79f0f9
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 21:27:17 2015 -0600

      vfio/pci: Remove use of g_malloc0_n() from quirks

      For compatibility with glib 2.22.

      Reported-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit eb9d0ea063fc7bdfab76b84085602a9e48d13ec7
  Merge: fefa4b1 85b4d5d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 24 01:32:11 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150924' into staging

      target-arm queue:
       * support VGICv3 in KVM
       * fix bug in ACPI table entries for flash devices in virt board
       * update Allwinner entry in MAINTAINERS

      # gpg: Signature made Thu 24 Sep 2015 01:29:55 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150924:
        MAINTAINERS: update Allwinner A10 maintainer
        hw/arm/virt-acpi-build: Fix wrong size of flash in ACPI table
        hw/arm/virt: Add gic-version option to virt machine
        hw/intc: Initial implementation of vGICv3
        arm_kvm: Do not assume particular GIC type in kvm_arch_irqchip_create()
        intc/gic: Extract some reusable vGIC code
        hw/intc: Implement GIC-500 base class

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 85b4d5dae12580ecdd446c0f71afa04a95641c91
  Author: Beniamino Galvani <b.galvani@xxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      MAINTAINERS: update Allwinner A10 maintainer

      Change the maintainer for Allwinner A10 to myself as Li Guang's mail
      address bounces. While at it, extend the file pattern for the entry to
      include allwinner_emac.[ch].

      Signed-off-by: Beniamino Galvani <b.galvani@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 1442865156-5598-1-git-send-email-b.galvani@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cd37aaf876717a75d7af3a7465e8706cc4e13661
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      hw/arm/virt-acpi-build: Fix wrong size of flash in ACPI table

      While virt machine creates two flash devices with total size 0x08000000,
      the ACPI table generation code was wrongly using this total size as the
      size of each flash device, so it would overlap other MMIO spaces.
      Make each device entry in the table half the total; this brings the
      ACPI table into line with the code which generates the device tree
      and which creates the flash devices themselves.

      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Andrew Jones <drjones@xxxxxxxxxx>
      Reviewed-by: Wei Huang <wei@xxxxxxxxxx>
      Tested-by: Graeme Gregory <graeme.gregory@xxxxxxxxxx>
      Message-id: 1442455041-6596-1-git-send-email-shannon.zhao@xxxxxxxxxx
      [PMM: edited commit message]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b92ad3949bc9cacd1652b4e07e7f6003b9e512af
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      hw/arm/virt: Add gic-version option to virt machine

      Add gic_version to VirtMachineState, set it to value of the option
      and pass it around where necessary. Instantiate devices and fdt
      nodes according to the choice.

      max_cpus for virt machine increased to 123 (calculated from redistributor
      space available in the memory map). GICv2 compatibility check happens
      inside arm_gic_common_realize().

      ITS region is added to the memory map too, however currently it not used,
      just reserved.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      [PMM: Added missing cpu_to_le* calls, thanks to Shannon Zhao]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a7bf30342e6a7924132a5c70047928261d3c7e42
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      hw/intc: Initial implementation of vGICv3

      This is the initial version of KVM-accelerated GICv3 support.
      State load and save are not yet supported, live migration is
      not possible.

      In order to get correct class name in a simpler way, gicv3_class_name()
      function is implemented, similar to gic_class_name().

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      Message-id: 
69d8f01d14994d7a1a140e96aef59fd332d02293.1441784344.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 34e85cd9173816cd48f5578c7838c26afbe592c4
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Sep 24 01:29:37 2015 +0100

      arm_kvm: Do not assume particular GIC type in kvm_arch_irqchip_create()

      This allows us to use different GIC types from v2. There are no kernels
      which could advertise KVM_CAP_DEVICE_CTRL without the actual ability to
      create GIC with it.

      GIC version probe code moved to kvm_arm_vgic_probe() which will be used
      later.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
015f4d9e4a8a50dfbdd734c4730558e24a69c6dc.1441784344.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b3cfe72d9b9c53be31a88e7eebdda14f1757d3e
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Sep 24 01:29:36 2015 +0100

      intc/gic: Extract some reusable vGIC code

      Some functions previously used only by vGICv2 are useful also for vGICv3
      implementation. Untie them from GICState and make accessible from within
      other modules:
      - kvm_arm_gic_set_irq()
      - kvm_gic_supports_attr() - moved to common code and renamed to
        kvm_device_check_attr()
      - kvm_gic_access() - turned into GIC-independent kvm_device_access().
        Data pointer changed to void * because some GICv3 registers are
        64-bit wide

      Some of these changes are not used right now, but they will be helpful for
      implementing live migration.

      Actually kvm_dist_get() and kvm_dist_put() could also be made reusable, 
but
      they would require two extra parameters (s->dev_fd and s->num_cpu) as 
well as
      lots of typecasts of 's' to DeviceState * and back to GICState *. This 
makes
      the code very ugly so i decided to stop at this point. I tried also an
      approach with making a base class for all possible GICs, but it would 
contain
      only three variables (dev_fd, cpu_num and irq_num), and accessing them 
through
      the rest of the code would be again tedious (either ugly casts or 
qemu-style
      separate object pointer). So i disliked it too.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
2ef56d1dd64ffb75ed02a10dcdaf605e5b8ff4f8.1441784344.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff8f06ee7680fb505079d33caaf8f5ebff0853bc
  Author: Shlomo Pongratz <shlomo.pongratz@xxxxxxxxxx>
  Date:   Thu Sep 24 01:29:36 2015 +0100

      hw/intc: Implement GIC-500 base class

      This class is to be used by both software and KVM implementations of GICv3

      Currently it is mostly a placeholder, but in future it is supposed to hold
      qemu's representation of GICv3 state, which is necessary for migration.

      The interface of this class is fully compatible with GICv2 one. This is
      done in order to simplify integration with existing code.

      Signed-off-by: Shlomo Pongratz <shlomo.pongratz@xxxxxxxxxx>
      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Ashok kumar <ashoks@xxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
aff8baaee493cdcab0694b4a1d4dd5ff27c37ed2.1441784344.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7b02f5447c64d1854468f758398c9f6fe9e5721f
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Sun Aug 30 11:48:40 2015 +0200

      libcacard: use the standalone project

      libcacard is now a standalone project hosted with the Spice project (see
      the 2.5.0 release announcement), remove it from qemu tree.

      Use the library if found during configure or if --enable-smartcard.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Tested-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fefa4b128de06cec6d513f00ee61e8208aed4a87
  Merge: 684bb57 89dcccc
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Sep 23 21:39:46 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150923.0' into staging

      VFIO updates 2015-09-23

       - Tracing improvements to use common prefixes for functional areas
       - Quirks overhaul:
         - Split PCI quirks to separate file
         - Make them understandable and more extensible
         - Improve use of MemoryRegions and eliminate use of target pagesize
       - Eliminate build-time debugging, everything migrated to runtime opts

      # gpg: Signature made Wed 23 Sep 2015 21:09:05 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150923.0:
        vfio/pci: Add emulated PCI IDs
        vfio/pci: Cache vendor and device ID
        vfio/pci: Move AMD device specific reset to quirks
        vfio/pci: Remove old config window and mirror quirks
        vfio/pci: Config mirror quirk
        vfio/pci: Config window quirks
        vfio/pci: Rework RTL8168 quirk
        vfio/pci: Cleanup Nvidia 0x3d0 quirk
        vfio/pci: Cleanup ATI 0x3c3 quirk
        vfio/pci: Foundation for new quirk structure
        vfio/pci: Cleanup ROM blacklist quirk
        vfio/pci: Split quirks to a separate file
        vfio/pci: Extract PCI structures to a separate header
        vfio: Change polarity of our no-mmap option
        vfio/pci: Make interrupt bypass runtime configurable
        vfio/pci: Rename MSI/X functions for easier tracing
        vfio/pci: Rename INTx functions for easier tracing
        vfio/pci: Cleanup vfio_early_setup_msix() error path
        vfio/pci: Cleanup RTL8168 quirk and tracing

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 89dcccc5931cc8afc2ccc7cd378695165768148b
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:49 2015 -0600

      vfio/pci: Add emulated PCI IDs

      Specifying an emulated PCI vendor/device ID can be useful for testing
      various quirk paths, even though the behavior and functionality of
      the device with bogus IDs is fully unsupportable.  We need to use a
      uint32_t for the vendor/device IDs, even though the registers
      themselves are only 16-bit in order to be able to determine whether
      the value is valid and user set.

      The same support is added for subsystem vendor/device ID, though these
      have the possibility of being useful and supported for more than a
      testing tool.  An emulated platform might want to impose their own
      subsystem IDs or at least hide the physical subsystem ID.  Windows
      guests will often reinstall drivers due to a change in subsystem IDs,
      something that VM users may want to avoid.  Of course careful
      attention would be required to ensure that guest drivers do not rely
      on the subsystem ID as a basis for device driver quirks.

      All of these options are added using the standard experimental option
      prefix and should not be considered stable.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ff635e3775447b7e797f1bad8cf33403199faba1
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:49 2015 -0600

      vfio/pci: Cache vendor and device ID

      Simplify access to commonly referenced PCI vendor and device ID by
      caching it on the VFIOPCIDevice struct.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit c9c5000991148383d628aac59f1593937be572e4
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:49 2015 -0600

      vfio/pci: Move AMD device specific reset to quirks

      This is just another quirk, for reset rather than affecting memory
      regions.  Move it to our new quirks file.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 958d553405462e95b9d15e8ca6cfb602f7815277
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:48 2015 -0600

      vfio/pci: Remove old config window and mirror quirks

      These are now unused.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0d38fb1c5f921acc050d5f80a2ff4e627b565494
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:48 2015 -0600

      vfio/pci: Config mirror quirk

      Re-implement our mirror quirk using the new infrastructure.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0e54f24a5b4bb756715928058b60a7d5f70ccd7f
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:48 2015 -0600

      vfio/pci: Config window quirks

      Config windows make use of an address register and a data register.
      In VGA cards, these are often used to provide real mode code in the
      BIOS an easy way to access MMIO registers since the window often
      resides in an I/O port register.  When the MMIO register has a mirror
      of PCI config space, we need to trap those accesses and redirect them
      to emulated config space.

      The previous version of this functionality made use of a single
      MemoryRegion and single match address.  This version uses separate
      MemoryRegions for each of the address and data registers and allows
      for multiple match addresses.  This is useful for Nvidia cards which
      have two ranges which index into PCI config space.

      The previous implementation is left for the follow-on patch for a more
      reviewable diff.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 954258a5f11b51abd1ceed7c96d1204d4cef1353
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:47 2015 -0600

      vfio/pci: Rework RTL8168 quirk

      Another rework of this quirk, this time to update to the new quirk
      structure.  We can handle the address and data registers with
      separate MemoryRegions and a quirk specific data structure, making the
      code much more understandable.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 6029a424be37e0d7949546af7593b9b604611480
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:47 2015 -0600

      vfio/pci: Cleanup Nvidia 0x3d0 quirk

      The Nvidia 0x3d0 quirk makes use of a two separate registers and gives
      us our first chance to make use of separate memory regions for each to
      simplify the code a bit.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit b946d286114e09a81c303c7ec8ec3f7b33dff9e8
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:47 2015 -0600

      vfio/pci: Cleanup ATI 0x3c3 quirk

      This is an easy quirk that really doesn't need a data structure if
      its own.  We can pass vdev as the opaque data and access to the
      MemoryRegion isn't required.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 8c4f234853d9d438dc1733ca98674b1139a87c99
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:46 2015 -0600

      vfio/pci: Foundation for new quirk structure

      VFIOQuirk hosts a single memory region and a fixed set of data fields
      that try to handle all the quirk cases, but end up making those that
      don't exactly match really confusing.  This patch introduces a struct
      intended to provide more flexibility and simpler code.  VFIOQuirk is
      stripped to its basics, an opaque data pointer for quirk specific
      data and a pointer to an array of MemoryRegions with a counter.  This
      still allows us to have common teardown routines, but adds much
      greater flexibility to support multiple memory regions and quirk
      specific data structures that are easier to maintain.  The existing
      VFIOQuirk is transformed into VFIOLegacyQuirk, which further patches
      will eliminate entirely.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 056dfcb695cde3c62b7dc1d5ed6d2e38b3a73e29
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:45 2015 -0600

      vfio/pci: Cleanup ROM blacklist quirk

      Create a vendor:device ID helper that we'll also use as we rework the
      rest of the quirks.  Re-reading the config entries, even if we get
      more blacklist entries, is trivial overhead and only incurred during
      device setup.  There's no need to typedef the blacklist structure,
      it's a static private data type used once.  The elements get bumped
      up to uint32_t to avoid future maintenance issues if PCI_ANY_ID gets
      used for a blacklist entry (avoiding an actual hardware match).  Our
      test loop is also crying out to be simplified as a for loop.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit c00d61d8fa22b096b15e19ee2fde846ffc1c0b5d
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:45 2015 -0600

      vfio/pci: Split quirks to a separate file

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 78f33d2bfd26ec552d9e824bcc1dbb8e2736ce34
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:44 2015 -0600

      vfio/pci: Extract PCI structures to a separate header

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 5e15d79b8681c7f4e2079833288785708e7520d3
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:44 2015 -0600

      vfio: Change polarity of our no-mmap option

      The default should be to allow mmap and new drivers shouldn't need to
      expose an option or set it to other than the allocation default in
      their initfn.  Take advantage of the experimental flag to change this
      option to the correct polarity.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 46746dbaa8c2c421b9bda78193caad57d7fb1136
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:44 2015 -0600

      vfio/pci: Make interrupt bypass runtime configurable

      Tracing is more effective when we can completely disable all KVM
      bypass paths.  Make these runtime rather than build-time configurable.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0de70dc7bab1cd58d02e86ed27e291843983b13b
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:43 2015 -0600

      vfio/pci: Rename MSI/X functions for easier tracing

      This allows vfio_msi* tracing.  The MSI/X interrupt tracing is also
      pulled out of #ifdef DEBUG_VFIO to avoid a recompile for tracing this
      path.  A few cycles to read the message is hardly anything if we're
      already in QEMU.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 870cb6f104e5d3364288d894746dd88fe9ac59cb
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:43 2015 -0600

      vfio/pci: Rename INTx functions for easier tracing

      Rename functions and tracing callbacks so that we can trace vfio_intx*
      to see all the INTx related activities.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit b5bd049fa907bccc4600ad1855e1c9c0e62f0be3
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:43 2015 -0600

      vfio/pci: Cleanup vfio_early_setup_msix() error path

      With the addition of the Chelsio quirk we have an error path out of
      vfio_early_setup_msix() that doesn't free the allocated VFIOMSIXInfo
      struct.  This doesn't introduce a leak as it still gets freed in the
      vfio_put_device() path, but it's complicated and sloppy to rely on
      that.  Restructure to free the allocated data on error and only link
      it into the vdev on success.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit d451008e0fdf7fb817c791397e7999d5f3687e58
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Sep 23 13:04:42 2015 -0600

      vfio/pci: Cleanup RTL8168 quirk and tracing

      There's quite a bit of cleanup that can be done to the RTL8168 quirk,
      as well as the tracing to prevent a spew of uninteresting accesses
      for anything else the driver might choose to use the window registers
      for besides the MSI-X table.  There should be no functional change,
      but it's now possible to get compact and useful traces by enabling
      vfio_rtl8168_quirk*, ex:

      vfio_rtl8168_quirk_write 0000:04:00.0 [address]: 0x1f000
      vfio_rtl8168_quirk_read 0000:04:00.0 [address]: 0x8001f000
      vfio_rtl8168_quirk_read 0000:04:00.0 [data]: 0xfee0100c
      vfio_rtl8168_quirk_write 0000:04:00.0 [address]: 0x1f004
      vfio_rtl8168_quirk_read 0000:04:00.0 [address]: 0x8001f004
      vfio_rtl8168_quirk_read 0000:04:00.0 [data]: 0x0
      vfio_rtl8168_quirk_write 0000:04:00.0 [address]: 0x1f008
      vfio_rtl8168_quirk_read 0000:04:00.0 [address]: 0x8001f008
      vfio_rtl8168_quirk_read 0000:04:00.0 [data]: 0x49b1
      vfio_rtl8168_quirk_write 0000:04:00.0 [address]: 0x1f00c
      vfio_rtl8168_quirk_read 0000:04:00.0 [address]: 0x8001f00c
      vfio_rtl8168_quirk_read 0000:04:00.0 [data]: 0x0

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 684bb5770ec5d72a66620f64fc5d9672bf8d3509
  Merge: 27c7275 d76548a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Sep 23 16:52:54 2015 +0100

      Merge remote-tracking branch 'remotes/dgibson/tags/spapr-next-20150923' 
into staging

      sPAPR Patch Queue: 2015-09-23

      Highlights:
          * pseries-2.5 machine type
          * Memory hotplug for "pseries" guests
          * Fixes to the PAPR Dynamic Reconfiguration hotplug code
          * Several PAPR compliance fixes
          * New SLOF with:
              * GPT support
              * Much faster VGA handling

      # gpg: Signature made Wed 23 Sep 2015 02:50:10 BST using DSA key ID 
FDDA6FC6
      # gpg: Good signature from "David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: F730 2185 38B4 D13E FD80  34F2 6882 CAC6 FDDA 
6FC6

      * remotes/dgibson/tags/spapr-next-20150923: (36 commits)
        sPAPR: Enable EEH on VFIO PCI device only
        sPAPR: Revert don't enable EEH on emulated PCI devices
        ppc/spapr: Implement H_RANDOM hypercall in QEMU
        ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()
        spapr: Fix default NUMA node allocation for threads
        spapr: Move memory hotplug to RTAS_LOG_V6_HP_ID_DRC_COUNT type
        spapr: Support hotplug by specifying DRC count
        spapr: Revert to memory@XXXX representation for non-hotplugged memory
        spapr: Populate ibm,associativity-lookup-arrays correctly for non-NUMA
        spapr: Provide better error message when slots exceed max allowed
        spapr: Don't allow memory hotplug to memory less nodes
        spapr: Memory hotplug support
        spapr: Make hash table size a factor of maxram_size
        spapr: Support ibm,dynamic-reconfiguration-memory
        spapr: Add LMB DR connectors
        spapr: Use QEMU limit for maximum CPUs number
        spapr: Don't use QOM [*] syntax for DR connectors.
        spapr_drc: use RTAS return codes for methods called by RTAS
        spapr: Initialize hotplug memory address space
        spapr_drc: don't allow 'empty' DRCs to be unisolated or allocated
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d76548a98f4e18d3c65a3d921bbb70caf9be6138
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Sep 18 17:30:44 2015 +1000

      sPAPR: Enable EEH on VFIO PCI device only

      This checks if the PCI device retrieved from the PCI device address
      is VFIO PCI device when enabling EEH functionality. If it's not
      VFIO PCI device, the EEH functonality isn't enabled.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 47445c80fb57035331574ac1ac0bcee67fb84aeb
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Sep 18 17:30:43 2015 +1000

      sPAPR: Revert don't enable EEH on emulated PCI devices

      This reverts commit 7cb18007 ("sPAPR: Don't enable EEH on emulated
      PCI devices") as rtas_ibm_set_eeh_option() isn't the right place
      to check if there has the corresponding PCI device for the input
      address, which can be PE address, not PCI device address.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 4d9392be6c1aada69ce86c0f6584128976985394
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Sep 17 10:49:41 2015 +0200

      ppc/spapr: Implement H_RANDOM hypercall in QEMU

      The PAPR interface defines a hypercall to pass high-quality
      hardware generated random numbers to guests. Recent kernels can
      already provide this hypercall to the guest if the right hardware
      random number generator is available. But in case the user wants
      to use another source like EGD, or QEMU is running with an older
      kernel, we should also have this call in QEMU, so that guests that
      do not support virtio-rng yet can get good random numbers, too.

      This patch now adds a new pseudo-device to QEMU that either
      directly provides this hypercall to the guest or is able to
      enable the in-kernel hypercall if available. The in-kernel
      hypercall can be enabled with the use-kvm property, e.g.:

       qemu-system-ppc64 -device spapr-rng,use-kvm=true

      For handling the hypercall in QEMU instead, a "RngBackend" is
      required since the hypercall should provide "good" random data
      instead of pseudo-random (like from a "simple" library function
      like rand() or g_random_int()). Since there are multiple RngBackends
      available, the user must select an appropriate back-end via the
      "rng" property of the device, e.g.:

       qemu-system-ppc64 -object rng-random,filename=/dev/hwrng,id=gid0 \
                         -device spapr-rng,rng=gid0 ...

      See http://wiki.qemu-project.org/Features-Done/VirtIORNG for
      other example of specifying RngBackends.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ef001f069e0f175a036929782c5c63053df9569a
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Sep 15 21:34:20 2015 +0200

      ppc/spapr: Fix buffer overflow in spapr_populate_drconf_memory()

      The buffer that is allocated in spapr_populate_drconf_memory()
      is used for setting both, the "ibm,dynamic-memory" and the
      "ibm,associativity-lookup-arrays" property. However, only the
      size of the first one is taken into account when allocating the
      memory. So if the length of the second property is larger than
      the length of the first one, we run into a buffer overflow here!
      Fix it by taking the length of the second property into account,
      too.

      Fixes: "spapr: Support ibm,dynamic-reconfiguration-memory" patch
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 20bb648dca6d7fe8cdd1941194e7851950b25dc5
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 11:21:52 2015 +1000

      spapr: Fix default NUMA node allocation for threads

      At present, if guest numa nodes are requested, but the cpus in each node
      are not specified, spapr just uses the default behaviour or assigning each
      vcpu round-robin to nodes.

      If smp_threads != 1, that will assign adjacent threads in a core to
      different NUMA nodes.  As well as being just weird, that's a configuration
      that can't be represented in the device tree we give to the guest, which
      means the guest and qemu end up with different ideas of the NUMA topology.

      This patch implements mc->cpu_index_to_socket_id in the spapr code to
      make sure vcpus get assigned to nodes only at the socket granularity.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Alexey Kardashevskiy <aik@xxxxxxxxx>

  commit 0a4178692c2375a4516da7b71629bd08ee8697ee
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:43 2015 +0530

      spapr: Move memory hotplug to RTAS_LOG_V6_HP_ID_DRC_COUNT type

      Till now memory hotplug used RTAS_LOG_V6_HP_ID_DRC_INDEX hotplug type
      which meant that we generated one hotplug type of EPOW event for every
      256MB (SPAPR_MEMORY_BLOCK_SIZE). This quickly overruns the kernel
      rtas log buffer thus resulting in loss of memory hotplug events. Switch
      to RTAS_LOG_V6_HP_ID_DRC_COUNT hotplug type for memory so that we
      generate only one event per hotplug request.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 7a36ae7a9f4f136d40fe1da4aab66b364d4aa56d
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:42 2015 +0530

      spapr: Support hotplug by specifying DRC count

      Support hotplug identifier type RTAS_LOG_V6_HP_ID_DRC_COUNT that allows
      hotplugging of DRCs by specifying the DRC count.

      While we are here, rename

      spapr_hotplug_req_add_event() to spapr_hotplug_req_add_by_index()
      spapr_hotplug_req_remove_event() to spapr_hotplug_req_remove_by_index()

      so that they match with spapr_hotplug_req_add_by_count().

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit e8f986fc57a664a74b9f685b466506366a15201b
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:41 2015 +0530

      spapr: Revert to memory@XXXX representation for non-hotplugged memory

      Don't represent non-hotluggable memory under drconf node. With this
      we don't have to create DRC objects for them.

      The effect of this patch is that we revert back to memory@XXXX 
representation
      for all the memory specified with -m option and represent the cold
      plugged memory and hot-pluggable memory under
      ibm,dynamic-reconfiguration-memory.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 6663864e950d40c467ae4ab81c4dac64d7a8d9e6
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:40 2015 +0530

      spapr: Populate ibm,associativity-lookup-arrays correctly for non-NUMA

      When NUMA isn't configured explicitly, assume node 0 is present for
      the purpose of creating ibm,associativity-lookup-arrays property
      under ibm,dynamic-reconfiguration-memory DT node. This ensures that
      the associativity index property is correctly updated in 
ibm,dynamic-memory
      for the LMB that is hotplugged.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 19a35c9e1b964f420ee07141f049e6c96c63b740
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 3 11:05:39 2015 +0530

      spapr: Provide better error message when slots exceed max allowed

      Currently when user specifies more slots than allowed max of
      SPAPR_MAX_RAM_SLOTS (32), we error out like this:

      qemu-system-ppc64: unsupported amount of memory slots: 64

      Let the user know about the max allowed slots like this:

      qemu-system-ppc64: Specified number of memory slots 64 exceeds max 
supported 32

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit b556854bd8524c26b8be98ab1bfdf0826831e793
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 14:14:32 2015 +0530

      spapr: Don't allow memory hotplug to memory less nodes

      Currently PowerPC kernel doesn't allow hot-adding memory to memory-less
      node, but instead will silently add the memory to the first node that has
      some memory. This causes two unexpected behaviours for the user.

      - Memory gets hotplugged to a different node than what the user specified.
      - Since pc-dimm subsystem in QEMU still thinks that memory belongs to
        memory-less node, a reboot will set things accordingly and the 
previously
        hotplugged memory now ends in the right node. This appears as if some
        memory moved from one node to another.

      So until kernel starts supporting memory hotplug to memory-less
      nodes, just prevent such attempts upfront in QEMU.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit c20d332a85c95245e3b720bfea1bd02e3a311463
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 1 11:22:35 2015 +1000

      spapr: Memory hotplug support

      Make use of pc-dimm infrastructure to support memory hotplug
      for PowerPC.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ce881f774d69d941eb999c25f0cb1f72cd228795
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 14:14:30 2015 +0530

      spapr: Make hash table size a factor of maxram_size

      The hash table size is dependent on ram_size, but since with hotplug
      the memory can grow till maxram_size. Hence make hash table size dependent
      on maxram_size.

      This allows to hotplug huge amounts of memory to the guest.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 03d196b7c57f22f796197f221f9d95336debee9e
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jul 13 10:34:00 2015 +1000

      spapr: Support ibm,dynamic-reconfiguration-memory

      Parse ibm,architecture.vec table obtained from the guest and enable
      memory node configuration via ibm,dynamic-reconfiguration-memory if guest
      supports it. This is in preparation to support memory hotplug for
      sPAPR guests.

      This changes the way memory node configuration is done. Currently all
      memory nodes are built upfront. But after this patch, only memory@0 node
      for RMA is built upfront. Guest kernel boots with just that and rest of
      the memory nodes (via memory@XXX or ibm,dynamic-reconfiguration-memory)
      are built when guest does ibm,client-architecture-support call.

      Note: This patch needs a SLOF enhancement which is already part of
      SLOF binary in QEMU.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 224245bf524189789d231f38434c9f8fd57a249c
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 12 13:16:48 2015 +1000

      spapr: Add LMB DR connectors

      Enable memory hotplug for pseries 2.4 and add LMB DR connectors.
      With memory hotplug, enforce RAM size, NUMA node memory size and maxmem
      to be a multiple of SPAPR_MEMORY_BLOCK_SIZE (256M) since that's the
      granularity in which LMBs are represented and hot-added.

      LMB DR connectors will be used by the memory hotplug code.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
                     [spapr_drc_reset implementation]
      [since this missed the 2.4 cutoff, changing to only enable for 2.5]
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 38b02bd846672f33bc2eabcb9847c4b78069e097
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu Aug 6 13:37:24 2015 +1000

      spapr: Use QEMU limit for maximum CPUs number

      sPAPR uses hard coded limit of maximum 255 supported CPUs which is
      exactly the same as QEMU-wide limit which is MAX_CPUMASK_BITS and also
      defined as 255.

      This makes use of a global CPU number limit for the "pseries" machine.

      In order to anticipate future increase of the MAX_CPUMASK_BITS
      (or to help debugging large systems), this also bumps the FDT_MAX_SIZE
      limit from 256K to 1M assuming that 1 CPU core needs roughly 512 bytes
      in the device tree so the new limit can cover up to 2048 CPU cores.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 94649d423e4647fca3bc3e8b2b363d6d2adee9ce
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Sep 16 16:57:51 2015 +1000

      spapr: Don't use QOM [*] syntax for DR connectors.

      The dynamic reconfiguration (hotplug) code for the pseries machine type
      uses a "DR connector" QOM object for each resource it will be possible
      to hotplug.  Each of these is added to its owner using
          object_property_add_child(owner, "dr-connector[*], ...);

      That works ok, mostly, but it means that the property indices are
      arbitrary, depending on the order in which the connectors are constructed.
      That might line up to something useful, but it doesn't have to.

      It will get worse once we add hotplug RAM support.  That will add a DR
      connector object for every 256MB of potential memory.  So if maxmem=2T,
      for example, there are 8192 objects under the same parent.

      The QOM interfaces aren't really designed for this.  In particular
      object_property_add() with [*] has O(n^2) time complexity (in the number 
of
      existing children): first it has a linear search through array indices to
      find a free slot, each of which is attempted to a recursive call to
      object_property_add() with a specific [N].  Those calls are O(n) because
      there's a linear search through all properties to check for duplicates.

      By using a meaningful index value, which we already know is unique we can
      avoid the [*] special behaviour.  That lets us reduce the total time for
      creating the DR objects from O(n^3) to O(n^2).

      O(n^2) is still kind of crappy, but it's enough to reduce the startup time
      of qemu (with in-progress memory hotplug support) with maxmem=2T from ~20
      minutes to ~4 seconds.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Tested-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Alexey Kardashevskiy <aik@xxxxxxxxx>

  commit 0cb688d22b3941af02fee78ba21dc3a39c367e0b
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 10 16:11:02 2015 -0500

      spapr_drc: use RTAS return codes for methods called by RTAS

      Certain methods in sPAPRDRConnector objects are only ever called by
      RTAS and in many cases are responsible for the logic that determines
      the RTAS return codes.

      Rather than having a level of indirection requiring RTAS code to
      re-interpret return values from such methods to determine the
      appropriate return code, just pass them through directly.

      This requires changing method return types to uint32_t to match the
      type of values currently passed to RTAS helpers.

      In the case of read accesses like drc->entity_sense() where we weren't
      previously reporting any errors, just the read value, we modify the
      function to return RTAS return code, and pass the read value back via
      reference.

      Suggested-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Suggested-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 4a1c9cf0073e733b421e7b82ad673e7cf6ed8454
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 14:14:27 2015 +0530

      spapr: Initialize hotplug memory address space

      Initialize a hotplug memory region under which all the hotplugged
      memory is accommodated. Also enable memory hotplug by setting
      CONFIG_MEM_HOTPLUG.

      Modelled on i386 memory hotplug.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 9d1852ce11c888e3ad5096be505d14045d8b49ae
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 10 16:11:03 2015 -0500

      spapr_drc: don't allow 'empty' DRCs to be unisolated or allocated

      Logical resources start with allocation-state:UNUSABLE /
      isolation-state:ISOLATED. During hotplug, guests will transition
      them to allocation-state:USABLE, and then to
      isolation-state:UNISOLATED.

      For cases where we cannot transition to allocation-state:USABLE,
      in this case due to no device/resource being association with
      the logical DRC, we should return an error -3.

      For physical DRCs, we default to allocation-state:USABLE and stay
      there, so in this case we should report an error -3 when the guest
      attempts to make the isolation-state:ISOLATED transition for a DRC
      with no device associated.

      These are as documented in PAPR 2.7, 13.5.3.4.

      We also ensure allocation-state:USABLE when the guest attempts
      transition to isolation-state:UNISOLATED to deal with misbehaving
      guests attempting to bring online an unallocated logical resource.

      This is as documented in PAPR 2.7, 13.7.

      Currently we implement no such error logic. Fix this by handling
      these error cases as PAPR defines.

      Cc: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a8ad731a001d41582c9cec4015f73ab3bc11a28d
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 15 16:34:59 2015 -0500

      spapr_pci: fix device tree props for MSI/MSI-X

      PAPR requires ibm,req#msi and ibm,req#msi-x to be present in the
      device node to define the number of msi/msi-x interrupts the device
      supports, respectively.

      Currently we have ibm,req#msi-x hardcoded to a non-sensical constant
      that happens to be 2, and are missing ibm,req#msi entirely. The result
      of that is that msi-x capable devices get limited to 2 msi-x
      interrupts (which can impact performance), and msi-only devices likely
      wouldn't work at all. Additionally, if devices expect a minimum that
      exceeds 2, the guest driver may fail to load entirely.

      SLOF still owns the generation of these properties at boot-time
      (although other device properties have since been offloaded to QEMU),
      but for hotplugged devices we rely on the values generated by QEMU
      and thus hit the limitations above.

      Fix this by generating these properties in QEMU as expected by guests.

      In the future it may make sense to modify SLOF to pass through these
      values directly as we do with other props since we're duplicating SLOF
      code.

      Cc: qemu-ppc@xxxxxxxxxx
      Cc: qemu-stable@xxxxxxxxxx
      Cc: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit ef9971dd69bdd84b0987b0e1e4f421223b080afd
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Tue Sep 8 11:25:13 2015 +1000

      spapr: Enable in-kernel H_SET_MODE handling

      For setting debug watchpoints, sPAPR guests use H_SET_MODE hypercall.
      The existing QEMU H_SET_MODE handler does not support this but
      the KVM handler in HV KVM does. However it is not enabled.

      This enables the in-kernel H_SET_MODE handler which handles:
      - Completed Instruction Address Breakpoint Register
      - Watch point 0 registers.

      The rest is still handled in QEMU.

      Reported-by: Anton Blanchard <anton@xxxxxxxxx>
      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 22419c2a90b859dcab49f9472259ad8a3ce091d6
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 8 11:21:31 2015 +1000

      pseries: Fix incorrect calculation of threads per socket for chip-id

      The device tree presented to pseries machine type guests includes an
      ibm,chip-id property which gives essentially the socket number of each
      vcpu core (individual vcpu threads don't get a node in the device
      tree).

      To calculate this, it uses a vcpus_per_socket variable computed as
      (smp_cpus / #sockets).  This is correct for the usual case where
      smp_cpus == smp_threads * smp_cores * #sockets.

      However, you can start QEMU with the number of cores and threads
      mismatching the total number of vcpus (whether that _should_ be
      permitted is a topic for another day).  It's a bit hard to say what
      the "real" number of vcpus per socket here is, but for most purposes
      (smp_threads * smp_cores) will more meaningfully match how QEMU
      behaves with respect to socket boundaries.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Alexey Kardashevskiy <aik@xxxxxxxxx>

  commit 92d7a30cb3656f577f87b19042d9b66ff3b20e3b
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu Aug 13 19:24:16 2015 +1000

      pseries: Update SLOF firmware image to qemu-slof-20150813

      The changes are:
      1. GPT support;
      2. Much faster VGA support.

      The full changelog is:
        > Add missing half word access case to _FASTRMOVE and _FASTMOVE
        > Remove unused RMOVE64 stub
        > fbuffer: Implement RFILL as an accelerated primitive
        > fbuffer: Implement MRMOVE as an accelerated primitive
        > fbuffer: Precalculate line length in bytes
        > terminal: Disable the terminal-write trace by default
        > boot: remove trailing ":" in the bootpath
        > ci: implement boot client interface
        > boot: bootpath should be complete device path
        > fbuffer: Use a smaller cursor
        > fbuffer: Improve invert-region helper
        > usb-hid: Caps is not always shift
        > cas: Increase FDT buffer size to accomodate larger ibm, cas node 
properties
        > README: Update with patch submittion note
        > disk-label: add support for booting from GPT FAT partition
        > disk-label: introduce helper to check fat filesystem
        > introduce 8-byte LE helpers
        > disk-label: simplify gpt-prep-partition? routine
        > fbuffer: introduce the invert-region-x helper
        > fbuffer: introduce the invert-region helper
        > fbuffer: simplify address computations in fb8-toggle-cursor

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 785652dc4db2023aeda4e381eb08e0beae67b870
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Thu Aug 13 14:53:02 2015 +0200

      pseries: define coldplugged devices as "configured"

      When a device is hotplugged, attach() sets "configured" to
      false, waiting an action from the OS to configure it and then
      to call ibm,configure-connector. On ibm,configure-connector,
      the hypervisor sets "configured" to true.

      In case of coldplugged device, attach() sets "configured" to
      false, but firmware and OS never call the ibm,configure-connector
      in this case, so it remains set to false.

      It could be harmless, but when we unplug a device, hypervisor
      waits the device becomes configured because for it, a not configured
      device is a device being configured, so it waits the end of configuration
      to unplug it... and it never happens, so it is never unplugged.

      This patch set by default coldplugged device to "configured=true",
      hotplugged device to "configured=false".

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a14aa92b20c5482b9b694901304b8100b3c4b5a1
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 1 11:05:12 2015 +1000

      sPAPR: Introduce rtas_ldq()

      This introduces rtas_ldq() to load 64-bits parameter from continuous
      two 4-bytes memory chunk of RTAS parameter buffer, to simplify the
      code.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit e6fc9568c865f2f81499475a4e322cd563fdfd90
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 1 09:53:52 2015 +1000

      spapr_rtas: Prevent QEMU crash during hotplug without a prior device_add

      If drmgr is used in the guest to hotplug a device before a device_add
      has been issued via the QEMU monitor, QEMU segfaults in 
configure_connector
      call. This occurs due to accessing of NULL FDT which otherwise would have
      been created and associated with the DRC during device_add command.

      Check for NULL FDT and return failure from configure_connector call.
      As per PAPR+, an error value of -9003 seems appropriate for this failure.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Cc: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit aaf87c6616370685a7cff6a21616fc5db7495014
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Sep 1 11:29:02 2015 +1000

      ppc/spapr: Use qemu_log_mask() for hcall_dprintf()

      To see the output of the hcall_dprintf statements, you currently have
      to enable the DEBUG_SPAPR_HCALLS macro in include/hw/ppc/spapr.h.
      This is ugly because a) not every user who wants to debug guest
      problems can or wants to recompile QEMU to be able to see such issues,
      and b) since this macro is disabled by default, the code in the
      hcall_dprintf() brackets tends to bitrot until somebody temporarily
      enables that macro again.
      Since the hcall_dprintf statements except one indicate guest
      problems, let's always use qemu_log_mask(LOG_GUEST_ERROR, ...) for
      this macro instead. One spot indicated an unimplemented host feature,
      so this is changed into qemu_log_mask(LOG_UNIMP, ...) instead. Now
      it's possible to see all those messages by simply adding the CLI
      parameter "-d guest_errors,unimp", without the need to re-compile
      the binary.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 627c2ef7898794a28d706ecdf094491bebbb083a
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Sep 3 10:08:23 2015 +1000

      spapr_drc: Fix potential undefined behaviour

      The DRC_INDEX_ID_MASK macro does a left shift on ~0, which is a signed
      quantity, and therefore undefined behaviour according to the C spec.  In
      particular this causes warnings from the clang sanitizer.

      This fixes it by calculating the same mask without using ~0 (I think the
      new method is a more common idiom for generating masks anyway).  For good
      measure I also use 1ULL to force the expression's type to unsigned long
      long, which should be good for assigning to anything we're going to want
      to.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Alexey Kardashevskiy <aik@xxxxxxxxx>

  commit ad440b4ae0727dbef5cace419d94d774de96886c
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Tue Sep 1 11:25:35 2015 +1000

      spapr: add dumpdtb support

      dumpdtb (-machine dumpdtb=<file>) allows one to inspect the generated
      device tree of machine types that generate device trees. This is
      useful for a) seeing what's there b) debugging/testing device tree
      generator patches. It can be used as follows

      $QEMU_CMDLINE -machine dumpdtb=dtb
      dtc -I dtb -O dts dtb

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit e39432282e2d2db42645c2ce183dfcaa1488752b
  Author: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
  Date:   Tue Sep 1 11:24:37 2015 +1000

      spapr: SPLPAR Characteristics

      Improve the SPLPAR Characteristics information:

          Add MaxPlatProcs: set to max_cpus, the maximum CPUs that could be
          addded to the system.
          Add DesMem: set to the initial memory of the system.
          Add DesProcs: set to smp_cpus, the inital number of CPUs in the
          system.

      These tokens and values are specified by PAPR.

      Signed-off-by: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit b359bd6a424b8de7db994d7120e87a7465b69337
  Author: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
  Date:   Tue Sep 1 11:23:47 2015 +1000

      spapr: Make ibm, change-msi respect 3 return values

      Currently, rtas_ibm_change_msi() always returns four values even if
      less are specified.

      Correct this by only returning the fourth parameter if it was
      requested.

      This is specified by PAPR.

      Signed-off-by: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit a95f99224c08efcf91b4259c34754f69d962bf23
  Author: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
  Date:   Tue Sep 1 11:23:34 2015 +1000

      spapr: Add /rtas/ibm,change-msix-capable

      QEMU is MSI-X capable and makes it available via ibm,change-msi, so
      we should indicate this by adding /rtas/ibm,change-msix-capable to the
      device tree.

      This is specificed by PAPR.

      Signed-off-by: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 2c1aaa819a0d68a51086f5d7e8f9a0114ae0305c
  Author: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
  Date:   Tue Sep 1 11:23:19 2015 +1000

      spapr: Add /ibm,partition-name

      QEMU has a notion of the guest name, so if it's present we might as
      well put that into the device tree as /ibm,partition-name.

      This is specificed by PAPR.

      Signed-off-by: Sam Bobroff <sam.bobroff@xxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit fb0fc8f62c16b5b0910545f56c64aaafc91533ce
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 12 13:15:56 2015 +1000

      spapr: Create pseries-2.5 machine

      Add pseries-2.5 machine version.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      [Altered to merge before memory hotplug -- dwg]
      [Altered to work with b9f072d01 -- dwg]
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 613e7a764501a236cdfce39561f9bcf60c78cf49
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 30 20:25:15 2015 +0530

      spapr: Provide an error message when migration fails due to htab_shift 
mismatch

      Include an error message when migration fails due to mismatch in
      htab_shift values at source and target. This should provide a bit more
      verbose message in addition to the current migration failure message
      that reads like:

      qemu-system-ppc64: error while loading state for instance 0x0 of device 
'spapr/htab'

      After this patch, the failure message will look like this:

      qemu-system-ppc64: htab_shift mismatch: source 29 target 24
      qemu-system-ppc64: error while loading state for instance 0x0 of device 
'spapr/htab'

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>

  commit 27c7275a56948f48f536e2d1599b22355f5714ac
  Merge: 482d7c0 f479832
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 22 19:22:23 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-ipxe-20150903-1' 
into staging

      ipxe: update to 35c53797 to 4e03af8, build tweaks.

      # gpg: Signature made Thu 03 Sep 2015 13:52:01 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-ipxe-20150903-1:
        ipxe: update binaries
        ipxe: use upstream configuration
        ipxe: don't override GITVERSION
        ipxe: update from 35c53797 to 4e03af8

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 482d7c0854423608e20e56b5824b7340bd3af7df
  Merge: 6138fbd abadcbc
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 22 16:51:36 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-09-22' into staging

      Monitor patches

      # gpg: Signature made Tue 22 Sep 2015 10:33:34 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-09-22:
        hmp: Restore "info pci"
        monitor: allow device_del to accept QOM paths

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit abadcbc838a3b256819fd8932c34a4af41ec187f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Sep 18 17:18:29 2015 +0200

      hmp: Restore "info pci"

      Dropped by commit da76ee76f78b9705e2a91e3c964aef28fecededb's
      transition to hmp-commands-info.hx.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1442589509-10806-1-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6287d827d494b5850049584c3f7fb1a589dbb1de
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Sep 11 13:33:56 2015 +0100

      monitor: allow device_del to accept QOM paths

      Currently device_del requires that the client provide the
      device short ID. device_add allows devices to be created
      without giving an ID, at which point there is no way to
      delete them with device_del. The QOM object path, however,
      provides an alternative way to identify the devices.

      Allowing device_del to accept an object path ensures all
      devices are deletable regardless of whether they have an
      ID.

       (qemu) device_add usb-mouse
       (qemu) qom-list /machine/peripheral-anon
       device[0] (child<usb-mouse>)
       type (string)
       (qemu) device_del /machine/peripheral-anon/device[0]

      Devices are required to be marked as hotpluggable
      otherwise an error is raised

       (qemu) device_del /machine/unattached/device[4]
       Device 'PIIX3' does not support hotplugging

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1441974836-17476-1-git-send-email-berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      [Commit message touched up, accidental white-space change dropped]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6138fbdebd72f6822367e88d14ddc635b5a5ddfb
  Merge: 9e72681 b2af43c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 22 00:37:05 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150921-1' 
into staging

      spice: surface switch fast path requires same format too.

      # gpg: Signature made Mon 21 Sep 2015 10:05:54 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150921-1:
        spice: surface switch fast path requires same format too.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9e72681d16792d0ffc42bab634b1753ff299bdfd
  Merge: 75ebcd7 1a9a507
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 21 22:33:51 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-09-21' 
into staging

      qapi: QMP introspection

      # gpg: Signature made Mon 21 Sep 2015 08:59:17 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-09-21: (26 commits)
        qapi-introspect: Hide type names
        qapi: New QMP command query-qmp-schema for QMP introspection
        qapi: Pseudo-type '**' is now unused, drop it
        qapi-schema: Fix up misleading specification of netdev_add
        qom: Don't use 'gen': false for qom-get, qom-set, object-add
        qapi: Introduce a first class 'any' type
        qapi: Make output visitor return qnull() instead of NULL
        qapi: Improve built-in type documentation
        qapi-commands: De-duplicate output marshaling functions
        qapi: De-duplicate parameter list generation
        qapi: Rename qmp_marshal_input_FOO() to qmp_marshal_FOO()
        qapi-commands: Rearrange code
        qapi-visit: Rearrange code a bit
        qapi: Clean up after recent conversions to QAPISchemaVisitor
        qapi: Replace dirty is_c_ptr() by method c_null()
        qapi-event: Convert to QAPISchemaVisitor, fixing data with base
        qapi-event: Eliminate global variable event_enum_value
        qapi: De-duplicate enum code generation
        qapi-commands: Convert to QAPISchemaVisitor
        qapi-visit: Convert to QAPISchemaVisitor, fixing bugs
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 75ebcd7f080fa30893272f6fe07354e4ffa11b46
  Merge: d345e0d 81dfaf1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 21 19:42:33 2015 +0100

      Merge remote-tracking branch 'remotes/aurel/tags/pull-tcg-mips-20150921' 
into staging

      TCG MIPS queue

      - Fixes for 64-bit guests
      - Small cleanups

      # gpg: Signature made Sun 20 Sep 2015 23:33:15 BST using RSA key ID 
1DDD8C9B
      # gpg: Good signature from "Aurelien Jarno <aurelien@xxxxxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurelien@xxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurel32@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 
8C9B

      * remotes/aurel/tags/pull-tcg-mips-20150921:
        tcg/mips: pass oi to tcg_out_tlb_load
        tcg/mips: move tcg_out_addsub2
        tcg/mips: Fix clobbering of qemu_ld inputs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d345e0d7b755591da379b23c628613d0a5cd2566
  Merge: 1864098 8f60f8e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 21 17:01:46 2015 +0100

      Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' 
into staging

      Patch queue for ppc - 2015-09-20

      Highlights this time around:

        - e500: Fix u-boot boot with -M virt by updating to new version
        - e500: fix ATMU reads
        - book3s: Fixes (unaligned exceptions, vector instructions)
        - yet another dbdma ide fix

      I'm out taking care of my son for the next 2 months. During that time
      please consider David Gibson the interim ppc queue maintainer. I'm sure
      Aurelien will be more than happy to help him review patches as well ;-).

      # gpg: Signature made Sun 20 Sep 2015 21:51:16 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-ppc-for-upstream:
        target-ppc: fix xscmpodp and xscmpudp decoding
        target-ppc: fix vcipher, vcipherlast, vncipherlast and vpermxor
        PPC: E500: Update u-boot to commit 79c884d7e4
        target-ppc: Fix SRR0 when taking unaligned exceptions
        PPC: e500 pci host: Fix ATMUs register reads
        mac_dbdma: always clear FLUSH bit once DBDMA channel flush is complete
        kvm_ppc: remove kvmppc_timer_hack

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1a9a507b2e3e90aa719c96b4c092e7fad7215f21
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:29 2015 +0200

      qapi-introspect: Hide type names

      To eliminate the temptation for clients to look up types by name
      (which are not ABI), replace all type names by meaningless strings.

      Reduces output of query-schema by 13 out of 85KiB.

      As a debugging aid, provide option -u to suppress the hiding.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1442401589-24189-27-git-send-email-armbru@xxxxxxxxxx>

  commit 39a181581650f4d50f4445bc6276d9716cece050
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:28 2015 +0200

      qapi: New QMP command query-qmp-schema for QMP introspection

      qapi/introspect.json defines the introspection schema.  It's designed
      for QMP introspection, but should do for similar uses, such as QGA.

      The introspection schema does not reflect all the rules and
      restrictions that apply to QAPI schemata.  A valid QAPI schema has an
      introspection value conforming to the introspection schema, but the
      converse is not true.

      Introspection lowers away a number of schema details, and makes
      implicit things explicit:

      * The built-in types are declared with their JSON type.

        All integer types are mapped to 'int', because how many bits we use
        internally is an implementation detail.  It could be pressed into
        external interface service as very approximate range information,
        but that's a bad idea.  If we need range information, we better do
        it properly.

      * Implicit type definitions are made explicit, and given
        auto-generated names:

        - Array types, named by appending "List" to the name of their
          element type, like in generated C.

        - The enumeration types implicitly defined by simple union types,
          named by appending "Kind" to the name of their simple union type,
          like in generated C.

        - Types that don't occur in generated C.  Their names start with ':'
          so they don't clash with the user's names.

      * All type references are by name.

      * The struct and union types are generalized into an object type.

      * Base types are flattened.

      * Commands take a single argument and return a single result.

        Dictionary argument or list result is an implicit type definition.

        The empty object type is used when a command takes no arguments or
        produces no results.

        The argument is always of object type, but the introspection schema
        doesn't reflect that.

        The 'gen': false directive is omitted as implementation detail.

        The 'success-response' directive is omitted as well for now, even
        though it's not an implementation detail, because it's not used by
        QMP.

      * Events carry a single data value.

        Implicit type definition and empty object type use, just like for
        commands.

        The value is of object type, but the introspection schema doesn't
        reflect that.

      * Types not used by commands or events are omitted.

        Indirect use counts as use.

      * Optional members have a default, which can only be null right now

        Instead of a mandatory "optional" flag, we have an optional default.
        No default means mandatory, default null means optional without
        default value.  Non-null is available for optional with default
        (possible future extension).

      * Clients should *not* look up types by name, because type names are
        not ABI.  Look up the command or event you're interested in, then
        follow the references.

        TODO Should we hide the type names to eliminate the temptation?

      New generator scripts/qapi-introspect.py computes an introspection
      value for its input, and generates a C variable holding it.

      It can generate awfully long lines.  Marked TODO.

      A new test-qmp-input-visitor test case feeds its result for both
      tests/qapi-schema/qapi-schema-test.json and qapi-schema.json to a
      QmpInputVisitor to verify it actually conforms to the schema.

      New QMP command query-qmp-schema takes its return value from that
      variable.  Its reply is some 85KiBytes for me right now.

      If this turns out to be too much, we have a couple of options:

      * We can use shorter names in the JSON.  Not the QMP style.

      * Optionally return the sub-schema for commands and events given as
        arguments.

        Right now qmp_query_schema() sends the string literal computed by
        qmp-introspect.py.  To compute sub-schema at run time, we'd have to
        duplicate parts of qapi-introspect.py in C.  Unattractive.

      * Let clients cache the output of query-qmp-schema.

        It changes only on QEMU upgrades, i.e. rarely.  Provide a command
        query-qmp-schema-hash.  Clients can have a cache indexed by hash,
        and re-query the schema only when they don't have it cached.  Even
        simpler: put the hash in the QMP greeting.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 2d21291ae645955fcc4652ebfec81ad338169ac6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:27 2015 +0200

      qapi: Pseudo-type '**' is now unused, drop it

      'gen': false needs to stay for now, because netdev_add is still using
      it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-25-git-send-email-armbru@xxxxxxxxxx>

  commit b8a98326d565516bfcaa6582781605d167471b48
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:26 2015 +0200

      qapi-schema: Fix up misleading specification of netdev_add

      It doesn't take a 'props' argument, let alone one in the format
      "NAME=VALUE,..."

      The bogus arguments specification doesn't matter due to 'gen': false.
      Clean it up to be incomplete rather than wrong, and document the
      incompleteness.

      While there, improve netdev_add usage example in the manual: add a
      device option to show how it's done.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-24-git-send-email-armbru@xxxxxxxxxx>

  commit 6eb3937e9b20319e1c4f4d53e906fda8f5ccda10
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:25 2015 +0200

      qom: Don't use 'gen': false for qom-get, qom-set, object-add

      With the previous commit, the generated marshalers just work, and save
      us a bit of handwritten code.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-23-git-send-email-armbru@xxxxxxxxxx>

  commit 28770e057f265a4e70bcbdfc2447cce7b5f2dc19
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:24 2015 +0200

      qapi: Introduce a first class 'any' type

      It's first class, because unlike '**', it actually works, i.e. doesn't
      require 'gen': false.

      '**' will go away next.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 6c2f9a15dfc8c18ba94defb0f819109902a817cb
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:23 2015 +0200

      qapi: Make output visitor return qnull() instead of NULL

      Before commit 1d10b44, it crashed.  Since then, it returns NULL, with
      a FIXME comment.  The FIXME is valid: code that assumes QObject *
      can't be null exists.  I'm not aware of a way to feed this problematic
      return value to code that actually chokes on null in the current code,
      but the next few commits will create one, failing "make check".

      Commit 481b002 solved a very similar problem by introducing a special
      null QObject.  Using this special null QObject is clearly the right
      way to resolve this FIXME, so do that, and update the test
      accordingly.

      However, the patch isn't quite right: it messes up the reference
      counting.  After about SIZE_MAX visits, the reference counter
      overflows, failing the assertion in qnull_destroy_obj().  Because
      that's many orders of magnitude more visits of nulls than we expect,
      we take this patch despite its flaws, to get the QMP introspection
      stuff in without further delay.  We'll want to fix it for real before
      the release.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-21-git-send-email-armbru@xxxxxxxxxx>

  commit f133f2db1eedd409d3c1b0892f65b99f83c74754
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:22 2015 +0200

      qapi: Improve built-in type documentation

      Clarify how they map to JSON.  Add how they map to C.  Fix the
      reference to StringInputVisitor.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-20-git-send-email-armbru@xxxxxxxxxx>

  commit 56d92b003a223585980df5403ee9e3a55de90adf
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:21 2015 +0200

      qapi-commands: De-duplicate output marshaling functions

      gen_marshal_output() uses its parameter name only for name of the
      generated function.  Name it after the type being marshaled instead of
      its caller, and drop duplicates.

      Saves 7 copies of qmp_marshal_output_int() in qemu-ga, and one copy of
      qmp_marshal_output_str() in qemu-system-*.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-19-git-send-email-armbru@xxxxxxxxxx>

  commit 03b4367a556179e3e59affa535493427bd009e9d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:20 2015 +0200

      qapi: De-duplicate parameter list generation

      Generated qapi-event.[ch] lose line breaks.  No change otherwise.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-18-git-send-email-armbru@xxxxxxxxxx>

  commit 7fad30f06eb6aa57aaa8f3d264288f24ae7646f0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:19 2015 +0200

      qapi: Rename qmp_marshal_input_FOO() to qmp_marshal_FOO()

      These functions marshal both input and output.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-17-git-send-email-armbru@xxxxxxxxxx>

  commit f15380190a6e635e6c579ca24d672aa4aa068632
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:18 2015 +0200

      qapi-commands: Rearrange code

      Rename gen_marshal_input() to gen_marshal(), because the generated
      function marshals both arguments and results.

      Rename gen_visitor_input_containers_decl() to gen_marshal_vars(), and
      move the other variable declarations there, too.

      Rename gen_visitor_input_block() to gen_marshal_input_visit(), and
      rearrange its code slightly.

      Rename gen_marshal_input_decl() to gen_marshal_proto(), because the
      result isn't a full declaration, unlike gen_command_decl()'s.

      New gen_marshal_decl() actually returns a full declaration.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-16-git-send-email-armbru@xxxxxxxxxx>

  commit 60f8546acd113e636bf2ba8af991ebe0f6e8ad66
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:17 2015 +0200

      qapi-visit: Rearrange code a bit

      Move gen_visit_decl() to a better place.  Inline
      generate_visit_struct_body().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-15-git-send-email-armbru@xxxxxxxxxx>

  commit e98859a9b96d71dea8f9af43325edd43c7effe66
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:16 2015 +0200

      qapi: Clean up after recent conversions to QAPISchemaVisitor

      Generate just 'FOO' instead of 'struct FOO' when possible.

      Drop helper functions that are now unused.

      Make pep8 and pylint reasonably happy.

      Rename generate_FOO() functions to gen_FOO() for consistency.

      Use more consistent and sensible variable names.

      Consistently use c_ for mapping keys when their value is a C
      identifier or type.

      Simplify gen_enum() and gen_visit_union()

      Consistently use single quotes for C text string literals.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442401589-24189-14-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 5710153e7310995b5d4127af267e36d8529b3b30
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:15 2015 +0200

      qapi: Replace dirty is_c_ptr() by method c_null()

      is_c_ptr() looks whether the end of the C text for the type looks like
      a pointer.  Works, but is fragile.

      We now have a better tool: use QAPISchemaType method c_null().  The
      initializers for non-pointers become prettier: 0, false or the
      enumeration constant with the value 0 instead of {0}.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-13-git-send-email-armbru@xxxxxxxxxx>

  commit 05f43a960877cf941635324b2d0a74c0d0f7128e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:14 2015 +0200

      qapi-event: Convert to QAPISchemaVisitor, fixing data with base

      Fixes events whose data is struct with base to include the struct's
      base members.  Test case is qapi-schema-test.json's event
      __org.qemu_x-command:

          { 'event': '__ORG.QEMU_X-EVENT', 'data': '__org.qemu_x-Struct' }

          { 'struct': '__org.qemu_x-Struct', 'base': '__org.qemu_x-Base',
            'data': { '__org.qemu_x-member2': 'str' } }

          { 'struct': '__org.qemu_x-Base',
            'data': { '__org.qemu_x-member1': '__org.qemu_x-Enum' } }

      Patch's effect on generated qapi_event_send___org_qemu_x_event():

          -void qapi_event_send___org_qemu_x_event(const char 
*__org_qemu_x_member2,
          +void qapi_event_send___org_qemu_x_event(__org_qemu_x_Enum 
__org_qemu_x_member1,
          +                                        const char 
*__org_qemu_x_member2,
                                                   Error **errp)
           {
               QDict *qmp;
          @@ -224,6 +225,10 @@ void qapi_event_send___org_qemu_x_event(
                   goto clean;
               }

          +    visit_type___org_qemu_x_Enum(v, &__org_qemu_x_member1, 
"__org.qemu_x-member1", &local_err);
          +    if (local_err) {
          +        goto clean;
          +    }
               visit_type_str(v, (char **)&__org_qemu_x_member2, 
"__org.qemu_x-member2", &local_err);
               if (local_err) {
                   goto clean;

      Code is generated in a different order now, but that doesn't matter.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 7b24626cd019ed5084c8e3370999176a1ebd44be
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:13 2015 +0200

      qapi-event: Eliminate global variable event_enum_value

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-11-git-send-email-armbru@xxxxxxxxxx>

  commit efd2eaa6c2992c214a13f102b6ddd4dca4697fb3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:12 2015 +0200

      qapi: De-duplicate enum code generation

      Duplicated in commit 21cd70d.  Yes, we can't import qapi-types, but
      that's no excuse.  Move the helpers from qapi-types.py to qapi.py, and
      replace the duplicates in qapi-event.py.

      The generated event enumeration type's lookup table becomes
      const-correct (see commit 2e4450f), and uses explicit indexes instead
      of relying on order (see commit 912ae9c).

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442401589-24189-10-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ee44602857660e79f46547de02e26d65bcaf1519
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:11 2015 +0200

      qapi-commands: Convert to QAPISchemaVisitor

      Output unchanged apart from reordering and white-space.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1442401589-24189-9-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 441cbac0c7e641780decbc674a9a68c6a5200f71
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:10 2015 +0200

      qapi-visit: Convert to QAPISchemaVisitor, fixing bugs

      Fixes flat unions to visit the base's base members (the previous
      commit merely added them to the struct).  Same test case.

      Patch's effect on visit_type_UserDefFlatUnion():

           static void visit_type_UserDefFlatUnion_fields(Visitor *m, 
UserDefFlatUnion **obj, Error **errp)
           {
               Error *err = NULL;

          +    visit_type_int(m, &(*obj)->integer, "integer", &err);
          +    if (err) {
          +        goto out;
          +    }
               visit_type_str(m, &(*obj)->string, "string", &err);
               if (err) {
                   goto out;

      Test cases updated for the bug fix.

      Fixes alternates to generate a visitor for their implicit enumeration
      type.  None of them are currently used, obviously.  Example:
      block-core.json's BlockdevRef now generates
      visit_type_BlockdevRefKind().

      Code is generated in a different order now, and therefore has got a
      few new forward declarations.  Doesn't matter.

      The guard QAPI_VISIT_BUILTIN_VISITOR_DECL is renamed to
      QAPI_VISIT_BUILTIN.

      The previous commit's two ugly special cases exist here, too.  Mark
      both TODO.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 2b162ccbe875e5323fc04c1009addbdea4d35220
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:09 2015 +0200

      qapi-types: Convert to QAPISchemaVisitor, fixing flat unions

      Fixes flat unions to get the base's base members.  Test case is from
      commit 2fc0043, in qapi-schema-test.json:

          { 'union': 'UserDefFlatUnion',
            'base': 'UserDefUnionBase',
            'discriminator': 'enum1',
            'data': { 'value1' : 'UserDefA',
                      'value2' : 'UserDefB',
                      'value3' : 'UserDefB' } }

          { 'struct': 'UserDefUnionBase',
            'base': 'UserDefZero',
            'data': { 'string': 'str', 'enum1': 'EnumOne' } }

          { 'struct': 'UserDefZero',
            'data': { 'integer': 'int' } }

      Patch's effect on UserDefFlatUnion:

           struct UserDefFlatUnion {
               /* Members inherited from UserDefUnionBase: */
          +    int64_t integer;
               char *string;
               EnumOne enum1;
               /* Own members: */
               union { /* union tag is @enum1 */
                   void *data;
                   UserDefA *value1;
                   UserDefB *value2;
                   UserDefB *value3;
               };
           };

      Flat union visitors remain broken.  They'll be fixed next.

      Code is generated in a different order now, but that doesn't matter.

      The two guards QAPI_TYPES_BUILTIN_STRUCT_DECL and
      QAPI_TYPES_BUILTIN_CLEANUP_DECL are replaced by just
      QAPI_TYPES_BUILTIN.

      Two ugly special cases for simple unions now stand out like sore
      thumbs:

      1. The type tag is named 'type' everywhere, except in generated C,
         where it's 'kind'.

      2. QAPISchema lowers simple unions to semantically equivalent flat
         unions.  However, the C generated for a simple unions differs from
         the C generated for its equivalent flat union, and we therefore
         need special code to preserve that pointless difference for now.

      Mark both TODO.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit b2af43cc379e1d4c30d92af257bedebf0e3f618a
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Sep 18 12:07:18 2015 +0200

      spice: surface switch fast path requires same format too.

      Commit "555e72f spice: rework mirror allocation, add no-resize fast path"
      adds a fast path for surface switches which does't go through the full
      primary surface destroy and re-recreation in case the new surface is
      identical to the old one (page-flip).  It checks the size only though,
      but the format must be identical too.  This patch adds the format check.

      Commit "0002a51 ui/spice: Support shared surface for most pixman
      formats" increases the chance to actually trigger this.

      https://bugzilla.redhat.com/show_bug.cgi?id=1247479

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 156402e5042193c45e70c378a93ccafd3832d8ff
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:08 2015 +0200

      tests/qapi-schema: Convert test harness to QAPISchemaVisitor

      The old code prints the result of parsing (list of expression
      dictionaries), and partial results of semantic analysis (list of enum
      dictionaries, list of struct dictionaries).

      The new code prints a trace of a schema visit, i.e. what the back-ends
      are going to use.  Built-in and array types are omitted, because
      they're boring.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 3f7dc21bee1e930d5cccf607b8f83831c3bbdb09
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:07 2015 +0200

      qapi: New QAPISchemaVisitor

      The visitor will help keeping the code generation code simple and
      reasonably separated from QAPISchema details.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442401589-24189-5-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f51d8c3db11b0f3052b3bb4b8b0c7f0bc76f7136
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:06 2015 +0200

      qapi: QAPISchema code generation helper methods

      New methods c_name(), c_type(), c_null(), json_type(),
      alternate_qtype().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442401589-24189-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ac88219a6c78302c693fb60fe6cf04358540fbce
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:05 2015 +0200

      qapi: New QAPISchema intermediate reperesentation

      The QAPI code generators work with a syntax tree (nested dictionaries)
      plus a few symbol tables (also dictionaries) on the side.

      They have clearly outgrown these simple data structures.  There's lots
      of rummaging around in dictionaries, and information is recomputed on
      the fly.  For the work I'm going to do, I want more clearly defined
      and more convenient interfaces.

      Going forward, I also want less coupling between the back-ends and the
      syntax tree, to make messing with the syntax easier.

      Create a bunch of classes to represent QAPI schemata.

      Have the QAPISchema initializer call the parser, then walk the syntax
      tree to create the new internal representation, and finally perform
      semantic analysis.

      Shortcut: the semantic analysis still relies on existing check_exprs()
      to do the actual semantic checking.  All this code needs to move into
      the classes.  Mark as TODO.

      Simple unions are lowered to flat unions.  Flat unions and structs are
      represented as a more general object type.

      Catching name collisions in generated code would be nice.  Mark as
      TODO.

      We generate array types eagerly, even though most of them aren't used.
      Mark as TODO.

      Nothing uses the new intermediate representation just yet, thus no
      change to generated files.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a4bcb2080d5c1d08bab512d76fb260296e2cae74
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Sep 16 13:06:04 2015 +0200

      qapi: Rename class QAPISchema to QAPISchemaParser

      I want to name a new class QAPISchema.

      While there, make it a new-style class.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1442401589-24189-2-git-send-email-armbru@xxxxxxxxxx>

  commit 8f60f8e2e574f341709128ff7637e685fd640254
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Sep 13 23:03:45 2015 +0200

      target-ppc: fix xscmpodp and xscmpudp decoding

      The xscmpodp and xscmpudp instructions only have the AX, BX bits in
      there encoding, the lowest bit (usually TX) is marked as an invalid
      bit. We therefore can't decode them with GEN_XX2FORM, which decodes
      the two lowest bit.

      Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark
      the lowest bit as invalid.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 65cf1f65be0fc4883edbd66feeab3ddaceb11c00
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Sep 13 23:03:44 2015 +0200

      target-ppc: fix vcipher, vcipherlast, vncipherlast and vpermxor

      For vector instructions, the helpers get pointers to the vector register
      in arguments. Some operands might point to the same register, including
      the operand holding the result.

      When emulating instructions which access the vector elements in a
      non-linear way, we need to store the result in an temporary variable.

      This fixes openssl when emulating a POWER8 CPU.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d4574435a6530bbd96ae130eddfe5b676f91367a
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Fri Aug 28 13:10:17 2015 +0200

      PPC: E500: Update u-boot to commit 79c884d7e4

      The current U-Boot binary in QEMU has a bug where it fails to support
      dynamic CCSR addressing. Without this support, u-boot can not boot the
      ppce500 machine anymore. This has been fixed upstream in u-boot commit
      e834975b.

      Update the u-boot blob we carry in QEMU to the latest u-boot upstream,
      so that we can successfully run u-boot with the ppce500 machine again.

      CC: qemu-stable@xxxxxxxxxx
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Tested-by: Thomas Huth <thuth@xxxxxxxxxx>

  commit 6bb9a0a9ef9b9b1c2434a52d1c1d066ce179adf8
  Author: Anton Blanchard <anton@xxxxxxxxx>
  Date:   Thu Jul 2 14:44:06 2015 +1000

      target-ppc: Fix SRR0 when taking unaligned exceptions

      We are setting SRR0 to the instruction before the one causing the
      unaligned exception. A quick testcase:

      . = 0x100
      .globl _start
      _start:
        /* Cause a 0x600 */
        li      3,0x1
        stwcx.  3,0,3
      1:        b       1b

      . = 0x600
      1:        b       1b

      Built into something we can load as a BIOS image:

      gcc -mbig -c test.S
      ld -EB -Ttext 0x0 -o test test.o
      objcopy -O binary test test.bin

      Run with:

      qemu-system-ppc64 -nographic -bios test.bin

      Shows an incorrect SRR0 (points at the li):

      SRR0 0000000000000100

      With the patch we get the correct SRR0:

      SRR0 0000000000000104

      Signed-off-by: Anton Blanchard <anton@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit e7f08320f055e1093007b3f1d55b145d5f4daaa1
  Author: Rudolf Marek <mar@xxxxxxxxx>
  Date:   Fri Aug 14 13:38:55 2015 +0200

      PPC: e500 pci host: Fix ATMUs register reads

      There is a bug in the register mask when reading
      the ATMUs registers. As the result some registers
      cannot be read, and read is aliased to the other
      registers. Fix it.

      Signed-off-by: Rudolf Marek <rudolf.marek@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1cde732d88af34849343dc1f0e68072eab0841b9
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Sun Aug 23 11:50:55 2015 +0100

      mac_dbdma: always clear FLUSH bit once DBDMA channel flush is complete

      The code to flush the DBDMA channel was effectively duplicated in
      dbdma_control_write(), except for the fact that the copy executed outside 
of a
      RUN bit transition was broken by not clearing the FLUSH bit once the 
flush was
      complete.

      Newer PPC Linux kernels would timeout waiting for the FLUSH bit to clear 
again
      after submitting a FLUSH command. Fix this by always clearing the FLUSH 
bit
      once the channel flush is complete and removing the repeated code.

      Reported-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 116dc18db6854cc38c6abff799019b7237365a36
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 27 14:46:02 2015 +0200

      kvm_ppc: remove kvmppc_timer_hack

      QEMU does have an I/O thread now, that can be interrupted at any time
      because the VCPU thread runs outside the iothread mutex.

      Therefore, the kvmppc_timer_hack is obsolete.  Remove it.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 18640989a9f5e4d2e84b566c52ff1fccfa0dbf4a
  Merge: b12a84c 3b53e45
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Sep 19 15:59:52 2015 +0100

      Merge remote-tracking branch 
'remotes/afaerber/tags/qom-devices-for-peter' into staging

      QOM infrastructure fixes and device conversions

      * QOM API error handling fixes
      * Performance improvements for device GPIO property creation
      * Remaining conversion of QEMUMachine to QOM

      # gpg: Signature made Sat 19 Sep 2015 15:40:44 BST using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-devices-for-peter: (21 commits)
        machine: Eliminate QEMUMachine and qemu_register_machine()
        Revert use of DEFINE_MACHINE() for registrations of multiple machines
        Use DEFINE_MACHINE() to register all machines
        mac_world: Break long line
        machine: DEFINE_MACHINE() macro
        exynos4: Declare each QEMUMachine as a separate variable
        exynos4: Use MachineClass instead of exynos4_machines array
        exynos4: Use EXYNOS4210_NCPUS instead of max_cpus on error message
        machine: Set MachineClass::name automatically
        machine: Ensure all TYPE_MACHINE subclasses have the right suffix
        mac99: Use MACHINE_TYPE_NAME to encode class name
        s390: Rename s390-ccw-virtio-2.4 class name to use MACHINE_TYPE_NAME
        s390-virtio: Rename machine class name to use MACHINE_TYPE_NAME
        pseries: Rename machine class names to use MACHINE_TYPE_NAME
        arm: Rename virt machine class to use MACHINE_TYPE_NAME
        vexpress: Rename machine classes to use MACHINE_TYPE_NAME
        vexpress: Don't set name on abstract class
        machine: MACHINE_TYPE_NAME macro
        qdev: Do not use slow [*] expansion for GPIO creation
        qom: Fix invalid error check in property_get_str()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3b53e45f43825caaaf4fad6a5b85ce6a9949ff02
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:09 2015 -0300

      machine: Eliminate QEMUMachine and qemu_register_machine()

      The struct is not used anymore and can be eliminated.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 8a661aea0e7f6e776c6ebc9abe339a85b34fea1d
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Sat Sep 19 10:49:44 2015 +0200

      Revert use of DEFINE_MACHINE() for registrations of multiple machines

      The script used for converting from QEMUMachine had used one
      DEFINE_MACHINE() per machine registered. In cases where multiple
      machines are registered from one source file, avoid the excessive
      generation of module init functions by reverting this unrolling.

      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit e264d29de28c5b0be3d063307ce9fb613b427cc3
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:08 2015 -0300

      Use DEFINE_MACHINE() to register all machines

      Convert all machines to use DEFINE_MACHINE() instead of QEMUMachine
      automatically using a script.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      [AF: Style cleanups, convert imx25_pdk machine]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit f309ae852c67833c3cac11747474fbb013529382
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:07 2015 -0300

      mac_world: Break long line

      Coding style change only.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit ed0b6de343448d1014b53bcf541041373322fa1c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:06 2015 -0300

      machine: DEFINE_MACHINE() macro

      The macro will allow easy registration of a TYPE_MACHINE subclass, using
      only the machine name and a MachineClass initialization function as
      parameter.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 97c6671cf16640f997fc8c54ef456bbad125b635
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:05 2015 -0300

      exynos4: Declare each QEMUMachine as a separate variable

      This will make the code follow the same pattern used for other machines,
      and will make it easier to automatically convert the code to be
      QOM-based.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit ca17776088e41dabdc3bb07334dbc73d631e30e3
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:04 2015 -0300

      exynos4: Use MachineClass instead of exynos4_machines array

      We don't need a QEMUMachine array to query max_cpus, if we can get the
      corresponding MachineClass.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 6aadcc71354bc683fdedd8a3d369095d23095e1c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Sep 4 15:37:03 2015 -0300

      exynos4: Use EXYNOS4210_NCPUS instead of max_cpus on error message

      The code is checking smp_cpus against EXYNOS4210_NCPUS, not against
      max_cpus, so use EXYNOS4210_NCPUS in the error message for consistency.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 98cec76a7076c4a38e16f1a9de170a7942b3be54
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:36 2015 -0700

      machine: Set MachineClass::name automatically

      Now all TYPE_MACHINE subclasses use MACHINE_TYPE_NAME to generate the
      class name. So instead of requiring each subclass to set
      MachineClass::name manually, we can now set it automatically at the
      TYPE_MACHINE class_base_init() function.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      [AF/ehabkost: Updated for s390-ccw machines]
      [AF: Cleanup of intermediate virt and vexpress name handling]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit dcb3d601115eed77aef543fe3a920adc17544e06
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:35 2015 -0700

      machine: Ensure all TYPE_MACHINE subclasses have the right suffix

      Now that all non-abstract TYPE_MACHINE subclasses have the -machine
      suffix, add an assert to ensure this will be always true.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit c0f365186b30f97ef221489834e7ae146fc22db8
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:34 2015 -0700

      mac99: Use MACHINE_TYPE_NAME to encode class name

      It will result in exactly the same class name, but it will make the code
      consistent with the other classes.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit af62e639fcc190f09c51e8b73dc6492b30ae2111
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:33 2015 -0700

      s390: Rename s390-ccw-virtio-2.4 class name to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the
      s390-ccw-virtio-2.4 machine class using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      [AF/ehabkost: Updated for 2.5 machine]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4c264d4b3d352d55663bd81667b5d177af1e871e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:32 2015 -0700

      s390-virtio: Rename machine class name to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the s390-virtio
      machine class using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b9f072d01f81786f577c24d4f45050e63872cb13
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:31 2015 -0700

      pseries: Rename machine class names to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the the pseries
      machine classes using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 64d3459c8586c8821970cbc99450340278507cfe
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:30 2015 -0700

      arm: Rename virt machine class to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the arm virt
      machine class using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit fc603d29e96a2982f1b02123f83176f00a660b40
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:29 2015 -0700

      vexpress: Rename machine classes to use MACHINE_TYPE_NAME

      Machine class names should use the "-machine" suffix to allow
      class-name-based machine class lookup to work. Rename the vexpress
      machine classes using the MACHINE_TYPE_NAME macro.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      [AF: Introduce VEXPRESS_*_MACHINE_NAME]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 54477b07fb81ab4a55c263f3449bc07469db30fb
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:28 2015 -0700

      vexpress: Don't set name on abstract class

      The MachineClass::name field won't be ever be used on TYPE_VEXPRESS, as
      it is an abstract class and the machine class lookup code explicitly
      skips abstract classes. We can remove it to make the code simpler.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit c84a8f01b2a5d8bf98c447796d4a747333a5b1fd
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Aug 20 14:54:27 2015 -0700

      machine: MACHINE_TYPE_NAME macro

      The macro will be useful to ensure the machine class names follow the
      right format to make machine class lookup by class name work correctly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 81dfaf1a8f7f95259801da9732472f879023ef77
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 10 22:10:02 2015 +0200

      tcg/mips: pass oi to tcg_out_tlb_load

      Instead of computing mem_index and s_bits in both tcg_out_qemu_ld and
      tcg_out_qemu_st function and passing them to tcg_out_tlb_load, directly
      pass oi to the tcg_out_tlb_load function and compute mem_index and
      s_bits there.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit d9f26847f1429bdb8ccaa4e7bd5f8b57a9da0e8d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 10 22:04:48 2015 +0200

      tcg/mips: move tcg_out_addsub2

      Somehow the tcg_out_addsub2 function ended-up in the middle of the
      qemu_ld/st related functions. Move it with other arithmetics related
      functions.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 5eb4f645eba8a79ea643b228c74a79183d436c97
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Mon Sep 14 11:34:54 2015 +0100

      tcg/mips: Fix clobbering of qemu_ld inputs

      The MIPS TCG backend implements qemu_ld with 64-bit targets using the v0
      register (base) as a temporary to load the upper half of the QEMU TLB
      comparator (see line 5 below), however this happens before the input
      address is used (line 8 to mask off the low bits for the TLB
      comparison, and line 12 to add the host-guest offset). If the input
      address (addrl) also happens to have been placed in v0 (as in the second
      column below), it gets clobbered before it is used.

           addrl in t2              addrl in v0

       1 srl     a0,t2,0x7        srl     a0,v0,0x7
       2 andi    a0,a0,0x1fe0     andi    a0,a0,0x1fe0
       3 addu    a0,a0,s0         addu    a0,a0,s0
       4 lw      at,9136(a0)      lw      at,9136(a0)      set TCG_TMP0 (at)
       5 lw      v0,9140(a0)      lw      v0,9140(a0)      set base (v0)
       6 li      t9,-4093         li      t9,-4093
       7 lw      a0,9160(a0)      lw      a0,9160(a0)      set addend (a0)
       8 and     t9,t9,t2         and     t9,t9,v0         use addrl
       9 bne     at,t9,0x836d8c8  bne     at,t9,0x836d838  use TCG_TMP0
      10  nop                      nop
      11 bne     v0,t8,0x836d8c8  bne     v0,a1,0x836d838  use base
      12  addu   v0,a0,t2          addu   v0,a0,v0         use addrl, addend
      13 lw      t0,0(v0)         lw      t0,0(v0)

      Fix by using TCG_TMP0 (at) as the temporary instead of v0 (base),
      pushing the load on line 5 forward into the delay slot of the low
      comparison (line 10). The early load of the addend on line 7 also needs
      pushing even further for 64-bit targets, or it will clobber a0 before
      we're done with it. The output for 32-bit targets is unaffected.

       srl     a0,v0,0x7
       andi    a0,a0,0x1fe0
       addu    a0,a0,s0
       lw      at,9136(a0)
      -lw      v0,9140(a0)      load high comparator
       li      t9,-4093
      -lw      a0,9160(a0)      load addend
       and     t9,t9,v0
       bne     at,t9,0x836d838
      - nop
      + lw     at,9140(a0)      load high comparator
      +lw      a0,9160(a0)      load addend
      -bne     v0,a1,0x836d838
      +bne     at,a1,0x836d838
        addu   v0,a0,v0
       lw      t0,0(v0)

      Cc: qemu-stable@xxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 6c76b37742d4db8176af37b667b5420727e79e2c
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Fri Jul 31 15:23:22 2015 +0300

      qdev: Do not use slow [*] expansion for GPIO creation

      Expansion of [*] suffix is very slow because index expansion is done using
      trial and error strategy, starting every time from zero and retrying with
      the next index until insertion succeeds. With large number of already 
added
      properties this process takes huge amount of time (O(n^2) complexity).

      Some architectures (like ARM) use very large amount of IRQ pins in 
interrupt
      controller models. This flaw makes machine startup extremely slow
      (~20 seconds for ARM64 with 32 CPUs). This patch decreases this time down 
to
      ~10 seconds.

      Also in qdev_init_gpio_out_named() memset() is now called only once for 
the
      whole array instead of per-cell cleaning

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit e1c8237df5395f6a453f18109bd9dd33fb2a397c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Aug 25 20:00:46 2015 +0200

      qom: Fix invalid error check in property_get_str()

      When a function returns a null pointer on error and only on error, you
      can do

          if (!foo(foos, errp)) {
              ... handle error ...
          }

      instead of the more cumbersome

          Error *err = NULL;

          if (!foo(foos, &err)) {
              error_propagate(errp, err);
              ... handle error ...
          }

      A StringProperty's getter, however, may return null on success!  We
      then fail to call visit_type_str().

      Screwed up in 6a146eb, v1.1.

      Fails tests/qom-test in my current, heavily hacked QAPI branch.  No
      reproducer for master known (but I didn't look hard).

      Cc: Anthony Liguori <anthony@xxxxxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4715d42efe8632b0f9d2594a80e917de45e4ef88
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Aug 25 20:00:45 2015 +0200

      qom: Do not reuse errp after a possible error

      The argument for an Error **errp parameter must point to a null
      pointer.  If it doesn't, and an error happens, error_set() fails its
      assertion.

      Instead of

          foo(foos, errp);
          bar(bars, errp);

      you need to do something like

          Error *err = NULL;

          foo(foos, &err);
          if (err) {
              error_propagate(errp, err);
              goto out;
          }

          bar(bars, errp);
      out:

      Screwed up in commit 0e55884 (v1.3.0): property_get_bool().

      Screwed up in commit 1f21772 (v2.1.0): object_property_get_enum() and
      object_property_get_uint16List().

      Screwed up in commit a8e3fbe (v2.4.0): property_get_enum(),
      property_set_enum().

      Found by inspection, no actual crashes observed.

      Fix them up.

      Cc: Anthony Liguori <anthony@xxxxxxxxxxxxx>
      Cc: Hu Tao <hutao@xxxxxxxxxxxxxx>
      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b12a84ce3c27e42c8f51c436aa196938d5cc2c71
  Author: Rainer Müller <raimue@xxxxxxxxxxxxx>
  Date:   Wed Sep 9 16:08:30 2015 +0200

      cocoa: Suppress Cocoa window with -display

      Do not open a Cocoa window when another display is selected that will be
      initialized later. The Cocoa display cannot be selected with -display,
      so there is no need to check its argument.

      Signed-off-by: Rainer Müller <raimue@xxxxxxxxxxxxx>
      Reviewed-by: Andreas Färber <andreas.faerber@xxxxxx>
      Message-id: 1441807710-25431-1-git-send-email-raimue@xxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a53efe9c47c9a441b307c5cec64d08d9647ab6a4
  Merge: ffa4822 e47f9eb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 18 16:57:59 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri 18 Sep 2015 15:59:02 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"

      * remotes/jnsnow/tags/ide-pull-request:
        ahci: clean up initial d2h semantics
        ahci: remove cmd_fis argument from write_fis_d2h
        ahci: fix signature generation
        ahci: remove dead reset code
        atapi: abort transfers with 0 byte limits
        ide: fix ATAPI command permissions
        ide-test: add cdrom dma test
        ide-test: add cdrom pio test
        qtest/ahci: export generate_pattern
        qtest/ahci: use generate_pattern everywhere
        ide: unify io_buffer_offset increments

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e47f9eb148fc3b9a67d318951ebceb834205f94c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Sep 1 16:50:41 2015 -0400

      ahci: clean up initial d2h semantics

      with write_fis_d2h and signature generation tidied up,
      let's adjust the initial d2h semantics to make more sense.

      The initial d2h is considered delivered if there is guest
      memory to save it to.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1441140641-17631-5-git-send-email-jsnow@xxxxxxxxxx

  commit 28ee82557cdbf3d9023b58f7229b0d0fd1a3d776
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Sep 1 16:50:40 2015 -0400

      ahci: remove cmd_fis argument from write_fis_d2h

      It's no longer used. We used to generate a D2H FIS based
      upon the command FIS that prompted the update, but in reality,
      the D2H FIS is generated purely from register state.

      cmd_fis is vestigial, so get rid of it.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1441140641-17631-4-git-send-email-jsnow@xxxxxxxxxx

  commit 33a983cb2821600f4ed5720919434256e8371ec2
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Sep 1 16:50:39 2015 -0400

      ahci: fix signature generation

      The initial register device-to-host FIS no longer needs to specially
      set certain fields, as these can be handled generically by setting those
      fields explicitly with the signatures we want at port reset time.

      (1) Signatures are decomposed into their four component registers and
          set upon (AHCI) port reset.
      (2) the signature cache register is no longer set manually per-each
          device type, but instead just once during ahci_init_d2h.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1441140641-17631-3-git-send-email-jsnow@xxxxxxxxxx

  commit f91a0aa3743c8bdf0dc0f646606a3dc8bb2c7df8
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Sep 1 16:50:38 2015 -0400

      ahci: remove dead reset code

      This check is dead due to an earlier conditional.
      AHCI does not currently support hotplugging, so
      checks to see if devices are present or not are useless.

      Remove it.

      Reported-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1441140641-17631-2-git-send-email-jsnow@xxxxxxxxxx

  commit 9ef2e93f9b1888c7d0deb4a105149138e6ad2e98
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:05 2015 -0400

      atapi: abort transfers with 0 byte limits

      We're supposed to abort on transfers like this, unless we fill
      Word 125 of our IDENTIFY data with a default transfer size, which
      we don't currently do.

      This is an ATA error, not a SCSI/ATAPI one.
      See ATA8-ACS3 sections 7.17.6.49 or 7.21.5.

      If we don't do this, QEMU will loop forever trying to transfer
      zero bytes, which isn't particularly useful.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1442253685-23349-2-git-send-email-jsnow@xxxxxxxxxx

  commit d9033e1d3aa666c5071580617a57bd853c5d794a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:05 2015 -0400

      ide: fix ATAPI command permissions

      We're a little too lenient with what we'll let an ATAPI drive handle.
      Clamp down on the IDE command execution table to remove CD_OK permissions
      from commands that are not and have never been ATAPI commands.

      For ATAPI command validity, please see:
      - ATA4 Section 6.5 ("PACKET Command feature set")
      - ATA8/ACS Section 4.3 ("The PACKET feature set")
      - ACS3 Section 4.3 ("The PACKET feature set")

      ACS3 has a historical command validity table in Table B.4
      ("Historical Command Assignments") that can be referenced to find when
      a command was introduced, deprecated, obsoleted, etc.

      The only reference for ATAPI command validity is by checking that
      version's PACKET feature set section.

      ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
      therefore are assumed to have never been ATAPI commands.

      Mandatory commands, as listed in ATA8-ACS3, are:

      - DEVICE RESET
      - EXECUTE DEVICE DIAGNOSTIC
      - IDENTIFY DEVICE
      - IDENTIFY PACKET DEVICE
      - NOP
      - PACKET
      - READ SECTOR(S)
      - SET FEATURES

      Optional commands as listed in ATA8-ACS3, are:

      - FLUSH CACHE
      - READ LOG DMA EXT
      - READ LOG EXT
      - WRITE LOG DMA EXT
      - WRITE LOG EXT

      All other commands are illegal to send to an ATAPI device and should
      be rejected by the device.

      CD_OK removal justifications:

      0x06 WIN_DSM              Defined in ACS2. Not valid for ATAPI.
      0x21 WIN_READ_ONCE        Retired in ATA5. Not ATAPI in ATA4.
      0x94 WIN_STANDBYNOW2      Retired in ATA4. Did not coexist with ATAPI.
      0x95 WIN_IDLEIMMEDIATE2   Retired in ATA4. Did not coexist with ATAPI.
      0x96 WIN_STANDBY2         Retired in ATA4. Did not coexist with ATAPI.
      0x97 WIN_SETIDLE2         Retired in ATA4. Did not coexist with ATAPI.
      0x98 WIN_CHECKPOWERMODE2  Retired in ATA4. Did not coexist with ATAPI.
      0x99 WIN_SLEEPNOW2        Retired in ATA4. Did not coexist with ATAPI.
      0xE0 WIN_STANDBYNOW1      Not part of ATAPI in ATA4, ACS or ACS3.
      0xE1 WIN_IDLEIMMDIATE     Not part of ATAPI in ATA4, ACS or ACS3.
      0xE2 WIN_STANDBY          Not part of ATAPI in ATA4, ACS or ACS3.
      0xE3 WIN_SETIDLE1         Not part of ATAPI in ATA4, ACS or ACS3.
      0xE4 WIN_CHECKPOWERMODE1  Not part of ATAPI in ATA4, ACS or ACS3.
      0xE5 WIN_SLEEPNOW1        Not part of ATAPI in ATA4, ACS or ACS3.
      0xF8 WIN_READ_NATIVE_MAX  Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.

      This patch fixes a divide by zero fault that can be caused by sending
      the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
      attempt to use zeroed CHS values to perform sector arithmetic.

      Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1441816082-21031-1-git-send-email-jsnow@xxxxxxxxxx
      CC: qemu-stable@xxxxxxxxxx

  commit 00ea63fd18d0b7e0248e476c5150a04a06e79a3b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:05 2015 -0400

      ide-test: add cdrom dma test

      Now, test the DMA functionality of the ATAPI drive.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1441926555-19471-5-git-send-email-jsnow@xxxxxxxxxx

  commit f7ba8d7fb6a7f22f8ecf99f61a35079accaba5c4
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:04 2015 -0400

      ide-test: add cdrom pio test

      Add a simple read test for ATAPI devices,
      using the PIO mechanism.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1441926555-19471-4-git-send-email-jsnow@xxxxxxxxxx

  commit ab4f705751c39d59e5039a145cf4703320e4207e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:04 2015 -0400

      qtest/ahci: export generate_pattern

      Share the pattern function for ide and ahci test.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1441926555-19471-3-git-send-email-jsnow@xxxxxxxxxx

  commit d7531638db73396c9e89ade086bbeab6023656f9
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:04 2015 -0400

      qtest/ahci: use generate_pattern everywhere

      Fix the pattern generation to actually be interesting,
      and make sure all buffers in the ahci-test actually use it.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1441926555-19471-2-git-send-email-jsnow@xxxxxxxxxx

  commit ffa4822c015d5670ef6a2239f3cbd2ff2cec57de
  Merge: 3bf1f5e 0bdaa3a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 18 14:41:53 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-09-18' 
into staging

      Error reporting patches

      # gpg: Signature made Fri 18 Sep 2015 13:42:49 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-09-18:
        memory: Fix bad error handling in memory_region_init_ram_ptr()
        loader: Fix memory_region_init_resizeable_ram() error handling
        Fix bad error handling after memory_region_init_ram()
        error: New error_fatal
        MAINTAINERS: Add "Error reporting" entry
        error: Copy location information in error_copy()
        hmp: Allow for error message hints on HMP
        error: only prepend timestamp on stderr

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0bdaa3a429c6d07cd437b442a1f15f70be1addaa
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 11 16:51:45 2015 +0200

      memory: Fix bad error handling in memory_region_init_ram_ptr()

      Commit ef701d7 screwed up handling of out-of-memory conditions.
      Before the commit, we report the error and exit(1), in one place.  The
      commit lifts the error handling up the call chain some, to three
      places.  Fine.  Except it uses &error_abort in these places, changing
      the behavior from exit(1) to abort(), and thus undoing the work of
      commit 3922825 "exec: Don't abort when we can't allocate guest
      memory".

      The previous two commits fixed one of the three places, another one
      was fixed in commit 33e0eb5.  This commit fixes the third one.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441983105-26376-5-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit df8abec8cb48f6c439516fd78b3ab6535e6fd493
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 11 16:51:44 2015 +0200

      loader: Fix memory_region_init_resizeable_ram() error handling

      Commit ef701d7 screwed up handling of out-of-memory conditions.
      Before the commit, we report the error and exit(1), in one place.  The
      commit lifts the error handling up the call chain some, to three
      places.  Fine.  Except it uses &error_abort in these places, changing
      the behavior from exit(1) to abort(), and thus undoing the work of
      commit 3922825 "exec: Don't abort when we can't allocate guest
      memory".

      The previous commit fixed up uses of memory_region_init_ram().  One of
      them was replaced by memory_region_init_resizeable_ram() [sic!] in
      commit a166614, so Coccinelle missed it.  Fix it up.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441983105-26376-4-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit f8ed85ac992c48814d916d5df4d44f9a971c5de4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 11 16:51:43 2015 +0200

      Fix bad error handling after memory_region_init_ram()

      Symptom:

          $ qemu-system-x86_64 -m 10000000
          Unexpected error in ram_block_add() at /work/armbru/qemu/exec.c:1456:
          upstream-qemu: cannot set up guest memory 'pc.ram': Cannot allocate 
memory
          Aborted (core dumped)

      Root cause: commit ef701d7 screwed up handling of out-of-memory
      conditions.  Before the commit, we report the error and exit(1), in
      one place, ram_block_add().  The commit lifts the error handling up
      the call chain some, to three places.  Fine.  Except it uses
      &error_abort in these places, changing the behavior from exit(1) to
      abort(), and thus undoing the work of commit 3922825 "exec: Don't
      abort when we can't allocate guest memory".

      The three places are:

      * memory_region_init_ram()

        Commit 4994653 (right after commit ef701d7) lifted the error
        handling further, through memory_region_init_ram(), multiplying the
        incorrect use of &error_abort.  Later on, imitation of existing
        (bad) code may have created more.

      * memory_region_init_ram_ptr()

        The &error_abort is still there.

      * memory_region_init_rom_device()

        Doesn't need fixing, because commit 33e0eb5 (soon after commit
        ef701d7) lifted the error handling further, and in the process
        changed it from &error_abort to passing it up the call chain.
        Correct, because the callers are realize() methods.

      Fix the error handling after memory_region_init_ram() with a
      Coccinelle semantic patch:

          @r@
          expression mr, owner, name, size, err;
          position p;
          @@
                  memory_region_init_ram(mr, owner, name, size,
          (
          -                              &error_abort
          +                              &error_fatal
          |
                                         err@p
          )
                                        );
          @script:python@
              p << r.p;
          @@
          print "%s:%s:%s" % (p[0].file, p[0].line, p[0].column)

      When the last argument is &error_abort, it gets replaced by
      &error_fatal.  This is the fix.

      If the last argument is anything else, its position is reported.  This
      lets us check the fix is complete.  Four positions get reported:

      * ram_backend_memory_alloc()

        Error is passed up the call chain, ultimately through
        user_creatable_complete().  As far as I can tell, it's callers all
        handle the error sanely.

      * fsl_imx25_realize(), fsl_imx31_realize(), dp8393x_realize()

        DeviceClass.realize() methods, errors handled sanely further up the
        call chain.

      We're good.  Test case again behaves:

          $ qemu-system-x86_64 -m 10000000
          qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot 
allocate memory
          [Exit 1 ]

      The next commits will repair the rest of commit ef701d7's damage.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441983105-26376-3-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit a29a37b994ca3c5a1d39fa0e8934f7e0f2cf57ef
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Sep 11 16:51:42 2015 +0200

      error: New error_fatal

      Similar to error_abort, but doesn't report where the error was
      created, and terminates the process with exit(1) rather than abort().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1441983105-26376-2-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit 4f966768acd1d677d24d60a01c160c18a09cce80
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Sep 12 13:29:56 2015 +0200

      MAINTAINERS: Add "Error reporting" entry

      Error reporting work has been flowing through my tree for a while.
      Time for MAINTAINERS to catch up.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442057396-21989-1-git-send-email-armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit 88e2ce291595ed8f12636b40523fdb215a9d3374
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Sep 10 10:34:50 2015 -0600

      error: Copy location information in error_copy()

      Commit 1e9b65bb forgot to propagate source information to copied
      errors.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1441902890-23064-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 50b7b000c9171c1253c1c875f46f654c3c0e1fc8
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Sep 10 10:19:16 2015 -0600

      hmp: Allow for error message hints on HMP

      Commits 7216ae3d and d2828429 disabled some error message hints,
      all because a change to use modern error reporting meant that the
      hint would be output prior to the actual error.  Fix this by making
      hints a first-class member of Error.

      For example, we are now back to the pleasant:

       $ qemu-system-x86_64 --nodefaults -S --vnc :0 --chardev null,id=,
       qemu-system-x86_64: --chardev null,id=,: Parameter 'id' expects an 
identifier
       Identifiers consist of letters, digits, '-', '.', '_', starting with a 
letter.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1441901956-21991-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 615cf669b55a689f9e535ecf87075e50004b6e0a
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Aug 10 14:15:41 2015 +0100

      error: only prepend timestamp on stderr

      The -msg timestamp=on option prepends a timestamp to error messages.
      This is useful on stderr where it allows users to identify when an error
      was raised.

      Timestamps do not make sense on the monitor since error_report() is
      called in response to a synchronous monitor command and the user already
      knows "when" the command was issued.  Additionally, the rest of the
      monitor conversation lacks timestamps so the error timestamp cannot be
      correlated with other activity.

      Only prepend timestamps on stderr.  This fixes libvirt's 'drive_del'
      processing, which did not expect a timestamp.  Other QEMU monitor
      clients are probably equally confused by timestamps on monitor error
      messages.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Seiji Aguchi <seiji.aguchi@xxxxxxx>
      Cc: Frank Schreuder <fschreuder@xxxxxxxxxx>
      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1439212541-16997-1-git-send-email-stefanha@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Tested-by: Frank Schreuder <fschreuder@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3bf1f5ec6a7ec8ee06c95bf308d213ebaa129ee0
  Merge: 16a1b6e 9c708c7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 18 12:55:27 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150918' into 
staging

      MIPS patches 2015-09-18

      Changes:
      * fixes for rdhwr, tlbwr, mtc0, recip.fmt, rsqrt.fmt and daui instructions
      * removal of MIPS_DEBUG code
      * use tcg_gen_extrh_i64_i32()
      * improve random tlb index generation in cpu_mips_get_random()
      * exception handling improvements to correctly restore icount

      # gpg: Signature made Fri 18 Sep 2015 12:15:28 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"

      * remotes/lalrae/tags/mips-20150918:
        target-mips: improve exception handling
        target-mips: correct MTC0 instruction on MIPS64
        target-mips: add missing restriction in DAUI instruction
        target-mips: fix corner case in TLBWR causing QEMU to hang
        pic32: use LCG algorithm for generated random index of TLBWR instruction
        target-mips: get rid of MIPS_DEBUG_SIGN_EXTENSIONS
        target-mips: get rid of MIPS_DEBUG
        target-mips: Fix RDHWR on CP0.Count
        target-mips: remove wrong checks for recip.fmt and rsqrt.fmt
        target-mips: Use tcg_gen_extrh_i64_i32

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9c708c7f9fbb813a3fac02f2728e51e62f2f5ffc
  Author: Pavel Dovgaluk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:08 2015 +0300

      target-mips: improve exception handling

      This patch improves exception handling in MIPS.
      Instructions generate several types of exceptions.
      When exception is generated, it breaks the execution of the current
      translation block. Implementation of the exceptions handling does not
      correctly restore icount for the instruction which caused the exception.
      In most cases icount will be decreased by the value equal to the size of
      TB. This patch passes pointer to the translation block internals to the
      exception handler. It allows correct restoring of the icount value.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: avoid retranslation in linux-user SC, break lines
       which are over 80 chars, remove v3 changelog from the commit message]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit d54a299b83a07642c85a22bfe19b69ca4def9ec4
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Wed Sep 9 12:44:25 2015 +0100

      target-mips: correct MTC0 instruction on MIPS64

      MTC0 on a 64-bit processor should move entire 64-bit GPR content to CP0
      register.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit db77d8523909b32d798cd2c80de422b68f9e5c42
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Wed Sep 9 14:45:36 2015 +0100

      target-mips: add missing restriction in DAUI instruction

      rs cannot be the zero register, Reserved Instruction exception must be
      signalled for this case.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 3adafef2f35d9061b56a09071b2589b9e0b36f76
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Sep 10 10:15:28 2015 +0100

      target-mips: fix corner case in TLBWR causing QEMU to hang

      cpu_mips_get_random() function is used to generate a random index from
      CP0.Wired to TLBSize-1 range. Current implementation avoids generating
      the same as before value, hence the while loop. If the guest sets
      CP0.Wired to TLBSize-1 (which actually does not sound to be very
      practical) QEMU will get stuck in the loop infinitely as we always
      generate the same index.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit ceb0ee147df35adc7b705da1c84a4624c9cabb21
  Author: Serge Vakulenko <serge.vakulenko@xxxxxxxxx>
  Date:   Sun Jul 5 23:14:50 2015 -0700

      pic32: use LCG algorithm for generated random index of TLBWR instruction

      The LFSR algorithm, used for generating random TLB indexes for TLBWR
      instruction, was inclined to produce a degenerate sequence in some cases.
      For example, for 16-entry TLB size and Wired=1, it gives: 15, 6, 7, 2,
      7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2, 7, 2...
      When replaced with LCG algorithm from ISO/IEC 9899 standard, the sequence
      looks much better, with about the same computational effort needed.

      Signed-off-by: Serge Vakulenko <serge.vakulenko@xxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit b307446e04232b3a87e9da04886895a8e5a4a407
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Sep 13 23:07:59 2015 +0200

      target-mips: get rid of MIPS_DEBUG_SIGN_EXTENSIONS

      MIPS_DEBUG_SIGN_EXTENSIONS was used sometimes ago to verify that 32-bit
      instructions correctly sign extend their results. It's now not need
      anymore, remove it.

      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 9d68ac14dab3f5af33a6b23458941dc6fb261fce
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Sep 13 23:07:58 2015 +0200

      target-mips: get rid of MIPS_DEBUG

      MIPS_DEBUG is a define used to dump the instruction disassembling. It
      has to be defined at compile time. In practice I believe it's more
      efficient to just look at the instruction disassembly and op dump using
      -d in_asm,op. This patch therefore removes the corresponding code, which
      clutters translate.c.

      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit cdfcad788394ff53e317043e07b8e34f4987c659
  Author: Alex Smith <alex.smith@xxxxxxxxxx>
  Date:   Tue Sep 8 11:34:11 2015 +0100

      target-mips: Fix RDHWR on CP0.Count

      For RDHWR on the CP0.Count register, env->CP0_Count was being returned.
      This value is a delta against the QEMU_CLOCK_VIRTUAL clock, not the
      correct current value of CP0.Count. Use cpu_mips_get_count() instead.

      Signed-off-by: Alex Smith <alex.smith@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ca6c7803d2beae43299a80f4549d36579881fc0b
  Author: Petar Jovanovic <petar.jovanovic@xxxxxxxxxx>
  Date:   Wed Aug 26 14:12:20 2015 +0200

      target-mips: remove wrong checks for recip.fmt and rsqrt.fmt

      Instructions recip.{s|d} and rsqrt.{s|d} do not require 64-bit FPU neither
      they require any particular mode for its FPU. This patch removes the 
checks
      that may break a program that uses these instructions.

      Signed-off-by: Petar Jovanovic <petar.jovanovic@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 71f303cd246ae22ce6fdacb3801b5abbca25c409
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 2 15:50:14 2015 -0700

      target-mips: Use tcg_gen_extrh_i64_i32

      We can tidy gen_load_fpr32h, as well as introduce a helper
      to cleanup the MACC instructions.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit aaeda4a3c9e4d1d25c65ce8ca98e2de06daf1eec
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Sep 17 14:17:04 2015 -0400

      ide: unify io_buffer_offset increments

      IDEState's io_buffer_offset was originally added to keep track of offsets
      in AHCI rather exclusively, but it was added to IDEState instead of an
      AHCI-specific structure.

      AHCI fakes all PIO transfers using DMA and a scatter-gather list. When
      the core or atapi layers invoke HBA-specific mechanisms for transfers,
      they do not always know that it is being backed by DMA or a sglist, so
      this offset is not always updated by the HBA code everywhere.

      If we modify it in dma_buf_commit, however, any HBA that needs to use
      this offset to manage operating on only part of a sglist will have
      access to it.

      This will fix ATAPI PIO transfers performed through the AHCI HBA,
      which were previously not modifying this value appropriately.

      This will fix ATAPI PIO transfers larger than one sector.

      Reported-by: Hannes Reinecke <hare@xxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Tested-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Message-id: 1440546331-29087-2-git-send-email-jsnow@xxxxxxxxxx
      CC: qemu-stable@xxxxxxxxxx

  commit 16a1b6e97c2a2919fd296db4bea2f9da2ad3cc4d
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri May 4 12:54:34 2012 +0200

      target-cris: update CPU state save/load to use VMStateDescription

      Update the CRIS CPU state save/load to use a VMStateDescription struct
      rather than cpu_save/cpu_load functions.

      Have to define TLBSet struct.
      Multidimensional arrays in C are a mess, just unroll them.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      [PMM:
       * expand commit message a little since it's no longer one patch in
         a 35-patch series
       * add header/copyright comment to machine.c; credited copyright is
         Red Hat and author is Juan, since this commit gives the file all-new
         contents; license is LGPL-2-or-later, to match other target-cris code
       * remove hardcoded tab
       * add fields for locked_irq, interrupt_vector, fault_vector, trap_vector
       * drop minimum_version_id_old fields
       * bump version_id to 2 as we are not compatible with old state format
       * remove unnecessary hw/boards.h include
       * update to register via dc->vmsd]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit cc450bfdc030d1943d99b3cb526a3e2cb4f3cd72
  Merge: 1c9f03b 271a234
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 17 13:07:50 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Thu 17 Sep 2015 12:43:56 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net: smc91c111: flush packets on RCR register changes
        net: smc91c111: gate can_receive() on rx FIFO having a slot
        net: smc91c111: guard flush_queued_packets() on can_rx()
        MAINTAINERS: Stefan will not maintain net subsystem

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 271a234a2359975101396916f37f3c7d347c61b8
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 21:24:12 2015 -0700

      net: smc91c111: flush packets on RCR register changes

      The SOFT_RST or RXEN in the control register can be used as a condition
      to unblock the net layer via can_receive(). So check for possible
      flushes on RCR changes. This will drop all pending packets on soft
      reset or disable which is the functional intent of the can_receive()
      logic.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard Purdie <richard.purdie@xxxxxxxxxxxxxxxxxxx>
      Message-id: 
b114d4c96f4afbdaa15f1361d9c07e3021755915.1441873621.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e62cb54cd5d08dc1c029f254b0d18faa138971b2
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 21:23:57 2015 -0700

      net: smc91c111: gate can_receive() on rx FIFO having a slot

      Return false from can_receive() when the FIFO doesn't have a free RX
      slot. This fixes a bug in the current code where the allocated buffer
      is freed before the fifo pop, triggering a premature flush of queued RX
      packets. It also will handle a corner case, where the guest manually
      frees the allocated buffer before popping the rx FIFO (hence it is not
      enough to just delay the flush_queued_packets()).

      Reported-by: Richard Purdie <richard.purdie@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard Purdie <richard.purdie@xxxxxxxxxxxxxxxxxxx>
      Message-id: 
97bfdfc5cbce0bd5e0cbbbff35ce7a1bf6f8603d.1441873621.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 8d06b149271cbd5b19bed5bde8da5ecef40ecbc6
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 21:23:43 2015 -0700

      net: smc91c111: guard flush_queued_packets() on can_rx()

      Check that the core can once again receive packets before asking the
      net layer to do a flush. This will make it more convenient to flush
      packets when adding new conditions to can_receive.

      Add missing if braces while moving the can_receive() core code.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard Purdie <richard.purdie@xxxxxxxxxxxxxxxxxxx>
      Message-id: 
92e15e12a6964274f4bc0eb71b61a7d94326f6c6.1441873621.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1c9f03b81ce9136cf1bd3c111582b320b507dfec
  Merge: 3c4698d d626834
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Sep 16 18:06:54 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * Linux header update and cleanup
      * Support for HyperV crash report
      * Cleanup of target-specific HMP commands
      * Multiarch batch
      * Checkpatch fix for Perl 5.22
      * NBD fix
      * Revert incorrect commit 5243722376

      # gpg: Signature made Wed 16 Sep 2015 16:39:01 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream: (24 commits)
        nbd: release exp->blk after all clients are closed
        checkpatch: Escape left braces in regex
        monitor: uninclude cpu_ldst
        include/exec: Move cputlb exec.c defs out
        cputlb: Change tlb_set_dirty() arg to cpu
        cputlb: move CPU_LOOP() for tlb_reset() to exec.c
        translate: move real_host_page setting to -common
        tcg: Move tci_tb_ptr to -common
        tcg: split tcg_op_defs to -common
        translate-all: Move tcg_handle_interrupt() to -common
        cpu-exec: Migrate some generic fns to cpu-exec-common
        qemu-char: Use g_new() & friends where that makes obvious sense
        monitor: added generation of documentation for hmp-commands-info.hx
        hmp-commands.hx: fix end of table info
        monitor: remove target-specific code from monitor.c
        hmp-commands-info: move info_cmds content out of monitor.c
        i386/kvm: Hyper-v crash msrs set/get'ers and migration
        kvm: Add kvm system event crash handler
        cpu: Add crash_occurred flag into CPUState
        target-i386: move asm-x86/hyperv.h to standard-headers
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d6268348493f32ecc096caa637620757472a1196
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Wed Sep 16 16:35:46 2015 +0800

      nbd: release exp->blk after all clients are closed

      If the socket fd is shutdown, there may be some data which is received 
before
      shutdown. We will read the data and do read/write in nbd_trip(). But the 
exp's
      blk is NULL, and it will cause qemu crashed.

      Reported-by: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-Id: <55F929E2.1020501@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 04f2562f8ec6af573508880ac607d098a5d3ad7f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Sep 11 19:07:36 2015 +0800

      checkpatch: Escape left braces in regex

      Latest perl now deprecates "{" literal in regex and print warnings like
      "unescaped left brace in regex is deprecated".  Add escape to keep it
      happy.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1441969656-2640-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e6b65fe1c234b5f63af075b9c85691ea744ead34
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:45 2015 -0700

      monitor: uninclude cpu_ldst

      This header is non-needed anymore and wont work in multi-arch where
      this service is not provided to core code.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<4e96622ab5320603829b6f94b8c4e94d573d34fc.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dfccc7602374c9fd3b083208b552d62daa244811
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:43 2015 -0700

      include/exec: Move cputlb exec.c defs out

      Move the architecture agnostic function prototypes for exec.c out of
      cputlb.h to exec-all.h. This allows hiding of the arch specific
      cputlb.h from exec.c which should be getting close to having no
      architecture specifics. Prepares support for multi-arch, which will have
      a minimal cpu.h that services exec.c but not cputlb.h.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<b4fe754c58c860315e35d44430c26b1c967ce2c9.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bcae01e468d961ad9afaf4148329147e4be209ab
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:42 2015 -0700

      cputlb: Change tlb_set_dirty() arg to cpu

      Change tlb_set_dirty() to accept a CPU instead of an env pointer. This
      allows for removal of another CPUArchState usage from prototypes that
      need to be QOMified.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<d2b1dcbe7945112989861d8ba7369449c11cc273.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9a13565d52bfd321934fb44ee004bbaf5f5913a8
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:41 2015 -0700

      cputlb: move CPU_LOOP() for tlb_reset() to exec.c

      To prepare for multi-arch, cputlb.c should only have awareness of one
      single architecture. This means it should not have access to the full
      CPU lists which may be heterogeneous. Instead, push the CPU_LOOP() up
      to the one and only caller in exec.c.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<db06dc6c49f8970caaf116d0385f00ee10a56f2f.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5f12a788c04cf36442f3be00ebf6fdc3b8c8c4ba
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:36 2015 -0700

      translate: move real_host_page setting to -common

      Move the size and mask globals for the "real" host page size to
      translate-common. This is to allow system-level code to use
      REAL_HOST_PAGE_ALIGN and friends in builds which hide translate-all
      behind arch-obj.

      Cc: dgilbert@xxxxxxxxxx
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<b437638691f044bc690a7f03b1240c8b0f34ab57.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 162e992270fd3587b21fa77fd4a8ccc879c402c9
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:35 2015 -0700

      tcg: Move tci_tb_ptr to -common

      This requires global visibility to common code. Move to tcg-common.

      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<cb0340eba225ab4945aa6cf7c9013f33aa05bcf8.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7d8f787d9d261d6880b69e35ed682241e3f9242f
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:34 2015 -0700

      tcg: split tcg_op_defs to -common

      tcg_op_defs (and the _max) are both needed by the TCI disassembler. For
      multi-arch, tcg.c will be multiple-compiled (arch-obj) with its symbols
      hidden from common code. So split the definition off to new file,
      tcg-common.c which will remain a regular obj-y for use by both the TCI
      disas as well as the multiple tcg.c's.

      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<4b607425886d85aee65878e4935dfad46b3e6085.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9b68a7754a892d8deb7696cfe609fe2ec3c6034a
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:33 2015 -0700

      translate-all: Move tcg_handle_interrupt() to -common

      Move this function to common code. It has no arch specific
      dependencies. Prepares support for multi-arch where the translate-all
      interface needs to be virtualised. One less thing to virtualise.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<44a7c73604ed2552af47ed02b047b6a772b683e0.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5abf9495ca9ff41160260ac274115825c10545cc
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Sep 10 22:39:31 2015 -0700

      cpu-exec: Migrate some generic fns to cpu-exec-common

      The goal is to split the functions such that cpu-exec is CPU specific
      content, while cpus-exec-common.c is generic code only. The function
      interface to cpu-exec needs to be virtualised to prepare support for
      multi-arch and moving these definitions out saves bloating the QOM
      interface. So move these definitions out of cpu-exec to a new module,
      cpu-exec-common.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<3cefeb3fbbb33031670951a0e74de2778529da3f.1441614289.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2d528d45ecf5ee3c1a566a9f3d664464925ef830
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 14 13:54:03 2015 +0200

      qemu-char: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).  Same Coccinelle semantic patch as in commit b45c03f.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-Id: <1442231643-23630-1-git-send-email-armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2cd8af2d44268ffd4d224d6c297e8c644c01fa8d
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Thu Sep 10 18:39:01 2015 +0300

      monitor: added generation of documentation for hmp-commands-info.hx

      It will be easier if you need to add info-commands to edit
      only hmp-commands-info.hx, before this had to edit monitor.c and
      hmp-commands.hx.

      From the build point of view all documentation is saved into
      qemu-monitor-info.texi which from now on is used for all user
      documentation building.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1441899541-1856-5-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 70703344de56c2119fcb7c2e01be3fa02087fb3c
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Thu Sep 10 18:39:00 2015 +0300

      hmp-commands.hx: fix end of table info

      The table info(information about the system state) closes earlier
      and some of its elements are outside(trace-events, rocker, etc). This
      can be confusing and lead to additional bugs.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1441899541-1856-4-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bf957284006b6325e6ed64fd839c237c15b42029
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Thu Sep 10 18:38:59 2015 +0300

      monitor: remove target-specific code from monitor.c

      Move target-specific code out of /monitor.c to /target-*/monitor.c,
      this will avoid code cluttering and using random ifdeffery.  The solution
      is quite simple, but solves the issue of the separation of target-specific
      code from monitor.

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1441899541-1856-3-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit da76ee76f78b9705e2a91e3c964aef28fecededb
  Author: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
  Date:   Thu Sep 10 18:38:58 2015 +0300

      hmp-commands-info: move info_cmds content out of monitor.c

      For moving target- and device-specific code  from monitor.c,
      to beginning we move info_cmds content to hmp-commands-info.hx

      Signed-off-by: Pavel Butsykin <pbutsykin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1441899541-1856-2-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f2a53c9e05a24352a0f9740db0539ce5aeed22ca
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Wed Sep 9 14:41:30 2015 +0200

      i386/kvm: Hyper-v crash msrs set/get'ers and migration

      KVM Hyper-V based guests can notify hypervisor about
      occurred guest crash by writing into Hyper-V crash MSR's.
      This patch does handling and migration of HV_X64_MSR_CRASH_P0-P4,
      HV_X64_MSR_CRASH_CTL msrs. User can enable these MSR's by
      'hv-crash' option.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1435924905-8926-13-git-send-email-den@xxxxxxxxxx>
      [Folks, stop abrviating variable names!!! Also fix compilation on
       non-Linux/x86. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7c207b90465bc16a39b9fb8d9194f161059f69bf
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:01:43 2015 +0300

      kvm: Add kvm system event crash handler

      KVM kernel can send guest crash events into userspace.
      Appropriate guest crash handler is called when kernel guest
      crash event received. Guest crash event recognized by a
      KVM_SYSTEM_EVENT_CRASH type of system event.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1435924905-8926-11-git-send-email-den@xxxxxxxxxx>
      [Rebase: add lock/unlock iothread around qemu_system_guest_panicked - 
Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bac05aa9a77af1ca7972c8dc07560f4daa7c2dfc
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:01:44 2015 +0300

      cpu: Add crash_occurred flag into CPUState

      CPUState::crash_occurred field inside CPUState marks
      that guest crash occurred. This value is added into
      cpu common migration subsection.

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas Färber <afaerber@xxxxxxx>
      Message-Id: <1435924905-8926-12-git-send-email-den@xxxxxxxxxx>
      [Document the new field. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 73aa529a48b4ed7fce21fc74e62fb24db526af5f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 9 15:25:52 2015 +0200

      target-i386: move asm-x86/hyperv.h to standard-headers

      The Hyper-V definitions are an industry standard and can be used
      from code that is not KVM-specific.

      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit eddb4de3cc1403546b29e260068c4c1397cbd62d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 9 15:25:52 2015 +0200

      update-linux-headers: copy standard-headers files one by one

      cp_virtio is called for both the asm-s390/ and linux/ directories,
      so it looks for pci_regs.h and input.h files in asm-s390/ too.  This
      makes little sense.  In the next patch we will have the opposite
      problem; we want to add asm-x86/hyperv.h, and there's also a
      linux/hyperv.h file with unwanted dependencies on additional Linux
      uapi headers.  We do not want to copy linux/hyperv.h.

      The solution is to make cp_virtio (now renamed to cp_portable) copy
      one file only, instead of using the "find" command, and call it multiple
      times.  The new function is really just a reindentation of the old one.

      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 120758fba4c52d1ccf3a8ae1fe3b7495f2b584d8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 9 14:50:17 2015 +0200

      update Linux headers to 4.3-rc1

      The update to 4.2 was reviewed by Michael S. Tsirkin and Cornelia
      Huck.  The further update to 4.3-rc1 only touches KVM files.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 84090bbce91a386ae6e5f61b26f36783196712d2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Sep 10 11:31:12 2015 +0200

      pci: remove Link Training error from AER error list

      The spec says:

          Undefined â?? The value read from this bit is
          undefined. In previous versions of this
          specification, this bit was used to indicate a Link
          Training Error. System software must ignore the
          value read from this bit. System software is
          permitted to write any value to this bit.

      Do not allow injecting it.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 05620f85e930b0ac3dc22fdf8e4c390fa11afdeb
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Sep 16 14:26:59 2015 +0200

      Revert "rcu: init rcu_registry_lock after fork"

      This reverts commit 5243722376873a48e9852a58b91f4d4101ee66e4.
      The patch forgot about rcu_sync_lock and was committed by mistake.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3c4698d0b5cb19212868f94f0ba4743c2c86f91f
  Merge: 1a3abef 4054cde
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Sep 16 16:19:49 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-target-i386-20150915' 
into staging

      Exception handling improvments from Pavel Dovgalyuk.

      # gpg: Signature made Tue 15 Sep 2015 20:36:14 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-target-i386-20150915:
        target-i386: exception handling for other helper functions
        target-i386: exception handling for seg_helper functions
        target-i386: exception handling for memory helpers
        target-i386: exception handling for div instructions
        target-i386: exception handling for FPU instructions
        target-i386: introduce new raise_exception functions

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5fc51cc3ddcc7035313fc3e0ee6f351b5c083491
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Wed Sep 16 11:05:30 2015 +0800

      MAINTAINERS: Stefan will not maintain net subsystem

      Talked with Stefan, he will not maintain net subsystem.

      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1442372730-11360-1-git-send-email-jasowang@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4054cdec0423c7190bfc733c27c303d513d531ab
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:41 2015 +0300

      target-i386: exception handling for other helper functions

      This patch fixes exception handling for other helper functions.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 100ec0991958d0c1b61f140e64dbe92991c6dd2c
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:36 2015 +0300

      target-i386: exception handling for seg_helper functions

      This patch fixes exception handling for seg_helper functions.

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2afbdf84807d673eb682cb78158e11cdacbf4673
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:30 2015 +0300

      target-i386: exception handling for memory helpers

      This patch fixes exception handling for memory helpers
      and removes obsolete PC update from translate.c.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit cc33c5d66bb315f77739f761a3f868a7d138c041
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:25 2015 +0300

      target-i386: exception handling for div instructions

      This patch fixes exception handling for div instructions
      and removes obsolete PC update from translate.c.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6cad09d2f74d7318f737acaa21b3da49a0c9e670
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:19 2015 +0300

      target-i386: exception handling for FPU instructions

      This patch fixes exception handling for FPU instructions
      and removes obsolete PC update from translate.c.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9198009529d06b6489b68a7505942cca3a50893f
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:13 2015 +0300

      target-i386: introduce new raise_exception functions

      This patch introduces new versions of raise_exception functions
      that receive TB return address as an argument.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 1a3abef74b5df6d6d3e851aaeacac8f265adcf80
  Merge: 6196224 461aa67
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 15 17:24:27 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tile-20150915' into 
staging

      TileGX basic instructions

      # gpg: Signature made Tue 15 Sep 2015 15:57:08 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tile-20150915: (35 commits)
        target-tilegx: Handle v1shl, v1shru, v1shrs
        target-tilegx: Handle v1shli, v1shrui
        target-tilegx: Handle v4int_l/h
        target-tilegx: Handle atomic instructions
        target-tilegx: Handle mtspr, mfspr
        target-tilegx: Handle v1cmpeq, v1cmpne
        target-tilegx: Handle mask instructions
        target-tilegx: Handle scalar multiply instructions
        target-tilegx: Handle conditional move instructions
        target-tilegx: Handle shift instructions
        target-tilegx: Handle bitfield instructions
        target-tilegx: Implement system and memory management instructions
        target-tilegx: Handle comparison instructions
        target-tilegx: Handle conditional branch instructions
        target-tilegx: Handle unconditional jump instructions
        target-tilegx: Handle post-increment load and store instructions
        target-tilegx: Handle basic load and store instructions
        target-tilegx: Handle most bit manipulation instructions
        target-arm: Use new revbit functions
        host-utils: Add revbit functions
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 461aa6783eec27f209b026c6647fc7a83b2997cd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 08:56:45 2015 -0700

      target-tilegx: Handle v1shl, v1shru, v1shrs

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 3be19e8c83949b62895dd27866e26a1bf806ad56
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 08:13:59 2015 -0700

      target-tilegx: Handle v1shli, v1shrui

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5151c69abcc049a587b894f0b8e19e1c6d72dc1d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 08:01:52 2015 -0700

      target-tilegx: Handle v4int_l/h

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0583b2332355dadb2d4681fe5a4eca882eb5b889
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 07:55:47 2015 -0700

      target-tilegx: Handle atomic instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 03b217b168edfb45501146e98f60a6aea6bbb943
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 14:19:45 2015 -0700

      target-tilegx: Handle mtspr, mfspr

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit e7346cf0366b2167ddd2cfe9197018bf0ebccbaf
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 12:37:59 2015 -0700

      target-tilegx: Handle v1cmpeq, v1cmpne

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 661ff7431fb33bc29c6b27e053e1e7656105a106
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 10:42:44 2015 -0700

      target-tilegx: Handle mask instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4ff49775ecc5e975ca5e4c1b6be25fb611ab38fa
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 10:37:38 2015 -0700

      target-tilegx: Handle scalar multiply instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f090f9f7ce6bc112710a693e176341b5031eafd8
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Aug 22 00:15:07 2015 -0700

      target-tilegx: Handle conditional move instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2369976deb9fa03bb32be690025a6f51de4cd377
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 14:41:41 2015 -0700

      target-tilegx: Handle shift instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c06b1817297b4486c372950b4f65d34417aa01d0
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 14:06:57 2015 -0700

      target-tilegx: Handle bitfield instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit d5dbd6eb388a936bb4ea027c48f8f960ae3977c9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 13:14:25 2015 -0700

      target-tilegx: Implement system and memory management instructions

      Most of which are either nops or exceptions.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 73c543776b6983178026f744d3579ae16ae9b5b2
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 11:57:42 2015 -0700

      target-tilegx: Handle comparison instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit e04e98bf277309c3964cfd773c0d4c0428f64399
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 11:03:37 2015 -0700

      target-tilegx: Handle conditional branch instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c230a9944dc902e595852b9cd764e4b12d0dc541
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 10:23:07 2015 -0700

      target-tilegx: Handle unconditional jump instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 01cd675cfe89c62b27d3d6e28c0fae503c803bf0
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 09:49:44 2015 -0700

      target-tilegx: Handle post-increment load and store instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0426335d4fedb506197ccfd5aadbee2c9c5cd13b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 09:47:56 2015 -0700

      target-tilegx: Handle basic load and store instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7f41a8d67232bee48ede90ea43f962fdb9e98371
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 20 21:30:51 2015 -0700

      target-tilegx: Handle most bit manipulation instructions

      The crc instructions are omitted from this set.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 42fedbca8f5b54324ed89be3484d4a3dc9946387
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 13:38:53 2015 -0700

      target-arm: Use new revbit functions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 652a4b7e736f432a6809d1d2b52d169ab0b9aa3b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 13:00:34 2015 -0700

      host-utils: Add revbit functions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 89b8c7504fbc53a35c76e7738dbdf53f3c254b8f
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 20 21:11:28 2015 -0700

      target-tilegx: Handle arithmetic instructions

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a9fdfc7e7bf122f603486f4277db91a3d0d274ab
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 24 08:31:10 2015 -0700

      target-tilegx: Handle simple logical operations

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 444e06b17201a16a77f070955dc2d518cbaf36aa
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:43:37 2015 +0800

      target-tilegx: Add TILE-Gx building files

      Add related configuration and make files for tilegx.
      The target can now build, though not run anything.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP1588E5A03AD5E94B07E988B9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9b9dc7aceca411f1fb69d5426e5e88dd204813ed
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 11:49:38 2015 -0700

      target-tilegx: Generate SEGV properly

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 619622424dba749feef752d76d79ef2569f7f250
  Merge: 1078f5d 3e305e4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 15 15:42:58 2015 +0100

      Merge remote-tracking branch 
'remotes/berrange/tags/vnc-crypto-v9-for-upstream' into staging

      Merge vnc-crypto-v9

      # gpg: Signature made Tue 15 Sep 2015 15:32:38 BST using RSA key ID 
15104FDF
      # gpg: Good signature from "Daniel P. Berrange <dan@xxxxxxxxxxxx>"
      # gpg:                 aka "Daniel P. Berrange <berrange@xxxxxxxxxx>"

      * remotes/berrange/tags/vnc-crypto-v9-for-upstream:
        ui: convert VNC server to use QCryptoTLSSession
        ui: fix return type for VNC I/O functions to be ssize_t
        crypto: introduce new module for handling TLS sessions
        crypto: add sanity checking of TLS x509 credentials
        crypto: introduce new module for TLS x509 credentials
        crypto: introduce new module for TLS anonymous credentials
        crypto: introduce new base module for TLS credentials
        qom: allow QOM to be linked into tools binaries
        crypto: move crypto objects out of libqemuutil.la
        tests: remove repetition in unit test object deps
        qapi: allow override of default enum prefix naming

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8fd29dd72b44b08af536248cbfc77f5c6bdf803d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 20 20:36:48 2015 -0700

      target-tilegx: Framework for decoding bundles

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5b212be632c8ec1e1fd851055445562ebe705352
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:41:51 2015 +0800

      target-tilegx: Add several helpers for instructions translation

      The related instructions are exception, cntlz, cnttz, shufflebytes.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Message-Id: <BLU436-SMTP83F96FD8422BE49AFDC9DFB9660@xxxxxxx>
      [rth: Remove incorrect implementation of add_saturate.]
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9f64170df2c767ea65adee6434968034fb2ff5aa
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:41:01 2015 +0800

      target-tilegx: Add cpu basic features for linux-user

      It implements minimized cpu features for linux-user.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP114819BB03D853801AA9C3CB9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b69773a8a70d64189c5caa8d328dc2b6bfb7007d
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:40:18 2015 +0800

      target-tilegx: Add special register information from Tilera Corporation

      The related copy is from Linux kernel "arch/tile/include/uapi/arch/
      spr_def_64.h".

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP1093D605AAE9B4837B564B8B9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4fe221820f99251eaa4307bf45145651740803e5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 21 09:49:30 2015 -0700

      target-tilegx: Fix LDNA_ADD_IMM8_OPCODE_X1

      An obvious typo in the mnemonic here.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c6c00e17229863dedd710e53da732190f7660aa6
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Aug 20 20:40:14 2015 -0700

      target-tilegx: Modify _SPECIAL_ opcodes

      Both ADDX_SPECIAL_0_OPCODE_Y1 and ADD_SPECIAL_0_OPCODE_Y1
      do not appear to be "special" in any way, except that they
      don't follow the normal naming convention using _RRR_.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2c56c87fcf1355fbc9da20d06ebe7ddb320ada92
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:39:33 2015 +0800

      target-tilegx: Modify opcode_tilegx.h to fit QEMU usage

      Use 'inline' instead of '__inline', and also use 'uint64_t' instead of
      "unsigned long long"

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP1945B04384351D5EE7D9DECB9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b1406c6c5912d820b0a0b11b89623fae96fc74bc
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:38:46 2015 +0800

      target-tilegx: Add opcode basic implementation from Tilera Corporation

      It is copied from Linux kernel "arch/tile/include/uapi/arch/
      opcode_tilegx.h".

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP2087FA98B64A20B25155D9AB9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 704eff6c23fc807e0c7f729518f73fb7ad26d98c
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:37:33 2015 +0800

      linux-user: Conditionalize syscalls which are not defined in tilegx

      Some of architectures (e.g. tilegx), several syscall macros are not
      supported, so switch them.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP457D6FC9B2B9BA87AEB22CB9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b16189b22244e4cc158a3425b377b219586ec8ca
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:36:37 2015 +0800

      linux-user: Support tilegx architecture in linux-user

      Add main working flow feature, system call processing feature, and elf64
      tilegx binary loading feature, based on Linux kernel tilegx 64-bit
      implementation.

      [rth: Moved all of the implementation of atomic instructions to a later 
patch.]

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP938552D42808AA60634582B9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 3e305e4a4752f70c0b5c3cf5b43ec957881714f7
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Aug 6 14:39:32 2015 +0100

      ui: convert VNC server to use QCryptoTLSSession

      Switch VNC server over to using the QCryptoTLSSession object
      for the TLS session. This removes the direct use of gnutls
      from the VNC server code. It also removes most knowledge
      about TLS certificate handling from the VNC server code.
      This has the nice effect that all the CONFIG_VNC_TLS
      conditionals go away and the user gets an actual error
      message when requesting TLS instead of it being silently
      ignored.

      With this change, the existing configuration options for
      enabling TLS with -vnc are deprecated.

      Old syntax for anon-DH credentials:

        -vnc hostname:0,tls

      New syntax:

        -object tls-creds-anon,id=tls0,endpoint=server \
        -vnc hostname:0,tls-creds=tls0

      Old syntax for x509 credentials, no client certs:

        -vnc hostname:0,tls,x509=/path/to/certs

      New syntax:

        -object 
tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=no \
        -vnc hostname:0,tls-creds=tls0

      Old syntax for x509 credentials, requiring client certs:

        -vnc hostname:0,tls,x509verify=/path/to/certs

      New syntax:

        -object 
tls-creds-x509,id=tls0,dir=/path/to/certs,endpoint=server,verify-peer=yes \
        -vnc hostname:0,tls-creds=tls0

      This aligns VNC with the way TLS credentials are to be
      configured in the future for chardev, nbd and migration
      backends. It also has the benefit that the same TLS
      credentials can be shared across multiple VNC server
      instances, if desired.

      If someone uses the deprecated syntax, it will internally
      result in the creation of a 'tls-creds' object with an ID
      based on the VNC server ID. This allows backwards compat
      with the CLI syntax, while still deleting all the original
      TLS code from the VNC server.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 2cb154bc19854232b5379236dd9dfc06d83ced1e
  Author: Chen Gang <xili_gchen_5257@xxxxxxxxxxx>
  Date:   Fri Aug 21 05:35:43 2015 +0800

      linux-user: tilegx: Add architecture related features

      They are based on Linux kernel tilegx architecture for 64 bit binary,
      and also based on tilegx ABI reference document, and also reference from
      other targets implementations.

      Signed-off-by: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <BLU436-SMTP2508945F92945BB525605A3B9660@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fdd1ab6ad5c27a1564a1c73045908736b228458b
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Thu Aug 6 15:35:55 2015 +0100

      ui: fix return type for VNC I/O functions to be ssize_t

      Various VNC server I/O functions return 'long' and then
      also pass this to a method accepting 'int'. All these
      should be ssize_t to match the signature of read/write
      APIs and thus avoid potential for integer truncation /
      wraparound.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d321e1e5268103af616ec4c623c6326c3f7c7bc7
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Mar 2 17:23:31 2015 +0000

      crypto: introduce new module for handling TLS sessions

      Introduce a QCryptoTLSSession object that will encapsulate
      all the code for setting up and using a client/sever TLS
      session. This isolates the code which depends on the gnutls
      library, avoiding #ifdefs in the rest of the codebase, as
      well as facilitating any possible future port to other TLS
      libraries, if desired. It makes use of the previously
      defined QCryptoTLSCreds object to access credentials to
      use with the session. It also includes further unit tests
      to validate the correctness of the TLS session handshake
      and certificate validation. This is functionally equivalent
      to the current TLS session handling code embedded in the
      VNC server, and will obsolete it.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 9a2fd4347c40321f5cbb4ab4220e759fcbf87d03
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Mon Apr 13 14:01:39 2015 +0100

      crypto: add sanity checking of TLS x509 credentials

      If the administrator incorrectly sets up their x509 certificates,
      the errors seen at runtime during connection attempts are very
      obscure and difficult to diagnose. This has been a particular
      problem for people using openssl to generate their certificates
      instead of the gnutls certtool, because the openssl tools don't
      turn on the various x509 extensions that gnutls expects to be
      present by default.

      This change thus adds support in the TLS credentials object to
      sanity check the certificates when QEMU first loads them. This
      gives the administrator immediate feedback for the majority of
      common configuration mistakes, reducing the pain involved in
      setting up TLS. The code is derived from equivalent code that
      has been part of libvirt's TLS support and has been seen to be
      valuable in assisting admins.

      It is possible to disable the sanity checking, however, via
      the new 'sanity-check' property on the tls-creds object type,
      with a value of 'no'.

      Unit tests are included in this change to verify the correctness
      of the sanity checking code in all the key scenarios it is
      intended to cope with. As part of the test suite, the pkix_asn1_tab.c
      from gnutls is imported. This file is intentionally copied from the
      (long since obsolete) gnutls 1.6.3 source tree, since that version
      was still under GPLv2+, rather than the GPLv3+ of gnutls >= 2.0.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 85bcbc789eb65b54548a507b747ffffe6175b404
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Mar 13 17:39:26 2015 +0000

      crypto: introduce new module for TLS x509 credentials

      Introduce a QCryptoTLSCredsX509 class which is used to
      manage x509 certificate TLS credentials. This will be
      the preferred credential type offering strong security
      characteristics

      Example CLI configuration:

       $QEMU -object tls-creds-x509,id=tls0,endpoint=server,\
                     dir=/path/to/creds/dir,verify-peer=yes

      The 'id' value in the -object args will be used to associate the
      credentials with the network services. For example, when the VNC
      server is later converted it would use

       $QEMU -object tls-creds-x509,id=tls0,.... \
             -vnc 127.0.0.1:1,tls-creds=tls0

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e00adf6c3edf8dbbe7eb60c94e24fe2158e8342f
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Mar 13 17:39:26 2015 +0000

      crypto: introduce new module for TLS anonymous credentials

      Introduce a QCryptoTLSCredsAnon class which is used to
      manage anonymous TLS credentials. Use of this class is
      generally discouraged since it does not offer strong
      security, but it is required for backwards compatibility
      with the current VNC server implementation.

      Simple example CLI configuration:

       $QEMU -object tls-creds-anon,id=tls0,endpoint=server

      Example using pre-created diffie-hellman parameters

       $QEMU -object tls-creds-anon,id=tls0,endpoint=server,\
                     dir=/path/to/creds/dir

      The 'id' value in the -object args will be used to associate the
      credentials with the network services. For example, when the VNC
      server is later converted it would use

       $QEMU -object tls-creds-anon,id=tls0,.... \
             -vnc 127.0.0.1:1,tls-creds=tls0

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a090187de116a3d0b8146ca481249c8fc83ad3ee
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Mar 13 17:39:26 2015 +0000

      crypto: introduce new base module for TLS credentials

      Introduce a QCryptoTLSCreds class to act as the base class for
      storing TLS credentials. This will be later subclassed to provide
      handling of anonymous and x509 credential types. The subclasses
      will be user creatable objects, so instances can be created &
      deleted via 'object-add' and 'object-del' QMP commands respectively,
      or via the -object command line arg.

      If the credentials cannot be initialized an error will be reported
      as a QMP reply, or on stderr respectively.

      The idea is to make it possible to represent and manage TLS
      credentials independently of the network service that is using
      them. This will enable multiple services to use the same set of
      credentials and minimize code duplication. A later patch will
      convert the current VNC server TLS code over to use this object.

      The representation of credentials will be functionally equivalent
      to that currently implemented in the VNC server with one exception.
      The new code has the ability to (optionally) load a pre-generated
      set of diffie-hellman parameters, if the file dh-params.pem exists,
      whereas the current VNC server will always generate them on startup.
      This is beneficial for admins who wish to avoid the (small) time
      sink of generating DH parameters at startup and/or avoid depleting
      entropy.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 0c7012e0558e4312e575fd4c70652d8ef2265ff7
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 2 11:18:16 2015 +0100

      qom: allow QOM to be linked into tools binaries

      The qom objects are currently added to common-obj-y
      which is only linked into the system emulators. The
      later crypto patches will depend on QOM infrastructure
      and will also be used from tools binaries. Thus the QOM
      objects are moved into a new qom-obj-y variable which
      can be referenced when linking tools, system emulators
      and tests.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit fb37726db77b21f3731b90693d2c93ade1777528
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 2 10:57:27 2015 +0100

      crypto: move crypto objects out of libqemuutil.la

      Future patches will be adding more crypto related APIs which
      rely on QOM infrastructure. This creates a problem, because
      QOM relies on library constructors to register objects. When
      you have a file in a static .a library though which is only
      referenced by a constructor the linker is dumb and will drop
      that file when linking to the final executable :-( The only
      workaround for this is to link the .a library to the executable
      using the -Wl,--whole-archive flag, but this creates its own
      set of problems because QEMU is relying on lazy linking for
      libqemuutil.a. Using --whole-archive majorly increases the
      size of final executables as they now contain a bunch of
      object code they don't actually use.

      The least bad option is to thus not include the crypto objects
      in libqemuutil.la, and instead define a crypto-obj-y variable
      that is referenced directly by all the executables that need
      this code (tools + softmmu, but not qemu-ga). We avoid pulling
      entire of crypto-obj-y into the userspace emulators as that
      would force them to link to gnutls too, which is not required.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 1078f5db8ada5097600443838492ef07103790c2
  Merge: b76a0d5 2cb5d2a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 15 14:11:28 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150915-1' 
into staging

      gtk: misc grab tweaks, locale fix.

      # gpg: Signature made Tue 15 Sep 2015 11:35:36 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150915-1:
        gtk: use setlocale() for LC_MESSAGES only
        gtk: don't grab input when entering fullscreen.
        gtk: set free_scale when setting zoom_fit
        gtk: trace input grab reason
        gtk: move gd_update_caption calls to gd_{grab,ungrab}_{pointer,keyboard}
        gtk: check for existing grabs in gd_grab_{pointer,keyboard}

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b76a0d5db25ad9f81346930230092fdf1e88a5a1
  Merge: 007e620 737d2b3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 15 13:03:53 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      This net pull request contains security fixes for qemu.git/master.  The 
patches
      should also be applied to stable trees.

      The ne2000 NIC model has QEMU memory corruption issue.  Both ne2000 and 
e1000
      have an infinite loop.

      Please see the patches for CVE numbers and details on the bugs.

      # gpg: Signature made Tue 15 Sep 2015 13:02:21 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net: avoid infinite loop when receiving packets(CVE-2015-5278)
        net: add checks to validate ring buffer pointers(CVE-2015-5279)
        e1000: Avoid infinite loop in processing transmit descriptor 
(CVE-2015-6815)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 737d2b3c41d59eb8f94ab7eb419b957938f24943
  Author: P J P <pjp@xxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 15 16:46:59 2015 +0530

      net: avoid infinite loop when receiving packets(CVE-2015-5278)

      Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
      bytes to process network packets. While receiving packets
      via ne2000_receive() routine, a local 'index' variable
      could exceed the ring buffer size, leading to an infinite
      loop situation.

      Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx>
      Signed-off-by: P J P <pjp@xxxxxxxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4
  Author: P J P <pjp@xxxxxxxxxxxxxxxxx>
  Date:   Tue Sep 15 16:40:49 2015 +0530

      net: add checks to validate ring buffer pointers(CVE-2015-5279)

      Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
      bytes to process network packets. While receiving packets
      via ne2000_receive() routine, a local 'index' variable
      could exceed the ring buffer size, which could lead to a
      memory buffer overflow. Added other checks at initialisation.

      Reported-by: Qinghao Tang <luodalongde@xxxxxxxxx>
      Signed-off-by: P J P <pjp@xxxxxxxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b947ac2bf26479e710489739c465c8af336599e7
  Author: P J P <pjp@xxxxxxxxxxxxxxxxx>
  Date:   Fri Sep 4 17:21:06 2015 +0100

      e1000: Avoid infinite loop in processing transmit descriptor 
(CVE-2015-6815)

      While processing transmit descriptors, it could lead to an infinite
      loop if 'bytes' was to become zero; Add a check to avoid it.

      [The guest can force 'bytes' to 0 by setting the hdr_len and mss
      descriptor fields to 0.
      --Stefan]

      Signed-off-by: P J P <pjp@xxxxxxxxxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1441383666-6590-1-git-send-email-stefanha@xxxxxxxxxx

  commit 2cb5d2a47c655331bcf0ab16bab8fe4701182c58
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Thu Sep 10 18:19:32 2015 +0300

      gtk: use setlocale() for LC_MESSAGES only

      The QEMU code is not internationalized and assumes that it runs under
      the C locale, but if we use the GTK+ UI we'll end up importing the
      locale settings from the environment. This can break things, such as
      the JSON generator and iotest 120 in locales that use a decimal comma.

      We do however have translations for a few simple strings for the GTK+
      menu items, so in order to run QEMU using the C locale, and yet have a
      translated UI let's use setlocale() for LC_MESSAGES only.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 78aee081122837cb488b12657a00deeb676b4730
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 10:14:54 2015 +0200

      gtk: don't grab input when entering fullscreen.

      Kick off all grabbing logic from fullscreen mode.  In the current state
      it seems to create more problems than it solves.  Try running qemu/gtk
      fullscreen on one head of a multihead host for example ...

      There probably was a reason the grab-on-fullscreen logic was added in
      the first place.  So please test and report any issues so we can try to
      find a sane way to handle it.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 1d73cd782fb910811a2e6b9d9b3375c4803d731c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 10:34:41 2015 +0200

      gtk: set free_scale when setting zoom_fit

      free_scale field tracks zoom-fit menu toggle state,
      so we should keep them in sync ...

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit d531deef119666d4b3605e186a43010782efd899
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 10:12:20 2015 +0200

      gtk: trace input grab reason

      Add a reason to grab calls and trace points,
      so it is easier to debug grab related ui issues.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit 695cc59d42f2e285abd5cf278bdc07360a995eaa
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 10:03:59 2015 +0200

      gtk: move gd_update_caption calls to gd_{grab,ungrab}_{pointer,keyboard}

      Then we don't have to pair the grab/ungrab calls with update_caption
      calls any more because things happen automatically ;)

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit aa4f4058ba8cde200e62ef3dafc4e1595f6033e9
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 9 09:57:01 2015 +0200

      gtk: check for existing grabs in gd_grab_{pointer,keyboard}

      If a grab is already active for our window, do nothing.
      If a grab is already active for another window, release it.

      Cleanup some checks and ungrab calls in the code which are
      not needed any more.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit b124533e069a6624316da2096d170b0bd9197d86
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Sep 2 11:35:52 2015 +0100

      tests: remove repetition in unit test object deps

      Most of the unit tests have identical sets of object deps.
      For example all block unit tests need to depend on

       $(block-obj-y) libqemuutil.a libqemustub.a

      Currently each unit test repeats this list of test deps.
      This list of deps will grow as future patches add more
      modules to the build, so define some common variables
      that can be used by all unit tests to remove the
      repetition.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 351d36e454cddc67a1675740916636a7ccbf1c4b
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 14:21:20 2015 +0100

      qapi: allow override of default enum prefix naming

      The camel_to_upper() method applies some heuristics to turn
      a mixed case type name into an all-uppercase name. This is
      used for example, to generate enum constant name prefixes.

      The heuristics don't also generate a satisfactory name
      though. eg

        { 'enum': 'QCryptoTLSCredsEndpoint',
          'data': ['client', 'server']}

      Results in Q_CRYPTOTLS_CREDS_ENDPOINT_CLIENT. This has
      an undesirable _ after the initial Q and is missing an
      _ between the CRYPTO & TLS strings.

      Rather than try to add more and more heuristics to try
      to cope with this, simply allow the QAPI schema to
      specify the desired enum constant prefix explicitly.

      eg

        { 'enum': 'QCryptoTLSCredsEndpoint',
          'prefix': 'QCRYPTO_TLS_CREDS_ENDPOINT',
          'data': ['client', 'server']}

      Now gives the QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT name.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 007e620a7576e4ce2ea6955541e87d8ae8ed32ae
  Merge: 2752e5b 2ac0152
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 14 18:51:09 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches (v2)

      # gpg: Signature made Mon 14 Sep 2015 15:56:54 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (23 commits)
        qcow2: Make qcow2_alloc_bytes() more explicit
        vmdk: Fix next_cluster_sector for compressed write
        iotests: Add test for checking large image files
        qcow2: Make size_to_clusters() return uint64_t
        qemu-iotests: More qcow2 reopen tests
        qemu-iotests: Reopen qcow2 with lazy-refcounts change
        qcow2: Support updating driver-specific options in reopen
        qcow2: Make qcow2_update_options() suitable for transactions
        qcow2: Fix memory leak in qcow2_update_options() error path
        qcow2: Leave s unchanged on qcow2_update_options() failure
        qcow2: Move rest of option handling to qcow2_update_options()
        qcow2: Move qcow2_update_options() call up
        qcow2: Factor out qcow2_update_options()
        qcow2: Improve error message
        qemu-io: Add command 'reopen'
        qemu-io: Remove duplicate 'open' error message
        block: Allow specifying driver-specific options to reopen
        qcow2: Rename BDRVQcowState to BDRVQcow2State
        block: Drop bdrv_find_whitelisted_format()
        block: Drop drv parameter from bdrv_fill_options()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2752e5bedb26fa0c7291f810f9f534b688b2f1d2
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 7 17:45:55 2015 +0200

      qapi: Fix cgen() for Python older than 2.7

      A feature new in Python 2.7 crept into commit 77e703b: re.subn()'s
      fifth argument.  Avoid that, use re.compile().

      Reported-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Message-id: 1441640755-23902-1-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a2aa09e18186801931763fbd40a751fa39971b18
  Merge: 7e4804d 47d4be1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 14 16:13:16 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * Support for jemalloc
      * qemu_mutex_lock_iothread "No such process" fix
      * cutils: qemu_strto* wrappers
      * iohandler.c simplification
      * Many other fixes and misc patches.

      And some MTTCG work (with Emilio's fixes squashed):
      * Signal-free TCG kick
      * Removing spinlock in favor of QemuMutex
      * User-mode emulation multi-threading fixes/docs

      # gpg: Signature made Thu 10 Sep 2015 09:03:07 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"

      * remotes/bonzini/tags/for-upstream: (44 commits)
        cutils: work around platform differences in strto{l,ul,ll,ull}
        cpu-exec: fix lock hierarchy for user-mode emulation
        exec: make mmap_lock/mmap_unlock globally available
        tcg: comment on which functions have to be called with mmap_lock held
        tcg: add memory barriers in page_find_alloc accesses
        remove unused spinlock.
        replace spinlock by QemuMutex.
        cpus: remove tcg_halt_cond and tcg_cpu_thread globals
        cpus: protect work list with work_mutex
        scripts/dump-guest-memory.py: fix after RAMBlock change
        configure: Add support for jemalloc
        add macro file for coccinelle
        configure: factor out adding disas configure
        vhost-scsi: fix wrong vhost-scsi firmware path
        checkpatch: remove tests that are not relevant outside the kernel
        checkpatch: adapt some tests to QEMU
        CODING_STYLE: update mixed declaration rules
        qmp: Add example usage of strto*l() qemu wrapper
        cutils: Add qemu_strtoull() wrapper
        cutils: Add qemu_strtoll() wrapper
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2ac01520be8717f3492b10a083c3e0e22cb52cda
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Fri Sep 11 18:47:51 2015 +0200

      qcow2: Make qcow2_alloc_bytes() more explicit

      In case of -EAGAIN returned by update_refcount(), we should discard the
      cluster offset we were trying to allocate and request a new one, because
      in theory that old offset might now be taken by a refcount block.

      In practice, this was not the case due to update_refcount() generally
      returning strictly monotonic increasing cluster offsets. However, this
      behavior is not set in stone, and it is also not obvious when looking at
      qcow2_alloc_bytes() alone, so we should not rely on it.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3efffc3292d94271a15b1606b4a56adf6c6f04ed
  Author: Radoslav Gerganov <rgerganov@xxxxxxxxxx>
  Date:   Thu Sep 10 10:53:14 2015 +0300

      vmdk: Fix next_cluster_sector for compressed write

      When the VMDK is streamOptimized (or compressed), the
      next_cluster_sector must not be incremented by a fixed number of
      sectors. Instead of this, it must be rounded up to the next consecutive
      sector. Fixing this results in much smaller compressed images.

      Signed-off-by: Radoslav Gerganov <rgerganov@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 097b500c2dff7addfcd5f4c8a111f6bfd0cb3977
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 9 18:09:47 2015 +0200

      iotests: Add test for checking large image files

      Add a test for checking a qcow2 file with a multiple of 2^32 clusters.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b6d36def6d9e9fd187327182d0abafc9b7085d8f
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Sep 14 16:39:47 2015 +0200

      qcow2: Make size_to_clusters() return uint64_t

      Sadly, some images may have more clusters than what can be represented
      using a plain int. We should be prepared for that case (in
      qcow2_check_refcounts() we actually were trying to catch that case, but
      since size_to_clusters() truncated the returned value, that check never
      did anything useful).

      Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 231f66d2a3401473778c70a75d5f670765ab6d91
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Sep 4 19:13:14 2015 +0200

      qemu-iotests: More qcow2 reopen tests

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit e615053b1bd3e108a73958a54e3d0c5b965e15d3
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Sep 4 18:26:09 2015 +0200

      qemu-iotests: Reopen qcow2 with lazy-refcounts change

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 5b0959a7d432062dcd740f8065004285b15695fa
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 13:42:27 2015 +0200

      qcow2: Support updating driver-specific options in reopen

      For updating the cache sizes, disabling lazy refcounts and updating the
      clean_cache_timer there is a bit more to do than just changing the
      variables, but otherwise we're all set for changing options during
      bdrv_reopen().

      Just implement the missing pieces and hook the functions up in
      bdrv_reopen().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit ee55b17304d998ddf9c792496110da0cca37aac5
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 16:16:02 2015 +0200

      qcow2: Make qcow2_update_options() suitable for transactions

      Before we can allow updating options at runtime with bdrv_reopen(), we
      need to split the function into prepare/commit/abort parts.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit c1344ded70cf7d471aeb6fc08134997414631811
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Apr 17 16:35:50 2015 +0200

      qcow2: Fix memory leak in qcow2_update_options() error path

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 007dbc396cfc613d72ecea7744fe7398b300aa7d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 13:11:39 2015 +0200

      qcow2: Leave s unchanged on qcow2_update_options() failure

      On return, either all new options should be applied to BDRVQcowState (on
      success), or all of the old settings should be preserved (on failure).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 94edf3fbe8277284ad7d33de632839c7b93414a9
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 11:44:26 2015 +0200

      qcow2: Move rest of option handling to qcow2_update_options()

      With this commit, the handling of driver-specific options in
      qcow2_open() is completely separated out into qcow2_update_options().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 90efa0eaef2d1bbd161db6fd7a74d8e5a00d35a8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 11:36:10 2015 +0200

      qcow2: Move qcow2_update_options() call up

      qcow2_update_options() only updates some variables in BDRVQcowState and
      doesn't really depend on other parts of it being initialised yet, so it
      can be moved so that it immediately follows the other half of option
      handling code in qcow2_open().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 4c75d1a157a6a0a6163c31f775b5e8ee5dd29f11
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 16 11:29:27 2015 +0200

      qcow2: Factor out qcow2_update_options()

      Eventually we want to be able to change options at runtime. As a first
      step towards that goal, separate some option handling code from the
      general initialisation code in qcow2_open().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit f113ae839ec9d6d25169bfa521a1affb999201c2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed May 13 11:07:07 2015 +0200

      qcow2: Improve error message

      Eric says that "any" sounds better than "either", and my non-native
      feeling says the same, so let's change it.

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 5bbd2e595e542ef6e5c76537e2bbad06192f72f4
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Dec 8 17:37:28 2014 +0100

      qemu-io: Add command 'reopen'

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit ff7cfd7d926eca40abeb9a1440829dc83facf54a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed May 13 10:39:13 2015 +0200

      qemu-io: Remove duplicate 'open' error message

      qemu_opts_parse_noisily() already prints an error message with the exact
      reason why the parsing failed. No need to add another less specific one.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 4d2cb0925176f3eb75ef8e5f9c02cc84d7930de2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Apr 10 17:50:50 2015 +0200

      block: Allow specifying driver-specific options to reopen

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit ff99129ab89a532f0ca0a0b89b9aa004c09d9b9d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Sep 7 17:12:56 2015 +0200

      qcow2: Rename BDRVQcowState to BDRVQcow2State

      BDRVQcowState is already used by qcow1, and gdb is always confused which
      one to use. Rename the qcow2 one so they can be distinguished.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>

  commit cf25ff850f0b5d44cb79daea88daaf24ce7e4c44
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:52 2015 +0200

      block: Drop bdrv_find_whitelisted_format()

      It is unused by now, so we can drop it.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 053e1578c9fa6a58e50e44de689f288063c77dbe
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:51 2015 +0200

      block: Drop drv parameter from bdrv_fill_options()

      Now that this parameter is effectively unused, we can drop it and change
      the function accordingly.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ce343771243a656b420c7a1b4099130f4a35bd5e
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:50 2015 +0200

      block: Drop drv parameter from bdrv_open_inherit()

      Now that this parameter is effectively unused, we can drop it and just
      pass NULL to bdrv_fill_options().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 6ebf9aa2ef7f3e094d91ea27140dc6e73774386a
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:49 2015 +0200

      block: Drop drv parameter from bdrv_open()

      Now that this parameter is effectively unused, we can drop it and just
      pass NULL on to bdrv_open_inherit().

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e6641719fed794be8e0c48a69761528ae6c95ed9
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 26 19:47:48 2015 +0200

      block: Always pass NULL as drv for bdrv_open()

      Change all callers of bdrv_open() to pass the driver name in the options
      QDict instead of passing its BlockDriver pointer.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7e4804dafd4689312ef1172b549927a973bb5414
  Merge: 2b750d9 f0d574d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 14 14:57:50 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150914' into staging

      target-arm queue:
       * fix GIC region size in xlnx-zynqmp
       * xlnx-zynqmp: Remove unnecessary brackets
       * improve A64 generated TCG code
       * add GPIO devices to i.MX25 and i.MX31
       * more missing pieces for EL2 support

      # gpg: Signature made Mon 14 Sep 2015 14:51:12 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150914: (24 commits)
        target-arm: Add VMPIDR_EL2
        target-arm: Break out mpidr_read_val()
        target-arm: Add VPIDR_EL2
        target-arm: Suppress EPD for S2, EL2 and EL3 translations
        target-arm: Suppress TBI for S2 translations
        target-arm: Add VTTBR_EL2
        target-arm: Add VTCR_EL2
        hw/cpu/{a15mpcore, a9mpcore}: Handle missing has_el3 CPU props 
gracefully
        i.MX: Add GPIO devices to i.MX25 SOC
        i.MX: Add GPIO devices to i.MX31 SOC
        i.MX: Add GPIO device
        target-arm: Use tcg_gen_extrh_i64_i32
        target-arm: Recognize ROR
        target-arm: Eliminate unnecessary zero-extend in disas_bitfield
        target-arm: Recognize UXTB, UXTH, LSR, LSL
        target-arm: Recognize SXTB, SXTH, SXTW, ASR
        target-arm: Implement fcsel with movcond
        target-arm: Implement ccmp branchless
        target-arm: Use setcond and movcond for csel
        target-arm: Handle always condition codes within arm_test_cc
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f0d574d63f4603ec431f16ad535a555bf7548b94
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:51 2015 +0100

      target-arm: Add VMPIDR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-9-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06a7e6477c129ceaa72bd400cf281d44c456be43
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:51 2015 +0100

      target-arm: Break out mpidr_read_val()

      Break out mpidr_read_val() to allow future sharing of the
      code that conditionally sets the M and U bits of MPIDR.

      No functional changes.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-8-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 731de9e60074620aa7d565f01f989adacd493514
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Add VPIDR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-7-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0c5fbf3b4c1e5210354de71a3dc2ebc8c8a01f31
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Suppress EPD for S2, EL2 and EL3 translations

      Stage-2 translations, EL2 and EL3 regimes don't have the
      EPD control.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-6-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1edee4708a0e3163cbf20fac325be456abd960bb
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Suppress TBI for S2 translations

      Stage-2 MMU translations do not have configurable TBI as
      the top byte is always 0 (48-bit IPAs).

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-5-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b698e9cfd282b228b36d426b75facb83e07a1072
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Add VTTBR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 68e9c2fe65bca7fc1bdc2411923333c3e87544a3
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:50 2015 +0100

      target-arm: Add VTCR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: fixed typo in comment]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6533a1fcc2efa08570aa6d85851638783dddf2c6
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      hw/cpu/{a15mpcore, a9mpcore}: Handle missing has_el3 CPU props gracefully

      Handle missing CPU support for EL3 gracefully.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1442135278-25281-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6abc7158cb62e559ce7b3a99e116e3ec051a0c45
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      i.MX: Add GPIO devices to i.MX25 SOC

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
2eb129ba8713aedfe877eaa3d8de80061d880fbb.1441828793.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dde0c4ca6b849eb5c376f255767c019bb45a1d57
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      i.MX: Add GPIO devices to i.MX31 SOC

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
60b67c9a8b948159f4b4163ead86fbf701c011c6.1441828793.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f4427280977902273f98280b2572d88b6ed53144
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      i.MX: Add GPIO device

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
5ea3b0021e47cf7f7d883a7edbabee44980f3df7.1441828793.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7cb36e18b2f1c1f971ebdc2121de22a8c2e94fd6
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      target-arm: Use tcg_gen_extrh_i64_i32

      Usually, eliminate an operation from the translator by combining
      a shift with an extract.

      In the case of gen_set_NZ64, we don't need a boolean value for cpu_ZF,
      merely a non-zero value.  Given that we can extract both halves of a
      64-bit input in one call, this simplifies the code.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-12-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8fb0ad8e16ab3d03433244a1a03e1df757342ad8
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:49 2015 +0100

      target-arm: Recognize ROR

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-11-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d3a77b42decd0cbfa62a5526e67d1d6d380c83a9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Eliminate unnecessary zero-extend in disas_bitfield

      For !SF, this initial ext32u can't be optimized away by the
      current TCG code generator.  (It would require backward bit
      liveness propagation.)

      But since the range of bits for !SF are already constrained by
      unallocated_encoding, we'll never reference the high bits anyway.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-10-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9924e85829fe21b5f38a5d267c9aea44c5d478ac
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Recognize UXTB, UXTH, LSR, LSL

      These are all special case aliases of UBFM.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-9-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ef60151bee9a95e3a5cc98b345a19ed7eb435ddb
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Recognize SXTB, SXTH, SXTW, ASR

      These are all special case aliases of SBFM.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-8-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6e061029d74455d83f6fa070ac33de7a356cf60d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Implement fcsel with movcond

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-7-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7dd03d773e0dafae9271318fc8d6b2b14de74403
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:48 2015 +0100

      target-arm: Implement ccmp branchless

      This can allow much of a ccmp to be elided when particular
      flags are subsequently dead.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-6-git-send-email-rth@xxxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 259cb68491ab36427e7e5d820fe543d53b006ec6
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      target-arm: Use setcond and movcond for csel

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-5-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9305eac09e61d857c9cc11e20db754dfc25a82db
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      target-arm: Handle always condition codes within arm_test_cc

      Handling this with TCG_COND_ALWAYS will allow these unlikely
      cases to be handled without special cases in the rest of the
      translator.  The TCG optimizer ought to be able to reduce
      these ALWAYS conditions completely.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-4-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6c2c63d3a02c79e9035ca0370cc549d0f938a4dd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      target-arm: Introduce DisasCompare

      Split arm_gen_test_cc into 3 functions, so that it can be reused
      for non-branch TCG comparisons.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-3-git-send-email-rth@xxxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 78bcaa3e37afbd0c5316634f917c13487384b6ca
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      target-arm: Share all common TCG temporaries

      This is a bug fix for aarch64.  At present, we have branches using
      the 32-bit (translate.c) versions of cpu_[NZCV]F, but we set the flags
      using the 64-bit (translate-a64.c) versions of cpu_[NZCV]F.  From
      the view of the TCG code generator, these are unrelated variables.

      The bug is hard to see because we currently only read these variables
      from branches, and upon reaching a branch TCG will first spill live
      variables and then reload the arguments of the branch.  Since the
      32-bit versions were never live until reaching the branch, we'd re-read
      the data that had just been spilled from the 64-bit versions.

      There is currently no such problem with the cpu_exclusive_* variables,
      but there's no point in tempting fate.

      Cc: qemu-stable@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 1441909103-24666-2-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 24cfc8dc583db57303137fd41f9f42806ea315a0
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      xlnx-zynqmp: Remove unnecessary brackets around error messages

      The errp and err variable have unnecessary brackets around them,
      so remove the brackets.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
9900393572b63f2ec3d68785ca98193d81e0ac71.1441758563.git.alistair.francis@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 52c16b458ab2f8766867bc5fc099b0a604a36f77
  Author: Nathan Rossi <nathan@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 14 14:39:47 2015 +0100

      arm: xlnx-zynqmp: Fix up GIC region size

      The GIC in ZynqMP cover a 64K address space, however the actual
      registers are decoded within a 4K address space and mirrored at the 4K
      boundaries. This change fixes the defined size for these regions as it
      was set to 0x4000/16K incorrectly.

      Signed-off-by: Nathan Rossi <nathan@xxxxxxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441719672-25296-1-git-send-email-nathan@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2b750d9d261bda7f75b39dfc1e1e5f22502929d5
  Merge: 8f6e82e cdd14a8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 14 10:46:38 2015 +0100

      Merge remote-tracking branch 'remotes/aurel/tags/pull-sh4-next-20150913' 
into staging

      sh4-next:

      - TCG optimizations
      - fix initramfs endianness issue

      # gpg: Signature made Sun 13 Sep 2015 22:16:12 BST using RSA key ID 
1DDD8C9B
      # gpg: Good signature from "Aurelien Jarno <aurelien@xxxxxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurelien@xxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurel32@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 
8C9B

      * remotes/aurel/tags/pull-sh4-next-20150913:
        sh4: Fix initramfs initialization for endiannes-mismatched targets
        target-sh4: improve shad instruction
        target-sh4: improve shld instruction
        target-sh4: improve cmp/str instruction
        target-sh4: use deposit in swap.b instruction
        target-sh4: add flags markups for FP helpers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cdd14a8cf25c34ff8d0777530e8d16565f6bf7a1
  Author: Guenter Roeck <linux@xxxxxxxxxxxx>
  Date:   Wed Aug 12 07:20:36 2015 -0700

      sh4: Fix initramfs initialization for endiannes-mismatched targets

      If host and target endianness does not match, loding an initramfs does 
not work.
      Fix by writing boot parameters with appropriate endianness conversion.

      Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit be654c83608eaba199ed45444debf2dd46a88fe6
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 5 22:39:03 2015 +0200

      target-sh4: improve shad instruction

      The SH4 shad instruction can shift in both direction, depending on the
      sign of the shift. This is currently implemented using branches, which
      is not really efficient and prevents the optimizer to do its job. In
      practice it is often used with a constant loaded in a register just
      before.

      Simplify the implementation by computing both the value shifted to the
      left and to the right, and then selecting the correct one with a
      movcond. As with a negative value the shift amount can go up to 32 which
      is undefined, we shift the value in two steps.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 577601616dea10db10a716de1be448f8564076f4
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 5 22:37:18 2015 +0200

      target-sh4: improve shld instruction

      The SH4 shld instruction can shift in both direction, depending on the
      sign of the shift. This is currently implemented using branches, which
      is not really efficient and prevents the optimizer to do its job. In
      practice it is often used with a constant loaded in a register just
      before.

      Simplify the implementation by computing both the value shifted to the
      left and to the right, and then selecting the correct one with a
      movcond. As with a negative value the shift amount can go up to 32 which
      is undefined, we shift the value in two steps.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit eb6ca2b4a69325e95526bc0f2897791df04e44dc
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 5 18:50:09 2015 +0200

      target-sh4: improve cmp/str instruction

      Instead of testing bytes one by one, we can use the following trick
      from https://graphics.stanford.edu/~seander/bithacks.html:

        haszero(v) = (v - 0x01010101) & ~v & 0x80808080

      The subexpression v - 0x01010101, evaluates to a high bit set in any
      byte whenever the corresponding byte in v is zero or greater than 0x80.
      The sub-expression ~v & 0x80808080 evaluates to high bits set in bytes
      where the byte of v doesn't have its high bit set (so the byte was less
      than 0x80). Finally, by ANDing these two sub-expressions the result is
      the high bits set where the bytes in v were zero, since the high bits
      set due to a value greater than 0x80 in the first sub-expression are
      masked off by the second.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 218fd7301f88df440da3e16b9cfca000cd2fe111
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 5 17:05:08 2015 +0200

      target-sh4: use deposit in swap.b instruction

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 7f6bdc431a5c567fca0130d79c8b14f531a0eb14
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 17 12:53:13 2015 +0200

      target-sh4: add flags markups for FP helpers

      Most floating point helpers can trigger an exception, but don't change
      the globals. Mark these helpers as TCG_CALL_NO_WG.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 8f6e82e4ecec9bc2726725275a138bc30f3ffc81
  Merge: 30c38c9 1c3c8af
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 11 18:01:56 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150911' into 
staging

      queued tcg related patches

      # gpg: Signature made Fri 11 Sep 2015 16:17:00 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150911:
        cpu-exec: introduce loop exit with restore function
        softmmu: remove now unused functions
        softmmu: add helper function to pass through retaddr
        tlb: Add "ifetch" argument to cpu_mmu_index()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 30c38c90bd3f1bb105ebc069ac1821067c980b7c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:46:32 2015 +0100

      scripts/qemu-gdb: Add brief comment describing usage

      Add a brief comment describing how to use the debug support
      from GDB.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1439574392-4403-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 5e3c72d41e6909450e32f0b99545748cc25e9597
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:46:31 2015 +0100

      scripts/qemu-gdb: Silently pass through SIGUSR1

      SIGUSR1 is QEMU's IPI signal, and it gets sent a lot, so is
      best silently passed through to the guest without stopping.
      Make qemu-gdb.py do this bit of configuration for the user.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1439574392-4403-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 191590f09dcbd26822a8bc67628cbd341dd5c07f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:46:30 2015 +0100

      scripts/qemu-gdb: Split CoroutineCommand into its own file

      Split the implementation of CoroutineCommand into its own file.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1439574392-4403-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 93b1b365dc06ff7c69d3131d68c083f824db5311
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:46:29 2015 +0100

      scripts/qemu-gdb: Split MtreeCommand into its own module

      As we add more commands to our Python gdb debugging support, it's
      going to get unwieldy to have everything in a single file. Split
      the implementation of the 'mtree' command from qemu-gdb.py into
      its own module.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1439574392-4403-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 1c3c8af1fb40a481c07749e0448644d9b7700415
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:57:02 2015 +0300

      cpu-exec: introduce loop exit with restore function

      This patch introduces loop exit function, which also
      restores guest CPU state according to the value of host
      program counter.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150710095702.13280.97477.stgit@PASHA-ISP>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b8611499b940b1b4db67aa985e3a844437bcbf00
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:56:56 2015 +0300

      softmmu: remove now unused functions

      Now that the cpu_ld/st_* function directly call helper_ret_ld/st, we can
      drop the old helper_ld/st functions.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150710095656.13280.7085.stgit@PASHA-ISP>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 282dffc8a4bfe8724548cabb8a26698bde0a6e18
  Author: Pavel Dovgalyuk <Pavel.Dovgaluk@xxxxxxxxx>
  Date:   Fri Jul 10 12:56:50 2015 +0300

      softmmu: add helper function to pass through retaddr

      This patch introduces several helpers to pass return address
      which points to the TB. Correct return address allows correct
      restoring of the guest PC and icount. These functions should be used when
      helpers embedded into TB invoke memory operations.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Pavel Dovgalyuk <pavel.dovgaluk@xxxxxxxxx>
      Message-Id: <20150710095650.13280.32255.stgit@PASHA-ISP>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 97ed5ccdee95f0b98bedc601ff979e368583472c
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 17 17:34:10 2015 +1000

      tlb: Add "ifetch" argument to cpu_mmu_index()

      This is set to true when the index is for an instruction fetch
      translation.

      The core get_page_addr_code() sets it, as do the SOFTMMU_CODE_ACCESS
      acessors.

      All targets ignore it for now, and all other callers pass "false".

      This will allow targets who wish to split the mmu index between
      instruction and data accesses to do so. A subsequent patch will
      do just that for PowerPC.

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Message-Id: <1439796853-4410-2-git-send-email-benh@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ba9cef7b6e487a5a8969db81d09b8eec8a2b50c6
  Merge: 7b9c09f af5b83d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 11 12:07:29 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-09-11' into staging

      trivial patches for 2015-09-11

      # gpg: Signature made Fri 11 Sep 2015 12:02:43 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-09-11: (26 commits)
        virtio-vga: enable for i386
        hw/arm/spitz: Remove meaningless blank Property
        hw/gpio/zaurus: Remove meaningless blank Property
        hw/virtio/virtio-pci: Remove meaningless blank Property
        hw/s390x/s390-virtio-bus: Remove meaningless blank Property
        typofixes - v4
        qapi-schema: remove legacy<> from doc
        disas/microblaze: Remove unused code
        help: dd missing newline
        Target-ppc: Remove unnecessary variable
        baum: Fix build with debugging enabled
        linux-user: Fix warnings caused by missing 'static' attribute
        opts: produce valid command line in qemu_opts_print
        docs: fix a qga/qapi-schema.json comment
        trivial: remove trailing newline from error_report
        maint: avoid useless "if (foo) free(foo)" pattern
        maint: avoid useless "if (foo) free(foo)" pattern
        maint: remove unused include for strings.h
        maint: remove unused include for signal.h
        maint: remove unused include for dirent.h
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit af5b83d7d5297f8bdfd3353a420c120c4fd5adfd
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Jul 13 13:58:46 2015 +0200

      virtio-vga: enable for i386

      This one just syncs x86_64 and i386.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: qemu-trivial@xxxxxxxxxx
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a3c088a72c70401fd4d1342173dd971c2fce5e4d
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 12 10:25:20 2015 +0800

      hw/arm/spitz: Remove meaningless blank Property

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c11b05836ead1e6354aa31857d31c0d908e7e08c
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 12 10:25:19 2015 +0800

      hw/gpio/zaurus: Remove meaningless blank Property

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6328d69de09243929d90665eb6a6e0c96c4d06fc
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 12 10:25:18 2015 +0800

      hw/virtio/virtio-pci: Remove meaningless blank Property

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 01630e24b0993adb4874b5416e897646c964bb8f
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 12 10:25:16 2015 +0800

      hw/s390x/s390-virtio-bus: Remove meaningless blank Property

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 67cc32ebfd8c0ee3fcdb26780a8991baf5eb1d45
  Author: Veres Lajos <vlajos@xxxxxxxxx>
  Date:   Tue Sep 8 22:45:14 2015 +0100

      typofixes - v4

      Signed-off-by: Veres Lajos <vlajos@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 33b23b4b5e15923acaf315b01a535c15b239483b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Sep 4 21:41:01 2015 +0200

      qapi-schema: remove legacy<> from doc

      The legacy<> type is no longer used since 7ce7ffe02.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 76621d1faa25405ab13cfe73890f9069b2890ed4
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Aug 29 09:44:33 2015 +0200

      disas/microblaze: Remove unused code

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2382053f1deea2a2b49cf15571be7b542bec5fcf
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Fri Sep 4 21:30:04 2015 +0200

      help: dd missing newline

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 74c373e42f3dccae3b3b1e91a82ab8f748a39a6f
  Author: Shraddha Barke <shraddha.6596@xxxxxxxxx>
  Date:   Sat Sep 5 00:50:28 2015 +0530

      Target-ppc: Remove unnecessary variable

      Compress lines and remove the variable ret.

      Change made using Coccinelle script

      @@
      expression ret;
      @@
      - if (ret) return ret;
      - return 0;
      + return ret;
      @@
      local idexpression ret;
      expression e;
      @@
      - ret = e;
      - return ret;
      + return e;
      @@
      type T; identifier i;
      @@
      - T i;
      ... when != i

      Signed-off-by: Shraddha Barke <shraddha.6596@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 70cbae1dd85c9b4bb7c42bb282baacaaed0dd9bd
  Author: Samuel Thibault <samuel.thibault@xxxxxxx>
  Date:   Sun Aug 30 17:12:13 2015 +0200

      baum: Fix build with debugging enabled

      cur and buf are pointers, so the difference is a ptrdiff_t

      Signed-off-by: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 8cb76755615326dd824ee3c7f3588afcd17acb28
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Aug 29 09:29:52 2015 +0200

      linux-user: Fix warnings caused by missing 'static' attribute

      Warnings from the Sparse static analysis tool:

      linux-user/main.c:40:12: warning:
       symbol 'filename' was not declared. Should it be static?
      linux-user/main.c:41:12: warning:
       symbol 'argv0' was not declared. Should it be static?
      linux-user/main.c:42:5: warning:
       symbol 'gdbstub_port' was not declared. Should it be static?
      linux-user/main.c:43:11: warning:
       symbol 'envlist' was not declared. Should it be static?

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit fe646693acc13ac48b98435d14149ab04dc597bc
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Tue Jul 7 16:42:10 2015 +0200

      opts: produce valid command line in qemu_opts_print

      This will let us print options in a format that the user would actually
      write it on the command line (foo=bar,baz=asd,etc=def), without
      prepending a spurious comma at the beginning of the list, or quoting
      values unnecessarily.  This patch provides the following changes:
      * write and id=, if the option has an id
      * do not print separator before the first element
      * do not quote string arguments
      * properly escape commas (,) for QEMU

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 71e0e067b2bef8823c389c3705a8bcbb2bb12429
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 12:48:35 2015 +0200

      docs: fix a qga/qapi-schema.json comment

      For consistency with the rest of the comment blocks.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 594fd21102aa7b7dce1509b31944d10836108c6b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Jun 29 16:56:26 2015 -0400

      trivial: remove trailing newline from error_report

      Minor cleanup.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 012aef073461fd24a901d7a8742532093b7f6ae5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Aug 26 14:02:53 2015 +0200

      maint: avoid useless "if (foo) free(foo)" pattern

      My Coccinelle semantic patch finds a few more, because it also fixes up
      the equally pointless conditional

          if (foo) {
              free(foo);
              foo = NULL;
          }

      Result (feel free to squash it into your patch):

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ef1e1e0782e99c9dcf2b35e5310cdd8ca9211374
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:18 2015 +0100

      maint: avoid useless "if (foo) free(foo)" pattern

      The free() and g_free() functions both happily accept
      NULL on any platform QEMU builds on. As such putting a
      conditional 'if (foo)' check before calls to 'free(foo)'
      merely serves to bloat the lines of code.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4595a48a10e576638795950b61957f83d2ed09b4
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:17 2015 +0100

      maint: remove unused include for strings.h

      A number of files were including strings.h but not using any
      of the functions it provides

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1618d2ae7f1728ea26fa38cb661253f134d389ed
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:16 2015 +0100

      maint: remove unused include for signal.h

      A number of files were including signal.h but not using any
      of the functions it provides

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d7646f241c8efc17b4b86cc7a304472792f0cc74
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:15 2015 +0100

      maint: remove unused include for dirent.h

      A number of files were including dirent.h but not using any
      of the functions it provides

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 8abae4d31d92be2085fd66566585cba7699ad332
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:14 2015 +0100

      maint: remove unused include for assert.h

      A number of files were including assert.h but not using any
      of the functions it provides

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b6af097528caba5b23b79db3f1f1fd08fa4fa11e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:13 2015 +0100

      maint: remove / fix many doubled words

      Many source files have doubled words (eg "the the", "to to",
      and so on). Most of these can simply be removed, but a couple
      were actual mis-spellings (eg "to to" instead of "to do").
      There was even one triple word score "to to to" :-)

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a8f15a27752d855d339befd8de4f0ad1c4dbb0ab
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Aug 26 12:17:12 2015 +0100

      maint: remove double semicolons in many files

      A number of source files have statements accidentally
      terminated by a double semicolon - eg 'foo = bar;;'.
      This is harmless but a mistake none the less.

      The tcg/ia64/tcg-target.c file is whitelisted because
      it has valid use of ';;' in a comment containing assembly
      code.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit fee562e9e41290a22623de83b673a8929ec5280d
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Tue Aug 4 10:27:31 2015 +0200

      i6300esb: fix timer overflow

      We use muldiv64() to compute the time to wait:

          timeout = muldiv64(get_ticks_per_sec(), timeout, 33000000);

      but get_ticks_per_sec() is 10^9 (30 bit value) and timeout
      is a 35 bit value.

      Whereas muldiv64 is:

          uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)

      So we loose 3 bits of timeout.

      Swapping get_ticks_per_sec() and timeout fixes it.

      We can also replace it by a multiplication by 30 ns,
      but this changes PCI clock frequency from 33MHz to 33.333333MHz
      and we need to do this on all the QEMU PCI devices (later...)

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6883de6c9b647d5629ffe131ed5d97c06bb0db1a
  Author: Andrey Korolyov <andrey@xxxxxxx>
  Date:   Fri Jul 31 22:12:54 2015 +0300

      Trivial: fix commandline help message

      Fix obvious typo in printed help for qemu-nbd.

      Signed-off-by: Andrey Korolyov <andrey@xxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a23797efb14f4d8f093e3b68f8265c88e9ff1de6
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Thu Jul 30 07:46:43 2015 +0200

      Update language files for QEMU 2.4.0

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7b9c09f7d486647784c605739d69b708a7249c9b
  Merge: fe55641 cae99f1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 10 18:25:52 2015 +0100

      Merge remote-tracking branch 
'remotes/sstabellini/tags/xen-2015-09-10-tag' into staging

      xen-2015-09-10

      # gpg: Signature made Thu 10 Sep 2015 17:52:08 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-2015-09-10-tag: (29 commits)
        xen/pt: Don't slurp wholesale the PCI configuration registers
        xen/pt: Check for return values for xen_host_pci_[get|set] in init
        xen/pt: Move bulk of xen_pt_unregister_device in its own routine.
        xen/pt: Make xen_pt_unregister_device idempotent
        xen/pt: Log xen_host_pci_get/set errors in MSI code.
        xen/pt: Log xen_host_pci_get in two init functions
        xen/pt: Remove XenPTReg->data field.
        xen/pt: Check if reg->init function sets the 'data' past the reg->size
        xen/pt: Sync up the dev.config and data values.
        xen/pt: Use xen_host_pci_get_[byte|word] instead of dev.config
        xen/pt: Use XEN_PT_LOG properly to guard against compiler warnings.
        xen/pt/msi: Add the register value when printing logging and error 
messages
        xen: use errno instead of rc for xc_domain_add_to_physmap
        xen/pt: xen_host_pci_config_read returns -errno, not -1 on failure
        xen/pt: Make xen_pt_msi_set_enable static
        xen/pt: Update comments with proper function name.
        xen/HVM: atomically access pointers in bufioreq handling
        xen-hvm: When using xc_domain_add_to_physmap also include errno when 
reporting
        xen, gfx passthrough: add opregion mapping
        xen, gfx passthrough: register host bridge specific to passthrough
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cae99f1d779a6e2c8721ce2dd80bafdbf0abe7a0
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jul 8 15:58:41 2015 -0400

      xen/pt: Don't slurp wholesale the PCI configuration registers

      Instead we have the emulation registers ->init functions which
      consult the host values to see what the initial value should be
      and they are responsible for populating the dev.config.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 3d3697f2576424a2c0830a7b2e7c94c79dea9b50
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Thu Jul 2 14:33:44 2015 -0400

      xen/pt: Check for return values for xen_host_pci_[get|set] in init

      and if we have failures we call xen_pt_destroy introduced in
      'xen/pt: Move bulk of xen_pt_unregister_device in its own routine.'
      and free all of the allocated structures.

      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit df6aa45752bf8145adcba9b077c346e9b758ebd1
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Tue Sep 8 16:21:59 2015 -0400

      xen/pt: Move bulk of xen_pt_unregister_device in its own routine.

      This way we can call it if we fail during init.

      This code movement introduces no changes.

      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit bce33948178e338eac2629284b199c0c1f05f8a3
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Tue Sep 8 16:21:29 2015 -0400

      xen/pt: Make xen_pt_unregister_device idempotent

      To deal with xen_host_pci_[set|get]_ functions returning error values
      and clearing ourselves in the init function we should make the
      .exit (xen_pt_unregister_device) function be idempotent in case
      the generic code starts calling .exit (or for fun does it before
      calling .init!).

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit fe2da64c5ab882124aaf14c27d62409d02ff1786
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jun 24 17:27:40 2015 -0400

      xen/pt: Log xen_host_pci_get/set errors in MSI code.

      We seem to only use these functions when de-activating the
      MSI - so just log errors.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit ea6c50f99de4b36a2c3e90dedabac46aef7992ac
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jun 24 17:18:26 2015 -0400

      xen/pt: Log xen_host_pci_get in two init functions

      To help with troubleshooting in the field.

      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit e2779de053b64f023de382fd87b3596613d47d1e
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jul 1 15:41:33 2015 -0400

      xen/pt: Remove XenPTReg->data field.

      We do not want to have two entries to cache the guest configuration
      registers: XenPTReg->data and dev.config. Instead we want to use
      only the dev.config.

      To do without much complications we rip out the ->data field
      and replace it with an pointer to the dev.config. This way we
      have the type-checking (uint8_t, uint16_t, etc) and as well
      and pre-computed location.

      Alternatively we could compute the offset in dev.config by
      using the XenPTRRegInfo and XenPTRegGroup every time but
      this way we have the pre-computed values.

      This change also exposes some mis-use:
       - In 'xen_pt_status_reg_init' we used u32 for the Capabilities Pointer
         register, but said register is an an u16.
       - In 'xen_pt_msgdata_reg_write' we used u32 but should have only use u16.

      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 5b4dd0f55ed3027557ed9a6fd89d5aa379122feb
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 16:41:14 2015 -0400

      xen/pt: Check if reg->init function sets the 'data' past the reg->size

      It should never happen, but in case it does (an developer adds
      a new register and the 'init_val' expands past the register
      size) we want to report. The code will only write up to
      reg->size so there is no runtime danger of the register spilling
      across other ones - however to catch this sort of thing
      we still return an error.

      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 2e87512eccf3c5e40f3142ff5a763f4f850839f4
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 16:24:40 2015 -0400

      xen/pt: Sync up the dev.config and data values.

      For a passthrough device we maintain a state of emulated
      registers value contained within d->config. We also consult
      the host registers (and apply ro and write masks) whenever
      the guest access the registers. This is done in xen_pt_pci_write_config
      and xen_pt_pci_read_config.

      Also in this picture we call pci_default_write_config which
      updates the d->config and if the d->config[PCI_COMMAND] register
      has PCI_COMMAND_MEMORY (or PCI_COMMAND_IO) acts on those changes.

      On startup the d->config[PCI_COMMAND] are the host values, not
      what the guest initial values should be, which is exactly what
      we do _not_ want to do for 64-bit BARs when the guest just wants
      to read the size of the BAR. Huh you say?

      To get the size of 64-bit memory space BARs,  the guest has
      to calculate ((BAR[x] & 0xFFFFFFF0) + ((BAR[x+1] & 0xFFFFFFFF) << 32))
      which means it has to do two writes of ~0 to BARx and BARx+1.

      prior to this patch and with XSA120-addendum patch (Linux kernel)
      the PCI_COMMAND register is copied from the host it can have
      PCI_COMMAND_MEMORY bit set which means that QEMU will try to
      update the hypervisor's P2M with BARx+1 value to ~0 (0xffffffff)
      (to sync the guest state to host) instead of just having
      xen_pt_pci_write_config and xen_pt_bar_reg_write apply the
      proper masks and return the size to the guest.

      To thwart this, this patch syncs up the host values with the
      guest values taking into account the emu_mask (bit set means
      we emulate, PCI_COMMAND_MEMORY and PCI_COMMAND_IO are set).
      That is we copy the host values - masking out any bits which
      we will emulate. Then merge it with the initial emulation register
      values. Lastly this value is then copied both in
      dev.config _and_ XenPTReg->data field.

      There is also reg->size accounting taken into consideration
      that ends up being used in patch.
       xen/pt: Check if reg->init function sets the 'data' past the reg->size

      This fixes errors such as these:

      (XEN) memory_map:add: dom2 gfn=fffe0 mfn=fbce0 nr=20
      (DEBUG) 189 pci dev 04:0 BAR16 wrote ~0.
      (DEBUG) 200 pci dev 04:0 BAR16 read 0x0fffe0004.
      (XEN) memory_map:remove: dom2 gfn=fffe0 mfn=fbce0 nr=20
      (DEBUG) 204 pci dev 04:0 BAR16 wrote 0x0fffe0004.
      (DEBUG) 217 pci dev 04:0 BAR16 read upper 0x000000000.
      (XEN) memory_map:add: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
      (XEN) p2m.c:883:d0v0 p2m_set_entry failed! mfn=ffffffffffffffff rc:-22
      (XEN) memory_map:fail: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20 ret:-22
      (XEN) memory_map:remove: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
      (XEN) p2m.c:920:d0v0 gfn_to_mfn failed! gfn=ffffffff00000 type:4
      (XEN) p2m.c:920:d0v0 gfn_to_mfn failed! gfn=ffffffff00001 type:4
      ..
      (XEN) memory_map: error -22 removing dom2 access to [fbce0,fbcff]
      (DEBUG) 222 pci dev 04:0 BAR16 read upper 0x0ffffffff.
      (XEN) memory_map:remove: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
      (XEN) memory_map: error -22 removing dom2 access to [fbce0,fbcff]

      [The DEBUG is to illustate what the hvmloader was doing]

      Also we swap from xen_host_pci_long to using 
xen_host_pci_get_[byte,word,long].

      Otherwise we get:

      xen_pt_config_reg_init: Offset 0x0004 mismatch! Emulated=0x0000, 
host=0x2300017, syncing to 0x2300014.
      xen_pt_config_reg_init: Error: Offset 0x0004:0x2300014 expands past 
register size(2)!

      which is not surprising. We read the value as an 32-bit (from host),
      then operate it as a 16-bit - and the remainder is left unchanged.

      We end up writing the value as 16-bit (so 0014) to dev.config
      (as we use proper xen_set_host_[byte,word,long] so we don't spill
      to other registers) but in XenPTReg->data it is as 32-bit (0x2300014)!

      It is harmless as the read/write functions end up using an size mask
      and never modify the bits past 16-bit (reg->size is 2).

      This patch fixes the warnings by reading the value using the
      proper size.

      Note that the check for size is still left in-case the developer
      sets bits past the reg->size in the ->init routines. The author
      tried to fiddle with QEMU_BUILD_BUG to make this work but failed.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reported-by: Sander Eikelenboom <linux@xxxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 6aa07b1494d2725f24af097ca19c750ac25a7c11
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 14:01:13 2015 -0400

      xen/pt: Use xen_host_pci_get_[byte|word] instead of dev.config

      During init time we treat the dev.config area as a cache
      of the host view. However during execution time we treat it
      as guest view (by the generic PCI API). We need to sync Xen's
      code to the generic PCI API view. This is the first step
      by replacing all of the code that uses dev.config or
      pci_get_[byte|word] to get host value to actually use the
      xen_host_pci_get_[byte|word] functions.

      Interestingly in 'xen_pt_ptr_reg_init' we also needed to swap
      reg_field from uint32_t to uint8_t - since the access is only
      for one byte not four bytes. We can split this as a seperate
      patch however we would have to use a cast to thwart compiler
      warnings in the meantime.

      We also truncated 'flags' to 'flag' to make the code fit within
      the 80 characters.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit fe556410cf09d6181a4e694c6db31562fdcfbeba
  Merge: fbf054c 1e9b65b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 10 14:51:35 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-09-10' 
into staging

      error: On abort, report where the error was created

      # gpg: Signature made Thu 10 Sep 2015 13:01:39 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-09-10:
        error: On abort, report where the error was created
        error: Revamp interface documentation
        error: error_set_errno() is unused, drop
        qga/vss-win32: Document the DLL requires non-null errp
        qga: Clean up unnecessarily dirty casts
        error: Make error_setg() a function
        error: De-duplicate code creating Error objects

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 54fd08136e4ac8b88b88b15c397010e3b0de379f
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 16:06:19 2015 -0400

      xen/pt: Use XEN_PT_LOG properly to guard against compiler warnings.

      If XEN_PT_LOGGING_ENABLED is enabled the XEN_PT_LOG macros start
      using the first argument. Which means if within the function there
      is only one user of the argument ('d') and XEN_PT_LOGGING_ENABLED
      is not set, we get compiler warnings. This is not the case now
      but with the "xen/pt: Use xen_host_pci_get_[byte|word] instead of 
dev.config"
      we will hit - so this sync up the function to the rest of them.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit faf5f56bf9f45ffc24a41fc8fc5ab76677aef688
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 12:30:37 2015 -0400

      xen/pt/msi: Add the register value when printing logging and error 
messages

      We would like to know what the MSI register value is to help
      in troubleshooting in the field. As such modify the logging
      logic to include such details in xen_pt_msgctrl_reg_write.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 20a544c7dc2428e8816ed4a87af732884e885f2d
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 12:51:05 2015 -0400

      xen: use errno instead of rc for xc_domain_add_to_physmap

      In Xen 4.6 commit cd2f100f0f61b3f333d52d1737dd73f02daee592
      "libxc: Fix do_memory_op to return negative value on errors"
      made the libxc API less odd-ball: On errors, return value is
      -1 and error code is in errno. On success the return value
      is either 0 or an positive value.

      Since we could be running with an old toolstack in which the
      Exx value is in rc or the newer, we add an wrapper around
      the xc_domain_add_to_physmap (called xen_xc_domain_add_to_physmap)
      which will always return the EXX.

      Xen 4.6 did not change the libxc functions mentioned (same parameters)
      so we piggyback on the fact that Xen 4.6 has a new function:
      commit 504ed2053362381ac01b98db9313454488b7db40 "tools/libxc: Expose
      new hypercall xc_reserved_device_memory_map" and check for that.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Suggested-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 52c7265f602701751b55d437b347bd73debf9d91
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Mon Jun 29 13:58:17 2015 -0400

      xen/pt: xen_host_pci_config_read returns -errno, not -1 on failure

      However the init routines assume that on errors the return
      code is -1 (as the libxc API is) - while those xen_host_* routines follow
      another paradigm - negative errno on return, 0 on success.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit cf8124f0078a7625fdf9836589210267817ae0ae
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jun 24 17:26:43 2015 -0400

      xen/pt: Make xen_pt_msi_set_enable static

      As we do not use it outside our code.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit d3b9facba71ed45c9c1c09ca28eb5568a194b4de
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Wed Jun 24 17:16:01 2015 -0400

      xen/pt: Update comments with proper function name.

      It has changed but the comments still refer to the old names.

      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit d8b441a3fbfd075c48ab2a519d779d926624ed79
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Fri Jul 24 03:38:28 2015 -0600

      xen/HVM: atomically access pointers in bufioreq handling

      The number of slots per page being 511 (i.e. not a power of two) means
      that the (32-bit) read and write indexes going beyond 2^32 will likely
      disturb operation. The hypervisor side gets I/O req server creation
      extended so we can indicate that we're using suitable atomic accesses
      where needed, allowing it to atomically canonicalize both pointers when
      both have gone through at least one cycle.

      The Xen side counterpart (which is not a functional prereq to this
      change, albeit a build one) went in already (commit b7007bc6f9).

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit e763addd19e59dbd1986d4b0faae63dcb9a0f6aa
  Author: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
  Date:   Fri Mar 13 15:36:58 2015 -0400

      xen-hvm: When using xc_domain_add_to_physmap also include errno when 
reporting

      .errors - as it will most likely have the proper error value.

      Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 5cec8aa38cc3b7c8cf9ce66abdda28b3598e2d88
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:50 2015 +0800

      xen, gfx passthrough: add opregion mapping

      The OpRegion shouldn't be mapped 1:1 because the address in the host
      can't be used in the guest directly.

      This patch traps read and write access to the opregion of the Intel
      GPU config space (offset 0xfc).

      The original patch is from Jean Guyader <jean.guyader@xxxxxxxxxxxxx>

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 998250e976613decf9e0da68b3922df330eac3f6
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:49 2015 +0800

      xen, gfx passthrough: register host bridge specific to passthrough

      Just register that pci host bridge specific to passthrough.

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit f37d630a69992822f2eb4a47a5a5fc6a54a6dd08
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:48 2015 +0800

      xen, gfx passthrough: register a isa bridge

      Currently we just register this isa bridge when we use IGD
      passthrough in Xen side.

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit bd8107d7301d3fa44f04aa435e06efb2226ca58c
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:47 2015 +0800

      igd gfx passthrough: create a isa bridge

      Currently IGD drivers always need to access PCH by 1f.0. But we
      don't want to poke that directly to get ID, and although in real
      world different GPU should have different PCH. But actually the
      different PCH DIDs likely map to different PCH SKUs. We do the
      same thing for the GPU. For PCH, the different SKUs are going to
      be all the same silicon design and implementation, just different
      features turn on and off with fuses. The SW interfaces should be
      consistent across all SKUs in a given family (eg LPT). But just
      same features may not be supported.

      Most of these different PCH features probably don't matter to the
      Gfx driver, but obviously any difference in display port connections
      will so it should be fine with any PCH in case of passthrough.

      So currently use one PCH version, 0x8c4e, to cover all HSW(Haswell)
      scenarios, 0x9cc3 for BDW(Broadwell).

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 881213f1b9c5a8f4101405a5802d548cb62a4274
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:46 2015 +0800

      xen, gfx passthrough: retrieve VGA BIOS to work

      Now we retrieve VGA bios like kvm stuff in qemu but we need to
      fix Device Identification in case if its not matched with the
      real IGD device since Seabios is always trying to compare this
      ID to work out VGA BIOS.

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 798141799ccd5235a928b8fc0411d7d74e706489
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:45 2015 +0800

      xen, gfx passthrough: basic graphics passthrough support

      basic gfx passthrough support:
      - add a vga type for gfx passthrough
      - register/unregister legacy VGA I/O ports and MMIOs for passthrough GFX

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit bcd7461e7e84a65f1dfaa6af6e00aa498978d29d
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:44 2015 +0800

      hw/pci-assign: split pci-assign.c

      We will try to reuse assign_dev_load_option_rom in xen side, and
      especially its a good beginning to unify pci assign codes both on
      kvm and xen in the future.

      [Fix build for Windows]

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 595a4f07d6bd18ba11c78b95d6a78089fee26eca
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:43 2015 +0800

      piix: create host bridge to passthrough

      Implement a pci host bridge specific to passthrough. Actually
      this just inherits the standard one. And we also just expose
      a minimal real host bridge pci configuration subset.

      [Replace pread with lseek and read to fix Windows build]

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1e9b65bb1bad51735cab6c861c29b592dccabf0e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 19:21:59 2015 +0200

      error: On abort, report where the error was created

      This is particularly useful when we abort in error_propagate(),
      because there the stack backtrace doesn't lead to where the error was
      created.  Looks like this:

          Unexpected error in parse_block_error_action() at 
.../qemu/blockdev.c:322:
          qemu-system-x86_64: -drive if=none,werror=foo: 'foo' invalid write 
error action
          Aborted (core dumped)

      Note: to get this example output, I monkey-patched drive_new() to pass
      &error_abort to blockdev_init().

      To keep the error handling boiler plate from growing even more, all
      error_setFOO() become macros expanding into error_setFOO_internal()
      with additional __FILE__, __LINE__, __func__ arguments.  Not exactly
      pretty, but it works.

      The macro trickery breaks down when you take the address of an
      error_setFOO().  Fortunately, we do that in just one place: qemu-ga's
      Windows VSS provider and requester DLL wants to call
      error_setg_win32() through a function pointer "to avoid linking glib
      to the DLL".  Use error_setg_win32_internal() there.  The use of the
      function pointer is already wrapped in a macro, so the churn isn't
      bad.

      Code size increases by some 35KiB for me (0.7%).  Tolerable.  Could be
      less if we passed relative rather than absolute source file names to
      the compiler, or forwent reporting __func__.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit edf6f3b3358597d37da0cf636ce3ed8a546d0f26
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 18:29:24 2015 +0200

      error: Revamp interface documentation

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 4463dcb85c9f992f0c4d93f2142c8d64dcc85c5c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 22:16:14 2015 +0200

      error: error_set_errno() is unused, drop

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 08e64640357cd9517aa30fd49840f05f0f2ee3a4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 20 09:33:56 2015 +0200

      qga/vss-win32: Document the DLL requires non-null errp

      requester.cpp uses this pattern to receive an error and pass it on to
      the caller (err_is_set() macro peeled off for clarity):

          ... code that may set errset->errp ...
          if (errset->errp && *errset->errp) {
              ... handle error ...
          }

      This breaks when errset->errp is null.  As far as I can tell, it
      currently isn't, so this is merely fragile, not actually broken.

      The robust way to do this is to receive the error in a local variable,
      then propagate it up, like this:

          Error *err = NULL;

          ... code that may set err ...
          if (err)
              ... handle error ...
              error_propagate(errset->errp, err);
          }

      See also commit 5e54769, 0f230bf, a903f40.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e7cf59e84767e30b507b6bd7c1347072ec12b636
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 20:44:54 2015 +0200

      qga: Clean up unnecessarily dirty casts

      qga_vss_fsfreeze() casts error_set_win32() from

          void (*)(Error **, int, ErrorClass, const char *, ...)

      to

          void (*)(void **, int, int, const char *, ...)

      The result is later called.  Since the two types are not compatible,
      the call is undefined behavior.  It works in practice anyway.

      However, there's no real need for trickery here.  Clean it up as
      follows:

      * Declare struct Error, and fix the first parameter.

      * Switch to error_setg_win32().  This gets rid of the troublesome
        ErrorClass parameter.  Requires converting error_setg_win32() from
        macro to function, but that's trivially easy, because this is the
        only user of error_set_win32().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a9499ddd82a99c66cc72a08e72427c423acfea1c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 15:36:16 2015 +0200

      error: Make error_setg() a function

      Saves a tiny amount of code at every call site.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 552375088a832fd5945ede92d01f98977b4eca13
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 13:59:47 2015 +0200

      error: De-duplicate code creating Error objects

      Duplicated when commit 680d16d added error_set_errno(), and again when
      commit 20840d4 added error_set_win32().

      Make the original copy in error_set() reusable by factoring out
      error_setv(), then rewrite error_set_errno() and error_set_win32() on
      top of it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit fbf054cb0a8ce2dc8f2d3012fb9204ef50d28d17
  Merge: fc04a73 0f288f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 10 10:24:30 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio,pc,acpi fixes, cleanups

      Fixes all over the place.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 10 Sep 2015 10:16:18 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        hw/pci: fix pci_update_mappings() trace events
        pc: memhotplug: keep reserved-memory-end broken on 2.4 and earlier 
machines
        pc: memhotplug: fix incorrectly set reserved-memory-end
        acpi: Remove unused definition.
        virtio: avoid leading underscores for helpers
        pc: Remove redundant arguments from xen_hvm_init()
        pci: Fix pci_device_iommu_address_space() bus propagation

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0f288f854b96f56247e38f4207f71647133f0184
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Tue Sep 1 23:33:23 2015 +0200

      hw/pci: fix pci_update_mappings() trace events

      The current trace prototypes and (matching) trace calls lead to
      "unorthodox" PCI BDF notation in at least the stderr trace backend. For
      example, the four BARs of a QXL video card at 00:01.0 (bus 0, slot 1,
      function 0) are traced like this (PID and timestamps removed):

        pci_update_mappings_add d=0x7f14a73bf890 00:00.1 0,0x84000000+0x4000000
        pci_update_mappings_add d=0x7f14a73bf890 00:00.1 1,0x80000000+0x4000000
        pci_update_mappings_add d=0x7f14a73bf890 00:00.1 2,0x88200000+0x2000
        pci_update_mappings_add d=0x7f14a73bf890 00:00.1 3,0xd060+0x20

      The slot and function values are in reverse order.

      Stick with the conventional BDF notation.

      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Don Koch <dkoch@xxxxxxxxxxx>
      Cc: qemu-trivial@xxxxxxxxxx
      Fixes: 7828d75045
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2f8b50083b321e470ef8e2502910ade40cbfa020
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Mon Sep 7 13:55:32 2015 +0200

      pc: memhotplug: keep reserved-memory-end broken on 2.4 and earlier 
machines

      it will prevent guests on old machines from seeing
      inconsistent memory mapping in firmware/ACPI views.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 3385e8e2640e5c38582f6e8413042bd23d97c640
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Mon Sep 7 13:55:31 2015 +0200

      pc: memhotplug: fix incorrectly set reserved-memory-end

      reserved-memory-end tells firmware address from which
      it could start treating memory as PCI address space
      and map PCI BARs after it to avoid collisions with
      RAM.
      Currently it is incorrectly pointing to address where
      hotplugged memory range starts which could redirect
      hotplugged RAM accesses to PCI BARs when firmware
      maps them over RAM or viceverse.
      Fix this by pointing reserved-memory-end to the end
      of memory hotplug area.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 9372e3f5678cdd86e1ddfb957d9da4b1889a0dd0
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Wed Sep 2 20:03:38 2015 +0100

      acpi: Remove unused definition.

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 95129d6fc9ead97155627a4ca0cfd37282883658
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Mon Aug 17 11:48:29 2015 +0200

      virtio: avoid leading underscores for helpers

      Commit ef546f1275f6563e8934dd5e338d29d9f9909ca6 ("virtio: add
      feature checking helpers") introduced a helper __virtio_has_feature.
      We don't want to use reserved identifiers, though, so let's
      rename __virtio_has_feature to virtio_has_feature and virtio_has_feature
      to virtio_vdev_has_feature.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 91176e310527fac8414c417c093659e42e4564ea
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Aug 17 11:42:29 2015 -0700

      pc: Remove redundant arguments from xen_hvm_init()

      Remove arguments that can be found in PCMachineState.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5af2ae2305143f1805a696f9554231e1fc246edc
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Sun Jul 5 09:19:15 2015 +1000

      pci: Fix pci_device_iommu_address_space() bus propagation

      he current code walks up the bus tree for an iommu, however it passes
      to the iommu_fn() callback the bus/devfn of the immediate child of
      the level where the callback was found, rather than the original
      bus/devfn where the search started from.

      This prevents iommu's like POWER8 (and in fact also Q35) to properly
      provide an address space for a subset of devices that aren't immediate
      children of the iommu.

      PCIe carries the originator bdfn acccross to the iommu on all DMA
      transactions, so we must be able to properly identify devices at all
      levels.

      This changes the function pci_device_iommu_address_space() to pass
      the original pointers to the iommu_fn() callback instead.

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 47d4be12c3997343e436c6cca89aefbbbeb70863
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Sep 10 10:02:00 2015 +0200

      cutils: work around platform differences in strto{l,ul,ll,ull}

      Linux returns 0 if no conversion was made, while OS X and presumably
      the BSDs return EINVAL.  The OS X convention rejects more invalid
      inputs, so convert to it and adjust the test case.

      Windows returns 1 from strtoul and strtoull (instead of -1) for
      negative out-of-range input; fix it up.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9fd1a94888cd6a559f95c3596ec1ac28b74838c1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 11 11:33:24 2015 +0200

      cpu-exec: fix lock hierarchy for user-mode emulation

      tb_lock has to be taken inside the mmap_lock (example:
      tb_invalidate_phys_range is called by target_mmap), but
      tb_link_page is taking the mmap_lock and it is called
      with the tb_lock held.

      To fix this, take the mmap_lock in tb_find_slow, not
      in tb_link_page.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8fd19e6cfd5b6cdf028c6ac2ff4157ed831ea3a6
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 11 10:57:52 2015 +0200

      exec: make mmap_lock/mmap_unlock globally available

      There is some iffy lock hierarchy going on in translate-all.c.  To
      fix it, we need to take the mmap_lock in cpu-exec.c.  Make the
      functions globally available.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 756920876f60829fad0d15df4f3fa205077a8131
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 11 10:59:50 2015 +0200

      tcg: comment on which functions have to be called with mmap_lock held

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6940fab84b826175cf90d48d0e3da1b76518f5b4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Aug 12 09:41:40 2015 +0200

      tcg: add memory barriers in page_find_alloc accesses

      page_find is reading the radix tree outside all locks, so it has to
      use the RCU primitives.  It does not need RCU critical sections
      because the PageDescs are never removed, so there is never a need
      to wait for the end of code sections that use a PageDesc.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2496ff1311283480f9de3614080b8842d838ade4
  Author: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
  Date:   Mon Aug 10 17:27:03 2015 +0200

      remove unused spinlock.

      This just removes spinlock as it is not used anymore.

      Signed-off-by: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1439220437-23957-6-git-send-email-fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 677ef6230b603571ae05125db469f7b4c8912a77
  Author: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
  Date:   Mon Aug 10 17:27:02 2015 +0200

      replace spinlock by QemuMutex.

      spinlock is only used in two cases:
        * cpu-exec.c: to protect TranslationBlock
        * mem_helper.c: for lock helper in target-i386 (which seems broken).

      It's a pthread_mutex_t in user-mode, so we can use QemuMutex directly,
      with an #ifdef.  The #ifdef will be removed when multithreaded TCG
      will need the mutex as well.

      Signed-off-by: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1439220437-23957-5-git-send-email-fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      [Merge Emilio G. Cota's patch to remove volatile. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d5f8d61390de8f2acc0da93f184e421a709cb503
  Author: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
  Date:   Mon Aug 10 17:27:06 2015 +0200

      cpus: remove tcg_halt_cond and tcg_cpu_thread globals

      This hides the tcg_halt_cond and tcg_cpu_thread global variables
      inside qemu_tcg_init_vcpu.  Multi-threaded TCG will need one
      QemuCond and one QemuThread per virtual cpu, so it's preferrable
      to use cpu->halt_cond and cpu->thread.

      Signed-off-by: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1439220437-23957-9-git-send-email-fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 376692b9dc6f02303ee07a4146d08d8727d79c0c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Jul 10 12:32:32 2015 +0200

      cpus: protect work list with work_mutex

      Protect the list of queued work items with something other than
      the BQL, as a preparation for running the work items outside it.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: KONRAD Frederic <fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0c71d41e2aa3c7356500ae624166f3bb8c201aee
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Aug 27 12:06:23 2015 +0300

      scripts/dump-guest-memory.py: fix after RAMBlock change

      commit 9b8424d5735278ca382f11adc7c63072b632ab83
          "exec: split length -> used_length/max_length"
      changed field names in struct RAMBlock

      It turns out that scripts/dump-guest-memory.py was
      poking at this field, update it accordingly.

      Cc: qemu-stable@xxxxxxxxxx
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-Id: <1440666378-3152-1-git-send-email-mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7b01cb974f1093885c40bf4d0d3e78e27e531363
  Author: Alexandre Derumier <aderumier@xxxxxxxxx>
  Date:   Fri Jun 19 12:56:58 2015 +0200

      configure: Add support for jemalloc

      This adds "--enable-jemalloc" and "--disable-jemalloc" to allow linking
      to jemalloc memory allocator.

      We have already tcmalloc support,
      but it seem to not working well with a lot of iothreads/disks.

      The main problem is that tcmalloc use a shared thread cache of 16MB
      by default.
      With more threads, this cache is shared, and some bad garbage collections
      can occur if the cache is too low.

      It's possible to tcmalloc cache increase it with a env var:
      TCMALLOC_MAX_TOTAL_THREAD_CACHE_BYTES=256MB

      With default 16MB, performances are  really bad with more than 2 disks.
      Increasing to 256MB, it's helping but still have problem with 16 
disks/iothreads.

      Jemalloc don't have performance problem with default configuration.

      Here the benchmark results in iops of 1 qemu vm randread 4K iodepth=32,
      with rbd block backend (librbd is doing a lot of memory allocation),
      1 iothread by disk

      glibc malloc
      ------------

      1 disk      29052
      2 disks     55878
      4 disks     127899
      8 disks     240566
      15 disks    269976

      jemalloc
      --------

      1 disk      41278
      2 disks     75781
      4 disks     195351
      8 disks     294241
      15 disks    298199

      tcmalloc 2.2.1 default 16M cache
      --------------------------------

      1 disk   37911
      2 disks  67698
      4 disks  41076
      8 disks  43312
      15 disks 37569

      tcmalloc : 256M cache
      ---------------------------

      1 disk     33914
      2 disks    58839
      4 disks    148205
      8 disks    213298
      15 disks   218383

      Signed-off-by: Alexandre Derumier <aderumier@xxxxxxxxx>
      Message-Id: <1434711418-20429-1-git-send-email-aderumier@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3f7a899ff4e0681ed148b1cea07dc65550114fdb
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Sep 7 09:50:09 2015 +0200

      add macro file for coccinelle

      Coccinelle chokes on some idioms from compiler.h and queue.h.
      Extract those in a macro file, to be used with "--macro-file
      scripts/cocci-macro-file.h".

      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c765fcac96e111199225c7387c01694fe076b341
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat Aug 29 03:33:59 2015 -0700

      configure: factor out adding disas configure

      Every arch adds its disas configury to both its own config as well
      config_disas_all. Make a small function do to both at once.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<1440844439-19391-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f42bf6a262ab5923a1a3bc8f731b830396937c47
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed Aug 26 09:52:51 2015 +0800

      vhost-scsi: fix wrong vhost-scsi firmware path

      vhost-scsi bootindex does't work because Qemu passes
      wrong fireware path to seabios.

      before:
        /pci@i0cf8/scsi@7channel@0/vhost-scsi@0,0
      after applying the patch:
        /pci@i0cf8/scsi@7/channel@0/vhost-scsi@0,0

      Reported-by: Subo <subo7@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1440553971-11108-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f1e155bbf863ade457019c6f09d4cba06b2d6bb4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Aug 16 23:01:19 2015 +0200

      checkpatch: remove tests that are not relevant outside the kernel

      Fully removing Sparse support requires more invasive changes.  Only
      remove the really kernel-specific parts such as address space names.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 71c47b01ca0df34d6b41e0975be6e0633c5254cf
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Aug 16 23:15:46 2015 +0200

      checkpatch: adapt some tests to QEMU

      Mostly change severity levels, but some tests can also be adjusted to 
refer
      to QEMU APIs or data structures.

      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 690a35e1f2acf4ccd0501b18228bc6fba8f9c768
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Jun 19 09:28:13 2015 +0200

      CODING_STYLE: update mixed declaration rules

      Mixed declarations do come in handy at the top of #ifdef blocks.
      Reluctantly allow this particular usage and suggest an alternative.

      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d4ba8cb0a17e7de54753ff1bdeee4428118bb9ab
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:21 2015 -0500

      qmp: Add example usage of strto*l() qemu wrapper

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<11ac63e95d88551f1c2c9b1216b15d3cb8ba4468.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3904e6bf042391abc749d717465022e96e276fc7
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:20 2015 -0500

      cutils: Add qemu_strtoull() wrapper

      Add wrapper for strtoull() function. Include unit tests.

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<e0f0f611c9a81f3c29f451d0b17d755dfab1e90a.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      [Use uint64_t in prototype. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8ac4df40cc5de606a8ac9174e2340c21093b4e3b
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:19 2015 -0500

      cutils: Add qemu_strtoll() wrapper

      Add wrapper for strtoll() function. Include unit tests.

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<7454a6bb9ec03b629e8beb4f109dd30dc2c9804c.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      [Use int64_t in prototype, since that's what QEMU uses. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c817c01548b1500753d0bea3852938d919161778
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:18 2015 -0500

      cutils: Add qemu_strtoul() wrapper

      Add wrapper for strtoul() function. Include unit tests.

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<9621b4ae8e35fded31c715c2ae2a98f904f07ad0.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      [Fix tests for 32-bit build. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 764e0fa497ff5bbc9c9d7c116da2f00f34e71716
  Author: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
  Date:   Sun Jul 19 18:02:17 2015 -0500

      cutils: Add qemu_strtol() wrapper

      Add wrapper for strtol() function. Include unit tests.

      Signed-off-by: Carlos L. Torres <carlos.torres@xxxxxxxxxxxxx>
      Message-Id: 
<07199f1c0ff3892790c6322123aee1e92f580550.1437346779.git.carlos.torres@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d1142fb83efdcf8a6c2dee825569892203e16d2c
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:39 2015 -0400

      translate-all: remove obsolete comment about l1_map

      l1_map is based on physical addresses in full-system mode, as pointed
      out in an earlier comment. Said comment also mentions that virtual
      addresses are only used in l1_map in user-only mode.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-11-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 709037636992e9289ce9147e59d56fb35d90b140
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:41 2015 -0400

      linux-user: call rcu_(un)register_thread on pthread_(exit|create)

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-13-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 492e1ca9bd3f43ba417a5cf918e6c769aa2478b9
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:38 2015 -0400

      rcu: fix comment with s/rcu_gp_lock/rcu_registry_lock/

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-10-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5243722376873a48e9852a58b91f4d4101ee66e4
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:37 2015 -0400

      rcu: init rcu_registry_lock after fork

      We were unlocking this lock after fork, which is wrong since
      only the thread that holds a mutex is allowed to unlock it.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-9-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 12a1ddc160cb6a73e8a6c319f3962a20da2cd22f
  Author: Michael Marineau <michael.marineau@xxxxxxxxxx>
  Date:   Sun Aug 9 00:02:55 2015 -0700

      Makefile.target: include top level build dir in vpath

      Using ccache with CCACHE_BASEDIR set to $(SRC_PATH) or a parent will
      rewrite all absolute paths to relative paths. This interacts poorly with
      QEMU's two-level build directory scheme. For example, lets say
      BUILD_DIR=$(SRC_PATH)/build so build/blockdev.d will contain:

        blockdev.o: ../blockdev.c ../include/sysemu/block-backend.h \

      Now the target build under build/x86_64-softmmu or similar will depend
      on ../blockdev.o which in turn will get make to source ../blockdev.d to
      check its dependencies. Since make always considers paths relative to
      the current working directory rather than the makefile the path appeared
      in the relative path to ../blockdev.c is useless.

      This change simply adds the top level build directory to vpath so paths
      relative to the source directory, top build directory, and target build
      directory all work just fine.

      Signed-off-by: Michael Marineau <michael.marineau@xxxxxxxxxx>
      Message-Id: 
<1439103775-11836-1-git-send-email-michael.marineau@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3c9589e180d98cdadb143bd2a792fb9d19d9aec6
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri Aug 14 11:25:14 2015 +0100

      Move RAMBlock and ram_list to ram_addr.h

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1439547914-18249-1-git-send-email-dgilbert@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e0c382113f768cc375a0d61b7cb3692f1b4bba58
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Aug 26 00:19:19 2015 +0200

      tcg: signal-free qemu_cpu_kick

      Signals are slow and do not exist on Win32.  The previous patches
      have done most of the legwork to introduce memory barriers (some
      of them were even there already for the sake of Windows!) and
      we can now set the flags directly in the iothread.

      qemu_cpu_kick_thread is not used anymore on TCG, since the TCG thread is
      never outside usermode while the CPU is running (not halted).  Instead run
      the content of the signal handler (now in qemu_cpu_kick_no_halt) directly.
      qemu_cpu_kick_no_halt is also used in qemu_mutex_lock_iothread to avoid
      the overhead of qemu_cond_broadcast.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9102dedaa1ee1e89ce4a81283c403ff4928e9ef9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:52:09 2015 -0700

      use qemu_cpu_kick instead of cpu_exit or qemu_cpu_kick_thread

      Use the same API to trigger interruption of a CPU, no matter if
      under TCG or KVM.  There is no difference: these calls come from
      the CPU thread, so the qemu_cpu_kick calls will send a signal
      to the running thread and it will be processed synchronously,
      just like a call to cpu_exit.  The only difference is in the
      overhead, but neither call to cpu_exit (now qemu_cpu_kick)
      is in a hot path.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit aed807c8e2bf009b2c6a35490d4fd4383887221d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:43:15 2015 -0700

      tcg: synchronize exit_request and tcg_current_cpu accesses

      Synchronize the remaining pair of accesses in cpu_signal.  These should
      be necessary on Windows as well, at least in theory.  Probably
      SuspendProcess and ResumeProcess introduce some implicit memory
      barrier.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ab096a75cd626dcd4ad34b2a11652df0269bee0d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:34:19 2015 -0700

      tcg: synchronize cpu->exit_request and cpu->tcg_exit_req accesses

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b0a46fa796504c7334202877a68c857e49f7c96c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:32:02 2015 -0700

      tcg: assign cpu->current_tb in a simpler place

      TCG has not been reading cpu->current_tb from signal handlers for years.
      The code that synchronized cpu_exec with the signal handler is not
      needed anymore.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f240eb6fdcf63a5600e15fb44c6960586459a97f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Aug 26 00:17:58 2015 +0200

      remove qemu/tls.h

      TLS is now required on all platforms, so DECLARE_TLS/DEFINE_TLS is not
      needed anymore.  Removing it does not break Windows because of the
      previous patch.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9373e63297c43752f9cf085feb7f5aed57d959f8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Aug 18 06:24:34 2015 -0700

      tcg: introduce tcg_current_cpu

      This is already useful on Windows in order to remove tls.h, because
      accesses to current_cpu are done from a different thread on that
      platform.  It will be used on POSIX platforms as soon TCG stops using
      signals to interrupt the execution of translated code.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5039d6e23586fe6bbedc5e4fe302b48a66890ade
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Feb 16 14:13:11 2015 +0100

      i8257: remove cpu_request_exit irq

      This is unused.  cpu_exit now is almost exclusively an internal function
      to the CPU execution loop.  In a few patches, we'll change the remaining
      occurrences to qemu_cpu_kick, making it truly internal.

      Reviewed-by: Richard henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 19d2b5e6ff7202c2bf45c547efa85ae6c2d76bbd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Feb 16 14:08:22 2015 +0100

      i8257: rewrite DMA_schedule to avoid hooking into the CPU loop

      The i8257 DMA controller uses an idle bottom half, which by default
      does not cause the main loop to exit.  Therefore, the DMA_schedule
      function is there to ensure that the CPU relinquishes the iothread
      mutex to the iothread.

      However, this is not enough since the iothread will call
      aio_compute_timeout() and go to sleep again.  In the iothread
      world, forcing execution of the idle bottom half is much simpler,
      and only requires a call to qemu_notify_event().  Do it, removing
      the need for the "cpu_request_exit" pseudo-irq.  The next patch
      will remove it.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fc04a730b7e60f4a62d6260d4eb9c537d1d3643f
  Merge: 8611280 6fdf328
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 18:02:36 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150908' into staging

      target-arm queue:
       * Implement priority handling properly via GICC_APR
       * Enable TZ extensions on the GIC if we're using them
       * Minor preparatory patches for EL3 support
       * cadence_gem: Correct Marvell PHY SPCFC reset value
       * Support AHCI in ZynqMP

      # gpg: Signature made Tue 08 Sep 2015 17:48:33 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150908:
        xlnx-zynqmp: Connect the sysbus AHCI to ZynqMP
        xlnx-zynqmp.c: Convert some of the error_propagate() calls to 
error_abort
        ahci.c: Don't assume AHCIState's parent is AHCIPCIState
        ahci: Separate the AHCI state structure into the header
        cadence_gem: Correct Marvell PHY SPCFC reset value
        target-arm: Add AArch64 access to PAR_EL1
        target-arm: Correct opc1 for AT_S12Exx
        target-arm: Log the target EL when taking exceptions
        target-arm: Fix default_exception_el() function for the case when EL3 
is not supported
        hw/arm/virt: Enable TZ extensions on the GIC if we are using them
        hw/arm/virt: Default to not providing TrustZone support
        hw/cpu/{a15mpcore, a9mpcore}: enable TrustZone in GIC if it is enabled 
in CPUs
        hw/intc/arm_gic_common: Configure IRQs as NS if doing direct NS kernel 
boot
        hw/arm: new interface for devices which need to behave differently for 
kernel boot
        qom: Add recursive version of object_child_for_each
        hw/intc/arm_gic: Actually set the active bits for active interrupts
        hw/intc/arm_gic: Drop running_irq and last_active arrays
        hw/intc/arm_gic: Fix handling of GICC_APR<n>, GICC_NSAPR<n> registers
        hw/intc/arm_gic: Running priority is group priority, not full priority
        armv7m_nvic: Implement ICSR without using internal GIC state

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6fdf3282d16e7fb6e798824fb5f4f60c6a73067d
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      xlnx-zynqmp: Connect the sysbus AHCI to ZynqMP

      Connect the Sysbus AHCI device to ZynqMP.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      [PMM: removed unnecessary brackets in error_propagate call]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e1292517103f7ad6a8dc9f0795d170a78ed408a8
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      xlnx-zynqmp.c: Convert some of the error_propagate() calls to error_abort

      Convert all of the non-realize error_propagate() calls into error_abort
      calls as they shouldn't be user visible failure cases.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bb639f829f139ddc83325b3b6825f93096ee44f1
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      ahci.c: Don't assume AHCIState's parent is AHCIPCIState

      The AHCIState struct can either have AHCIPCIState or SysbusAHCIState
      as a parent. The ahci_irq_lower() and ahci_irq_raise() functions
      assume that it is always AHCIPCIState, which is not always the
      case, which causes a seg fault. Verify what the container of AHCIState
      is before setting the PCIDevice struct.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Acked-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5ea8b9c5a3e823d1446a7e67d6d3b8d86bfd33d8
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      ahci: Separate the AHCI state structure into the header

      Pull the AHCI state structure out into the header. This allows
      other containers to access the struct. This is required to add
      the device to modern SoC containers.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7777b7a0ba27696ddf34a19818be17cc415551cc
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:45 2015 +0100

      cadence_gem: Correct Marvell PHY SPCFC reset value

      Bit 15 of the PHY Specific Status Register is reserved and
      should remain 0. Fix the reset value to ensure that the 15th
      bit is not set.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 
c795069e49040ff770fe2ece19dfe1791b729e22.1441316450.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c96fc9b52d0a318d8026a0bcaba204d319ad91e0
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      target-arm: Add AArch64 access to PAR_EL1

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Message-id: 1441311266-8644-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7a379c7e68f1b2286602b0beeeb58dcef7c9e760
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      target-arm: Correct opc1 for AT_S12Exx

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Message-id: 1441311266-8644-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dbc29a868cf5b7e6fa7bb2e6c4f188b9470779c5
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      target-arm: Log the target EL when taking exceptions

      Log the target EL when taking exceptions. This is useful when
      debugging guest SW or QEMU itself while transitioning through
      the various ELs.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Message-id: 1441311266-8644-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cef9ee706792b1e205fe472b67053a0e82cd058e
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      target-arm: Fix default_exception_el() function for the case when EL3 is 
not supported

      If EL3 is not supported in current configuration,
      we should not try to get EL3 bitness.

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      Message-id: 1441208342-10601-2-git-send-email-afarallax@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0e21f183ca2d000bbda1fb63959a3d41a1c3ff42
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      hw/arm/virt: Enable TZ extensions on the GIC if we are using them

      If we're creating a board with support for TrustZone, then enable
      it on the GIC model as well as on the CPUs.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2d710006a0da4a9b7ddf5c02d072e178906d0ef6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:44 2015 +0100

      hw/arm/virt: Default to not providing TrustZone support

      Switch the default for the 'virt' board to not providing TrustZone
      support in either the CPU or the GIC. This is primarily for the
      benefit of UEFI, which currently assumes there is no TrustZone
      support, and does not set the GIC up correctly if it is TZ-aware.
      It also means the board is consistent about its behaviour whether
      we're using KVM or TCG (KVM never has TrustZone support).

      If TrustZone support is required (for instance for running test
      suites or TZ-aware firmware) it can be enabled with the
      "-machine secure=on" command line option.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4182bbb19d2e266dde0d4ed32e85e1b1be79bc61
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      hw/cpu/{a15mpcore, a9mpcore}: enable TrustZone in GIC if it is enabled in 
CPUs

      If the A9 and A15 CPUs which we're creating the peripherals for have
      TrustZone (EL3) enabled, then also enable it in the GIC we create.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 8ff41f3995ad2d942ecafb72519c1f09cb811259
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      hw/intc/arm_gic_common: Configure IRQs as NS if doing direct NS kernel 
boot

      If we directly boot a kernel in NonSecure on a system where the GIC
      supports the security extensions then we must cause the GIC to
      configure its interrupts into group 1 (NonSecure) rather than the
      usual group 0, and with their initial priority set to the highest
      NonSecure priority rather than the usual highest Secure priority.
      Otherwise the guest kernel will be unable to use any interrupts.

      Implement this behaviour, controlled by a flag which we set if
      appropriate when the ARM bootloader code calls our ARMLinuxBootIf
      interface callback.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit d8b1ae4237b5f8cf5037a7f341ff43dc02955256
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      hw/arm: new interface for devices which need to behave differently for 
kernel boot

      For ARM we have a little minimalist bootloader in hw/arm/boot.c which
      takes the place of firmware if we're directly booting a Linux kernel.
      Unfortunately a few devices need special case handling in this situation
      to do the initialization which on real hardware would be done by
      firmware. (In particular if we're booting a kernel in NonSecure state
      then we need to make a TZ-aware GIC put all its interrupts into Group 1,
      or the guest will be unable to use them.)

      Create a new QOM interface which can be implemented by devices which
      need to do something different from their default reset behaviour.
      The callback will be called after machine initialization and before
      first reset.

      Suggested-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit d714b8de7747f20fe42e5716d1d44f91e2b891f4
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      qom: Add recursive version of object_child_for_each

      Useful for iterating through an entire QOM subtree.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1441383782-24378-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit d5523a13656fb8df902a15a9fd8bd652b85e97e0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:43 2015 +0100

      hw/intc/arm_gic: Actually set the active bits for active interrupts

      Although we were correctly handling interrupts becoming active
      and then inactive, we weren't actually exposing this to the guest
      by setting the 'active' flag for the interrupt, so reads
      of GICD_ICACTIVERn and GICD_ISACTIVERn would generally incorrectly
      return zeroes. Correct this oversight.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 72889c8a809f4c65796b98d5af6a18c92510ed86
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:42 2015 +0100

      hw/intc/arm_gic: Drop running_irq and last_active arrays

      The running_irq and last_active arrays represent state which
      doesn't exist in a real hardware GIC. The only thing we use
      them for is updating the running priority when an interrupt
      is completed, but in fact we can use the active-priority
      registers to do this. The running priority is always the
      priority corresponding to the lowest set bit in the active
      priority registers, because only one interrupt at any
      particular priority can be active at once.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 51fd06e0eee8257fdcc147200796e362cf2298ea
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:42 2015 +0100

      hw/intc/arm_gic: Fix handling of GICC_APR<n>, GICC_NSAPR<n> registers

      A GICv2 has both GICC_APR<n> and GICC_NSAPR<n> registers, with
      the latter holding the active priority bits for Group 1 interrupts
      (usually Nonsecure interrupts), and the Nonsecure view of the
      GICC_APR<n> is the second half of the GICC_NSAPR<n> registers.
      Turn our half-hearted implementation of APR<n> into a proper
      implementation of both APR<n> and NSAPR<n>:

       * Add the underlying state for NSAPR<n>
       * Make sure APR<n> aren't visible for pre-GICv2
       * Implement reading of NSAPR<n>
       * Make non-secure reads of APR<n> behave correctly
       * Implement writing to APR<n> and NSAPR<n>

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit df92cfa60eef82dad112ca5c5d0239ec5ba7aac3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:42 2015 +0100

      hw/intc/arm_gic: Running priority is group priority, not full priority

      Priority values for the GIC are divided into a "group priority"
      and a "subpriority" (with the division being determined by the
      binary point register). The running priority is only determined
      by the group priority of the active interrupts, not the
      subpriority. In particular, this means that there can't be more
      than one active interrupt at any particular group priority.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit b06c262b45cf7afcf56dd0f2189ad8948b117e7d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 8 17:38:42 2015 +0100

      armv7m_nvic: Implement ICSR without using internal GIC state

      Change the implementation of the Interrupt Control and State Register
      in the v7M NVIC to not use the running_irq and last_active internal
      state fields in the GIC. These fields don't correspond to state in
      a real GIC and will be removed soon.
      The changes to the ICSR are:
       * the VECTACTIVE field is documented as identical to the IPSR[8:0]
         field, so implement it that way
       * implement RETTOBASE via looking at the active state bits

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438089748-5528-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 76d39ab49ec68608a3c0bafec7bed70f21302b0e
  Author: Tiejun Chen <tiejun.chen@xxxxxxxxx>
  Date:   Wed Jul 15 13:37:42 2015 +0800

      pc_init1: pass parameters just with types

      Pass types to configure pc_init1().

      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7bb836e4a27b7e364f3c8c4ebe41172fc8c70f75
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 15 13:37:41 2015 +0800

      i440fx: make types configurable at run-time

      IGD passthrough wants to supply a different pci and
      host devices, inheriting i440fx devices. Make types
      configurable.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Tiejun Chen <tiejun.chen@xxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit eeb6b13a5a45d16a7b348891921d496bc5d6df2c
  Author: Don Slutz <dslutz@xxxxxxxxxxx>
  Date:   Thu Apr 30 14:27:09 2015 -0400

      xen-hvm: Add trace to ioreq

      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Don Slutz <dslutz@xxxxxxxxxxx>

  commit 8611280505119e296757a60711a881341603fa5a
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 2 14:46:01 2015 -0700

      target-microblaze: Use setcond for pcmp*

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 88174019d2e1d2e1c304d507654d37f6d7504957
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Sep 2 11:38:10 2015 -0700

      target-cris: Use movcond and setcond

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 5f5b5942d56a138baad0ae01458d5d0e62d5be68
  Author: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:01:42 2015 +0300

      Added generic panic handler qemu_system_guest_panicked()

      There are pieces of guest panic handling code
      that can be shared in one generic function.
      These code replaced by call qemu_system_guest_panicked().

      Signed-off-by: Andrey Smetanin <asmetanin@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      Message-Id: <1435924905-8926-10-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6d1f252d8c1ba73bf6ed9af28731a9c9c3d473a2
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Aug 14 13:33:36 2015 +0200

      block/iscsi: validate block size returned from target

      It has been reported that at least tgtd returns a block size of 0
      for LUN 0. To avoid running into divide by zero later on and protect
      against other problematic block sizes validate the block size right
      at connection time.

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: Andrey Korolyov <andrey@xxxxxxx>
      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-Id: <1439552016-8557-1-git-send-email-pl@xxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f3926945c85689e8af324c0db0b39be771dbbebb
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Sep 7 11:28:58 2015 +0800

      iohandler: Use aio API

      iohandler.c shares the same interface with aio, but with duplicated
      code. It's better to rebase iohandler, also because that aio is a
      more friendly interface to multi-threads.

      Create a global AioContext instance and let its GSource handle the
      iohandler events.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1441596538-4412-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 46036b2462c7ff56c0af6466ea6b9248197a38a8
  Author: Aníbal Limón <anibal.limon@xxxxxxxxxxxxxxx>
  Date:   Thu Sep 3 15:48:33 2015 -0500

      cpus.c: qemu_mutex_lock_iothread fix race condition at cpu thread init

      When QEMU starts the RCU thread executes qemu_mutex_lock_thread
      causing error "qemu:qemu_cpu_kick_thread: No such process" and exits.

      This isn't occur frequently but in glibc the thread id can exist and
      this not guarantee that the thread is on active/running state. If is
      inserted a sleep(1) after newthread assignment [1] the issue appears.

      So not make assumption that thread exist if first_cpu->thread is set
      then change the validation of cpu to created that is set into cpu
      threads (kvm, tcg, dummy).

      [1] 
https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_create.c;h=d10f4ea8004e1d8f3a268b95cc0f8d93b8d89867;hb=HEAD#l621

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Aníbal Limón <anibal.limon@xxxxxxxxxxxxxxx>
      Message-Id: 
<1441313313-3040-1-git-send-email-anibal.limon@xxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d12f7309483e20d1bae9304f4b812bf53a8e6510
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:36 2015 -0400

      seqlock: read sequence number atomically

      With this change we make sure that the compiler will not
      optimise the read of the sequence number in any way.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-8-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 123fdbac9b8f1e394fbe92e8b5359193e94ba5bf
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:35 2015 -0400

      seqlock: add missing 'inline' to seqlock_read_retry

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-7-git-send-email-cota@xxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9d34158a5af734e8de0b42b0a7228200c426a8d0
  Merge: 8f1ed5f bd80a8a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 16:07:47 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150907' into 
staging

      s390x fixes and improvements:
      - various bugfixes (css/event-facility)
      - more efficient adapter interrupt routes setup
      - gdb enhancement
      - sclp got treated with a lot of remodelling/cleanup

      # gpg: Signature made Mon 07 Sep 2015 15:42:43 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150907: (23 commits)
        s390/sclp: simplify calculation of rnmax
        s390/sclp: store the increment_size in the sclp device
        s390: unify allocation of initial memory
        s390: move memory calculation into the sclp device
        s390/sclp: ignore memory hotplug operations if it is disabled
        s390: disallow memory hotplug for the s390-virtio machine
        s390: no need to manually parse for slots and maxmem
        s390/sclp: move sclp_service_interrupt into the sclp device
        s390/sclp: move sclp_execute related functions into the SCLP class
        s390/sclp: introduce a root sclp device
        s390/sclp: temporarily fix unassignment/reassignment of memory 
subregions
        s390/sclp: replace sclp event types with proper defines
        s390/sclp: rework sclp event facility initialization + device 
realization
        sclp/s390: rework sclp cpu hotplug device notification
        s390x/gdb: support reading/writing of control registers
        s390x/kvm: make setting of in-kernel irq routes more efficient
        pc-bios/s390-ccw: rebuild image
        pc-bios/s390-ccw: Device detection in higher subchannel sets
        s390x/event-facility: fix location of receive mask
        s390x/css: start with cleared cstat/dstat
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bd80a8ad555c2b5f79591b29edcf8196b8a5109b
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 1 13:04:03 2015 +0200

      s390/sclp: simplify calculation of rnmax

      rnmax can be directly calculated using machine->maxram_size.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 71a2fd355d8fa429bcc04740c260635e084255f2
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 1 13:03:23 2015 +0200

      s390/sclp: store the increment_size in the sclp device

      Let's calculate it once and reuse it.

      Suggested-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 80d23275e3c4bc93fa6f123613d5ff389ed3fc62
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 15:01:55 2015 +0200

      s390: unify allocation of initial memory

      Now that the calculation of the initial memory is hidden in the sclp
      device, we can unify the allocation of the initial memory.

      The remaining ugly part is the reserved memory for the virtio queues,
      but that can be cleaned up later.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 1cf065fb87e8787e3e9cebcdb4713b81e4e61422
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 13:53:08 2015 +0200

      s390: move memory calculation into the sclp device

      The restrictions for memory calculation belong to the sclp device.

      Let's move the calculation to that point, so we are able to unify it for
      both s390 machines. The sclp device is the first device to be initialized.
      It performs the calculation and safely stores it in the machine, where
      other parts of the system can access an reuse it.

      The memory hotplug device is now only created when it is really needed.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit b02ef3d92b19ad304a84433d3817f0903296ebc7
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 14:06:39 2015 +0200

      s390/sclp: ignore memory hotplug operations if it is disabled

      If no memory hotplug device was created, the sclp command facility is
      not exposed (SCLP_FC_ASSIGN_ATTACH_READ_STOR). We therefore have no
      memory hotplug and should correctly report SCLP_RC_INVALID_SCLP_COMMAND
      if any such command is executed.

      This gets rid of these ugly asserts that could have been triggered
      for the s390-virtio machine.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 2998ffee245e3a141ce1b6fca127744c3e19dc63
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 13:22:12 2015 +0200

      s390: disallow memory hotplug for the s390-virtio machine

      That machine type doesn't currently support memory hotplug, so let's abort
      if it is requested. Reason is, that the virtio queues are allocated for 
now
      at the end of the initial ram - extending the ram is therefore not 
possible.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 311467f77eab5c3e1f8e0f6f446201e3a1f46e70
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Fri May 29 13:14:50 2015 +0200

      s390: no need to manually parse for slots and maxmem

      ram_slots and maxram_size has already been parsed and verified by
      common code for us.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 1723a1b6313851d9704961e1f527312ee0a5fce4
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Wed May 13 15:06:44 2015 +0200

      s390/sclp: move sclp_service_interrupt into the sclp device

      Let's make that function a method of the new sclp device, keeping
      the wrapper for existing users.

      We can now let go of get_event_facility().

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 25a3c5af57db0319f5cfb4c439efbc78b230599e
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Wed May 27 10:04:56 2015 +0200

      s390/sclp: move sclp_execute related functions into the SCLP class

      Let's move the sclp_execute related functions into the SCLP class
      and pass the device state as parameter, so we have easy access to
      the SCLPDevice later on.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 515190d9da0c85084d32d6ad36afb15a6d35729e
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Wed May 27 09:49:43 2015 +0200

      s390/sclp: introduce a root sclp device

      Let's create a root sclp device, which has other sclp devices as
      children (e.g. the event facility for now) and can later be used
      for migration of sclp specific attributes and setup of memory.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 732bdd383ee06be2655b1a849a628ff03b0000b8
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Jun 13 08:46:54 2015 +0200

      s390/sclp: temporarily fix unassignment/reassignment of memory subregions

      Commit 374f2981d1f1 ("memory: protect current_map by RCU") broke
      unassignment of standby memory on s390x. Looks like that the new
      parallelism allows races with our (semi broken) memory hotplug code. The
      flatview_unref() can now be executed after our unparenting. Therefore
      memory_region_unref() tries to unreference the MemoryRegion itself instead
      of the parent.

      In theory, MemoryRegions are now bound to separate devices that control
      their lifetime. We don't have this yet, so we really want to control their
      lifetime manually.

      This patch fixes it temporarily, until we have a proper rework. The only
      drawback is that they won't pop up in "info qom-tree", but that's better
      than qemu crashes.

      We have to release the reference to a memory region after a
      memory_region_find, as it automatically takes a reference. As we're now
      able to reassign memory, the MemoryRegion is in fact deleted (otherwise
      vmstate_register_ram() would complain).

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 35925a7a73e7df4118cb11667095bd2d8fc4e091
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 15:31:47 2015 +0200

      s390/sclp: replace sclp event types with proper defines

      Introduce TYPE_SCLP_QUIESCE and make use of it. Also use
      TYPE_SCLP_CPU_HOTPLUG where applicable.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f6102c329c43d7d5e0bee1fc2fe4043e05f9810c
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 21 12:43:31 2015 +0200

      s390/sclp: rework sclp event facility initialization + device realization

      The current code only works by chance. The event facility is a sysbus
      device, but specifies in its class structure as parent the DeviceClass
      (instead of a device class).

      The init function in return lies therefore at the same position as
      the init function of SysBusDeviceClass and gets triggered instead -
      a very bad idea of doing that (e.g. the parameter types don't match).

      Let's bring the initialization code up to date, initializing the event
      facility + child events in .instance_init and moving the realization of
      the child events out of the init call, into the realization step.

      Device realization is now automatically performed when the event facility
      itself is realized. That realization implicitly triggers realization of
      the child bus, which in turn initializes the events.

      Please note that we have to manually propagate the realization of the bus
      children, common code still has a TODO set for that task.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 073f57ae347a41cbcc940ae0286bbbab993b9148
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 15:30:43 2015 +0200

      sclp/s390: rework sclp cpu hotplug device notification

      Let's get rid of this strange local variable + irq logic and
      work directly on the QOM. (hint: what happens if two such devices
      are created?)

      We could introduce proper QOM class + state for the cpu hotplug device,
      however that would result in too much overhead for a simple
      "trigger_signal" function.

      Also remove one unnecessary class function initialization.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 5b9f6345a616c321a5ea2f35e09043edd933767e
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 11:00:09 2015 +0200

      s390x/gdb: support reading/writing of control registers

      Let's support reading and writing of control registers for kvm and tcg.

      We have to take care of flushing the tlb (tcg) and pushing the changed
      registers into kvm.

      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit c0194a00b0beb66814756ee255a8a86b2a92c27e
  Author: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jul 27 16:53:27 2015 +0200

      s390x/kvm: make setting of in-kernel irq routes more efficient

      When we add new adapter routes we call kvm_irqchip_add_route() for every
      virtqueue and in the same step also do the KVM_SET_GSI_ROUTING ioctl.

      This is unnecessary costly as the interface allows us to set multiple
      routes in one go. Let's first add all routes to the table stored in the
      global kvm_state and then do the ioctl to commit the routes to the
      in-kernel irqchip.

      This saves us several ioctls to the kernel where for each call a list
      is reallocated and populated.

      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 9f70b85c405093f24d9df22215ead6596819832f
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Aug 11 10:53:41 2015 +0200

      pc-bios/s390-ccw: rebuild image

      Contains:
      - Device detection in higher subchannel sets

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 0f79b89bc2bdbed35d2c57d722acc4c31a5a2ce4
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jun 25 18:35:58 2015 +0300

      pc-bios/s390-ccw: Device detection in higher subchannel sets

      If no bootdevice was specified, we try to autodetect a suitable IPL
      device. Current code only searched in subchannel set 0; extend this
      search to higher subchannel sets as well.

      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f7822aa8b610a4fec57a09066974e5c088592c08
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Mon Jul 27 16:55:23 2015 +0200

      s390x/event-facility: fix location of receive mask

      For read event mask, we assumed that the layout of the sccb was

      |sccb header|event buffer header|receive mask|...|

      The correct layout, however, is

      |sccb header|receive mask|...|

      as in-buffer and

      |sccb header|event buffer header|...|

      as out-buffer.

      Fix this: This makes selective read work.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 6b7741c2bedeae2e8c54fffce81723ca0a0c25c0
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Jul 24 12:08:37 2015 +0200

      s390x/css: start with cleared cstat/dstat

      When executing the start function, we should start with a clear state
      regarding subchannel and device status; it is easy to forget updating one
      of them after the ccw has been processed.

      Note that we don't need to care about resetting the various control
      fields: They are cleared by tsch(), and if they were still pending,
      we wouldn't be able to execute the start function in the first
      place.

      Also note that we don't want to clear cstat/dstat if a suspended
      subchannel is resumed.

      This fixes a bug where we would continue to present channel-program
      check in cstat even though later ccw requests for the subchannel
      finished without error (i.e. cstat should be 0).

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>

  commit 3335ddddf9e5ba7743dc8e3f767f4ef857ccd20c
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Jul 1 15:28:06 2015 +0200

      s390x/event-facility: fix receive mask check

      For selective read event, we need to check if any event is requested
      that is not active instead of whether none of the requested events is
      active.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fa4463e0432ab66432a28d6b975f8eed99b3f4fa
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jul 16 10:42:18 2015 +0200

      s390x/css: ccw-0 enforces count > 0

      Type-0 ccws need to have a count > 0 for any command other than TIC.
      Generate a channel-program check if this is not the case.

      Reviewed-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fde8206b8061f808c880709c2ac26a645b11c211
  Author: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jul 15 16:16:20 2015 +0200

      s390x/css: handle ccw-0 TIC correctly

      In CCW-0 format TIC command 4 highest bits are ignored in the subchannel.
      In CCW-1 format the TIC command 4 highest bits must be 0.
      To convert TIC from CCW-0 to CCW-1 we clear the 4 highest bits
      to guarantee compatibility.

      Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 8f1ed5f5081416d5d1cc9569aa826114c5b21213
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:12 2015 +0100

      Make pow2ceil() and pow2floor() inline

      Since the pow2floor() function is now used in a hot code path,
      make it inline; for consistency, provide pow2ceil() as an inline
      function too.

      Because these functions use ctz64() we have to put the inline
      versions into host-utils.h, so they have access to ctz64(),
      and move the inline is_power_of_2() along with them.

      We then need to include host-utils.h from qemu-common.h so that
      the files which use these functions via qemu-common.h still have
      access to them.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1437741192-20955-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 10944a19209bb520054569e0f156f50338901264
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:11 2015 +0100

      Remove unused qemu_fls function

      Nothing uses qemu_fls() any more, so delete it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1437741192-20955-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 6554f5c03793bb8a3d5dedcebf758a1694fa186c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:10 2015 +0100

      exec.c: Use pow2floor() rather than hand-calculation

      Use pow2floor() to round down to the nearest power of 2,
      rather than an inline calculation.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1437741192-20955-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 26efcec158a87133bb6255ae7d3127a5fa6e66fd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:09 2015 +0100

      hw/block/nvme.c: Use pow2ceil() rather than hand-calculation

      Use pow2ceil() to round up to the next power of 2, rather
      than an inline calculation.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1437741192-20955-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 1d0148fe6c121b21476ac1ba5120f8990e7fe6cd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:08 2015 +0100

      hw/virtio/virtio-pci: Use pow2ceil() rather than hand-calculation

      Use the utility function pow2ceil() for rounding up to the next
      largest power of 2, rather than inline calculation.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1437741192-20955-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 9bff5d8135fc3f37932d4177727d293aa93ce79b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:33:07 2015 +0100

      hw/pci: Use pow2ceil() rather than hand-calculation

      A couple of places in hw/pci use an inline calculation to round a
      size up to the next largest power of 2. We have a utility routine
      for this, so use it.

      (The behaviour of the old code is different if the size value
      is 0 -- it would leave it as 0 rather than rounding up to 1,
      but in both cases we know the size can't be 0.
      In the case where the size value had bit 31 set, the old code
      would invoke undefined behaviour; the new code will give a
      result of 0. Presumably that could never happen either.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1437741192-20955-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4169198617dc8d3e80697964b91eaea551e7f956
  Merge: 298fae3 c804b57
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 11:23:08 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches

      # gpg: Signature made Fri 04 Sep 2015 20:45:33 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        quorum: validate vote threshold against num_children even if 
read-pattern is fifo
        qcow2: reorder fields in Qcow2CachedTable to reduce padding
        docs: document how to configure the qcow2 L2/refcount caches
        qcow2: add option to clean unused cache entries after some time
        qcow2: mark the memory as no longer needed after qcow2_cache_empty()
        iotests: Warn if python subprocess is killed
        iotests: Do not suppress segfaults in bash tests
        iotests: Respect -nodefaults in tests 41 and 55
        iotests: More options for VM.add_drive()
        qemu-img: Fix crash in amend invocation
        block/raw-posix: Use raw_normalize_devicepath()
        qemu-iotests: s390x: fix test 130
        qemu-iotests: s390x: fix test 049, reject negative sizes in QemuOpts
        qemu-iotests: s390x: fix test 041 and 055
        qemu-iotests: disable default qemu devices for cross-platform 
compatibility
        qemu-iotests: qemu machine type support

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 298fae38972cc0165415ead04b64bfcae55640d9
  Merge: b597aa0 8d45c54
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:43:18 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150907' into staging

      target-arm queue:
       * cleanup to use g_new() and friends
       * support semihosting in A64
       * add SMBIOS support to mach-virt
       * remove hw_error() usages
       * fix bug in the AArch32:AArch64 register mapping
       * add a second PCI memory window in highmem on virt board
       * fix bug in arm_excp_unmasked()
       * add i.MX31 SoC
       * remove restriction on handling affinity values in virt board

      # gpg: Signature made Mon 07 Sep 2015 10:40:48 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150907: (27 commits)
        arm/virt: Add full-sized CPU affinity handling
        target-arm: Refactor CPU affinity handling
        i.MX: Add i2C devices to i.MX31 SOC
        i.MX: Add qtest support for I2C device emulator.
        i.MX: Add the i.MX25 PDK platform
        i.MX: Add SOC support for i.MX25
        i.MX: Add FEC Ethernet Emulator
        i.MX: Add I2C controller emulator
        i.MX: KZM: use standalone i.MX31 SOC support
        i.MX: Add SOC support for i.MX31
        target-arm: Fix arm_excp_unmasked() function
        hw/arm/virt: Add high MMIO PCI region, 512G in size
        target-arm: Fix AArch32:AArch64 general-purpose register mapping
        arm: Remove hw_error() usages.
        arm: cpu: assert() on no-EL2 virt IRQ error condition.
        smbios: implement smbios support for mach-virt
        smbios: add smbios 3.0 support
        target-arm: Wire up HLT 0xf000 as the A64 semihosting instruction
        target-arm/arm-semi.c: SYS_EXIT on A64 takes a parameter block
        target-arm/arm-semi.c: Implement A64 specific SyncCacheRange call
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8d45c54d4fd3612bd616afcc5c278394f312927b
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      arm/virt: Add full-sized CPU affinity handling

      At least with KVM, currently there's no reason why QEMU would not be
      capable of handling Aff3 != 0. This commit fixes up FDT creation in such
      a case.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-id: 
eef5a86e6d9a313780dbc23b35fcb65df42a3e9e.1441366248.git.p.fedin@xxxxxxxxxxx
      [PMM: folded two overlong lines]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0f4a9e45ec35811ee250ac232d84d3c6d4fcd7fc
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      target-arm: Refactor CPU affinity handling

      Introduces reusable definitions for CPU affinity masks/shifts and gets rid
      of hardcoded magic numbers.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-id: 
7e6def4d0d91ae64615cdd2035b94d408d0a23c6.1441366248.git.p.fedin@xxxxxxxxxxx
      [PMM: folded overlong line]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d4e26d106a1ea35a81176cb5398406b08316adc7
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      i.MX: Add i2C devices to i.MX31 SOC

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
fb20e6bf5cf946c4530b2cfb55c7e37f5a0fc051.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7f3986278b0bc214e83111ea55c8d12bac79c4fa
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      i.MX: Add qtest support for I2C device emulator.

      This is using a ds1338 RTC chip on the I2C bus. This RTC chip is
      not present on the real 3DS PDK board.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Acked-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
05601683a2a95c881cbc9f22651a044d969bd0ae.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 65f57c43632b102f8b1ef20baf1fc218c6b8d9cd
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:31 2015 +0100

      i.MX: Add the i.MX25 PDK platform

      Tested by booting a minimal Linux system on the emulated platform
      Tested by booting the Xvisor hypervisor on the emulated platform

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
d27347300d253509d921bc27a6d0a14db877478b.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ee708c999d45e3f742d2f1287694a1b9da87044b
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: Add SOC support for i.MX25

          For now we support the following devices:
            * CPU: ARM926
            * Interrupt Controller: AVIC
            * CCM
            * UART x 5
            * EPIT x 2
            * GPT x 4
            * FEC
            * I2C x 3

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
62218bfa90f9101f79098e768c3d58bd92dcb7f3.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fcbd8018e645f3ab1ef9af94dc88a0d3272926d3
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: Add FEC Ethernet Emulator

      This is based on mcf_fec.c FEC implementation for Coldfire

        * A generic PHY was added (borrowwed from LAN9118)
        * The buffer management is also modified as buffers are
          slightly different between Coldfire and i.MX

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
fb314f8a120aa49f8f6ad886f312c649b484fb5a.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 20d0f9cf6a41bad52baba3ebc485849617cc42cf
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: Add I2C controller emulator

      The slave mode is not implemented.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
508dbf2ebe26ec383d3a12a1db5a7890ac8acf20.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f044ac4980922e23b608afc2f35648ebadb42950
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: KZM: use standalone i.MX31 SOC support

      Convert the KZM board to use the i.MX31 SoC defintition instead of
      redefining the entire SoC on the machine level. Major rewrite of the
      machine init code.

      While touching the memory map comment de-indent to the correct level
      of indentation.

      This obsoletes the legacy i.MX device device creation helpers which are 
removed.

      Tested by booting a minimal Linux system on the emulated platform

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
5e783561f092e1c939562fdff001f1ab1194b07f.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 558df83db778dc2e839353357a508349b180d79b
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      i.MX: Add SOC support for i.MX31

      For now we support the following devices:
        * CPU: ARM1136
        * Interrupt Controller: AVIC
        * CCM
        * UART x 2
        * EPIT x 2
        * GPT

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
f146d819594e41568daec42a1d0f440cdfe3df76.1441057361.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 771842585f3119f69641ed90a97d56eb9ed6f5ae
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Mon Sep 7 10:39:30 2015 +0100

      target-arm: Fix arm_excp_unmasked() function

      There is an error in arm_excp_unmasked() function:
      bitwise operator & is used with integer and bool operands
      causing an incorrect zeroed result.
      The patch fixes it.

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      Message-id: 1441209238-16881-1-git-send-email-afarallax@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5125f9cd2532f0aca25d966ecd27d0e30d4af7c9
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      hw/arm/virt: Add high MMIO PCI region, 512G in size

      This large region is necessary for some devices like ivshmem and video 
cards
      32-bit kernels can be built without LPAE support. In this case such a 
kernel
      will not be able to use PCI controller which has windows in high 
addresses.
      In order to work around the problem, "highmem" option is introduced. It
      defaults to on on, but can be manually set to off in order to be able to 
run
      those old 32-bit guests.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      [PMM: Added missing ULL suffixes and a comment to the a15memmap[] entry]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3a9148d0bdcee990fbe86759b9b1f5723c1d7fbc
  Author: Sergey Sorokin <afarallax@xxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      target-arm: Fix AArch32:AArch64 general-purpose register mapping

      There is an error in functions aarch64_sync_32_to_64() and
      aarch64_sync_64_to_32() with mapping of registers between AArch32 and
      AArch64.  This commit fixes the mapping to match the v8 ARM ARM
      section D1.20.1 (table D1-77).

      Signed-off-by: Sergey Sorokin <afarallax@xxxxxxxxx>
      Message-id: 1440796451-15276-1-git-send-email-afarallax@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: tidied commit message a bit]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8f6fd322f6e25995629a1a07b56bc5b91fb947ca
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      arm: Remove hw_error() usages.

      All of these hw_errors are fatal and indicate something wrong with
      QEMU implementation.

      Convert to g_assert_not_reached.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
169194d09017e5725535d31a1507d454c0043706.1440842587.git.crosthwaite.peter@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f128bf297ba100877313cb3e9c0da845da0bb58c
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      arm: cpu: assert() on no-EL2 virt IRQ error condition.

      Replace the hw_error() for no-EL2 VIRQ with an assert.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
93b6acdee6cafe8ff0422a294a5640c3d35f0e17.1440842587.git.crosthwaite.peter@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c30e15658b1b3dc9c241a515322ca5dc6fa6b4fe
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:29 2015 +0100

      smbios: implement smbios support for mach-virt

      This patch generates smbios tables for ARM mach-virt. Also add
      CONFIG_SMBIOS=y for ARM default config.

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Message-id: 1440615870-9518-3-git-send-email-wei@xxxxxxxxxx
      [PMM: Added missing braces around an if().]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 86299120060f734a2f7c1137a46de0b8c78135b7
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      smbios: add smbios 3.0 support

      This patch adds support for SMBIOS 3.0 entry point. When caller invokes
      smbios_set_defaults(), it can specify entry point as 2.1 or 3.0. Then
      smbios_get_tables() will return the entry point table in right format.

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Message-id: 1440615870-9518-2-git-send-email-wei@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8012c84ff92a36d05dfe61af9b24dd01a7ea25e4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      target-arm: Wire up HLT 0xf000 as the A64 semihosting instruction

      For the A64 instruction set, the semihosting call instruction
      is 'HLT 0xf000'. Wire this up to call do_arm_semihosting()
      if semihosting is enabled.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-10-git-send-email-peter.maydell@xxxxxxxxxx

  commit 7446d35e1dd69e1da8241277eae09e293741b362
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      target-arm/arm-semi.c: SYS_EXIT on A64 takes a parameter block

      The A64 semihosting API changes the interface for SYS_EXIT so
      that instead of taking a single exception type in a register,
      it takes a parameter block containing the exception type and
      a sub-code. Implement this.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-9-git-send-email-peter.maydell@xxxxxxxxxx

  commit e9ebfbfcf31c11fb3bd2fc436fa17ce45a4e7086
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      target-arm/arm-semi.c: Implement A64 specific SyncCacheRange call

      The A64 semihosting ABI defines a new call SyncCacheRange
      for doing a 'clean D-cache and invalidate I-cache' sequence.
      Since QEMU doesn't implement caches, we can implement this as a nop.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-8-git-send-email-peter.maydell@xxxxxxxxxx

  commit faacc041619581c566c21ed87aa1933420731282
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:28 2015 +0100

      target-arm/arm-semi.c: Support widening APIs to 64 bits

      The 64-bit A64 semihosting API has some pervasive changes from
      the 32-bit version:
       * all parameter blocks are arrays of 64-bit values, not 32-bit
       * the semihosting call number is passed in W0
       * the return value is a 64-bit value in X0

      Implement the necessary handling for this widening.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 44d4a499b79d12d5c29f32bf2070c89335573c03
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      include/exec/softmmu-semi.h: Add support for 64-bit values

      Add support for getting and setting 64-bit values in the
      softmmu semihosting support functions. This will be needed
      for 64-bit ARM semihosting.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit bb19cbc95ada89ce5e02c132bc6f3268b1a1bfa3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      target-arm/arm-semi.c: Factor out repeated 'return env->regs[0]'

      Factor out a repeated pattern in the semihosting code:

          gdb_do_syscall(arm_semi_cb, "system,%s", arg0, (int)arg1+1);
          /* arm_semi_cb sets env->regs[0] to the syscall return value */
          return env->regs[0];

      For A64 the return value will go in a different register; pull
      the sequence out into its own function that passes the return
      value in a static variable rather than overloading regs[0]
      for the purpose, so the code will work on both A32/T32 and A64.

      Note that the lack-of-synchronization bug noted in the FIXME
      comment is not introduced by this commit, but was already present.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 19239b39e7501dedec8d92f0eca79c187685bcce
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      gdbstub: Implement gdb_do_syscallv()

      Implement a variant of the existing gdb_do_syscall() which
      takes a va_list.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 205ace55ffff77964e50af08c99639ec47db53f6
  Author: Christopher Covington <christopher.covington@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      target-arm: Improve semihosting debug prints

      Print semihosting debugging information before the
      do_arm_semihosting() call so that angel_SWIreason_ReportException,
      which causes the function to not return, gets the same debug prints as
      other semihosting calls. Also print out the semihosting call number.

      Signed-off-by: Christopher Covington <christopher.covington@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Christopher Covington <cov@xxxxxxxxxxxxxx>
      Message-id: 1439483745-28752-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 857b55adb77004d9ec9202078b7f1f3a1a076112
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      target-arm/arm-semi.c: Fix broken SYS_WRITE0 via gdb

      A spurious trailing "\n" in the gdb syscall format string used
      for SYS_WRITE0 meant that gdb would reject the remote syscall,
      with the effect that the output from the guest was silently dropped.
      Remove the newline so that gdb accepts the packet.

      Cc: qemu-stable@xxxxxxxxxx

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b45c03f585ea9bb1af76c73e82195418c294919d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Sep 7 10:39:27 2015 +0100

      arm: Use g_new() & friends where that makes obvious sense

      g_new(T, n) is neater than g_malloc(sizeof(T) * n).  It's also safer,
      for two reasons.  One, it catches multiplication overflowing size_t.
      Two, it returns T * rather than void *, which lets the compiler catch
      more type errors.

      This commit only touches allocations with size arguments of the form
      sizeof(T).

      Coccinelle semantic patch:

          @@
          type T;
          @@
          -g_malloc(sizeof(T))
          +g_new(T, 1)
          @@
          type T;
          @@
          -g_try_malloc(sizeof(T))
          +g_try_new(T, 1)
          @@
          type T;
          @@
          -g_malloc0(sizeof(T))
          +g_new0(T, 1)
          @@
          type T;
          @@
          -g_try_malloc0(sizeof(T))
          +g_try_new0(T, 1)
          @@
          type T;
          expression n;
          @@
          -g_malloc(sizeof(T) * (n))
          +g_new(T, n)
          @@
          type T;
          expression n;
          @@
          -g_try_malloc(sizeof(T) * (n))
          +g_try_new(T, n)
          @@
          type T;
          expression n;
          @@
          -g_malloc0(sizeof(T) * (n))
          +g_new0(T, n)
          @@
          type T;
          expression n;
          @@
          -g_try_malloc0(sizeof(T) * (n))
          +g_try_new0(T, n)
          @@
          type T;
          expression p, n;
          @@
          -g_realloc(p, sizeof(T) * (n))
          +g_renew(T, p, n)
          @@
          type T;
          expression p, n;
          @@
          -g_try_realloc(p, sizeof(T) * (n))
          +g_try_renew(T, p, n)
          @@
          type T;
          expression n;
          @@
          -(T *)g_new(T, n)
          +g_new(T, n)
          @@
          type T;
          expression n;
          @@
          -(T *)g_new0(T, n)
          +g_new0(T, n)
          @@
          type T;
          expression p, n;
          @@
          -(T *)g_renew(T, p, n)
          +g_renew(T, p, n)

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1440524394-15640-1-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c804b5791d51608c0e12e4cc2b40b3d763ce796c
  Merge: 2ef6093 834cb2a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Sep 4 21:43:40 2015 +0200

      Merge remote-tracking branch 
'mreitz/tags/pull-block-for-kevin-2015-09-04' into queue-block

      Block patches from 2015-08-24 until 2015-09-04.

      # gpg: Signature made Fri Sep  4 21:02:10 2015 CEST using RSA key ID 
E838ACAD
      # gpg: Good signature from "Max Reitz <mreitz@xxxxxxxxxx>"

      * mreitz/tags/pull-block-for-kevin-2015-09-04:
        quorum: validate vote threshold against num_children even if 
read-pattern is fifo
        qcow2: reorder fields in Qcow2CachedTable to reduce padding
        docs: document how to configure the qcow2 L2/refcount caches
        qcow2: add option to clean unused cache entries after some time
        qcow2: mark the memory as no longer needed after qcow2_cache_empty()

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 834cb2ada5db197a11c99142d50222945d196fc0
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri Jul 3 14:45:06 2015 +0800

      quorum: validate vote threshold against num_children even if read-pattern 
is fifo

      We need to use threshold to check if too many write operation fails.
      If threshold is larger than num children, we always get write error
      event even if all write operations success.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-id: 55962F72.3060003@xxxxxxxxxxxxxx
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 909c260c71d1bee7018e17034580ffd0743508db
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Aug 4 15:14:42 2015 +0300

      qcow2: reorder fields in Qcow2CachedTable to reduce padding

      Changing the current ordering saves 8 bytes per cache entry in x86_64.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 
0bd55291211df3dfb514d0e7d2031dd5c4f9f807.1438690126.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 7f65ce834accce0b7e4bc79313bacf229b957783
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Aug 4 15:14:41 2015 +0300

      docs: document how to configure the qcow2 L2/refcount caches

      QEMU has options to configure the size of the L2 and refcount
      caches for the qcow2 format. However, choosing the right sizes for
      a particular disk image is not a straightforward operation since
      the ratio between the cache size and the allocated disk space is
      not obvious and depends on the size of the cluster and the refcount
      entries.

      This document attempts to give an overview of both caches and how to
      configure their sizes.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
55de928e139b1ba3f3d40fe9c6c88f30b1f36410.1438690126.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 279621c046ce57de0af9e3c00663b48d3a7835ae
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Aug 4 15:14:40 2015 +0300

      qcow2: add option to clean unused cache entries after some time

      This adds a new 'cache-clean-interval' option that cleans all qcow2
      cache entries that haven't been used in a certain interval, given in
      seconds.

      This allows setting a large L2 cache size so it can handle scenarios
      with lots of I/O and at the same time use little memory during periods
      of inactivity.

      This feature currently relies on MADV_DONTNEED to free that memory, so
      it is not useful in systems that don't follow that behavior.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
a70d12da60433df9360ada648b3f34b8f6f354ce.1438690126.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 355ee2d0e8ca536a6278c9c763ddd2f136eace3f
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Tue Aug 4 15:14:39 2015 +0300

      qcow2: mark the memory as no longer needed after qcow2_cache_empty()

      After having emptied the cache, the data in the cache tables is no
      longer useful, so we can tell the kernel that we are done with it. In
      Linux this frees the resources associated with it.

      The effect of this can be seen in the HMP commit operation: it moves
      data from the top to the base image (and fills both caches), then it
      empties the top image. At this point the data in that cache is no
      longer needed so it's just wasting memory.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
08538b098e1faf6c92496477cf9b47a20e5aacea.1438690126.git.berto@xxxxxxxxxx
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 2ef6093cd6990314304f2d3b18eb476ee418d73c
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 2 20:52:28 2015 +0200

      iotests: Warn if python subprocess is killed

      Currently, if a subprocess of a python test (i.e. qemu-io, qemu-img, or
      qemu) receives a signal and is subsequently aborted, this is not logged.

      This patch makes python tests always check the exit code of these
      subprocesses, and emit a message if they have been killed.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 934659c460d46c948cf348822fda1d38556ed9a4
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 2 20:52:27 2015 +0200

      iotests: Do not suppress segfaults in bash tests

      Currently, if a qemu/qemu-io/qemu-img/qemu-nbd invocation receives a
      segmentation fault, that message is invisible in most cases since the
      output is generally filtered and bash suppresses the segmentation fault
      notice for any but the last element of a pipe.

      Most of the time, the test will then fail anyway because of missing
      output, but not necessarily (as happened with test 82 recently).

      Fix this by making the corresponding environment variables point to
      wrapper functions which execute the respective command in a subshell.

      Giving options to qemu/qemu-io/qemu-img and path names with spaces were
      broken for the Python tests; this patch "accidentally" fixes that.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0ed82f7a096537923ef3705946f254d2f61eaf93
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 2 20:52:26 2015 +0200

      iotests: Respect -nodefaults in tests 41 and 55

      While -nodefaults is set in $QEMU_OPTIONS, this is currently (wrongly)
      ignored for Python iotests. In order to be prepared for when this is
      fixed, we should explicitly add an IDE CD-ROM drive instead of relying
      on it being created automatically.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8e4922535b6479c7a2fa6b14b0148c6ae4fcc003
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Sep 2 20:52:25 2015 +0200

      iotests: More options for VM.add_drive()

      This patch allows specifying the interface to be used for the drive, and
      makes specifying a path optional (if the path is None, the "file" option
      will be omitted, thus creating an empty drive).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e814dffcc9810ed77fe99081be9751b620a894c4
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Thu Aug 20 16:00:38 2015 -0700

      qemu-img: Fix crash in amend invocation

      Example:
      $ ./qemu-img create -f qcow2 /tmp/t.qcow2 64M
      $ ./qemu-img amend -f qcow2 -o backing_file=/tmp/t.qcow2, -o help \
          /tmp/t.qcow2

      This should not crash. This actually is tested by iotest 082, but not
      caught due to the segmentation fault being silent (which is something
      that needs to be fixed, too).

      Reported-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bdd03cdf5dc3176bc7169a1d5709303e9279fffb
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed Aug 12 17:33:31 2015 +0200

      block/raw-posix: Use raw_normalize_devicepath()

      The filename given to qemu_open() in block/raw-posix.c should generally
      have been processed by raw_normalize_devicepath(); unless we are only
      probing (in which case the caller often checks whether the file is a
      block device or not, and this property will be changed by
      raw_normalize_devicepath() on NetBSD) or it is about a deprecated device
      (i.e. floppy).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 137a905fdf43880c077438d57ef2d319569da9eb
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:50 2015 +0800

      qemu-iotests: s390x: fix test 130

      The default device id of hard disk on the s390 platform is "virtio0"
      which differs to the "ide0-hd0" for the x86 platform. Setting id in
      the drive definition, ie:"qemu -drive id=testdisk", will be the same
      on all platforms.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 212789925efffe1c552b114321ee74081a7efb03
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:49 2015 +0800

      qemu-iotests: s390x: fix test 049, reject negative sizes in QemuOpts

      when creating an image qemu-img enable us specifying the size of the
      image using -o size=xx options. But when we specify an invalid size
      such as a negtive size then different platform gives different result.

      parse_option_size() function in util/qemu-option.c will be called to
      parse the size, a cast was called in the function to cast the input
      (saved as a double in the function) size to an unsigned int64 value,
      when the input is a negtive value or exceeds the maximum of uint64, then
      the result is undefined.

      According to C99 6.3.1.4, the result of converting a floating point
      number to an integer that cannot represent the (integer part of) number
      is undefined.  And sure enough the results are different on x86 and
      s390.

      C99 Language spec 6.3.1.4 Real floating and integers:
      the result of this assignment/cast is undefined if the float is not
      in the open interval (-1, U<type>_MAX+1).

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d8683155fa76cabff112271771e43e21034ff2ba
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:48 2015 +0800

      qemu-iotests: s390x: fix test 041 and 055

      There is no 'ide-cd' device defined on non-pc platform, so
      test_medium_not_found() test should be skipped.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Xiao Guang Chen <chenxg@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2711fd33a4b18c5e35a6f7efe57b5d868def829e
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:47 2015 +0800

      qemu-iotests: disable default qemu devices for cross-platform 
compatibility

      This patch fixes an io test suite issue that was introduced with the
      commit c88930a6866e74953e931ae749781e98e486e5c8 'qemu-char: Permit only
      a single "stdio" character device'. The option supresses the creation of
      default devices such as the floopy and cdrom. Output files for test case
      067, 071, 081 and 087 need to be updated to accommodate this change.
      Use virtio-blk instead of virtio-blk-pci as the device driver for test
      case 067. For virtio-blk-pci is the same with virtio-blk as device
      driver but other platform such as s390 may not recognize the 
virtio-blk-pci.

      The default devices differ across machines. As the qemu output often
      contains these devices (or events for them, like opening a CD tray on
      reset), the reference output currently is rather machine-specific.

      All existing qemu tests explicitly configure the devices they're working
      with, so just pass -nodefaults to qemu by default to disable the default
      devices. Update the reference outputs accordingly.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Xiao Guang Chen <chenxg@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e166b4148208656635ea2fe39df8b1e875a34fb8
  Author: Bo Tu <tubo@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 3 15:28:46 2015 +0800

      qemu-iotests: qemu machine type support

      This patch adds qemu machine type support to the io test suite.
      Based on the qemu default machine type and alias of the default machine
      type the reference output file can now vary from the default to a
      machine specific output file if necessary. When using a machine specific
      reference file if the default machine has an alias then use the alias as 
the output
      file name otherwise use the default machine name as the output file name.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Xiao Guang Chen <chenxg@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b597aa037dbd98014c8dec3d69a5e2240f432533
  Merge: b5bff75 6231316
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 4 17:37:50 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-09-04' into staging

      Monitor patches

      # gpg: Signature made Fri 04 Sep 2015 12:40:11 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-09-04:
        hmp: add info iothreads command
        qmp-shell: add documentation

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b5bff7518d8e4feda95f5c523cb24f72863c1df6
  Merge: b041066 c4f498f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Sep 4 15:53:48 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-09-04' 
into staging

      qapi: Another round of fixes and cleanups

      # gpg: Signature made Fri 04 Sep 2015 14:48:54 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-09-04: (33 commits)
        qapi: Generators crash when --output-dir isn't given, fix
        docs/qapi-code-gen.txt: Fix QAPI schema examples
        qapi: Simplify error reporting for array types
        qapi: Fix errors for non-string, non-dictionary members
        tests/qapi-schema: Cover non-string, non-dictionary members
        tests/qapi-schema: Cover two more syntax errors
        qapi: Drop one of two "simple union must not have base" checks
        qapi: Generated code cleanup
        qapi-commands: Drop useless initialization
        qapi-commands: Don't feed output of mcgen() to mcgen() again
        qapi-commands: Inline gen_marshal_output_call()
        qapi-commands: Fix gen_err_check(e) for e and e != 'local_err'
        qapi: Command returning anonymous type doesn't work, outlaw
        qapi: Fix to reject union command and event arguments
        qapi-tests: New tests for union, alternate command arguments
        tests/qapi-schema: Rename tests from data- to args-
        tests/qapi-schema: Restore test case for flat union base bug
        qapi: Document flaws in checking of names
        qapi: Document shortcoming with union 'data' branch
        qapi: Document that input visitor semantics are prone to leaks
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c4f498fe8532cdacc609262b104322911108df54
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 3 10:24:25 2015 +0200

      qapi: Generators crash when --output-dir isn't given, fix

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 94a3f0af388820d74a9d89d1a856d2baa448c696
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Sep 3 10:18:06 2015 +0200

      docs/qapi-code-gen.txt: Fix QAPI schema examples

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit eddf817bd823a90df209dfbdc2a0b2ec33b7cb77
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 13:54:39 2015 +0200

      qapi: Simplify error reporting for array types

      check_type() first checks and peels off the array type, then checks
      the element type.  For two out of four error messages, it takes pains
      to report errors for "array of T" instead of just T.  Odd.  Let's
      examine the errors.

      * Unknown element type, e.g.
        tests/qapi-schema/args-array-unknown.json:

            Member 'array' of 'data' for command 'oops' uses unknown type
            'array of NoSuchType'

        To make sense of this, you need to know that 'array of NoSuchType'
        refers to '[NoSuchType]'.  Easy enough.  However, simply reporting

            Member 'array' of 'data' for command 'oops' uses unknown type
            'NoSuchType'

        is at least as easy to understand.

      * Element type's meta-type is inadmissible, e.g.
        tests/qapi-schema/returns-whitelist.json:

            'returns' for command 'no-way-this-will-get-whitelisted' cannot
            use built-in type 'array of int'

        'array of int' is technically not a built-in type, but that's
        pedantry.  However, simply reporting

            'returns' for command 'no-way-this-will-get-whitelisted' cannot
            use built-in type 'int'

        avoids the issue, and is at least as easy to understand.

      * The remaining two errors are unreachable, because the array checking
        ensures that value is a string.

      Thus, reporting some errors for "array of T" instead of just T works,
      but doesn't really improve things.  Drop it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c6b71e5ae73802057d700e2419b80aef1651f213
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 17:28:52 2015 +0200

      qapi: Fix errors for non-string, non-dictionary members

      Fixes the errors demonstrated by the previous commit.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 10689e36eb99e99751497ac8cef2a946e9a3a850
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 17:17:42 2015 +0200

      tests/qapi-schema: Cover non-string, non-dictionary members

      We always report "should be a dictionary" then.  This is misleading:
      when allow_dict, it can be a dictionary or a type name string, else it
      can only be a type name.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 91f9816da4d505d379753896f3f7b6abb910324b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 15:47:55 2015 +0200

      tests/qapi-schema: Cover two more syntax errors

      Syntax error coverage should now be complete.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 65fbe125451da9421070ab03944c9600a264eefc
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Aug 31 15:37:42 2015 +0200

      qapi: Drop one of two "simple union must not have base" checks

      The first check ensures the second one can't trigger.  Drop the first
      one, because the second one is in a more logical place, and emits a
      nicer error message.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 3a864e7c52af15017d5082a9ee39a7919f46d2b5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 16:55:15 2015 +0200

      qapi: Generated code cleanup

      Clean up white-space, brace placement, and superfluous #ifdef
      QAPI_TYPES_BUILTIN_CLEANUP_DEF.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 3f99144cd9afbf51a7fbddf20b921402c2d4f68c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 18:51:18 2015 +0200

      qapi-commands: Drop useless initialization

      In generated command handlers, the assignment to retval dominates its
      only use.  Therefore, its initialization is useless.  Drop it.

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1f9a7a1a5862ad224aa86f9b4c046248ffc27aa3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 27 17:49:34 2015 +0200

      qapi-commands: Don't feed output of mcgen() to mcgen() again

      Multiple passes through mcgen() is prone to produce unwanted blank
      lines, which we then combat by sprinkling .rstrip() on top.  Just
      don't do it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e02bca281c82f874d84578af4deea46142232115
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 27 17:21:12 2015 +0200

      qapi-commands: Inline gen_marshal_output_call()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8102307f51e68280ac965a140a87073d5c31e9a5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 27 16:48:14 2015 +0200

      qapi-commands: Fix gen_err_check(e) for e and e != 'local_err'

      gen_err_check() hard-codes 'local_err' instead of substituting the
      argument.  Currently harmless, since all callers pass either None or
      'local_err'.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 9b090d42aea9a0abbf39a1d75561a186057b5fe6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 17:59:38 2015 +0200

      qapi: Command returning anonymous type doesn't work, outlaw

      Reproducer: with

          { 'command': 'user_def_cmd4', 'returns': { 'a': 'int' } }

      added to qapi-schema-test.json, qapi-commands.py dies when it tries to
      generate the command handler function

          Traceback (most recent call last):
            File "/work/armbru/qemu/scripts/qapi-commands.py", line 359, in 
<module>
              ret = generate_command_decl(cmd['command'], arglist, ret_type) + 
"\n"
            File "/work/armbru/qemu/scripts/qapi-commands.py", line 29, in 
generate_command_decl
              ret_type=c_type(ret_type), name=c_name(name),
            File "/work/armbru/qemu/scripts/qapi.py", line 927, in c_type
              assert isinstance(value, str) and value != ""
          AssertionError

      because the return type doesn't exist.

      Simply outlaw this usage, and drop or dumb down test cases accordingly.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 315932b5edb86597adafbd1faa2d29c46499d8c3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 10:12:24 2015 +0200

      qapi: Fix to reject union command and event arguments

      A command's or event's 'data' must be a struct type, given either as a
      dictionary, or as struct type name.

      Commit dd883c6 tightened the checking there, but not enough: we still
      accept 'union'.  Fix to reject it.

      We may want to support union types there, but we'll have to extend
      qapi-commands.py and qapi-events.py for it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d9658d58e33128df32093b7a84bed76b527fb884
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 09:54:11 2015 +0200

      qapi-tests: New tests for union, alternate command arguments

      A command's 'data' must be a struct type, given either as a
      dictionary, or as struct type name.

      Existing test case data-int.json covers simple type 'int'.  Add test
      cases for type names referring to union and alternate types.

      The latter is caught (good), but the former is not (bug).

      Events have the same problem, but since they get checked by the same
      code, we don't bother to duplicate the tests.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 6af9a8fc8ec83f823c079211bc7a2414b1d4e5fe
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 13:30:50 2015 +0200

      tests/qapi-schema: Rename tests from data- to args-

      Since every schema entity has 'data', the data- prefix conveys no
      information.  These tests actually exercise commands.  Only commands
      have arguments, so change the prefix to to args-.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 80e60a19a82cf872652d1923e800fecef5cc7def
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 13:21:10 2015 +0200

      tests/qapi-schema: Restore test case for flat union base bug

      Test case added in commit 2fc0043, and messed up in commit 5223070.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d90675fa4bc256238b3dd3a7fdd5f9029eca00b8
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 11:33:52 2015 +0200

      qapi: Document flaws in checking of names

      We don't actually enforce our "other than downstream extensions [...],
      all names should begin with a letter" rule.  Add a FIXME.

      We should reject names that differ only in '_' vs. '.'  vs. '-',
      because they're liable to clash in generated C.  Add a FIXME.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ca56a822dd538017715345cbbe1f8829e0cc2742
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Jul 30 17:07:17 2015 -0600

      qapi: Document shortcoming with union 'data' branch

      Add a FIXME to remind us to fully audit whether removing the
      'void *data' branch of each qapi union type can be done safely.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1438297637-26789-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2f52e20597ebd55ede668b2b7d162a84f419b03e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu Jul 30 16:33:07 2015 -0600

      qapi: Document that input visitor semantics are prone to leaks

      Most functions that can return a pointer or set an Error ** value
      are decent enough to guarantee a NULL return when reporting an error.
      Not so with our generated qapi visitor functions.  If the caller
      is not careful to clean up partially-allocated objects on error,
      then the caller suffers a memory leak.

      Properly fixing it is probably complex enough to save for a later
      day, so merely document it for now.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-Id: <1438295587-19069-1-git-send-email-eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 999387782f736d7ac0083f4f02e2bc4ce7a9a27b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 13:14:02 2015 +0200

      tests/qapi-schema: Document events with base don't work

      When event FOO's 'data' is a struct with a base, we consider only the
      struct's direct members, and ignore its base.  The generated
      qapi_event_send_foo() doesn't take arguments for base members.

      No such events currently exist in the QMP schema.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 422e16aac4bd4476f5b40bee3049089de34ef6b6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 17:52:45 2015 +0200

      tests/qapi-schema: Document alternate's enum lacks visit function

      We generate a declaration, but no definition.

      The QMP schema has two: Qcow2OverlapChecks and BlockdevRef.  Neither
      visit_type_Qcow2OverlapChecksKind() nor visit_type_BlockdevRefKind()
      is actually used.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 40b3adec13a9e022ff5a2e2b81c243fc0a026746
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 17:21:42 2015 +0200

      qapi-visit: Fix two name arguments passed to visitors

      The generated code passes mangled schema names to visit_type_enum()
      and union's visit_start_struct().  Fix it to pass the names
      unadulterated, like we do everywhere else.

      Only qapi-schema-test.json actually has names where this makes a
      difference: enum __org.qemu_x-Enum, flat union __org.qemu_x-Union2,
      simple union __org.qemu_x-Union1 and its implicit enum
      __org.qemu_x-Union1Kind.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8c07eddc619d618965fdd7a96bfe3b5c59f42b52
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 30 09:27:04 2015 +0200

      qapi-visit: Replace list implicit_structs by set

      Use set because that's what it is.  While there, rename to
      implicit_structs_seen.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8c3f8e77215bfedb7854221868f655e148506936
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 26 10:19:11 2015 +0200

      qapi-visit: Fix generated code when schema has forward refs

      The visit_type_implicit_FOO() are generated on demand, right before
      their first use.  Used by visit_type_STRUCT_fields() when STRUCT has
      base FOO, and by visit_type_UNION() when flat UNION has member a FOO.

      If the schema defines FOO after its first use as struct base or flat
      union member, visit_type_implicit_FOO() calls
      visit_type_implicit_FOO() before its definition, which doesn't
      compile.

      Rearrange qapi-schema-test.json to demonstrate the bug.

      Fix by generating the necessary forward declaration.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1e6c1616a91cdcbe9a8387541f7689b8c11632aa
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sun Jun 28 20:05:53 2015 +0200

      qapi: Generate a nicer struct for flat unions

      The struct generated for a flat union is weird: the members of its
      base are at the end, except for the union tag, which is at the
      beginning.

      Example: qapi-schema-test.json has

          { 'struct': 'UserDefUnionBase',
            'data': { 'string': 'str', 'enum1': 'EnumOne' } }

          { 'union': 'UserDefFlatUnion',
            'base': 'UserDefUnionBase',
            'discriminator': 'enum1',
            'data': { 'value1' : 'UserDefA',
                      'value2' : 'UserDefB',
                      'value3' : 'UserDefB' } }

      We generate:

          struct UserDefFlatUnion
          {
              EnumOne enum1;
              union {
                  void *data;
                  UserDefA *value1;
                  UserDefB *value2;
                  UserDefB *value3;
              };
              char *string;
          };

      Change to put all base members at the beginning, unadulterated.  Not
      only is this easier to understand, it also permits casting the flat
      union to its base, if that should become useful.

      We now generate:

          struct UserDefFlatUnion
          {
              /* Members inherited from UserDefUnionBase: */
              char *string;
              EnumOne enum1;
              /* Own members: */
              union { /* union tag is @enum1 */
                  void *data;
                  UserDefA *value1;
                  UserDefB *value2;
                  UserDefB *value3;
              };
          };

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 0f61af3eb396ae163cd1572ce12e05f5d08d7c15
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jul 31 10:30:04 2015 +0200

      qapi: Fix generated code when flat union has member 'kind'

      A flat union's tag member gets renamed to 'kind' in the generated
      code.  Breaks when another member named 'kind' exists.

      Example, adapted from qapi-schema-test.json:

          { 'struct': 'UserDefUnionBase',
            'data': { 'kind': 'str', 'enum1': 'EnumOne' } }

      We generate:

          struct UserDefFlatUnion
          {
              EnumOne kind;
              union {
                  void *data;
                  UserDefA *value1;
                  UserDefB *value2;
                  UserDefB *value3;
              };
              char *kind;
          };

      Kill the silly rename.

      Reported-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 5aa05d3f72e556752167f7005d6a3dea0f4432c5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sun Jun 28 21:36:26 2015 +0200

      qapi: Drop unused and useless parameters and variables

      gen_sync_call()'s parameter indent is useless: gen_sync_call() uses it
      only as optional argument for push_indent() and pop_indent(), their
      default is four, and gen_sync_call()'s only caller passes four.  Drop
      the parameter.

      gen_visitor_input_containers_decl()'s parameter obj is always
      "QOBJECT(args)".  Use that, and drop the parameter.

      Drop unused parameters of gen_marshal_output(),
      gen_marshal_input_decl(), generate_visit_struct_body(),
      generate_visit_list(), generate_visit_enum(), generate_declaration(),
      generate_enum_declaration(), generate_decl_enum().

      Drop unused variables in generate_event_enum_lookup(),
      generate_enum_lookup(), generate_visit_struct_fields(), check_event().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1cf47a15f18312436c7fa2d97be5fbe6df0292f5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 13:13:54 2015 +0200

      qapi: Reject -p arguments that break qapi-event.py

      qapi-event.py breaks when you ask for a funny prefix like '@'.
      Protect it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 016a335bd8ca624f43adbb08fa1698c29ec52a1a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jul 1 12:59:40 2015 +0200

      qapi-event: Clean up how name of enum QAPIEvent is made

      Use c_name() instead of ad hoc code.  Doesn't upcase the -p prefix,
      which is an improvement in my book.  Unbreaks prefix containing '.',
      but other funny characters remain broken.  To be fixed next.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 00dfc3b2c272d98556ec6095d56bdd8b036babf9
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Sat Jun 27 07:27:21 2015 +0200

      qapi: Simplify guardname()

      The guards around built-in declarations lose their _H.  It never made
      much sense anyway.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 77e703b861d34bb2879f3e845482d5cf0a3a0ad1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 24 19:27:32 2015 +0200

      qapi: Clean up cgen() and mcgen()

      Commit 05dfb26 added eatspace stripping to mcgen().  Move it to
      cgen(), just in case somebody gets tempted to use cgen() directly
      instead of via mcgen().

      cgen() indents blank lines.  No such lines get generated right now,
      but fix it anyway.

      We use triple-quoted strings for program text, like this:

          '''
          Program text
          any number of lines
          '''

      Keeps the program text relatively readable, but puts an extra newline
      at either end.  mcgen() "fixes" that by dropping the first and last
      line outright.  Drop only the newlines.

      This unmasks a bug in qapi-commands.py: four quotes instead of three.
      Fix it up.

      Output doesn't change

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 4247f839009159cb2cbaddfbd41513e180c4fe52
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 15:24:36 2015 +0200

      qapi: Clarify docs on including the same file multiple times

      It's idempotent.

      While there, update examples to current code.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 62313160cb5b6bdfbd77a063e94a5a7d25e59f2b
  Author: Ting Wang <kathy.wangting@xxxxxxxxxx>
  Date:   Fri Jun 26 16:07:13 2015 +0800

      hmp: add info iothreads command

      Make "info iothreads" available on the HMP monitor.

      For example, the results are as follows when executing qemu
      command with "-object iothread,id=iothread-1 -object
      iothread,id=iothread-2".
      (qemu) info iothreads
      iothread-1: thread_id=123
      iothread-2: thread_id=456

      Signed-off-by: Ting Wang <kathy.wangting@xxxxxxxxxx>
      Message-Id: <1435306033-58372-1-git-send-email-kathy.wangting@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Reviewed-by: Amos Jianjun Kong <kongjianjun@xxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e2f9a6572bb400e64e7a56526c5f7a4a9f8f6f90
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Jul 1 14:25:49 2015 -0400

      qmp-shell: add documentation

      I should probably document the changes that were made.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-Id: <1435775149-17285-1-git-send-email-jsnow@xxxxxxxxxx>
      Reviewed-By: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b041066421e8dcc7d080dfcfd83551c9c9f24ade
  Merge: 550e66e 987bd27
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 16:17:28 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/tracing-pull-request' 
into staging

      # gpg: Signature made Thu 03 Sep 2015 15:46:52 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/tracing-pull-request:
        trace-events: Add hmp completion

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 987bd27000b6e21df6c73f6badb945ab5e42996a
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri Aug 14 11:27:43 2015 +0100

      trace-events: Add hmp completion

      Add completion for the trace event names in the hmp trace-event
      command.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-id: 1439548063-18410-1-git-send-email-dgilbert@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 550e66ea4cce7b6664d6caf7e651814cc2d30421
  Merge: 561578c 9ef4017
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 14:33:03 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150903' into 
staging

      First batch of s390x patches for 2.5:
      - introduce 2.5 compat machine
      - support for migration of storage keys

      # gpg: Signature made Thu 03 Sep 2015 11:28:06 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150903:
        s390x: Disable storage key migration on old machine type
        s390x: Migrate guest storage keys (initial memory only)
        s390x: Info skeys sub-command
        s390x: Dump-skeys hmp support
        s390x: Dump storage keys qmp command
        s390x: Enable new s390-storage-keys device
        s390x: Create QOM device for s390 storage keys
        s390x: add 2.5 compat s390-ccw-virtio machine

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f4798320144245da66128edb840bd940fd287d28
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Apr 9 11:39:28 2015 +0200

      ipxe: update binaries

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit cf2b4b5b77a7bfe9216efc76117447b88acd47a9
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Sep 3 14:40:29 2015 +0200

      ipxe: use upstream configuration

      Upstream supports named configurations now and ships with
      settings for qemu.  Use them, drop our config header copying.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f927f16213506a493ac416d9a9fa73c7460a766e
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Apr 9 11:37:15 2015 +0200

      ipxe: don't override GITVERSION

      We had build problems due to the git version checking in the ipxe build
      system in the past.  Don't remember the details, but the problem seems
      to be gone now, so lets remove the workaround.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

      [ most likely ipxe commit 6153c09c41034250408f3596555fcaae715da46c:
        [build] Set GITVERSION only if there is a git repository ]

      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit d4517d170c041ab654c9e65e5bbd3d79956af5b7
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Apr 9 10:52:19 2015 +0200

      ipxe: update from 35c53797 to 4e03af8

      git shortlog
      ============

      Alex Williamson (1):
            [dhcp] Extract timing parameters out to config/dhcp.h

      Bernd Wiebelt (1):
            [tg3] Add support for BCM57766

      Christian Hesse (3):
            [intel] Add PCI device IDs for Intel I218-LM and I218-V
            [build] Add missing "const" qualifiers
            [ath9k] Remove confusing logic inversion in an ANI variable

      Christian Nilsson (1):
            [bios] Add ANSI blink attribute

      Daniel Pieczko (1):
            [prefix] Use correct register for KEEP_IT_REAL physical address 
conversion

      Ed Swierk (1):
            [intel] Update PCI device IDs for Intel 82599 and X540 10G NICs

      Fabrice Bacchella (2):
            [efi] Improve NII driver logging
            [efi] Work around bugs in Emulex NII driver

      Laszlo Ersek (1):
            [virtio] Downgrade per-iobuf debug messages to DBGC2

      Michael Brown (284):
            [device] Provide a driver-private data field for root devices
            [iobuf] Add iob_split() to split an I/O buffer into portions
            [rndis] Add generic RNDIS device abstraction
            [hyperv] Add support for Hyper-V hypervisor
            [hyperv] Add support for VMBus devices
            [hyperv] Add support for NetVSC paravirtual network devices
            [rndis] Send RNDIS_INITIALISE_MSG
            [rndis] Send RNDIS_HALT_MSG
            [hyperv] Tear down NetVSC RX buffer GPADL after closing VMBus device
            [rndis] Clear receive filter when closing the device
            [hyperv] Receive all VMBus messages in a poll
            [hyperv] Increase TX ring size
            [hyperv] Assume that VMBus xfer page ranges correspond to RNDIS 
messages
            [rndis] Ignore start-of-day RNDIS_INDICATE_STATUS_MSG with status 
0x40020006
            [hyperv] Tidy up debug output
            [hyperv] Require support for VMBus version 3.0 or newer
            [build] Include Hyper-V driver in the all-drivers build
            [pci] Allow drivers to specify a PCI class
            [romprefix] Ensure UNDI loader can be included by all ROM types
            [usb] Add basic support for USB devices
            [usb] Add basic support for USB hubs
            [usb] Add support for xHCI host controllers
            [ncm] Add support for CDC-NCM USB Ethernet devices
            [usb] Report xHCI host controller events
            [ncm] Use large multi-packet buffers by default
            [tftp] Explicitly abort connection whenever parent interface is 
closed
            [uri] Allow tftp_uri() to construct a URI with a custom port
            [pxe] Use tftp_uri() to construct PXE TFTP URIs
            [pxe] Maintain a queue for received PXE UDP packets
            [ncm] Reserve headroom in received packets
            [usb] Try multiple USB device configurations
            [usb] Handle CDC union functional descriptors
            [usb] Parse endpoint descriptor bInterval field
            [usb] Allow usb_stream() to enforce a terminating short packet
            [ecm] Add support for CDC-ECM USB Ethernet devices
            [xhci] Delay after (possibly) forcing port link state to RxDetect
            [build] Move branding information to config/branding.h
            [build] Use PRODUCT_SHORT_NAME for end-user visible strings
            [build] Allow product URI to be customised via config/branding.h
            [build] Allow error message URI to be customised via 
config/branding.h
            [build] Allow command help text URI to be customised via 
config/branding.h
            [build] Allow setting help text URI to be customised via 
config/branding.h
            [build] Allow product tag line to be customised via 
config/branding.h
            [rndis] Add rndis_rx_err()
            [usb] Handle port status changes received after failing to find a 
driver
            [efi] Disallow R_X86_64_32 relocations
            [build] Apply the "-fno-PIE -nopie" workaround only to i386 builds
            [usb] Provide generic framework for refilling receive endpoints
            [usb] Use generic refill framework for USB hub interrupt endpoints
            [ecm] Use generic refill framework for bulk IN and interrupt 
endpoints
            [ncm] Use generic refill framework for bulk IN and interrupt 
endpoints
            [libc] Remove unused string functions
            [libc] Rewrite string functions
            [test] Add self-tests for more string functions
            [test] Add constant-length memset() self-tests
            [libc] Reduce size of memset()
            [usb] Add generic USB network device framework
            [ecm] Use generic USB network device framework
            [ncm] Use generic USB network device framework
            [timer] Rewrite the 8254 Programmable Interval Timer support
            [xhci] Leak memory if controller fails to disable slot
            [xhci] Abort commands on timeout
            [test] Add IPv4 self-tests
            [legal] Add missing copyright header to net/ipv4.c
            [ipv4] Rewrite inet_aton()
            [libc] Rewrite strtoul()
            [hyperv] Check for required features
            [prefix] Use .bss16 as temporary stack space for calls to 
install_block
            [zbin] Use LZMA compression
            [zbin] Perform extra normalisation after completing decompression
            [prefix] Call decompressor in flat real mode when DEBUG=libprefix 
is enabled
            [zbin] Allow decompressor to generate debug output via BIOS console
            [zbin] Fix check for existence of most recent output byte
            [zbin] Remove now-unused unnrv2b.S decompressor
            [legal] Update GPLv2 licence text
            [legal] Include full licence text for all GPL2_OR_LATER files
            [mucurses] Add missing FILE_LICENCE declarations
            [legal] Add support for the Unmodified Binary Distribution Licence
            [legal] Add UBDL relicensing tool
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [libc] Rewrite unrelicensable portions of stddef.h
            [libc] Rewrite unrelicensable portions of ctype.h
            [libc] Rewrite setjmp() and longjmp()
            [libc] Rewrite byte-swapping code
            [elf] Rewrite ELF header
            [list] Relicense list.h
            [iscsi] Rewrite unrelicensable portions of iscsi.c
            [pci] Remove outdated and mostly-unused pci_ids.h file
            [pci] Rewrite unrelicensable portions of pci.h
            [settings] Use list_first_entry() when unregistering child settings
            [settings] Rewrite unrelicensable portions of settings.c
            [menu] Abstract out the generic concept of a jump scroller
            [settings] Use generic jump scrolling abstraction
            [malloc] Move valgrind headers out of arch/x86
            [malloc] Rewrite unrelicensable portions of malloc.c
            [build] Remove unused IMPORT_SYMBOL() and EXPORT_SYMBOL() macros
            [build] Remove unused __keepme macro
            [pxe] Remove obsolete references to pxeparent_dhcp
            [build] Remove obsolete and unused portions of config.c
            [build] Use REQUIRE_OBJECT() to drag in per-object configuration
            [build] Fix the REQUIRE_SYMBOL mechanism
            [i386] Move real_to_user() to realmode.h
            [linux] Rewrite headers included in all builds
            [retry] Rewrite unrelicensable portions of retry.c
            [retry] Colourise debug output
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [xhci] Enable USB3 ports on Intel PCH8/PCH9 controllers
            [xhci] Undo PCH-specific quirk fixes when removing device
            [xen] Set the "feature-rx-notify" flag for netfront devices
            [http] Abstract out HTTP Digest hash algorithm operations
            [http] Support MD5-sess Digest authentication
            [dm96xx] Add driver for Davicom DM96xx USB Ethernet NICs
            [legal] Relicense Davicom DM96xx drivers
            [mii] Add generic mii_check_link() function
            [smsc75xx] Add driver for SMSC/Microchip LAN75xx USB Ethernet NICs
            [legal] Relicense files under GPL2_OR_LATER_OR_UBDL
            [tcp] Implement support for TCP Selective Acknowledgements (SACK)
            [smsc75xx] Move RX FIFO overflow message to DBGLVL_EXTRA
            [tcpip] Fix dubious calculation of min_port
            [libc] Add ffs(), ffsl(), and ffsll()
            [usb] Add the concept of a USB bus maximum transfer size
            [ncm] Respect maximum transfer size of the bus
            [usb] Add functions for manual device address assignment
            [xhci] Forcibly disable SMIs if BIOS fails to release ownership
            [autoboot] Match against parent devices when matching by bus type 
and location
            [usb] Add config/usb.h for USB configuration options
            [xhci] Do not release ownership back to BIOS when booting an OS
            [ehci] Add support for EHCI host controllers
            [netdevice] Add missing bus types to netdev_fetch_bustype()
            [usb] Fix USB timeouts to match specification
            [libprefix] Fix building on 64-bit FreeBSD 8.4
            [xhci] Ring doorbell as part of endpoint reset
            [usb] Reset endpoints without waiting for a new transfer to be 
enqueued
            [usb] Add clear_tt() hub method to clear transaction translator 
buffer
            [usb] Clear transaction translator buffers when applicable
            [ehci] Support USB1 devices attached via transaction translators
            [usb] Improve debug messages for failed control transactions
            [xhci] Support USB1 devices attached via transaction translators
            [libc] Fix typo in longjmp()
            [libc] Add x86_64 versions of setjmp() and longjmp()
            [test] Add setjmp()/longjmp() self-tests
            [test] Simplify digest algorithm self-tests
            [crypto] Add SHA-224 algorithm
            [crypto] Add SHA-512 algorithm
            [crypto] Add SHA-384 algorithm
            [crypto] Add SHA-512/256 algorithm
            [crypto] Add SHA-512/224 algorithm
            [efi] Ensure drivers are disconnected when ExitBootServices() is 
called
            [peerdist] Add support for decoding PeerDist Content Information
            [xhci] Always reset root hub ports
            [romprefix] Allow autoboot device filter to be disabled
            [util] Add ability to dump PCI device ID list
            [efi] Add EFI entropy source
            [efi] Add EFI time source
            [efi] Provide a dummy data block in nii_initialise()
            [efi] Poll media status only if advertised as supported
            [efi] Poll for TX completions only when there is an outstanding TX 
buffer
            [efi] Use the EFI_RNG_PROTOCOL as an entropy source if available
            [eepro100] Remove duplicate PCI_ROM() line
            [prism2] Remove duplicate PCI_ROM() lines
            [build] Allow building PCI ROMs with device ID lists
            [build] Fix compiler warning on OpenBSD 5.7
            [build] Work around binutils quirk on OpenBSD 5.7
            [build] Use a single call to parserom.pl to speed up building
            [intel] Report any unexpected interrupt causes
            [intel] Force RX polling on VMware emulated 82545em
            [realtek] Do not attempt to access EEPROM on RTL8169 chips
            [rtl818x] Obviate RTL_ROM() hack
            [build] Construct all-drivers list based on driver class
            [test] Include IPv6 support when performing settings self-tests
            [base16] Add buffer size parameter to base16_encode() and 
base16_decode()
            [base64] Add buffer size parameter to base64_encode() and 
base64_decode()
            [settings] Add "base64" setting type
            [vram] Add "vram" built-in setting to dump video RAM
            [usb] Include setup packet within I/O buffer for message transfers
            [pci] Provide PCI_CLASS() to calculate a scalar PCI class value
            [usb] Detect missed disconnections
            [usb] Maintain a list of all USB buses
            [usb] Maintain single lists of halted endpoints and changed ports
            [ehci] Poll child companion controllers after disowning port
            [usb] Add find_usb_bus_by_location() helper function
            [ehci] Allow UHCI/OHCI controllers to locate the EHCI companion 
controller
            [uhci] Add support for UHCI host controllers
            [usb] Provide usb_endpoint_name() for use by host controller drivers
            [xhci] Use meaningful device names in debug messages
            [ehci] Use meaningful device names in debug messages
            [uhci] Use meaningful device names in debug messages
            [ipv6] Disambiguate received ICMPv6 errors
            [usb] Add USB_INTERRUPT_OUT internal type
            [usb] Add generic USB human interface device (HID) framework
            [usb] Add basic support for USB keyboards
            [usb] Do not call usb_hotplug() when registering a new hub
            [usb] Always clear recorded disconnections after performing hotplug 
actions
            [intel] Expose intel_diag() for use by other Intel NIC drivers
            [intel] Allow for the use of advanced TX descriptors
            [intel] Add support for mailbox used by virtual functions
            [intel] Add intelxvf driver for Intel 10 GigE virtual function NICs
            [int13con] Add basic ability to log to a local disk via INT 13
            [intel] Add intelxvf_stats() to dump packet statistics registers
            [intel] Fix operation when physical function has jumbo frames 
enabled
            [neighbour] Return success when deferring a packet
            [xhci] Fix length of allocated slot array
            [build] Fix .ids.o creation for drivers not in the all-drivers build
            [xhci] Fix comparison of signed and unsigned integers
            [ipoib] Fix REMAC cache discarder
            [xhci] Record device-specific quirks in xHCI device structure
            [xhci] Ignore invalid protocol speed ID values on Intel Skylake 
platforms
            [pci] Use flat real mode to call INT 1a,b101
            [tcp] Do not shrink window when discarding received packets
            [mromprefix] Report a dummy size at offset 0x02 of .mrom payload
            [ethernet] Add minimal support for receiving LLC frames
            [netdevice] Add a generic concept of a "blocked link"
            [stp] Add support for detecting Spanning Tree Protocol 
non-forwarding ports
            [stp] Fix interpretaton of hello time
            [dhcp] Defer discovery if link is blocked
            [pxe] Always reconstruct packet for PXENV_GET_CACHED_INFO
            [serial] Add general abstraction of a 16550-compatible UART
            [gdb] Use new UART abstraction in GDB serial transport
            [serial] Use new UART abstraction in serial console driver
            [ipoib] Mark REMAC cache as expensive
            [ipoib] Attempt to generate ARPs as needed to repopulate REMAC cache
            [gdb] Allow gdbstub to be started on an arbitrary serial port
            [xen] Wait for and clear XenStore event before receiving data
            [tcp] Gracefully close connections during shutdown
            [ipoib] Transmit multicast packets as broadcasts
            [efi] Fix receive and transmit completion reporting
            [efi] Allow user experience to be downgraded
            [build] Add named configuration for qemu
            [tcp] Ensure FIN is actually sent if connection is closed while idle
            [fault] Generalise NETDEV_DISCARD_RATE fault injection mechanism
            [fault] Add inject_corruption() to randomly corrupt data
            [profile] Add profile_custom() for profiling with arbitrary time 
units
            [interface] Add intf_poke() helper
            [xfer] Use intf_poke() to implement xfer_window_changed()
            [xfer] Add xfer_check_order() utility function
            [xferbuf] Generalise to handle umalloc()-based buffers
            [xferbuf] Add xfer_buffer() to provide direct access to underlying 
buffer
            [downloader] Use generic data-transfer buffer mechanism
            [downloader] Provide direct access to the underlying data transfer 
buffer
            [build] Fix compiler warnings on some gcc versions
            [crypto] Add bit-rotation functions for 8-bit and 16-bit values
            [802.11] Use correct SHA1_DIGEST_SIZE constant name
            [crypto] Add ECB block cipher mode (for debug and self-tests only)
            [test] Generalise cipher tests and use okx()
            [test] Define shortcuts for frequently-used NIST AES test vectors
            [test] Add NIST self-tests for AES128 and AES256 in ECB mode
            [crypto] Replace AES implementation
            [test] Add NIST self-tests for AES192 in ECB and CBC modes
            [crypto] Remove AXTLS headers
            [build] Fix strict-aliasing warning on older gcc versions
            [ipv6] Treat a missing network device name as "netX"
            [netdevice] Avoid using zero as a network device index
            [ipv4] Redefine IP address constants to avoid unnecessary byte 
swapping
            [ipv4] Allow IPv4 socket addresses to include a scope ID
            [iscsi] Add missing "break" statements
            [netdevice] Allow network devices to disclaim IRQ support at runtime
            [peerdist] Include trimmed range within content information block
            [peerdist] Add support for constructing and decoding discovery 
messages
            [peerdist] Add support for constructing and decoding retrieval 
messages
            [pool] Add a generic concept of a pooled connection
            [linebuf] Support buffering of multiple lines
            [elf] Reject ELFBoot images requiring virtual addressing
            [comboot] Avoid dragging in serial console support unconditionally
            [serial] Check for UART existence in uart_select()
            [tls] Do not access beyond the end of a 24-bit integer
            [tls] Report supported signature algorithms in ClientHello
            [crypto] Support SHA-{224,384,512} in X.509 certificates
            [efi] Hold off watchdog timer while running
            [efi] Add missing "ULL" suffix on 64-bit constant
            [block] Add generic block device translator
            [http] Rewrite HTTP core to support content encodings
            [peerdist] Add segment discovery mechanism
            [peerdist] Add individual block download mechanism
            [peerdist] Add block download multiplexer
            [peerdist] Add support for PeerDist (aka BranchCache) HTTP content 
encoding
            [dhcp] Allow pseudo-DHCP servers to use pseudo-identifiers
            [dhcp] Ignore ProxyDHCPACKs without PXE options
            [pxe] Warn about PXE NBPs that may be EFI executables
            [test] Allow self-tests to report exit status when running under 
Linux
            [image] Detect image type when image is first registered
            [autoboot] Display image information as part of the default control 
flow

      Olaf Hering (1):
            [build] Sort objects in blib.a

      Robin Smidsrød (2):
            [vbox] Enable some more features now that we have LZMA compression
            [build] Rewrite parserom.pl to support multiple source files

      Thomas Miletich (1):
            [intel] Add PCI ID for I218-LM

      Tufan Karadere (1):
            [crypto] Add ASN.1 OIDs for sha{224,384,512}WithRsaEncryption

      Wissam Shoukair (2):
            [comboot] Implement INT22,0x000c
            [ipoib] Fix a race when chain-loading undionly.kpxe in IPoIB

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 561578c2a82292ddf55737791d2838b797f49f35
  Merge: fc8135a 08b0b23
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 13:05:45 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150902' into 
staging

      queued tcg patches

      # gpg: Signature made Wed 02 Sep 2015 22:35:37 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150902:
        tcg/i386: omit a few REXW prefixes in softmmu code
        tcg/aarch64: Fix tcg_out_qemu_{ld, st} for guest_base == 0

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fc8135a46d095f865d285e697a874f617bfeeb90
  Merge: 654cd2c 112e451
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 12:09:41 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-axp-20150902' into 
staging

      cmpbge emulation improvements

      # gpg: Signature made Wed 02 Sep 2015 20:25:10 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-axp-20150902:
        target-alpha: Special case cmpbge with zero
        target-alpha: Rewrite helper_cmpbge using bit tests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9ef40173fbe99c0562d227980779a73613788782
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 9 13:56:44 2015 -0400

      s390x: Disable storage key migration on old machine type

      This code disables storage key migration when an older machine type is
      specified.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 186208fa1fa1b4fa1fe0b77c0fa61b9c0de6d66d
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:11:23 2015 -0400

      s390x: Migrate guest storage keys (initial memory only)

      Routines to save/load guest storage keys are provided. register_savevm is
      called to register them as migration handlers.

      We prepare the protocol to support more complex parameters. So we will
      later be able to support standby memory (having empty holes), compression
      and "state live migration" like done for ram.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit a08f0081c9886c1914d7bc2e6a29636a769fec84
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:10:16 2015 -0400

      s390x: Info skeys sub-command

      Provide an  info skeys hmp sub-command to allow the end user to dump a 
storage
      key for a given address. This is useful for guest operating system 
developers.

      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit a4538a5cc57dd493ed1545be98fa0ead0d391b8a
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:07:21 2015 -0400

      s390x: Dump-skeys hmp support

      Add dump-skeys command to the human monitor.

      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 7ee0c3e33a0f8664c529ce621ea83326817fc14a
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:03:16 2015 -0400

      s390x: Dump storage keys qmp command

      Provide a dump-skeys qmp command to allow the end user to dump storage
      keys. This is useful for debugging problems with guest storage key support
      within Qemu and for guest operating system developers.

      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 0f5f669147b52f89928bdf180165f74c4219210e
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 14:01:00 2015 -0400

      s390x: Enable new s390-storage-keys device

      s390 guest initialization is modified to make use of new s390-storage-keys
      device. Old code that globally allocated storage key array is removed.
      The new device enables storage key access for kvm guests.

      Cache storage key QOM objects in frequently used helper functions to 
avoid a
      performance hit every time we use one of these functions.

      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 0efe406cac8a4d9f0b52eada4c6c2a768fe4b7d2
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 11:54:51 2015 -0400

      s390x: Create QOM device for s390 storage keys

      A new QOM style device is provided to back guest storage keys. A special
      version for KVM is created, which handles the storage key access via
      KVM_S390_GET_SKEYS and KVM_S390_SET_SKEYS ioctl.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 84b48ad63ba1da6345c3f22da7cdefc93fbc07f0
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Jul 17 13:16:52 2015 +0200

      s390x: add 2.5 compat s390-ccw-virtio machine

      Reviewed-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 654cd2c5841d70e8053b39fb1a9162d5c113326b
  Merge: 0eac598 c5a9378
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 11:15:01 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Wed 02 Sep 2015 17:14:40 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        ne2000: Drop ne2000_can_receive
        vmxnet3: Drop net_vmxnet3_info.can_receive
        rtl8139: Do not consume the packet during overflow in standard mode.
        rtl8139: Fix receive buffer overflow check
        rtl8139: use ldl/stl wrapper for unaligned 32-bit access
        rtl8139: use net/eth.h macros instead of custom macros
        rtl8139: remove duplicate net/eth.h definitions

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0eac5986fc4cfe845d6d656c3a4dc29e004b3a3e
  Merge: f8b8091 e12f378
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Sep 3 09:50:37 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Wed 02 Sep 2015 17:01:33 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        block: more check for replaced node
        MAINTAINERS: add responsible person for Parallels format driver

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 08b0b23be639b955e5e3d84dc42fa4e5ce6a8728
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jul 19 13:50:32 2015 +0200

      tcg/i386: omit a few REXW prefixes in softmmu code

      When computing the TLB address we are likely to mask out the high
      32-bits by using shr + and. We can use 32-bit instructions in that
      case. This saves 2 bytes per TLB access.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1437306632-20655-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 352bcb0a2b816ff9ab9d75d0f2384650d9e9ab19
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 1 15:58:02 2015 -0400

      tcg/aarch64: Fix tcg_out_qemu_{ld, st} for guest_base == 0

      In ffc6372851d8631a9f9fa56ec613b3244dc635b9, we swapped the guest
      base to the address base register from the address index register.
      Except that 31 in the base slot is SP not XZR, so we need to be
      more intelligent about which reg gets placed in which slot.

      Cc: qemu-stable@xxxxxxxxxx (v2.4.0)
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reported-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 16ef9d0252318d7e32e445fd7474af55dbaab7db
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sun Aug 23 20:23:40 2015 -0400

      qemu-thread: handle spurious futex_wait wakeups

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1440375847-17603-12-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e12f3784097a26a1ba51be420f41038b4c0ae5d1
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri Jul 17 10:12:22 2015 +0800

      block: more check for replaced node

      We use mirror+replace to fix quorum's broken child. bs/s->common.bs
      is quorum, and to_replace is the broken child. The new child is target_bs.
      Without this patch, the replace node can be any node, and it can be
      top BDS with BB, or another quorum's child. We just check if the broken
      child is part of the quorum BDS in this patch.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-id: 55A86486.1000404@xxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f307371217c42d62015b8d83300a11cd9d3966f3
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Fri Aug 21 20:44:16 2015 +0300

      MAINTAINERS: add responsible person for Parallels format driver

      Denis has spent 6 years working with this format in Parallels and QEMU
      code was rewritten almost completely by his. Thus it would be quite
      natural to add him as a maintainer and point of contact.

      Patches are going to flow though Stefan's tree.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1440179056-12934-1-git-send-email-den@xxxxxxxxxx
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c5a93780453e6da919287c17e873c843544ef2a3
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 13:25:05 2015 +0800

      ne2000: Drop ne2000_can_receive

      ne2000_receive already checks the same conditions and drops the packet
      if it's not ready, removing the .can_receive callback avoids the
      necessity to add explicit flushes when the conditions turn true (which
      is required by the new semantics of .can_receive since 6e99c63
      "net/socket: Drop net_socket_can_send").

      Plus the "return 1" if E8390_STOP is also suspicious.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2734a20b8161831ba68c9166014e00522599d1e2
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 10:26:27 2015 +0800

      vmxnet3: Drop net_vmxnet3_info.can_receive

      Commit 6e99c63 ("net/socket: Drop net_socket_can_send") changed the
      semantics around .can_receive for sockets to now require the device to
      flush queued pkts when transitioning to a .can_receive=true state. But
      it's OK to drop incoming packets when the link is not active.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 26c4e7ca72d970d120f0f51244bc8d37458512a0
  Author: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
  Date:   Tue Sep 1 11:26:46 2015 -0400

      rtl8139: Do not consume the packet during overflow in standard mode.

      When operation in standard mode, we currently return the size
      of packet during buffer overflow.  This consumes the overflow
      packet.  Return 0 instead so we can re-process the overflow packet
      when we have room.

      This fixes issues with lost/dropped fragments of large messages.

      Signed-off-by: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1441121206-6997-3-git-send-email-vyasevic@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fabdcd3392f16fc666b1d04fc1bbe5f1dbbf10a4
  Author: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
  Date:   Tue Sep 1 11:26:45 2015 -0400

      rtl8139: Fix receive buffer overflow check

      rtl8139_do_receive() tries to check for the overflow condition
      by making sure that packet_size + 8 does not exceed the
      available buffer space.  The issue here is that RxBuffAddr,
      used to calculate available buffer space, is aligned to a
      a 4 byte boundry after every update.  So it is possible that
      every packet ends up being slightly padded when written
      to the receive buffer.  This padding is not taken into
      account when checking for overflow and we may end up missing
      the overflow condition can causing buffer overwrite.

      This patch takes alignment into consideration when
      checking for overflow condition.

      Signed-off-by: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1441121206-6997-2-git-send-email-vyasevic@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 26c0114d3f69c3accaf83d56ff1d850bd0213b58
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Aug 3 13:15:57 2015 +0100

      rtl8139: use ldl/stl wrapper for unaligned 32-bit access

      The tx offload feature accesses a 16-bit aligned TCP header struct.  The
      32-bit fields must be accessed using ldl/stl wrappers since some host
      architectures fault on unaligned access.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1438604157-29664-4-git-send-email-stefanha@xxxxxxxxxx

  commit 1bf11332c4770e2750247733c713a4e771047282
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Aug 3 13:15:56 2015 +0100

      rtl8139: use net/eth.h macros instead of custom macros

      Eliminate the following "custom" macros since they are just duplicates
      of net/eth.h macros under a different name:

        ETHER_ADDR_LEN -> ETH_ALEN
        ETH_P_8021Q -> ETH_P_VLAN
        IP_HEADER_LENGTH -> IP_HDR_GET_LEN
        TCP_FLAG_FIN -> TH_FIN
        TCP_FLAG_PUSH -> TH_PUSH

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1438604157-29664-3-git-send-email-stefanha@xxxxxxxxxx

  commit 5d61721a621ef28d2f43fb5008afd38376be552b
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Aug 3 13:15:55 2015 +0100

      rtl8139: remove duplicate net/eth.h definitions

      The transmit offload features inspect Ethernet, IP, TCP, and UDP
      headers.  Avoid redefining these net/eth.h structs.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1438604157-29664-2-git-send-email-stefanha@xxxxxxxxxx

  commit f8b8091d2779d956011a3fb83ff60dbf7465c71d
  Merge: 090d0bf 15b19ed
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Sep 1 19:42:43 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-09-01-v2-tag' into staging

      qemu-ga patch queue

      * add config file dump/load support for qemu-ga
      * various w32 build fixes, particularly WRT to msi package creation
      * fixes for msi installer
      * w32 support for guest-set-user-password

      v2:
      * replaced g_list_free_full with g_list_foreach to maintain glib 2.22
        compatibility

      # gpg: Signature made Tue 01 Sep 2015 19:34:15 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"

      * remotes/mdroth/tags/qga-pull-2015-09-01-v2-tag: (26 commits)
        Makefile: qemu-ga: fix msi target error message
        build: qemu-ga: fix VSS dependencies
        configure: qemu-ga: explicitly enable qemu-ga MSI support when probed
        configure: qemu-ga: move MSI installer probe after qga probe
        qemu-ga: implement win32 guest-set-user-password
        qga: start a man page
        qga: add --dump-conf option
        qga: add an optional qemu-ga.conf system configuration
        qga: free a bit more
        qga: move agent run in a separate function
        qga: fill default options in main()
        qga: move option parsing to separate function
        qga: copy argument strings
        qga: rename 'path' to 'channel_path'
        qga: make split_list() return allocated strings
        qga: move string split in separate function
        qga: use exit() when parsing options
        qga: misc spelling
        configure: qemu-ga: report MSI install support in summary
        qemu-ga: Fixed paths issue with MSI build
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 15b19ed85fb5464b736ef0ece1edce194de2194a
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 26 17:05:01 2015 -0500

      Makefile: qemu-ga: fix msi target error message

      'msi' target reports error if we attempt to use it when QEMU hasn't
      been ./configure'd to enable it. The parenthesis cause an interpreter
      error if we don't enclose the error in quotes.

      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f33ca81f134a4f528117aafe11bfbd09f8c7fcfc
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 26 16:19:41 2015 -0500

      build: qemu-ga: fix VSS dependencies

      Currently VSS dll/tlb files for use in w32 builds are only built as a
      result of having been added to the general 'tools' target alongside
      qemu-ga. This is fine for default make target, but if we build
      qemu-ga directly via `make qemu-ga.exe`, the VSS files are not
      created.

      Fix this by moving the VSS dependencies to qemu-ga.exe directly.
      With this move we can move the VSS files back out of 'tools',
      and drop the extra handling from MSI target in Makefile.

      Now we can build qemu-ga MSI package with:
        ./configure ...
        make qemu-ga.exe
        make msi

      or simply:
        ./configure ...
        make msi

      and no longer need to do a full build beforehand.

      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 1a34904e5b59fd42f238dc50992af1c3a11a458b
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 26 11:14:31 2015 -0500

      configure: qemu-ga: explicitly enable qemu-ga MSI support when probed

      Currently, if we don't explicitly disable support for MSI installer
      via --disable-guest-agent-msi, the configure variable that tracks
      the flag, 'guest_agent_msi', never gets set unless one of the probes
      fails. Subsequent code then treats this unset value the same as if it
      were a "yes" value (via != "no" style checks).

      Instead, set the default "yes" value explicitly after the probes, then
      make subsequent code expect the values to be set.

      This makes it easier to report on whether or not MSI support was
      enabled via probe by looking at the ./configure summary.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 9d6bc27b7e0e8520f1f91721d9c738e027eeb6c4
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Aug 26 10:49:13 2015 -0500

      configure: qemu-ga: move MSI installer probe after qga probe

      MSI probe assumes that qemu-ga support has been probed already, but in
      cases where --enable-guest-agent/--disable-guest-agent have not been
      passed to configure, qemu-ga support may end up getting enabled later,
      as is the case with w32 builds. This leads to MSI probe prematurely
      reporting error due to lack of qemu-ga support.

      Fix this by moving MSI installer probe after the final qga probes.

      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 259434b8067e1c61017e9a5b8667b6526b474ff2
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Jun 30 16:37:13 2015 +0200

      qemu-ga: implement win32 guest-set-user-password

      Use NetUserSetInfo() to set the user password.

      This function is notoriously known to be problematic for users with EFS
      encrypted files. But the alternative, NetUserChangePassword() requires
      the old password. Nevertheless, The EFS file should be recovered by
      changing back to the old password.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 665b5d0dff3b1cc9e9dd6ca84e8fa4070e46ee9f
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:59 2015 +0200

      qga: start a man page

      Add a simple man page for the qemu agent.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      *squashed in review comments from Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit aeadcbb6338ddd8aedbc1473ba7e254623951248
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:58 2015 +0200

      qga: add --dump-conf option

      This new option allows to review the agent configuration,
      and ease the task of writing a configuration file.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      * removed unecessary keyfile != NULL prior to free
      * documented --dump-conf is qemu-ga --help output
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit e236d060cba8d2d6d26a7e076c895d2a6812dafb
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:57 2015 +0200

      qga: add an optional qemu-ga.conf system configuration

      Learn to configure the agent with a system configuration.

      This may simplify command-line handling, especially when the blacklist
      is long.

      Among the other benefits, this may standardize the configuration of an
      init service (instead of distro-specific init keys/files)

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      * removed unecessary keyfile != NULL prior to free
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit d4c8a5d49e514bfeac2040ee5371b4e6a7d8d561
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:56 2015 +0200

      qga: free a bit more

      Now that main() has a single exit point, we can free a few
      more allocations.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit e3d3103975112a1ab8a0129a4be1cfe3314bce8b
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:55 2015 +0200

      qga: move agent run in a separate function

      Once the options are populated, move the running state to
      a run_agent() function.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      * fixed up an s/ga_state/s/ artifact causing segfault
      * replaced g_list_free_full with g_list_foreach to maintain glib
        2.22 compatibility
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit ef8be55429b9a6718c7e07ede20391c09be65974
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:54 2015 +0200

      qga: fill default options in main()

      Fill all default options during main(). This is a preparation patch
      to allow to dump the configuration.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 7a40669491b344a4fe66a0957fe47d594b808f08
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:53 2015 +0200

      qga: move option parsing to separate function

      Move option parsing out of giant main().

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 2e38d9903be28493ccd6de4a55e5226e9f07dea9
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:52 2015 +0200

      qga: copy argument strings

      Following patch will return allocated strings, so we must correctly
      initialize alloc & free them. The nice side effect is that we no longer
      have to check for "fixed_state_dir" to call ga_install_service() with a
      NULL state dir. The default values are set after parsing the command
      line options.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 44de156ca7bfaf899745291a0d603d4f7550f5ea
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:51 2015 +0200

      qga: rename 'path' to 'channel_path'

      'path' is already a global function, rename the variable since it's
      going to be in global scope in a later patch.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4bca81ceedb59397f6082777f6ed4b39d456be85
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:50 2015 +0200

      qga: make split_list() return allocated strings

      In order to avoid any confusion, let's allocate new strings when
      splitting.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 23b42894b389eccb45ab66da3a3e77d3a8cfc2b6
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:49 2015 +0200

      qga: move string split in separate function

      The function is going to be reused in a later patch.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit c6c84523cd890e95b946c6a8f264ff54a7d5b930
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:48 2015 +0200

      qga: use exit() when parsing options

      The option parsing is going to be moved to a separate function,
      use exit() consistently.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 2e2a58e0e49ddb3561b541dc01c3206543b3a1a3
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Thu Aug 27 01:34:47 2015 +0200

      qga: misc spelling

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 4c875d89cb11f4033012eebd63963ab725f8108e
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Aug 25 15:46:18 2015 -0500

      configure: qemu-ga: report MSI install support in summary

      Currently we need to examine config-host.mak to determine whether
      options/probes for MSI package generation had desired result. Report
      this more prominently in ./configure summary as we do with other
      guest agent configure options.

      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit decdfbd28d754f6ff596c0201ab55e9ff4df5b4e
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Wed Aug 26 15:07:16 2015 +0300

      qemu-ga: Fixed paths issue with MSI build

      Previously, if building out-of-tree, the MSI build would fail since
      it wasn't able to find the needed files.

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      * fixed up commit msg formating
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 848849dddf68630021351f5068de12f5c54ae2f8
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Mon Aug 3 20:54:24 2015 +0300

      qemu-ga: Prevent QEMU-GA VSS provider from being unregistered on MSI 
reinstall

      Previously, running the .msi would unregister the QEMU GA VSS service if 
QEMU GA was already installed on the machine, and then register it only if QEMU 
GA was NOT previously installed. This behavior caused the service to be 
registered only after the INITIAL installation, and any subsequent run of the 
.msi (to redo, repair, or upgrade the installation) ended in the service being 
unregistered.

      Now, the VSS service is still unregistered if QEMU GA is already 
installed (so that a fix or an update could be performed) but then it is 
registered again (if the GA is not being uninstalled) thus finishing the 
repair/upgrade correctly. Additionally, downgrading is now prevented. If a user 
would like to downgrade a version, he/she must uninstall the newer version 
first.

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 5e994f94121cdb9c48939cb489e2da646c229a48
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Mon Aug 3 20:54:23 2015 +0300

      qemu-ga: Created a separate component for each installed file in the MSI

      This is done to follow the recommendations given here: 
https://msdn.microsoft.com/en-us/library/aa368269%28VS.85%29.aspx

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Reviewed-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 8b17ccccb23bcd7554d327f46bf4e07ae6da60c0
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Mon Aug 3 20:54:22 2015 +0300

      qemu-ga: Minor cosmetic changes to the WXS file

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 1d394fb78771f4ca307c6020ff3b041905350f70
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Mon Aug 3 20:54:21 2015 +0300

      qemu-ga: Fixed GUID capitalization

      For compatibility, all the letters in GUID should be capital.

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 0a18750f296c85a5a446dc04e1c49cd35ad9e7d5
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Wed Jul 29 20:10:51 2015 +0300

      qemu-ga: Two MSI related cosmetic changes

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 9f3917804dfda737650a22c745469809725b3c6e
  Author: Leonid Bloch <leonid@xxxxxxxxxx>
  Date:   Wed Jul 29 20:10:50 2015 +0300

      qemu-ga: Add .msi files to .gitignore

      Signed-off-by: Leonid Bloch <leonid@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 090d0bfd948343d522cd20bc634105b5cfe2483b
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Fri Aug 28 12:23:41 2015 +0200

      s390: fix softmmu compilation

      guest_base must be used only in linux-user mode.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-id: 1440757421-9674-1-git-send-email-laurent@xxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6c76ec68f68494d4a31b5d82073ed4d2798b8e13
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 28 11:42:53 2015 +0100

      qemu-doc.texi: Fix capitalization error in OS X build instructions

      Fix a capitalization error in the OS X build instructions;
      this was picked up in review of commit b352153f5f and intended to be
      corrected before I applied it, but I accidentally didn't include it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b352153f5f7eb12b56602fc03ae4361e01201f90
  Author: G 3 <programmingkidx@xxxxxxxxx>
  Date:   Fri Aug 14 13:54:25 2015 -0400

      From: John Arbuckle <programmingkidx@xxxxxxxxx>

      qemu-doc.texi: Add information on compiling source code on Mac OS X

      Add information to the documentation on how to build QEMU
      on Mac OS X.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      [PMM: fixed a minor capitalization error]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 351053e76d21d0eaa2e0f27c9b69c8ebf65f3650
  Merge: 47c9dfe a17d448
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 27 13:31:55 2015 +0100

      Merge remote-tracking branch 'remotes/weil/tags/pull-tci-20150826' into 
staging

      tci patch queue

      # gpg: Signature made Wed 26 Aug 2015 19:51:07 BST using RSA key ID 
677450AD
      # gpg: Good signature from "Stefan Weil <sw@xxxxxxxxxxx>"
      # gpg:                 aka "Stefan Weil <stefan.weil@xxxxxxxxxxx>"
      # gpg:                 aka "Stefan Weil <stefan.weil@xxxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 4923 6FEA 75C9 5D69 8EC2  B78A E08C 21D5 6774 
50AD

      * remotes/weil/tags/pull-tci-20150826:
        exec-all: Translate TCI return addresses backwards too

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a17d448274575efbfcc1c04ec2641a0afeb74e17
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Aug 17 20:28:18 2015 -0700

      exec-all: Translate TCI return addresses backwards too

      This subtraction of return addresses applies directly to TCI as well as
      host-TCG. This fixes Linux boots for at least Microblaze, CRIS, ARM and
      SH4 when using TCI.

      [sw: Removed indentation for preprocessor statement]
      [sw: The patch also fixes Linux boot for x86_64]

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>

  commit 47c9dfee808f9455d732aea7c4390ad0972bbd84
  Merge: 7df9671 eb8934b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 26 17:45:09 2015 +0100

      Merge remote-tracking branch 
'remotes/kraxel/tags/pull-cve-2015-5225-20150826-1' into staging

      vnc: fix memory corruption (CVE-2015-5225)

      # gpg: Signature made Wed 26 Aug 2015 17:37:21 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-cve-2015-5225-20150826-1:
        vnc: fix memory corruption (CVE-2015-5225)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit eb8934b0418b3b1d125edddc4fc334a54334a49b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Aug 17 19:56:53 2015 +0200

      vnc: fix memory corruption (CVE-2015-5225)

      The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
      memory corruption issues" can become negative.  Result is (possibly
      exploitable) memory corruption.  Reason for that is it uses the stride
      instead of bytes per scanline to apply limits.

      For the server surface is is actually fine.  vnc creates that itself,
      there is never any padding and thus scanline length always equals stride.

      For the guest surface scanline length and stride are typically identical
      too, but it doesn't has to be that way.  So add and use a new variable
      (guest_ll) for the guest scanline length.  Also rename min_stride to
      line_bytes to make more clear what it actually is.  Finally sprinkle
      in an assert() to make sure we never use a negative _cmp_bytes again.

      Reported-by: è??ç¥?è?³(åº?ç?¹) <zuozhi.fzz@xxxxxxxxxxxxxxx>
      Reviewed-by: P J P <ppandit@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 7df9671989c1cfa693764f9ae6349324b2ada02a
  Merge: 34a4450 cea66e9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 16:24:06 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150825-1' into staging

      target-arm queue:
       * add missing EL2/EL3 TLBI operations
       * add missing EL2/EL3 ATS operations
       * add missing EL2/EL3 registers
       * update Xilinx MAINTAINERS info
       * Xilinx: connect the four OCM banks

      # gpg: Signature made Tue 25 Aug 2015 16:22:43 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"
      # gpg:                 aka "Peter Maydell <pmaydell@xxxxxxxxx>"
      # gpg:                 aka "Peter Maydell 
<pmaydell@xxxxxxxxxxxxxxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150825-1:
        target-arm: Implement AArch64 TLBI operations on IPAs
        target-arm: Implement missing EL3 TLB invalidate operations
        target-arm: Implement missing EL2 TLBI operations
        target-arm: Restrict AArch64 TLB flushes to the MMU indexes they must 
touch
        target-arm: Move TLBI ALLE1/ALLE1IS definitions into numeric order
        cputlb: Add functions for flushing TLB for a single MMU index
        target-arm: Implement AArch32 ATS1H* operations
        target-arm: Enable the AArch32 ATS12NSO ops
        target-arm: Add CP_ACCESS_TRAP_UNCATEGORIZED_EL2, 3
        target-arm: Wire up AArch64 EL2 and EL3 address translation ops
        target-arm: there is no TTBR1 for 32-bit EL2 stage 1 translations
        target-arm: Implement missing ACTLR registers
        target-arm: Implement missing AFSR registers
        target-arm: Implement missing AMAIR registers
        target-arm: Add missing MAIR_EL3 and TPIDR_EL3 registers
        MAINTAINERS: Add ZynqMP to MAINTAINERS file
        MAINTAINERS: Update Xilinx Maintainership
        xlnx-zynqmp: Connect the four OCM banks

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cea66e91212164e02ad1d245c2371f7e8eb59e7f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:10 2015 +0100

      target-arm: Implement AArch64 TLBI operations on IPAs

      Implement the AArch64 TLBI operations which take an intermediate
      physical address and invalidate stage 2 translations.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 43efaa33faa2bdaed789b9ddaa76b30880e57554
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:10 2015 +0100

      target-arm: Implement missing EL3 TLB invalidate operations

      Implement the remaining stage 1 TLB invalidate operations
      visible from EL3.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2bfb9d75d37ceab6ef1674f54fca06c74f6978e7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:09 2015 +0100

      target-arm: Implement missing EL2 TLBI operations

      Implement the missing TLBI operations that exist only
      if EL2 is implemented.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit fd3ed969227f54f08f87d9eb6de2d4e48e99279b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:09 2015 +0100

      target-arm: Restrict AArch64 TLB flushes to the MMU indexes they must 
touch

      Now we have the ability to flush the TLB only for specific MMU indexes,
      update the AArch64 TLB maintenance instruction implementations to only
      flush the parts of the TLB they need to, rather than doing full flushes.

      We take the opportunity to remove some duplicate functions (the per-asid
      tlb ops work like the non-per-asid ones because we don't support
      flushing a TLB only by ASID) and to bring the function names in line
      with the architectural TLBI operation names.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 83ddf975777cc23337b7ef92e83b1b9c949396f3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:09 2015 +0100

      target-arm: Move TLBI ALLE1/ALLE1IS definitions into numeric order

      Move the two regdefs for TLBI ALLE1 and TLBI ALLE1IS down so that the
      whole set of AArch64 TLBI regdefs is arranged in numeric order.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit d7a74a9d4a68e27b3a8ceda17bb95cb0a23d8e4d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:09 2015 +0100

      cputlb: Add functions for flushing TLB for a single MMU index

      Guest CPU TLB maintenance operations may be sufficiently
      specialized to only need to flush TLB entries corresponding
      to a particular MMU index. Implement cputlb functions for
      this, to avoid the inefficiency of flushing TLB entries
      which we don't need to.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1439548879-1972-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 14db7fe09a2c8d561ff37f98b328409906a560d7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: Implement AArch32 ATS1H* operations

      Implement the AArch32 ATS1H* operations which perform
      Hyp mode stage 1 translations.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 87562e4f4a2bdd028eef3549ce9cb4e7c83cb0bf
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: Enable the AArch32 ATS12NSO ops

      Apply the correct conditions in the ats_access() function for
      the ATS12NSO* address translation operations:
       * succeed at EL2 or EL3
       * normal UNDEF trap from NS EL1
       * trap to EL3 from S EL1 (only possible if EL3 is AArch64)

      (This change means they're now available in our EL3-supporting
      CPUs when they would previously always UNDEF.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit e76157264da20b85698b09fa5eb8e02e515e232c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: Add CP_ACCESS_TRAP_UNCATEGORIZED_EL2, 3

      Some coprocessor register access functions need to be able
      to report "trap to EL3 with an 'uncategorized' syndrome";
      add the necessary CPAccessResult enum and handling for it.

      I don't currently know of any registers that need to trap
      to EL2 with the 'uncategorized' syndrome, but adding the
      _EL2 enum as well is trivial and fills in what would
      otherwise be an odd gap in the handling.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2a47df953202e1f226aa045ea974427c4540a167
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: Wire up AArch64 EL2 and EL3 address translation ops

      Wire up the AArch64 EL2 and EL3 address translation operations
      (AT S12E1*, AT S12E0*, AT S1E2*, AT S1E3*), and correct some
      errors in the ats_write64() function in previously unused code
      that would have done the wrong kind of lookup for accesses from
      EL3 when SCR.NS==0.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit d0a2cbceb2aa20d64d53e1c20c7d26a78ade8382
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:08 2015 +0100

      target-arm: there is no TTBR1 for 32-bit EL2 stage 1 translations

      For EL2 stage 1 translations, there is no TTBR1. We were already
      handling this for 64-bit EL2; add the code to take the 'no TTBR1'
      code path for 64-bit EL2 as well.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437751263-21913-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 834a6c6920316d39aaf0e68ac936c0a3ad164815
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      target-arm: Implement missing ACTLR registers

      We already implemented ACTLR_EL1; add the missing ACTLR_EL2 and
      ACTLR_EL3, for consistency.

      Since we don't currently have any CPUs that need the EL2/EL3
      versions to reset to non-zero values, implement as RAZ/WI.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1438281398-18746-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit 37cd6c2478196623ca28526627ca8c69afe0d654
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      target-arm: Implement missing AFSR registers

      The AFSR registers are implementation dependent auxiliary fault
      status registers. We already implemented a RAZ/WI AFSR0_EL1 and
      AFSR_EL1; add the missing AFSR{0,1}_EL{2,3} for consistency.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1438281398-18746-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2179ef958c81480b841ffa0aab5e265688ffd2b0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      target-arm: Implement missing AMAIR registers

      The AMAIR registers are for providing auxiliary implementation
      defined memory attributes. We already implemented a RAZ/WI
      AMAIR_EL1; add the EL2 and EL3 versions for consistency.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1438281398-18746-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4cfb8ad896a6f85953038bd913ce3d82d347013d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      target-arm: Add missing MAIR_EL3 and TPIDR_EL3 registers

      Add the AArch64 registers MAIR_EL3 and TPIDR_EL3, which are the only
      two which we had implemented the 32-bit Secure equivalents of but
      not the 64-bit Secure versions.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1438281398-18746-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 137805f5d8504933faa4fe129cdab88f2695a8c2
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:07 2015 +0100

      MAINTAINERS: Add ZynqMP to MAINTAINERS file

      Add the Xilinx ZynqMP SoC and EP108 machine to the maintainers
      file.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
fed078103a0b02cfb3adadbe8e80e4420d554505.1436486024.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b46ba6145c4c9b79641efdcc9f1aa92fdbf779c
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:06 2015 +0100

      MAINTAINERS: Update Xilinx Maintainership

      Peter C is leaving Xilinx, so update the maintainer list
      to point to Alistair and Edgar from Xilinx and Peter's
      personal email address.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
54b4c070452bac05aa3a9c1d75899bc097fef831.1436486024.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6675d719154969456e841a7e1729c0dc14113a44
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Tue Aug 25 15:45:06 2015 +0100

      xlnx-zynqmp: Connect the four OCM banks

      The Xilinx EP108 has four separate OCM banks which are located
      adjacent to each other. This patch adds the four banks to
      the ZynqMP SoC.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
afa6ba31163a5d541a0bef4b0dc11f2597e0c495.1436813543.git.alistair.francis@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 34a4450434f1a5daee06fca223afcbb9c8f1ee24
  Merge: a30878e b76f21a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 25 13:34:57 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150824' into 
staging

      queued tcg patches

      # gpg: Signature made Mon 24 Aug 2015 19:37:15 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150824:
        linux-user: remove useless macros GUEST_BASE and RESERVED_VA
        linux-user: remove --enable-guest-base/--disable-guest-base
        tcg/aarch64: Use softmmu fast path for unaligned accesses
        tcg/s390: Use softmmu fast path for unaligned accesses
        tcg/ppc: Improve unaligned load/store handling on 64-bit backend
        tcg/i386: use softmmu fast path for unaligned accesses
        tcg: Remove tcg_gen_trunc_i64_i32
        tcg: Split trunc_shr_i32 opcode into extr[lh]_i64_i32
        tcg: update README about size changing ops
        tcg/optimize: add optimizations for ext_i32_i64 and extu_i32_i64 ops
        tcg: implement real ext_i32_i64 and extu_i32_i64 ops
        tcg: don't abuse TCG type in tcg_gen_trunc_shr_i64_i32
        tcg: rename trunc_shr_i32 into trunc_shr_i64_i32
        tcg/optimize: allow constant to have copies
        tcg/optimize: track const/copy status separately
        tcg/optimize: add temp_is_const and temp_is_copy functions
        tcg/optimize: optimize temps tracking
        tcg/optimize: fix constant signedness

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b76f21a70748b735d6ac84fec4bb9bdaafa339b1
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Mon Aug 24 14:53:54 2015 +0200

      linux-user: remove useless macros GUEST_BASE and RESERVED_VA

      As we have removed CONFIG_USE_GUEST_BASE, we always use a guest base
      and the macros GUEST_BASE and RESERVED_VA become useless: replace
      them by their values.

      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-Id: <1440420834-8388-1-git-send-email-laurent@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4cbea5986981998cda07b13794c7e3ff7bc42e80
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Mon Aug 24 01:42:07 2015 +0200

      linux-user: remove --enable-guest-base/--disable-guest-base

      All tcg host architectures now support the guest base and as
      there is no real performance lost, it can be always enabled.

      Anyway, guest base use can be disabled lively by setting guest
      base to 0.

      CONFIG_USE_GUEST_BASE is defined as (USE_GUEST_BASE && USER_ONLY),
      it should have to be replaced by CONFIG_USER_ONLY in non CONFIG_USER_ONLY
      parts, but as some other parts are using !CONFIG_SOFTMMU I have chosen to
      use !CONFIG_SOFTMMU instead.

      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-Id: <1440373328-9788-2-git-send-email-laurent@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9ee14902bf107e37fb2c8119fa7bca424396237c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 17 12:18:05 2015 -0700

      tcg/aarch64: Use softmmu fast path for unaligned accesses

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a5e39810b9088b5d20fac8e0293f281e1c8b608f
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 23 13:32:35 2015 -0700

      tcg/s390: Use softmmu fast path for unaligned accesses

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 68d45bb61c5bbfb3999486f78cf026c1e79eb301
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 21 15:19:38 2015 +1000

      tcg/ppc: Improve unaligned load/store handling on 64-bit backend

      Currently, we get to the slow path for any unaligned access in the
      backend, because we effectively preserve the bottom address bits
      below the alignment requirement when comparing with the TLB entry,
      so any non-0 bit there will cause the compare to fail.

      For the same number of instructions, we can instead add the access
      size - 1 to the address and stick to clearing all the bottom bits.

      That means that normal unaligned accesses will not fallback (the HW
      will handle them fine). Only when crossing a page boundary well we
      end up having a mismatch because we'll end up pointing to the next
      page which cannot possibly be in that same TLB entry.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Message-Id: <1437455978.5809.2.camel@xxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8cc580f6a0d8c0e2f590c1472cf5cd8e51761760
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jul 9 20:39:57 2015 +0200

      tcg/i386: use softmmu fast path for unaligned accesses

      Softmmu unaligned load/stores currently goes through through the slow
      path for two reasons:
        - to support unaligned access on host with strict alignement
        - to correctly handle accesses crossing pages

      x86 is only concerned by the second reason. Unaligned accesses are
      avoided by compilers, but are not uncommon. We therefore would like
      to see them going through the fast path, if they don't cross pages.

      For that we can use the fact that two adjacent TLB entries can't contain
      the same page. Therefore accessing the TLB entry corresponding to the
      first byte, but comparing its content to page address of the last byte
      ensures that we don't cross pages. We can do this check without adding
      more instructions in the TLB code (but increasing its length by one
      byte) by using the LEA instruction to combine the existing move with the
      size addition.

      On an x86-64 host, this gives a 3% boot time improvement for a powerpc
      guest and 4% for an x86-64 guest.

      [rth: Tidied calculation of the offset mask]

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1436467197-2183-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ecc7b3aa71f5fdcf9ee87e74ca811d988282641d
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Jul 24 11:49:53 2015 -0700

      tcg: Remove tcg_gen_trunc_i64_i32

      Replacing it with tcg_gen_extrl_i64_i32.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 609ad70562793937257c89d07bf7c1370b9fc9aa
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Jul 24 07:16:00 2015 -0700

      tcg: Split trunc_shr_i32 opcode into extr[lh]_i64_i32

      Rather than allow arbitrary shift+trunc, only concern ourselves
      with low and high parts.  This is all that was being used anyway.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 870ad1547ac53bc79c21d86cf453b3b20cc660a2
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg: update README about size changing ops

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8bcb5c8f34f9215d4f88f388c7ff14c9bd5cecd3
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg/optimize: add optimizations for ext_i32_i64 and extu_i32_i64 ops

      They behave the same as ext32s_i64 and ext32u_i64 from the constant
      folding and zero propagation point of view, except that they can't
      be replaced by a mov, so we don't compute the affected value.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4f2331e5b67af8172419eb1c8db510b497b30a7b
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg: implement real ext_i32_i64 and extu_i32_i64 ops

      Implement real ext_i32_i64 and extu_i32_i64 ops. They ensure that a
      32-bit value is always converted to a 64-bit value and not propagated
      through the register allocator or the optimizer.

      Cc: Andrzej Zaborowski <balrogg@xxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Blue Swirl <blauwirbel@xxxxxxxxx>
      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Acked-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6acd2558fdb7dd9de6b10697914bdc1d75d624e5
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg: don't abuse TCG type in tcg_gen_trunc_shr_i64_i32

      The tcg_gen_trunc_shr_i64_i32 function takes a 64-bit argument and
      returns a 32-bit value. Directly call tcg_gen_op3 with the correct
      types instead of calling tcg_gen_op3i_i32 and abusing the TCG types.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0632e555fc4d281d69cb08d98d500d96185b041f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:45 2015 +0200

      tcg: rename trunc_shr_i32 into trunc_shr_i64_i32

      The op is sometimes named trunc_shr_i32 and sometimes trunc_shr_i64_i32,
      and the name in the README doesn't match the name offered to the
      frontends.

      Always use the long name to make it clear it is a size changing op.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 299f80130401153af1a6ddb3cc011781bcd47600
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:44 2015 +0200

      tcg/optimize: allow constant to have copies

      Now that copies and constants are tracked separately, we can allow
      constant to have copies, deferring the choice to use a register or a
      constant to the register allocation pass. This prevent this kind of
      regular constant reloading:

      -OUT: [size=338]
      +OUT: [size=298]
         mov    -0x4(%r14),%ebp
         test   %ebp,%ebp
         jne    0x7ffbe9cb0ed6
         mov    $0x40002219f8,%rbp
         mov    %rbp,(%r14)
      -  mov    $0x40002219f8,%rbp
         mov    $0x4000221a20,%rbx
         mov    %rbp,(%rbx)
         mov    $0x4000000000,%rbp
         mov    %rbp,(%r14)
      -  mov    $0x4000000000,%rbp
         mov    $0x4000221d38,%rbx
         mov    %rbp,(%rbx)
         mov    $0x40002221a8,%rbp
         mov    %rbp,(%r14)
      -  mov    $0x40002221a8,%rbp
         mov    $0x4000221d40,%rbx
         mov    %rbp,(%rbx)
         mov    $0x4000019170,%rbp
         mov    %rbp,(%r14)
      -  mov    $0x4000019170,%rbp
         mov    $0x4000221d48,%rbx
         mov    %rbp,(%rbx)
         mov    $0x40000049ee,%rbp
         mov    %rbp,0x80(%r14)
         mov    %r14,%rdi
         callq  0x7ffbe99924d0
         mov    $0x4000001680,%rbp
         mov    %rbp,0x30(%r14)
         mov    0x10(%r14),%rbp
         mov    $0x4000001680,%rbp
         mov    %rbp,0x30(%r14)
         mov    0x10(%r14),%rbp
         shl    $0x20,%rbp
         mov    (%r14),%rbx
         mov    %ebx,%ebx
         mov    %rbx,(%r14)
         or     %rbx,%rbp
         mov    %rbp,0x10(%r14)
         mov    %rbp,0x90(%r14)
         mov    0x60(%r14),%rbx
         mov    %rbx,0x38(%r14)
         mov    0x28(%r14),%rbx
         mov    $0x4000220e60,%r12
         mov    %rbx,(%r12)
         mov    $0x40002219c8,%rbx
         mov    %rbp,(%rbx)
         mov    0x20(%r14),%rbp
         sub    $0x8,%rbp
         mov    $0x4000004a16,%rbx
         mov    %rbx,0x0(%rbp)
         mov    %rbp,0x20(%r14)
         mov    $0x19,%ebp
         mov    %ebp,0xa8(%r14)
         mov    $0x4000015110,%rbp
         mov    %rbp,0x80(%r14)
         xor    %eax,%eax
         jmpq   0x7ffbebcae426
         lea    -0x5f6d72a(%rip),%rax        # 0x7ffbe3d437b3
         jmpq   0x7ffbebcae426

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b41059dd9deec367a4ccd296659f0bc5de2dc705
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:44 2015 +0200

      tcg/optimize: track const/copy status separately

      Instead of using an enum which could be either a copy or a const, track
      them separately. This will be used in the next patch.

      Constants are tracked through a bool. Copies are tracked by initializing
      temp's next_copy and prev_copy to itself, allowing to simplify the code
      a bit.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit d9c769c60948815ee03b2684b1c1c68ee4375149
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:44 2015 +0200

      tcg/optimize: add temp_is_const and temp_is_copy functions

      Add two accessor functions temp_is_const and temp_is_copy, to make the
      code more readable and make code change easier.

      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 1208d7dd5fddc1fbd98de800d17429b4e5578848
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:41:44 2015 +0200

      tcg/optimize: optimize temps tracking

      The tcg_temp_info structure uses 24 bytes per temp. Now that we emulate
      vector registers on most guests, it's not uncommon to have more than 100
      used temps. This means we have initialize more than 2kB at least twice
      per TB, often more when there is a few goto_tb.

      Instead used a TCGTempSet bit array to track which temps are in used in
      the current basic block. This means there are only around 16 bytes to
      initialize.

      This improves the boot time of a MIPS guest on an x86-64 host by around
      7% and moves out tcg_optimize from the the top of the profiler list.

      [rth: Handle TCG_CALL_DUMMY_ARG]

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 29f3ff8d6cbc28f79933aeaa25805408d0984a8f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 10 18:03:31 2015 +0200

      tcg/optimize: fix constant signedness

      By convention, on a 64-bit host TCG internally stores 32-bit constants
      as sign-extended. This is not the case in the optimizer when a 32-bit
      constant is folded.

      This doesn't seem to have more consequences than suboptimal code
      generation. For instance the x86 backend assumes sign-extended constants,
      and in some rare cases uses a 32-bit unsigned immediate 0xffffffff
      instead of a 8-bit signed immediate 0xff for the constant -1. This is
      with a ppc guest:

      before
      ------

       ---- 0x9f29cc
       movi_i32 tmp1,$0xffffffff
       movi_i32 tmp2,$0x0
       add2_i32 tmp0,CA,CA,tmp2,r6,tmp2
       add2_i32 tmp0,CA,tmp0,CA,tmp1,tmp2
       mov_i32 r10,tmp0

      0x7fd8c7dfe90c:  xor    %ebp,%ebp
      0x7fd8c7dfe90e:  mov    %ebp,%r11d
      0x7fd8c7dfe911:  mov    0x18(%r14),%r9d
      0x7fd8c7dfe915:  add    %r9d,%r10d
      0x7fd8c7dfe918:  adc    %ebp,%r11d
      0x7fd8c7dfe91b:  add    $0xffffffff,%r10d
      0x7fd8c7dfe922:  adc    %ebp,%r11d
      0x7fd8c7dfe925:  mov    %r11d,0x134(%r14)
      0x7fd8c7dfe92c:  mov    %r10d,0x28(%r14)

      after
      -----

       ---- 0x9f29cc
       movi_i32 tmp1,$0xffffffffffffffff
       movi_i32 tmp2,$0x0
       add2_i32 tmp0,CA,CA,tmp2,r6,tmp2
       add2_i32 tmp0,CA,tmp0,CA,tmp1,tmp2
       mov_i32 r10,tmp0

      0x7f37010d490c:  xor    %ebp,%ebp
      0x7f37010d490e:  mov    %ebp,%r11d
      0x7f37010d4911:  mov    0x18(%r14),%r9d
      0x7f37010d4915:  add    %r9d,%r10d
      0x7f37010d4918:  adc    %ebp,%r11d
      0x7f37010d491b:  add    $0xffffffffffffffff,%r10d
      0x7f37010d491f:  adc    %ebp,%r11d
      0x7f37010d4922:  mov    %r11d,0x134(%r14)
      0x7f37010d4929:  mov    %r10d,0x28(%r14)

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1436544211-2769-2-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit a30878e708c2149ce07d709a8b62edd944628449
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 16:10:52 2015 +0100

      configure: Don't permit SDL or GTK on OSX

      The cocoa GUI frontend assumes it is the only GUI (it redefines
      main() so it always gets control before the rest of QEMU), so
      it does not play well with other UIs like SDL or GTK. (Mostly
      people building QEMU on OSX don't have the necessary dependencies
      available for configure to build those other front ends, so
      mostly this problem goes unnoticed.)

      Make configure automatically disable the SDL and GTK front ends
      if the cocoa front end is enabled. (We were sort of attempting
      to do this for SDL before, but not in a way that worked very well.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 1439565052-3457-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 20fbcfdd58ea47607a5755979d43f8c48ac93f08
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:20 2015 +0100

      apic_internal.h: Include cpu.h directly

      apic_internal.h relies on cpu.h having been included (for the
      X86CPU type); include it directly rather than relying on it
      being pulled in via one of the other includes like timer.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 49caffe0cc95a9d0dc344e3328be8197f3536cf8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:20 2015 +0100

      qemu-common.h: Move muldiv64() to host-utils.h

      Move the muldiv64() function from qemu-common.h to host-utils.h.
      This puts it together with all the other arithmetic functions
      where we provide a version with __int128_t and a fallback
      without, and allows headers which need muldiv64() to avoid
      including qemu-common.h.

      We don't include host-utils from qemu-common.h, to avoid dragging
      more things into qemu-common.h than it already has; in practice
      everywhere that needs muldiv64() can get it via qemu/timer.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 03557b9abaee78e9d1ef5cd236d32a7b3e75e6f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:20 2015 +0100

      osdep.h: Add header comment

      Add a header comment to osdep.h, explaining what the header is for
      and some rules to avoid circular-include difficulties.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit bfe7e449f14313f646da621288ca2fd12223414f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      osdep.h: Move some OS header includes and fixups from qemu-common.h

      qemu-common.h has some system header includes and fixups for
      things that might be missing. This is really an OS dependency
      and belongs in osdep.h, so move it across.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 1aad8104f3b69206da1f868639e1f69c26f6d482
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      qemu-common.h: Move Win32 fixups into os-win32.h

      qemu-common.h includes some fixups for things the Win32
      headers don't define or define weirdly. These really
      belong in os-win32.h, so move them there.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 24134c4e9126bf505b612e901c63a102fc471083
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      compiler.h: Use glue() in QEMU_BUILD_BUG_ON define

      Rather than rolling custom concatenate-strings macros for the
      QEMU_BUILD_BUG_ON macro to use, use the glue() macro we already
      have (since it's now available to us in this header).

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 4912086865083a008f4fb73173fd0ddf2206c4d9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      osdep.h: Move some compiler-specific things to compiler.h

      osdep.h has a few things which are really compiler specific;
      move them to compiler.h, and include compiler.h from osdep.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 71baf787d8fa2a5d186f22d8154069fd212be37f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      osdep.h: Remove qemu_printf

      qemu_printf is an ancient remnant which has been a simple #define to
      printf for over a decade, and is used in only a few places. Expand
      it out in those places and remove the #define.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 38e20cac669083e2e10a2a9a9602cb99ec19299e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 16:20:19 2015 +0100

      qapi/qmp-event.c: Don't manually include os-win32.h/os-posix.h

      qmp-event.c already includes qemu-common.h, so manually including
      os-win32.h/os-posix.h is unnecessary (and potentially fragile,
      since it's duplicating the #ifdef logic that chooses which of the
      two we need). Remove the unnecessary include logic.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit 4c4a29cb681ec0374616e07c69714b909641e929
  Merge: 5452b6f 6c05d3d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 19 00:25:52 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-axp-201508018' into 
staging

      Alpha shadow register optimization

      # gpg: Signature made Tue 18 Aug 2015 19:09:41 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-axp-201508018:
        target-alpha: Inline hw_ret
        target-alpha: Inline call_pal
        target-alpha: Use separate TCGv temporaries for the shadow registers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6c05d3ded7b51154e67c35e270c48784b7046883
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 16 12:55:12 2014 -0700

      target-alpha: Inline hw_ret

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2f458b7c311f8d79028b04930f8c820b326fbcdd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 16 12:35:59 2014 -0700

      target-alpha: Inline call_pal

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 591243846f7d0dc59f482a89e241a6ce02d25fae
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Sep 16 12:16:38 2014 -0700

      target-alpha: Use separate TCGv temporaries for the shadow registers

      This avoids having to manually swap them around when swapping to and
      from PALmode.  We simply encode the shadow registers into the translation.

      The VMStateDescription version changes, because the meaning of "shadow"
      changes in the save file when in PALmode.  It would be possible to fix
      this, but I don't think it's worth the effort.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 112e4518f0d38fc3c52e55c7d7e77b66a295ec2b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Aug 5 11:04:11 2015 -0700

      target-alpha: Special case cmpbge with zero

      Knowing the comparator is zero leads to a simpler operation.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5452b6f61ae943aff5c13cdd65fb476efff636d3
  Merge: 6b324b3 9504c54
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 18 17:06:41 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * SCSI fixes from Stefan and Fam
      * vhost-scsi fix from Igor and Lu Lina
      * a build system fix from Daniel
      * two more multi-arch-related patches from Peter C.
      * TCG patches from myself and Sergey Fedorov
      * RCU improvement from Wen Congyang
      * a few more simple cleanups

      # gpg: Signature made Fri 14 Aug 2015 22:41:52 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        disas: Defeature print_target_address
        hw: fix mask for ColdFire UART command register
        scsi-generic: identify AIO callbacks more clearly
        scsi-disk: identify AIO callbacks more clearly
        scsi: create restart bottom half in the right AioContext
        configure: only add CONFIG_RDMA to config-host.h once
        qemu-nbd: remove unnecessary qemu_notify_event()
        vhost-scsi: Clarify vhost_virtqueue_mask argument
        exec: use macro ROUND_UP for alignment
        rcu: Allow calling rcu_(un)register_thread() during synchronize_rcu()
        exec: drop cpu_can_do_io, just read cpu->can_do_io
        cpu_defs: Simplify CPUTLB padding logic
        cpu-exec: Do not invalidate original TB in cpu_exec_nocache()
        vhost/scsi: call vhost_dev_cleanup() at unrealize() time
        virtio-scsi-test: Add test case for tail unaligned WRITE SAME
        scsi-disk: Fix assertion failure on WRITE SAME
        tests: virtio-scsi: clear unit attention after reset
        scsi-disk: fix cmd.mode field typo
        virtio-scsi: use virtqueue_map_sg() when loading requests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5f2a80adc6fd2b2e4e0579a6613a9913e3cc9a05
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Aug 5 10:33:12 2015 -0700

      target-alpha: Rewrite helper_cmpbge using bit tests

      Not quite as good as using a proper host vector compare,
      but certainly better than a loop.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9504c5445cb709415aea509954a922983925c2d3
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Jul 5 13:50:32 2015 -0700

      disas: Defeature print_target_address

      It does not work in multi-arch as it requires the CPU specific
      TARGET_VIRT_ADDR_SPACE_BITS global define. Just use the generic
      version that does no masking. Targets should be responsible for
      passing in a sane virtual address.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<1436129432-16617-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 491ffc1f7ce857b88e9d310ce901ce033e45b75d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 24 13:55:51 2015 +0200

      hw: fix mask for ColdFire UART command register

      The "miscellaneous commands" part of the register is 3 bits wide.
      Spotted by Coverity and confirmed in the datasheet, downloadable from
      http://cache.freescale.com/files/32bit/doc/ref_manual/MCF5307BUM.pdf
      (figure 14-6).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fa0d653b06cec7b3188a733dc7394e030948018e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Jul 19 19:15:26 2015 +0200

      scsi-generic: identify AIO callbacks more clearly

      Functions that are not callbacks should assert that aiocb is NULL and
      have a SCSIGenericReq argument.

      AIO callbacks should assert that aiocb is not NULL.  They also have an
      opaque argument.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5fd2b563a7624959ae7f000202785a30279021f8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Jul 19 19:15:26 2015 +0200

      scsi-disk: identify AIO callbacks more clearly

      Functions that are not callbacks should assert that aiocb is NULL and
      have a non-opaque argument (usually a pointer to SCSIDiskReq).

      AIO callbacks should assert that aiocb is not NULL and take care of
      calling block_acct done.  They also have an opaque argument.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d223c10453f1a7909349fd3e52a6047295d0e94f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jul 22 16:38:17 2015 +0200

      scsi: create restart bottom half in the right AioContext

      This matches commit 4407c1c (virtio-blk: Schedule BH in the right context,
      2014-06-17), which did the same thing for virtio-blk.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 416471916542f30c49f2ed2187d634e9ad26d57d
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Jul 31 13:23:23 2015 +0100

      configure: only add CONFIG_RDMA to config-host.h once

      For unknown reasons (probably a git rebase merge mistake)

        commit 2da776db4846eadcb808598a5d3484d149773c05
        Author: Michael R. Hines <mrhines@xxxxxxxxxx>
        Date:   Mon Jul 22 10:01:54 2013 -0400

          rdma: core logic

      Adds CONFIG_RDMA to config-host.h twice, as can be seen
      in the generated file:

       $ grep CONFIG_RDMA config-host.h
       #define CONFIG_RDMA 1
       #define CONFIG_RDMA 1

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1438345403-32467-1-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 06832648e1dbd268d7b719b9a49df476af689c6d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 27 13:52:55 2015 +0200

      qemu-nbd: remove unnecessary qemu_notify_event()

      This was needed when qemu-nbd was using qemu_set_fd_handler2.  It is
      not needed anymore now that nbd_update_server_fd_handler is called
      whenever nbd_can_accept() can change from false to true.
      nbd_update_server_fd_handler will call qemu_set_fd_handler(),
      which will call qemu_notify_event().

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fe2d1a81d96e8ffe74974bd4b3ebc608f1f6a25d
  Author: Lu Lina <lina.lulina@xxxxxxxxxx>
  Date:   Mon Jul 27 14:25:59 2015 +0800

      vhost-scsi: Clarify vhost_virtqueue_mask argument

      vhost_virtqueue_mask takes an "absolute" virtqueue index, while the
      code looks like it's passing an index that is relative to
      s->dev.vq_index.  In reality, s->dev.vq_index is always zero, so
      this patch does not make any difference, but the code is clearer.

      Signed-off-by: Lu Lina <lina.lulina@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1437978359-17960-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9284f31994919c001b54af57fc7d1bbb0d19b6fd
  Author: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
  Date:   Fri Jul 24 11:12:03 2015 +0800

      exec: use macro ROUND_UP for alignment

      Use ROUND_UP instead.

      Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
      Message-Id: <1437707523-4910-1-git-send-email-chenhanxiao@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c097a60b100c10d79d8bd5c91ce804e865d7e70b
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Mon Jul 27 10:24:18 2015 +0800

      rcu: Allow calling rcu_(un)register_thread() during synchronize_rcu()

      If rcu_(un)register_thread() is called together with synchronize_rcu(),
      it will wait for the synchronize_rcu() to finish. But when 
synchronize_rcu()
      waits for some events, we can modify the list registry.
      We also use the lock rcu_gp_lock to assume that synchronize_rcu() isn't
      executed in more than one thread at the same time. Add a new mutex lock
      rcu_sync_lock to assume it and rename rcu_gp_lock to rcu_registry_lock.
      Release rcu_registry_lock when synchronize_rcu() waits for some events.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-Id: <55B59652.4090503@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 414b15c909c88e4cf5f10e80d033b3aa90bcc9e1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 24 14:16:26 2015 +0200

      exec: drop cpu_can_do_io, just read cpu->can_do_io

      After commit 626cf8f (icount: set can_do_io outside TB execution,
      2014-12-08), can_do_io is set to 1 if not executing code.  It is
      no longer necessary to make this assumption in cpu_can_do_io.

      It is also possible to remove the use_icount test, simply by
      never setting cpu->can_do_io to 0 unless use_icount is true.

      With these changes cpu_can_do_io boils down to a read of
      cpu->can_do_io.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6b324b3e5906fd9a9ce7f4f24decd1f1c7afde97
  Merge: 074a992 8887f84
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 18:06:44 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Fri 14 Aug 2015 16:01:19 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        tests: test rx recovery from cont
        tests: introduce basic pci test for virtio-net
        net/vmxnet3: Fix incorrect debug message

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 074a9925e1cfd659d5376dcaccd1436d3840e611
  Merge: 8e0adf6 e424aff
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 16:52:34 2015 +0100

      Merge remote-tracking branch 'remotes/cody/tags/block-pull-request' into 
staging

      # gpg: Signature made Fri 14 Aug 2015 14:54:27 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 
3057

      * remotes/cody/tags/block-pull-request:
        mirror: Fix coroutine reentrance
        block/mirror: limit qiov to IOV_MAX elements

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8e0adf64140ab93aba79be2f0227a47eda78e464
  Merge: be1f13a 92e11a1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Aug 14 15:51:24 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Fri 14 Aug 2015 15:41:14 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        throttle: add throttle_max_is_missing_limit() test
        throttle: refuse bps_max/iops_max without bps/iops

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e424aff5f307227b1c2512bbb8ece891bb895cef
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Aug 13 10:41:50 2015 +0200

      mirror: Fix coroutine reentrance

      This fixes a regression introduced by commit dcfb3beb ("mirror: Do zero
      write on target if sectors not allocated"), which was reported to cause
      aborts with the message "Co-routine re-entered recursively".

      The cause for this bug is the following code in mirror_iteration_done():

          if (s->common.busy) {
              qemu_coroutine_enter(s->common.co, NULL);
          }

      This has always been ugly because - unlike most places that reenter - it
      doesn't have a specific yield that it pairs with, but is more
      uncontrolled.  What we really mean here is "reenter the coroutine if
      it's in one of the four explicit yields in mirror.c".

      This used to be equivalent with s->common.busy because neither
      mirror_run() nor mirror_iteration() call any function that could yield.
      However since commit dcfb3beb this doesn't hold true any more:
      bdrv_get_block_status_above() can yield.

      So what happens is that bdrv_get_block_status_above() wants to take a
      lock that is already held, so it adds itself to the queue of waiting
      coroutines and yields. Instead of being woken up by the unlock function,
      however, it gets woken up by mirror_iteration_done(), which is obviously
      wrong.

      In most cases the code actually happens to cope fairly well with such
      cases, but in this specific case, the unlock must already have scheduled
      the coroutine for wakeup when mirror_iteration_done() reentered it. And
      then the coroutine happened to process the scheduled restarts and tried
      to reenter itself recursively.

      This patch fixes the problem by pairing the reenter in
      mirror_iteration_done() with specific yields instead of abusing
      s->common.busy.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Message-id: 1439455310-11263-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit d90dedfcd5b9faad105bf28b718c9477d8467e77
  Merge: be1f13a cae98cb
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Aug 14 09:41:30 2015 -0400

      Merge branch 'block-next' into HEAD

  commit be1f13ac9d9fc21908975460652a72f5f0c018c5
  Merge: 5c314a2 c855701
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 17:47:44 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150813' into 
staging

      MIPS patches 2015-08-13

      Changes:
      * mips32r5-generic CPU updated and renamed to P5600
      * improvements in LWL/LDL, logging and fulong2e

      # gpg: Signature made Thu 13 Aug 2015 17:10:59 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150813:
        target-mips: Use CPU_LOG_INT for logging related to interrupts
        hw/pci-host/bonito: Avoid buffer overrun for bad LDMA/COP accesses
        target-mips: simplify LWL/LDL mask generation
        target-mips: update mips32r5-generic into P5600

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c85570163bdf1ba29cb52a63f22ff1c48f1b9398
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 3 11:49:12 2015 -0700

      target-mips: Use CPU_LOG_INT for logging related to interrupts

      There are now no unconditional uses of qemu_log in the subdirectory.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 58d479786b11a7e982419c1e0905b8490ef9a787
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 30 16:33:42 2015 +0100

      hw/pci-host/bonito: Avoid buffer overrun for bad LDMA/COP accesses

      The LDMA and COP memory regions represent four 32 bit registers
      each, but the memory regions themselves are 0x100 bytes large.
      Add guards to the read and write accessors so that bogus accesses
      beyond the four defined registers don't just run off the end of
      the bonldma and boncop structs and into whatever lies beyond.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Acked-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit eb02cc3f89013612cb05df23b5441741e902bbd2
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jul 15 17:05:09 2015 +0200

      target-mips: simplify LWL/LDL mask generation

      The LWL/LDL instructions mask the GPR with a mask depending on the
      address alignement. It is currently computed by doing:

          mask = 0x7fffffffffffffffull >> (t1 ^ 63)

      It's simpler to generate it by doing:

          mask = ~(-1 << t1)

      It uses one TCG instruction less, and it avoids a 32/64-bit constant
      loading which can take a few instructions on RISC hosts.

      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit aff2bc6dc6d839caf6df0900437cc2cc9e180605
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Fri Jul 10 12:10:52 2015 +0100

      target-mips: update mips32r5-generic into P5600

      As full specification of P5600 is available, mips32r5-generic should
      be renamed to P5600 and corrected as its intention.
      Correct PRid and detail of configuration.
      Features which are not currently supported are described as FIXME.

      Fix Config.MM bit location

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: correct cache line sizes and LLAddr shift]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 5c314a2eb713f560d753cb194d194fd462cff719
  Merge: 425591e d31e5ae
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 15:07:34 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio,pc,acpi fixes, cleanups

      Mostly cleanups, notably Eduardo's compat code rework,
      and smbios rearrangement for use by ARM.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu 13 Aug 2015 12:59:16 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (24 commits)
        MAINTAINERS: list smbios maintainers
        smbios: move smbios code into a common folder
        smbios: remove dependency on x86 e820 tables
        smbios: extract x86 smbios building code into a function
        acpi: avoid potential uninitialized access to cpu_hp_io_base
        virtio-net: remove useless codes
        pci: allow 0 address for PCI IO/MEM regions
        pc: Remove redundant arguments from pc_memory_init()
        pc: Remove redundant arguments from pc_cmos_init()
        pc: Remove redundant arguments from *load_linux()
        pc: Use PCMachineState as pc_guest_info_init() argument
        pc: Move {above,below}_4g_mem_size variables to PCMachineState
        pc: Use PCMachineState for pc_memory_init() argument
        pc: Use PCMachineState for pc_cmos_init() argument
        pc: Eliminate pc_default_machine_options()
        pc: Eliminate pc_common_machine_options()
        pc: Move PCMachineClass, PCMachineState to qemu/typedefs.h
        pc: Rename pc_machine variables to pcms
        pc: Use error_abort when registering properties
        target-i386: Remove x86_cpu_compat_set_features()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d31e5ae7f2c16de2caf752b7f7f903569fea894d
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Aug 12 12:17:36 2015 +0300

      MAINTAINERS: list smbios maintainers

      Now that smbios has its own directory, list its
      maintainers. Same people as ACPI so just reuse that
      entry.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 60d8f328b878ead45a5e5e347935097e3426bbd9
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Tue Aug 11 22:08:20 2015 -0400

      smbios: move smbios code into a common folder

      To share smbios among different architectures, this patch moves SMBIOS
      code (smbios.c and smbios.h) from x86 specific folders into new
      hw/smbios directories. As a result, CONFIG_SMBIOS=y is defined in
      x86 default config files.

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 89cc4a2760be800b5924dd705b1369bc29783c9f
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Tue Aug 11 22:08:19 2015 -0400

      smbios: remove dependency on x86 e820 tables

      Current smbios builds type 19 table from e820, which is x86 specific.
      This patch removes smbios' dependency on e820 by passing an array
      of memory area to smbios_get_tables().

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5fd0a9d410dc876ce134359c489d1d639ea32889
  Author: Wei Huang <wei@xxxxxxxxxx>
  Date:   Tue Aug 11 22:08:18 2015 -0400

      smbios: extract x86 smbios building code into a function

      This patch extracts out the procedure of buidling x86 SMBIOS tables
      into a dedicated function.

      Acked-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Tested-by: Leif Lindholm <leif.lindholm@xxxxxxxxxx>
      Signed-off-by: Wei Huang <wei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 94aaca6457e52bb9c8a53af3c89bfeec40afadfc
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Jul 31 11:14:35 2015 +0100

      acpi: avoid potential uninitialized access to cpu_hp_io_base

      When building QEMU with Mingw64 toolchain I see a warning

       CC    x86_64-softmmu/hw/i386/acpi-build.o
        hw/i386/acpi-build.c: In function 'acpi_build':
        hw/i386/acpi-build.c:1138:9: warning: 'pm.cpu_hp_io_base' may be used 
uninitialized in this function [-Wmaybe-uninitialized]
                 aml_append(crs,
                 ^
        hw/i386/acpi-build.c:1666:16: note: 'pm.cpu_hp_io_base' was declared 
here
             AcpiPmInfo pm;
                        ^

      In acpi_get_pm_info() some of the fields are pre-initialized
      to 0, but this one was missed.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit bd89dd98b2b835bbff43f02f2e7c823eb0c61331
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Aug 3 13:20:38 2015 +0800

      virtio-net: remove useless codes

      After commit 40bad8f3deba15e2074ff34cfe923c12916b1cc5("virtio-net: fix
      used len for tx"), async_tx.len was no longer used afterwards. So
      remove useless codes with it.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e402463073ae51d00dc6cf98556e2f5c4b008a31
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Fri Jul 24 10:35:13 2015 +0200

      pci: allow 0 address for PCI IO/MEM regions

      Some kernels program a 0 address for io regions. PCI 3.0 spec
      section 6.2.5.1 doesn't seem to disallow this.

      based on patch by Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

      Add pci_allow_0_addr in MachineClass to conditionally
      allow addr 0 for pseries, as this can break other architectures.

      This patch allows to hotplug PCI card in pseries machine, as the first
      added card BAR0 is always set to 0 address.

      This as a temporary hack, waiting to fix PCI memory priorities for more
      machine types...

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c8d163bc9e037ec32b2250b2d7950b1d1bc3fd61
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:55 2015 -0300

      pc: Remove redundant arguments from pc_memory_init()

      Remove arguments that can be found in PCMachineState.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 880768546eabea369068f30f22e5d26aa4c6970b
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:54 2015 -0300

      pc: Remove redundant arguments from pc_cmos_init()

      Remove arguments that can be found in PCMachineState.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit df1f79fdbb98f948f0f9d77a5a48a643026ef31d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:53 2015 -0300

      pc: Remove redundant arguments from *load_linux()

      Remove arguments that can be found in PCMachineState.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b9cfc918ddcbbb5d3b8c1a47675b927cc25eb632
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:52 2015 -0300

      pc: Use PCMachineState as pc_guest_info_init() argument

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c0aa4e1ecbcad29bb9f1d654f930300b975c3ba8
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:51 2015 -0300

      pc: Move {above,below}_4g_mem_size variables to PCMachineState

      This will make the info readily available for the other initialization
      functions, and will allow us to simplify their argument list.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 62b160c02ca46f0b5a06cc4416c47708c7ffd76b
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:50 2015 -0300

      pc: Use PCMachineState for pc_memory_init() argument

      pc_memory_init() already expects a PCMachineState object, there's no
      point in upcasting it to MachineState before calling the function.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 23d3040704e8e2a10f3e21e2c6594b3a8c7b20db
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:49 2015 -0300

      pc: Use PCMachineState for pc_cmos_init() argument

      pc_cmos_init() already expects a PCMachineState object, there's no point
      in upcasting it to MachineState before calling the function.

      While doing it, reorder the arguments so PCMachineState is the first
      function argument.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4458fb3a7993249f466662b18ccae75f1a313200
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:48 2015 -0300

      pc: Eliminate pc_default_machine_options()

      The only PC machines that didn't call pc_default_machine_options() were
      isaps and xenfv. Both were already overwriting max_cpus, and only isapc
      was not overwriting hot_add_cpu.

      After making isapc set hot_add_cpu to NULL, we can move the
      pc_default_machine_options() code the PC common class_init.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 41742767bfa8127954b6f57b39b590adcde3ac6c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:47 2015 -0300

      pc: Eliminate pc_common_machine_options()

      All TYPE_PC_MACHINE subclasses call pc_common_machine_options().
      TYPE_PC_MACHINE can simply initialize the common options on class_init
      directly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8170dfa077761ed979b45f608cf706253a764f0d
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:46 2015 -0300

      pc: Move PCMachineClass, PCMachineState to qemu/typedefs.h

      They will be used inside hw/xen/xen.h, which doesn't include
      hw/i386/pc.h.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ec68007a29bff36dab96ae3ea731c85b4b66fdca
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:45 2015 -0300

      pc: Rename pc_machine variables to pcms

      Make the code use the same variable name everywhere. "pcms" is already
      being used in existing code and it's shorter.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit dda65c7c4b9b4925bdd056c66d4e1ef5cf4a8fb8
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:44 2015 -0300

      pc: Use error_abort when registering properties

      No errors should happen when registering the properties, but we
      shouldn't silently ignore them if they happen.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e8963e5cecd4bb47ec3a7221ae591f278de6b5d0
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:43 2015 -0300

      target-i386: Remove x86_cpu_compat_set_features()

      The function is not used by PC code anymore and can be removed.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 27add3814157f5506672e85ff918d1b379ae8ac0
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:55:42 2015 -0300

      pc: Use PC_COMPAT_* for CPUID feature compatibility

      Now we can use compat_props to keep CPUID feature compatibility, using
      the boolean QOM properties for CPUID feature flags.

      This simplifies the compatibility code, and reduces duplication between
      pc_piix.c and pc_q35.c.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e33d22fab3ad64bedc1c9addb0a0fa437995c12a
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Aug 7 16:15:31 2015 -0300

      piix: Document coreboot-specific RAM size config register

      The existing i440fx initialization code sets a PCI config register that
      isn't documented anywhere in the Intel 440FX datasheet. Register 0x57 is
      DRAMC (DRAM Control) and has nothing to do with the RAM size.

      This was implemented in commit ec5f92ce6ac8ec09056be77e03c941be188648fa
      because old coreboot code tried to read registers 0x5a-0x5f,0x56,0x57 to
      get the RAM size from QEMU, but I couldn't find out why coreboot did
      that. I assume it was a mistake, and the original code was supposed to
      be reading the DRB[0-7] registers (offsets 0x60-0x67).

      Document that coreboot-specific register offset in a macro and a
      comment, for future reference.

      Cc: Ed Swierk <eswierk@xxxxxxxxxxxxxxxxxx>
      Cc: Richard Smith <smithbone@xxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 27fa7479801ac23609110535a997b2e3ed6eb867
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Sun Aug 9 12:39:59 2015 +0300

      make: load only required dependency files.

      The old rules.mak loads dependency .d files using include directive
      with file glob pattern "*.d". This breaks the build when build tree has
      left-over *.d files from another build.

      This patch fixes this by
        - loading precise list of .d files made from *.o and *.mo.
        - specifying explicit list of required dependency info files for
           *.hex autogenerated sources.

      Note that Makefile still includes some .d in root directory by including
      "*.d".

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 998b7b1db4f61ee2784d8e9050c3dda15abd4425
  Author: Victor Kaplansky <victork@xxxxxxxxxx>
  Date:   Sun Aug 9 12:39:53 2015 +0300

      make: fix where dependency *.d are stored.

      In rules like "bar/%.o: %.c" there is a difference between $(*D) and
      $(@D). $(*D) expands to '.', while $(@D) expands to 'bar'.  It is
      cleaner to generate *.d in the same directory where appropriate *.o
      resides. This allows precise including of dependency info from .d files.

      As a hack, we also touch two sources for generated *.hex files.  Without
      this hack, anyone doing "git pull; make" will not get *.hex rebuilt
      correctly since the dependency file would be missing.

      Signed-off-by: Victor Kaplansky <victork@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 425591e3effb0bdd4dec2a5b0d092009ee1a8f32
  Merge: ca0e5d8 f7a6785
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 12:04:24 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150813' into staging

      target-arm queue:
       * i.MX code cleanup/refactorings
       * i.MX UART fix to work with uninitialized chardev
       * minor GIC code refactorings
       * implement the ARM Secure physical timer
       * implement the ARM Hypervisor timer

      # gpg: Signature made Thu 13 Aug 2015 11:40:56 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150813: (27 commits)
        i.MX: Fix UART driver to work with unitialized "chardev" device
        hw/cpu/a15mpcore: Wire up hyp and secure physical timer interrupts
        hw/arm/virt: Wire up secure timer interrupt
        target-arm: Add AArch32 banked register access to secure physical timer
        target-arm: Add the AArch64 view of the Secure physical timer
        target-arm: Add debug check for mismatched cpreg resets
        Introduce gic_class_name() instead of repeating condition
        hw/arm/gic: Kill code duplication
        Merge memory_region_init_reservation() into memory_region_init_io()
        i.MX: Fix Coding style for GPT emulator
        i.MX: Split GPT emulator in a header file and a source file
        i.MX: Fix Coding style for EPIT emulator
        i.MX: Split EPIT emulator in a header file and a source file
        i.MX: Fix Coding style for CCM emulator
        i.MX: Split CCM emulator in a header file and a source file
        i.MX: Fix Coding style for AVIC emulator.
        i.MX: Split AVIC emulator in a header file and a source file
        i.MX:Fix Coding style for UART emulator.
        i.MX: Move serial initialization to init/realize of DeviceClass.
        i.MX: Split UART emulator in a header file and a source file
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f7a6785e12d834d05200b0595070db453344b25d
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      i.MX: Fix UART driver to work with unitialized "chardev" device

      The "chardev" property initialization might have failed (for example 
because
      there are not enough chardevs provided by QEMU).

      The serial device emulator needs to be able to work with an uninitialized
      (NULL) chardev device pointer.

      This patch adds some missing tests on the chr pointer value before
      using it.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1438342461-18967-1-git-send-email-jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5dfaa75b4d96fe88858a98d947b97e697e2811e6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      hw/cpu/a15mpcore: Wire up hyp and secure physical timer interrupts

      Since we now support both the hypervisor and the secure physical timer, 
wire
      their interrupt lines up in the a15mpcore wrapper object.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1437047249-2357-5-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit a007b1f85813ef6450ad3e761e46c189e3f40e04
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      hw/arm/virt: Wire up secure timer interrupt

      Wire up the secure timer interrupt. Since we've defined
      that the plain old physical timer is the NS timer, we can
      drop the now-out-of-date comment about QEMU not having TZ.

      Use a data-driven loop to wire up the timer interrupts, since
      we now have four of them and the code is the same for each.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1437047249-2357-4-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 9ff9dd3c875956523bb4c19ca712e5d05aab3c65
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      target-arm: Add AArch32 banked register access to secure physical timer

      If EL3 is AArch32, then the secure physical timer is accessed via
      banking of the registers used for the non-secure physical timer.
      Implement this banking.

      Note that the access controls for the AArch32 banked registers
      remain the same as the physical-timer checks; they are not the
      same as the controls on the AArch64 secure timer registers.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1437047249-2357-3-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit b4d3978c2fdf944e428a46d2850dbd950b6fbe78
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:22 2015 +0100

      target-arm: Add the AArch64 view of the Secure physical timer

      On CPUs with EL3, there are two physical timers, one for Secure and one
      for Non-secure. Implement this extra timer and the AArch64 registers
      which access it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1437047249-2357-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 49a661910c1374858602a3002b67115893673c25
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      target-arm: Add debug check for mismatched cpreg resets

      It's easy to accidentally define two cpregs which both try
      to reset the same underlying state field (for instance a
      clash between an AArch64 EL3 definition and an AArch32
      banked register definition). if the two definitions disagree
      about the reset value then the result is dependent on which
      one happened to be reached last in the hashtable enumeration.

      Add a consistency check to detect and assert in these cases:
      after reset, we run a second pass where we check that the
      reset operation doesn't change the value of the register.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436797559-20835-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit e6fbcbc4e57322a8de1307556e68a4cd6d0d8c8b
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      Introduce gic_class_name() instead of repeating condition

      This small inline returns correct GIC class name depending on whether we
      use KVM acceleration or not. Avoids duplicating the condition everywhere.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
4f26901be9b844b563673ce3ad08eeedbb7a7132.1438758065.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7926c210ab0c44fc3612461a50f487d16be98dca
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      hw/arm/gic: Kill code duplication

      Extracted duplicated initialization code from SW-emulated and KVM GIC
      implementations and put into gic_init_irqs_and_mmio()

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-id: 
8ea5b2781ef39cb5989420987fc73c70e377687d.1438758065.git.p.fedin@xxxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6d6d2abf2c2e52c0f404d0a31a963e945b0cc7ad
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      Merge memory_region_init_reservation() into memory_region_init_io()

      Just specifying ops = NULL in some cases can be more convenient than 
having
      two functions.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 
78a379ab1b6b30ab497db7971ad336dad1dbee76.1438758065.git.p.fedin@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 68b85290c7e23cfa159e1a5058d959814c6fa289
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:21 2015 +0100

      i.MX: Fix Coding style for GPT emulator

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
cc7d1589e774e87c346b75a6c25e07957f436ced.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d647b26dc68a71db89a0c431841f1532ef7502e9
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Split GPT emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
e32fba56b9dae3cc7c83726550514b2d0c890ae0.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 565328fcc35f34242b29182313e4d7cf525d9b1c
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Fix Coding style for EPIT emulator

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
d8d70683c6a48ac318c1635595619cfb0eb31681.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 951cd00e924ed06a72f4c2831f4cf7be9e6b90ef
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Split EPIT emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
948927cab0c85da9a753c5f6d5501323d5604c8e.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c14875b2e1b70b470492a000e0bc0b19978d34a2
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Fix Coding style for CCM emulator

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
ff0b6720b1c55204e663f07be47c0203f6871084.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 282e74c83fd8af08d14fb1220a960e34b60e505f
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Split CCM emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
b1d6f990229b2608bbaba24f4ff359571c0b07da.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dbeedce78eea56ac4d482722291d6a7ebfd414d2
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:20 2015 +0100

      i.MX: Fix Coding style for AVIC emulator.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
01e1d9026220992405819f25640ebd5bb843fc93.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f250c6a7510e0069fdc7fd1fb76700db4daa9ddd
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      i.MX: Split AVIC emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
06829257e845d693be05c7d491134313c1615d1a.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fa2650a37e58877d889a726a47aadbf4578ef87e
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      i.MX:Fix Coding style for UART emulator.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
23ab872b7cd30b1399384fb26a2ebb75e9761d7b.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f6c64000f966d17ef1bead1e066f039d0be64d74
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      i.MX: Move serial initialization to init/realize of DeviceClass.

      Move constructor to DeviceClass methods
       * imx_serial_init
       * imx_serial_realize

      imx32_serial_properties is renamed to imx_serial_properties.

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-id: 
6854bd75e2b5af312e04e760587e249dbaff807f.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cd0bda20874d65b5ac4ab6e69d3eec4f095a924b
  Author: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      i.MX: Split UART emulator in a header file and a source file

      Signed-off-by: Jean-Christophe Dubois <jcd@xxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a51ef50fa222a614169056d5389a6d3ed6a63b04.1437080501.git.jcd@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a5c6a584a74c9c66a07a2ce019bbdd3bcf4e4909
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:19 2015 +0100

      hw/arm/virt: Connect the Hypervisor timer

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436791864-4582-8-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0e3e858f6a88b3c3befe9c98227aec846c01d9a1
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      hw/arm/virt: Replace magic IRQ constants with macros

      Replace magic constants with macros from
      hw/arm/virt.h and hw/intc/arm_gic_common.h.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436791864-4582-7-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b0e66d95e4f587b5818d2760668301ee0871ba5e
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      target-arm: Add the Hypervisor timer

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1436791864-4582-6-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0e3eca4c26d6aa4f082db8e63fd81a16df061f3c
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      target-arm: Pass timeridx as argument to various timer functions

      Prepare for adding the Hypervisor timer, no functional change.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1436791864-4582-5-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d57b9ee84f6b2786f025712609edb259d0de086d
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      target-arm: Rename and move gt_cnt_reset

      Rename gt_cnt_reset to gt_timer_reset as the function really
      resets the timers and not the counters. Move the registration
      from counter regs to timer regs.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1436791864-4582-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0b6440afb807a80c6d64dcc987bcfed87e1ace17
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:18 2015 +0100

      target-arm: Add CNTHCTL_EL2

      Adds control for trapping selected timer and counter accesses to EL2.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436791864-4582-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit edac4d8a168b9c0c4a765bbc5507e46fa5557b78
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Thu Aug 13 11:26:17 2015 +0100

      target-arm: Add CNTVOFF_EL2

      Adds support for the virtual timer offset controlled by EL2.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1436791864-4582-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca0e5d8b0d065a95d0f9042f71b2ace45b015596
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 11 23:15:55 2015 +0100

      Open 2.5 development tree

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5c79ae3615d5dafdf1bb09b7a356a3a005714e3d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 11 15:30:34 2015 +0100

      Update version for v2.4.0 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b4a4b8d0e0767c85946fd8fc404643bf5766351a
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Jul 5 14:08:53 2015 -0700

      cpu_defs: Simplify CPUTLB padding logic

      There was a complicated subtractive arithmetic for determining the
      padding on the CPUTLBEntry structure. Simplify this with a union.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<1436130533-18565-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 02d57ea115b7669f588371c86484a2e8ebc369be
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Tue Jun 30 12:35:09 2015 +0300

      cpu-exec: Do not invalidate original TB in cpu_exec_nocache()

      Instead of invalidating an original TB in cpu_exec_nocache()
      prematurely, just save a link to it in the temporary generated TB. If
      cpu_io_recompile() is raised subsequently from the temporary TB,
      invalidate the original one as well. That allows reusing the original TB
      each time cpu_exec_nocache() is called to handle expired instruction
      counter in icount mode.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-Id: <1435656909-29116-1-git-send-email-serge.fdrv@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit cae98cb87d269c33d23b2bccd79bb8d99a60d811
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 1 15:45:50 2015 +0100

      block/mirror: limit qiov to IOV_MAX elements

      If mirror has more free buffers than IOV_MAX, preadv(2)/pwritev(2)
      EINVAL failures may be encountered.

      It is possible to trigger this by setting granularity to a low value
      like 8192.

      This patch stops appending chunks once IOV_MAX is reached.

      The spurious EINVAL failure can be reproduced with a qcow2 image file
      and the following QMP invocation:

        qmp.command('drive-mirror', device='virtio0', target='/tmp/r7.s1',
                    granularity=8192, sync='full', mode='absolute-paths',
                    format='raw')

      While the guest is running dd if=/dev/zero of=/var/tmp/foo oflag=direct
      bs=4k.

      Cc: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1435761950-26714-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 2d697366a14ce95da2e9a59ea9872d3034eb49e4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 5 17:02:58 2015 +0100

      Update version for v2.4.0-rc4 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0175409df42c20257171df87657dd705558aa94d
  Merge: e94867e 74aae7b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Aug 5 16:02:00 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio fix for 2.4

      Fixes migration in virtio 1 mode.
      We still have a known bug with memory hotplug, it doesn't
      look like we can fix that in time for 2.4.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Wed 05 Aug 2015 15:57:39 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        virtio: fix 1.0 virtqueue migration

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e94867ed5f241008d0f53142b2704a075f9ed505
  Author: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Aug 4 16:48:25 2015 +0200

      block: don't register quorum driver if SHA256 support is unavailable

      Commit 488981a4 [block: convert quorum blockdrv to use crypto APIs]
      broke qemu-iotest 041 on hosts with GnuTLS < 2.10.0. It converted a
      compile-time check to a run-time check at device open time. The result
      is that we now advertise a feature (the quorum block driver) that will
      never work (on those hosts). There's no way (short of parsing
      human-readable error messages) for qemu-iotests or any other API
      consumer to recognise that the quorum block driver isn't _actually_
      available and shouldn't be used or tested.

      Move the run-time check to bdrv_quorum_init() to avoid registering the
      quorum block driver if we know it cannot work. This way API consumers
      can recognise it's unavailable.

      Fixes: 488981a4af396551a3178d032cc2b41d9553ada2
      Signed-off-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1438699705-21761-1-git-send-email-silbe@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 74aae7b22b8a67cf31937b2f4bdefe2881e799e9
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Wed Aug 5 17:50:07 2015 +0800

      virtio: fix 1.0 virtqueue migration

      1.0 does not requires physically-contiguous pages layout for a
      virtqueue. So we could not infer avail and used from desc. This means
      we need to migrate vring.avail and vring.used when host support virtio
      1.0. This fixes malfunction of virtio 1.0 device after migration.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 92e11a17612108b1729bde4ce61aad0cc1ce5889
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Aug 4 11:22:13 2015 +0100

      throttle: add throttle_max_is_missing_limit() test

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1438683733-21111-3-git-send-email-stefanha@xxxxxxxxxx

  commit ee2bdc33c913b7d765baa5aa338c29fb30a05c9a
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Aug 4 11:22:12 2015 +0100

      throttle: refuse bps_max/iops_max without bps/iops

      The bps_max/iops_max values are meaningless without corresponding
      bps/iops values.  Reported an error if bps_max/iops_max is given without
      bps/iops.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1438683733-21111-2-git-send-email-stefanha@xxxxxxxxxx

  commit 2be4f242b50a84bf360df02480b173bfed161107
  Merge: 426d0e7 27751aa
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 4 16:51:24 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-08-04

      # gpg: Signature made Tue 04 Aug 2015 16:49:42 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: fix IvyBridge xlevel in PC_COMPAT_2_3

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 27751aabd1e0359d84314bc230beccdef2168d1f
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Tue Aug 4 16:17:21 2015 +0200

      target-i386: fix IvyBridge xlevel in PC_COMPAT_2_3

      Previous patch changed xlevel and missed the compatibility code.

      Fixes: 3046bb5debc8 ("target-i386: emulate CPUID level of real hardware")
      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 426d0e7b7e031a1592292b3eb275483b341a2f28
  Merge: 260425a b7f26e5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Aug 4 12:57:06 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150804' into 
staging

      MIPS patches 2015-08-04

      Changes:
      * fix semihosting for microMIPS R6
      * fix an abort when booting mips64 kernel with --enable-tcg-debug

      # gpg: Signature made Tue 04 Aug 2015 12:32:17 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150804:
        target-mips: Copy restrictions from ext/ins to dext/dins
        target-mips: fix semihosting for microMIPS R6

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b7f26e523914b982a1c1bfa8295f77ff9787c33c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 3 12:35:53 2015 -0700

      target-mips: Copy restrictions from ext/ins to dext/dins

      The checks in dins is required to avoid triggering an assertion
      in tcg_gen_deposit_tl.  The check in dext is just for completeness.
      Fold the other D cases in via fallthru.

      In this case the errant dins appears to be data, not code, as
      translation failed to stop after a break insn.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 060ebfef1a09b58fb219b3769b72efb407515bf1
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Mon Aug 3 13:01:19 2015 +0100

      target-mips: fix semihosting for microMIPS R6

      In semihosting mode the SDBBP 1 instructions should trigger UHI syscall,
      but in QEMU this does not happen for recently added microMIPS R6.
      Consequently bare metal microMIPS R6 programs supporting UHI will not run.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 8887f84c54f6e74124544d1700a205e5b6821b3d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Jul 17 15:25:54 2015 +0800

      tests: test rx recovery from cont

      Rx should be recovered after cont.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1437117954-16342-2-git-send-email-jasowang@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2af40254bf0cb49c50656eb8be172e111c9c70c6
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Jul 17 15:25:53 2015 +0800

      tests: introduce basic pci test for virtio-net

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1437117954-16342-1-git-send-email-jasowang@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b9f7c377df4f04e9119cb0e917438dd37ef34029
  Author: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 28 21:44:50 2015 +0300

      net/vmxnet3: Fix incorrect debug message

      From: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>

      In commit 80da311d81,
         "net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets"
      a debug message was introduced in vmxnet3_rx_need_csum_calculate() for
      an unlikely input condition.

      The message accidentally printed 'len' variable instead of 'pkt_len'.
      Fix, providing the correct argument.

      Signed-off-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Message-id: 
1438109090-18957-1-git-send-email-shmulik.ladkani@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 260425ab405ea76c44dd59744d05176d4f579a52
  Merge: e95edef 6cd3878
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 18:52:55 2015 +0100

      Merge remote-tracking branch 'remotes/sstabellini/tags/cve-2015-5166-tag' 
into staging

      cve-2015-5166

      # gpg: Signature made Mon 03 Aug 2015 15:27:44 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/cve-2015-5166-tag:
        Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e95edefbd0559e1d0aa09549641b5d9af1f96fac
  Merge: f60c871 8c6dc68
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 17:33:35 2015 +0100

      Merge remote-tracking branch 
'remotes/sstabellini/tags/xen-migration-2.4-tag' into staging

      xen-migration-2.4

      # gpg: Signature made Mon 03 Aug 2015 17:18:36 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-migration-2.4-tag:
        migration: Fix regression for xenfv and pc,accel=xen machine.
        migration: Fix global state with Xen.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8c6dc68f4cff9eef870497a19a5373dde9dbdcc2
  Author: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  Date:   Mon Aug 3 15:29:21 2015 +0100

      migration: Fix regression for xenfv and pc,accel=xen machine.

      This fix migration from the same QEMU version and from previous QEMU
      version.

      >From the global state section, we don't need runstate with Xen. Right 
now,
      the way the Xen toolstack knows when QEMU is ready is when QEMU reach
      "running" runstate.

      The configuration section and the section footers are not going to be
      present in previous version of QEMU with xenfv machine, so we skip them.

      The Xen toolstack libxenlight does not specify a particular version of the
      'pc' machine, so migration from older version of QEMU used by Xen to newer
      one would break due to missing "configuration" section and section 
footers.

      Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit c69adea462a97c02001b2dd1edd2a0692d27f5a2
  Author: Anthony PERARD <anthony.perard@xxxxxxxxxx>
  Date:   Mon Aug 3 15:29:19 2015 +0100

      migration: Fix global state with Xen.

      When doing migration via the QMP command xen_save_devices_state, the
      current runstate is not store into the global state section. Also the
      current runstate is not the one we want on the receiver side.

      During migration, the Xen toolstack paused QEMU before save the devices
      state. Also, the toolstack expect QEMU to autostart when the migration is
      finished.
      So this patch store "running" as it's current runstate.

      Signed-off-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit f60c87154ac722c528fd5582f7137914a93c5eec
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Fri Jul 24 16:47:37 2015 +0200

      configure: Drop vnc-ws feature from help text

      Commit 8e9b0d2 (ui: convert VNC websockets to use crypto APIs) dropped
      the --enable-vnc-ws option but forgot to update the help text. Fix this.

      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1437749257-3313-1-git-send-email-afaerber@xxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6cd387833d05e8ad31829d97e474dc420625aed9
  Author: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
  Date:   Mon Aug 3 13:56:57 2015 +0000

      Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)

      pci_piix3_xen_ide_unplug should completely unhook the unplugged
      IDEDevice from the corresponding BlockBackend, otherwise the next call
      to release_drive will try to detach the drive again.

      Suggested-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 2a3612ccc1fa9cea77bd193afbfe21c77e7e91ef
  Merge: bd80b59 8357946
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 13:09:10 2015 +0100

      Merge remote-tracking branch 
'remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request' into 
staging

      Pull request

      # gpg: Signature made Mon Aug  3 13:08:25 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/rtl8139-cplus-tx-input-validation-pull-request:
        rtl8139: check TCP Data Offset field (CVE-2015-5165)
        rtl8139: skip offload on short TCP header (CVE-2015-5165)
        rtl8139: check IP Total Length field (CVE-2015-5165)
        rtl8139: check IP Header Length field (CVE-2015-5165)
        rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
        rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
        rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8357946b15f0a31f73dd691b7da95f29318ed310
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:39:29 2015 +0100

      rtl8139: check TCP Data Offset field (CVE-2015-5165)

      The TCP Data Offset field contains the length of the header.  Make sure
      it is valid and does not exceed the IP data length.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4240be45632db7831129f124bcf53c1223825b0f
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:36:15 2015 +0100

      rtl8139: skip offload on short TCP header (CVE-2015-5165)

      TCP Large Segment Offload accesses the TCP header in the packet.  If the
      packet is too short we must not attempt to access header fields:

        tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
        int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c6296ea88df040054ccd781f3945fe103f8c7c17
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:34:40 2015 +0100

      rtl8139: check IP Total Length field (CVE-2015-5165)

      The IP Total Length field includes the IP header and data.  Make sure it
      is valid and does not exceed the Ethernet payload size.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 03247d43c577dfea8181cd40177ad5ba77c8db76
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:32:32 2015 +0100

      rtl8139: check IP Header Length field (CVE-2015-5165)

      The IP Header Length field was only checked in the IP checksum case, but
      is used in other cases too.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e1c120a9c54872f8a538ff9129d928de4e865cbd
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 14:30:37 2015 +0100

      rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)

      Transmit offload features access Ethernet and IP headers the packet.  If
      the packet is too short we must not attempt to access header fields:

        int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
        ...
        eth_payload_data = saved_buffer + ETH_HLEN;
        ...
        ip = (ip_header*)eth_payload_data;
        if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d6812d60e7932de3cd0f602c0ee63dd3d09f1847
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:17:28 2015 +0100

      rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)

      The previous patch stopped using the ip pointer as an indicator that the
      IP header is present.  When we reach the if (ip) {...} statement we know
      ip is always non-NULL.

      Remove the if statement to reduce nesting.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 39b8e7dcaf04cbdb926b478f825b160d852752b5
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 15 17:13:32 2015 +0100

      rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)

      Transmit offload needs to parse packet headers.  If header fields have
      unexpected values the offload processing is skipped.

      The code currently uses nested ifs because there is relatively little
      input validation.  The next patches will add missing input validation
      and a goto label is more appropriate to avoid deep if statement nesting.

      Reported-by: ��海(�路) <donghai.zdh@xxxxxxxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit bd80b5963f58c601f31d3186b89887bf8e182fb5
  Merge: ff90f84 c99d696
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 11:44:07 2015 +0100

      Merge remote-tracking branch 
'remotes/aurel/tags/pull-tcg-mips-s390-20150803' into staging

      TCG MIPS and S390 fixes for 2.4.

      # gpg: Signature made Mon Aug  3 09:09:59 2015 BST using RSA key ID 
1DDD8C9B
      # gpg: Good signature from "Aurelien Jarno <aurelien@xxxxxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurelien@xxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurel32@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 
8C9B

      * remotes/aurel/tags/pull-tcg-mips-s390-20150803:
        tcg/mips: fix add2
        tcg/s390x: Mask TCGMemOp appropriately for indexing
        tcg/mips: Mask TCGMemOp appropriately for indexing
        tcg/mips: fix TLB loading for BE host with 32-bit guests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff90f84e74d7c8641a493585ba9ea8d6e0d19855
  Merge: cb48f67 91ced51
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Aug 3 10:44:23 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri Jul 31 23:24:06 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        ahci: fix ICC mask definition
        macio: re-add TRIM support

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c99d69694af4ed15b33e3f7c2e3ef6972c14358d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 31 16:38:25 2015 +0200

      tcg/mips: fix add2

      The add2 code in the tcg_out_addsub2 function doesn't take into account
      the case where rl == al == bl. In that case we can't compute the carry
      after the addition. As it corresponds to a multiplication by 2, the
      carry bit is the bit 31.

      While this is a corner case, this prevents x86-64 guests to boot on a
      MIPS host.

      Cc: qemu-stable@xxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 3c8691f568f49bf623dcb2850464d4156d95e61b
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jul 30 22:13:26 2015 +0200

      tcg/s390x: Mask TCGMemOp appropriately for indexing

      Commit 2b7ec66f fixed TCGMemOp masking following the MO_AMASK addition,
      but two cases were forgotten in the TCG S390 backend.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 4214a8cb7c15ec43d4b2a43ebf248b273a0f4d45
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jul 30 22:11:51 2015 +0200

      tcg/mips: Mask TCGMemOp appropriately for indexing

      Commit 2b7ec66f fixed TCGMemOp masking following the MO_AMASK addition,
      but two cases were forgotten in the TCG MIPS backend.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit e72c4fb81db52be881c9356f1c60e0a7817d2d32
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jul 30 23:39:34 2015 +0200

      tcg/mips: fix TLB loading for BE host with 32-bit guests

      For 32-bit guest, we load a 32-bit address from the TLB, so there is no
      need to compensate for the low or high part. This fixes 32-bit guests on
      big-endian hosts.

      Cc: qemu-stable@xxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 91ced514461e1a533bfb9e2eea32bd7df678b1cd
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Jul 21 14:02:01 2015 -0400

      ahci: fix ICC mask definition

      There are likely others that could be updated, but we'll
      go with a light touch for 2.4 for now.

      Without the Unsigned specifier, this shifts bits into the
      signed bit, which makes clang unhappy and could cause
      unwanted behavior.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1437501721-24495-1-git-send-email-jsnow@xxxxxxxxxx

  commit 0e826a061a3e8e8485488a7da02cc139fc07d620
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jul 29 21:27:48 2015 +0200

      macio: re-add TRIM support

      Commit bd4214fc dropped TRIM support by mistake. Given it is still
      advertised to the host when using a drive with discard=on, this cause
      the IDE bus to hang when the host issues a TRIM command.

      This patch fixes that by re-adding the TRIM code, ported to the new
      new DMA implementation.

      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-id: 1438198068-32428-1-git-send-email-aurelien@xxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit af103c9310b7ab56a2552965d9d1274b0024f27b
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Thu Jul 30 15:29:59 2015 +0200

      vhost/scsi: call vhost_dev_cleanup() at unrealize() time

      vhost-scsi calls vhost_dev_init() at realize() time
      but forgets to call it's counterpart vhost_dev_cleanup()
      at unrealize() time.

      Calling it should fix leaking of memory table and
      mem_sections table in vhost device. And also unregister
      vhost's memory listerner to prevent access from
      memory core to freed memory.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-Id: <1438262999-287627-1-git-send-email-imammedo@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 975b66555cb56af453c6852e7e821e2451700527
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 29 16:45:12 2015 +0800

      virtio-scsi-test: Add test case for tail unaligned WRITE SAME

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1438159512-3871-3-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a56537a12757a8cdee24ad8c83e5af7a9833ea70
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 29 16:45:11 2015 +0800

      scsi-disk: Fix assertion failure on WRITE SAME

      The last portion of an unaligned WRITE SAME command could fail the
      assertion in bdrv_aligned_pwritev:

          assert(!qiov || bytes == qiov->size);

      Because we updated data->iov.iov_len right above this if block, but
      data->qiov still has the old size.

      Reinitialize the qiov to make them equal and keep block layer happy.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1438159512-3871-2-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4bb7b0daf8ea34bcc582642d35a2e4902f7841db
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 30 14:16:13 2015 +0100

      tests: virtio-scsi: clear unit attention after reset

      The unit attention after reset (power on) prevents normal commands from
      running.  The unaligned WRITE SAME test never executed its command!

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1438262173-11546-4-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c85a7a0057ca454607a40cde991d495e0deec34d
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 30 14:16:12 2015 +0100

      scsi-disk: fix cmd.mode field typo

      The cmd.xfer field is the data length.  The cmd.mode field is the data
      transfer direction.

      scsi_handle_rw_error() was using the wrong error policy for read
      requests.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1438262173-11546-3-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1cc933453bf2baae1feb7c8e757bdfd0ef639002
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 30 14:16:11 2015 +0100

      virtio-scsi: use virtqueue_map_sg() when loading requests

      The VirtQueueElement struct is serialized during migration but the
      in_sg[]/out_sg[] iovec arrays are not usable on the destination host
      because the pointers are meaningless.

      Use virtqueue_map_sg() to refresh in_sg[]/out_sg[] to valid pointers
      based on in_addr[]/out_addr[] hwaddrs.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1438262173-11546-2-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit cb48f67ad8c7b33c617d4f8144a27706e69fd688
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed Jul 29 11:40:52 2015 -0700

      bsd-user: Fix operand to cpu_x86_exec

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1438195252-21968-1-git-send-email-rth@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7008d580acad326148a725bd20695882ba10247a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 29 18:50:11 2015 +0100

      Update version for v2.4.0-rc3 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 46739a2d7ace71b43cacf73ea71c10429db0d5e8
  Merge: b83d017 ca96ac4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 29 17:08:38 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      Pull request

      These fixes make dataplane work again after the notify_me optimization was
      added.  They also solve QEMUBH memory leaks and fix a bug in dataplane's
      cleanup code.

      # gpg: Signature made Wed Jul 29 14:50:26 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        AioContext: force event loop iteration using BH
        AioContext: avoid leaking BHs on cleanup
        virtio-blk-dataplane: delete bottom half before the AioContext is freed

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca96ac44dcd290566090b2435bc828fded356ad9
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Jul 28 18:34:09 2015 +0200

      AioContext: force event loop iteration using BH

      The notify_me optimization introduced in commit eabc97797310
      ("AioContext: fix broken ctx->dispatching optimization") skips
      event_notifier_set() calls when the event loop thread is not blocked in
      ppoll(2).

      This optimization causes a deadlock if two aio_context_acquire() calls
      race.  notify_me = 0 during the race so the winning thread can enter
      ppoll(2) unaware that the other thread is waiting its turn to acquire
      the AioContext.

      This patch forces ppoll(2) to return by scheduling a BH instead of
      calling aio_notify().

      The following deadlock with virtio-blk dataplane is fixed:

        qemu ... -object iothread,id=iothread0 \
                 -drive if=none,id=drive0,file=test.img,... \
                 -device virtio-blk-pci,iothread=iothread0,drive=drive0

      This command-line results in a hang early on without this patch.

      Thanks to Paolo Bonzini <pbonzini@xxxxxxxxxx> for investigating this bug
      with me.

      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1438101249-25166-4-git-send-email-pbonzini@xxxxxxxxxx
      Message-Id: <1438014819-18125-3-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a076972a4d36381d610a854f0c336507650a1d34
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Jul 28 18:34:08 2015 +0200

      AioContext: avoid leaking BHs on cleanup

      BHs are freed during aio_bh_poll().  This leads to memory leaks if there
      is no aio_bh_poll() between qemu_bh_delete() and aio_ctx_finalize().

      Suggested-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1438101249-25166-3-git-send-email-pbonzini@xxxxxxxxxx
      Message-Id: <1438014819-18125-2-git-send-email-stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fed105e2756dde98efa5e80baca02ae516dd1e51
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 28 18:34:07 2015 +0200

      virtio-blk-dataplane: delete bottom half before the AioContext is freed

      Other uses of aio_bh_new are safe as long as all scheduled bottom
      halves are run before an iothread is destroyed, which bdrv_drain will
      ensure:

      - archipelago_finish_aiocb: BH deletes itself

      - inject_error: BH deletes itself

      - blkverify_aio_bh: BH deletes itself

      - abort_aio_request: BH deletes itself

      - curl_aio_readv: BH deletes itself

      - gluster_finish_aiocb: BH deletes itself

      - bdrv_aio_rw_vector: BH deletes itself

      - bdrv_co_maybe_schedule_bh: BH deletes itself

      - iscsi_schedule_bh, iscsi_co_generic_cb: BH deletes itself

      - laio_attach_aio_context: deleted in laio_detach_aio_context,
      called through bdrv_detach_aio_context before deleting the iothread

      - nfs_co_generic_cb: BH deletes itself

      - null_aio_common: BH deletes itself

      - qed_aio_complete: BH deletes itself

      - rbd_finish_aiocb: BH deletes itself

      - dma_blk_cb: BH deletes itself

      - virtio_blk_dma_restart_cb: BH deletes itself

      - qemu_bh_new: main loop AioContext is never destroyed

      - test-aio.c: bh_delete_cb deletes itself, otherwise deleted in
      the same function that calls aio_bh_new

      Reported-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1438101249-25166-2-git-send-email-pbonzini@xxxxxxxxxx
      Message-Id: <1438086628-13000-1-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b83d017d88b2c4710c7a4614ecf9f845e4db80ba
  Merge: 170f209 7bba83b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 19:02:04 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      Pull request

      These two .can_receive() are now reviewed.  The net subsystem queue for 
2.4 is now empty.

      # gpg: Signature made Tue Jul 28 13:26:03 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        xen: Drop net_rx_ok
        hw/net: handle flow control in mcf_fec driver receiver

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 170f209d7848dc2f14b3f3dccc34a49558680d4d
  Merge: 8b89b3a c147b51
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 17:09:56 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio fixes for 2.4

      Mostly virtio 1 spec compliance fixes.
      We are unlikely to make it perfectly compliant in
      the first release, but it seems worth it to try.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jul 27 21:55:48 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        virtio: minor cleanup
        acpi: fix pvpanic device is not shown in ui
        virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device
        virtio-blk: fail get_features when both scsi and 1.0 were set
        virtio: get_features() can fail
        virtio-pci: fix memory MR cleanup for modern
        virtio: set any_layout in virtio core
        virtio-9p: fix any_layout
        virtio-serial: fix ANY_LAYOUT
        virtio: hide legacy features from modern guests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8b89b3a8df0a7d1ddbc9744f66a495986af667ca
  Merge: 5e868d2 52579c6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 15:25:24 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150728' into 
staging

      MIPS patches 2015-07-28

      Changes:
      * net/dp8393x fixes
      * Vectored Interrupts bug fix
      * fix for a bug in machine.c which was provoking a warning on FreeBSD

      # gpg: Signature made Tue Jul 28 10:47:19 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150728:
        net/dp8393x: do not use memory_region_init_rom_device with NULL
        net/dp8393x: remove check of runt packets
        net/dp8393x: disable user creation
        target-mips: fix offset calculation for Interrupts
        target-mips: fix passing incompatible pointer type in machine.c

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5e868d2e5e4aff76bdef787e44bc2d1eca18901f
  Merge: 9f8c5b6 52c91da
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 14:19:16 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * crypto fixes
      * megasas SIGSEGV fix
      * memory refcount change to fix virtio hot-unplug

      # gpg: Signature made Tue Jul 28 08:29:07 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        memory: do not add a reference to the owner of aliased regions
        megasas: Add write function to handle write access to PCI BAR 3
        crypto: extend unit tests to cover decryption too
        crypto: fix built-in AES decrypt function

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9f8c5b69c2b9ca8b9c3e569b0f41bd60a0b9e9fe
  Merge: 776f878 325e390
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 13:22:57 2015 +0100

      Merge remote-tracking branch 
'remotes/cody/tags/jtc-for-upstream-pull-request' into staging

      # gpg: Signature made Tue Jul 28 05:22:29 2015 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 
3057

      * remotes/cody/tags/jtc-for-upstream-pull-request:
        block/ssh: Avoid segfault if inet_connect doesn't set errno.
        sheepdog: serialize requests to overwrapping area

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7bba83bf80eae9c9e323319ff40d0ca477b0a77a
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue Jul 28 17:52:56 2015 +0800

      xen: Drop net_rx_ok

      Let net_rx_packet() (which checks the same conditions) drops the packet
      if the device is not ready. Drop net_xen_info.can_receive and update the
      return value for the buffer full case.

      We rely on the qemu_flush_queued_packets() in net_event() to wake up
      the peer when the buffer becomes available again.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1438077176-378-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 776f87845137a9b300a4815ba6bf6879310795aa
  Merge: 84a29c7 226d007
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 11:28:44 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-07-27' into staging

      trivial patches for 2015-07-27

      # gpg: Signature made Mon Jul 27 20:50:14 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-07-27:
        gdbstub: Set current CPU on interruptions
        qapi: add missing @
        Fix Cortex-A9 global timer
        gitignore: Ignore shader generated files
        vmstate: remove unused declaration
        make: Clean build messages
        qemu-common.h: Document cutils.c string functions
        device_tree: Fix a typo
        hw/acpi/ich9: clean up stale comment about KVM not supporting SMM
        hw/acpi/ich9: clear smi_en on reset

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff1d2ac949dc94d8a0e71fd46939fb69c2ef075b
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Tue Jul 28 11:02:54 2015 +1000

      hw/net: handle flow control in mcf_fec driver receiver

      The network mcf_fec driver emulated receive side method is not dealing
      with network queue flow control properly.

      Modify the receive side to check if we have enough space in the
      descriptors to store the current packet. If not we process none of it
      and return 0. When the guest frees up some buffers through its descriptors
      we signal the qemu net layer to send more packets.

      [Fixed coding style: 4-space indent and curly braces on if statement.
      --Stefan]

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Message-id: 1438045374-10358-1-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 52579c681cb12bf64de793e85edc50d990f4d42f
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Sun Jul 26 22:32:55 2015 +0200

      net/dp8393x: do not use memory_region_init_rom_device with NULL

      Replace memory_region_init_rom_device() with memory_region_init_ram() and
      memory_region_set_readonly().
      This fixes a guest-triggerable QEMU crash when guest tries to write to 
PROM.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: shorten subject length]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 30dfa9a46cd845db3f43f5c11b129f4a50941b02
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Fri Jul 24 20:42:23 2015 +0200

      net/dp8393x: remove check of runt packets

      Ethernet requires that messages are at least 64 bytes on the wire. This
      limitation does not exist on emulation (no wire message), so remove the
      check. Netcard is now able to receive small network packets.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f6351288b65130deb8102b17143f5d84f817a02a
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Fri Jul 24 20:42:21 2015 +0200

      net/dp8393x: disable user creation

      Netcard needs an address space to write data to, which can't be specified
      on command line.
      This fixes a crash when user starts QEMU with "-device dp8393x"

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 84a29c7efd02baa97b0d60d1e59e8357f7a5e0f1
  Merge: f8787f8 77c102c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 28 09:11:48 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches for 2.4.0-rc3

      # gpg: Signature made Mon Jul 27 16:19:17 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        block: qemu-iotests - add check for multiplication overflow in vpc
        block: vpc - prevent overflow if max_table_entries >= 0x40000000

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit da52a4dfcc4864fd2260ec4eab331f75b1f0240b
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Fri Jul 10 12:10:02 2015 +0100

      target-mips: fix offset calculation for Interrupts

      Correct computation of vector offsets for EXCP_EXT_INTERRUPT.
      For instance, if Cause.IV is 0 the vector offset should be 0x180.

      Simplify the finding vector number logic for the Vectored Interrupts.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: cosmetic changes]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 8bcbb834a015432bfb4d09a883c21f017eadd978
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Wed Jul 22 14:59:23 2015 +0100

      target-mips: fix passing incompatible pointer type in machine.c

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 325e3904210c779a13fbbc9ee156056d045d7eee
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Wed Jul 22 14:27:47 2015 +0100

      block/ssh: Avoid segfault if inet_connect doesn't set errno.

      On some (but not all) systems:

        $ qemu-img create -f qcow2 overlay -b ssh://xen/
        Segmentation fault

      It turns out this happens when inet_connect returns -1 in the
      following code, but errno == 0.

        s->sock = inet_connect(s->hostport, errp);
        if (s->sock < 0) {
            ret = -errno;
            goto err;
        }

      In the test case above, no host called "xen" exists, so getaddrinfo fails.

      On Fedora 22, getaddrinfo happens to set errno = ENOENT (although it
      is *not* documented to do that), so it doesn't segfault.

      On RHEL 7, errno is not set by the failing getaddrinfo, so ret =
      -errno = 0, so the caller doesn't know there was an error and
      continues with a half-initialized BDRVSSHState struct, and everything
      goes south from there, eventually resulting in a segfault.

      Fix this by setting ret to -EIO (same as block/nbd.c and
      block/sheepdog.c).  The real error is saved in the Error** errp
      struct, so it is printed correctly:

        $ ./qemu-img create -f qcow2 overlay -b ssh://xen/
        qemu-img: overlay: address resolution failed for xen:22: No address 
associated with hostname

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reported-by: Jun Li
      BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1147343
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 6a55c82cece217ab99ed95a412fa7ddf5d5f257b
  Author: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
  Date:   Sat Jul 18 01:44:24 2015 +0900

      sheepdog: serialize requests to overwrapping area

      Current sheepdog driver only serializes create requests in oid
      unit. This mechanism isn't enough for handling requests to
      overwrapping area spanning multiple oids, so it can result bugs like
      below:
      https://bugs.launchpad.net/sheepdog-project/+bug/1456421

      This patch adds a new serialization mechanism for the problem. The
      difference from the old one is:
      1. serialize entire aiocb if their targetting areas overwrap
      2. serialize all requests (read, write, and discard), not only creates

      This patch also removes the old mechanism because the new one can be
      an alternative.

      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Teruaki Ishizaki <ishizaki.teruaki@xxxxxxxxxxxxx>
      Cc: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Signed-off-by: Hitoshi Mitake <mitake.hitoshi@xxxxxxxxxxxxx>
      Tested-by: Vasiliy Tolstov <v.tolstov@xxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 52c91dac6bd891656f297dab76da51fc8bc61309
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 27 16:29:56 2015 +0200

      memory: do not add a reference to the owner of aliased regions

      Very often the owner of the aliased region is the same as the owner of 
the alias
      region itself.  When this happens, the reference count can never go back 
to 0 and
      the owner is leaked.  This is for example breaking hot-unplug of 
virtio-pci
      devices (the device cannot be plugged back again with the same id).

      Another common use for alias is to transform the system I/O address space
      into an MMIO regions; in this case the aliased region never dies, so there
      is no problem.  Otherwise the owner is always the same for aliasing
      and aliased region.

      I checked all calls to memory_region_init_alias introduced after commit
      dfde4e6 (memory: add ref/unref calls, 2013-05-06) and they do not need the
      reference in order to keep the owner of the aliased region alive.

      Reported-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 55875fc4ca45a35e36134663ade946d86fe7bfcd
  Author: Salva Peiró <speirofr@xxxxxxxxx>
  Date:   Mon Jul 27 10:51:52 2015 +0200

      megasas: Add write function to handle write access to PCI BAR 3

      This patch fixes a QEMU SEGFAULT when a write operation is performed on
      the memory region of the PCI BAR 3 (base address space).
      When a writeb(0xe0000000) is performed the .write function is invoked to
      handle the write access, however, since the .write is not initialised,
      the call to 0, causes QEMU to SEGFAULT.

      Signed-off-by: Salva Peiró <speirofr@xxxxxxxxx>
      Acked-by: Hannes Reinecke <hare@xxxxxxxx>
      Message-Id: <1437987112-24744-1-git-send-email-speirofr@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c147b5153e733a14fc65d2098e7036754c185ad1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jul 27 18:39:37 2015 +0300

      virtio: minor cleanup

      There's no need for blk to set ANY_LAYOUT, it's
      done by virtio core as necessary.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8ef3ea253b5aaaa00f3b9999f3ff19e74cfa26f8
  Author: Gal Hammer <ghammer@xxxxxxxxxx>
  Date:   Sun Jul 26 11:00:51 2015 +0300

      acpi: fix pvpanic device is not shown in ui

      Commit 2332333c added a _STA method that hides the device. The fact
      that the device is not shown in the gui make it harder to install its
      Windows' device.

      https://bugzilla.redhat.com/show_bug.cgi?id=1238141

      Signed-off-by: Gal Hammer <ghammer@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 226d007dbd75ec8d0f12d0f9e1ce66caf55d49e4
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Fri Jul 24 18:52:31 2015 +0200

      gdbstub: Set current CPU on interruptions

      gdb expects that the thread ID for c and g-class operations is set to
      the CPU we provide when reporting VM stop conditions. If the stub is
      still tuned to a different CPU, the wrong information is delivered to
      the gdb frontend.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 801db5ecdac7575a1b0250243eea1767da553e50
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Fri Jul 3 11:51:01 2015 +0200

      qapi: add missing @

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 786f9ce20382704249883d7052f6869011d44281
  Author: Johannes Schlatow <schlatow@xxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 17:45:41 2015 +0200

      Fix Cortex-A9 global timer

      The auto increment bit of the timer control register was wrongly
      defined.

      See Cortex-A9 MPcore Technical Reference Manual, Section 4.4.2.

      Signed-off-by: Johannes Schlatow <schlatow@xxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7e71e111e0544ec35af40c3dc29f21697c8f17bf
  Author: Michal Privoznik <mprivozn@xxxxxxxxxx>
  Date:   Tue Jun 23 14:30:20 2015 +0200

      gitignore: Ignore shader generated files

      As of d98bc0b65 there are two files that are automatically generated:
      ui/shader/texture-blit-frag.h and /ui/shader/texture-blit-vert.h. None
      of them is wanted to be tracked by git. Put them into the ignore file
      then.

      Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7155f2ca9d66f5598fd8d071e71d6758019a6e48
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Jun 23 18:41:27 2015 +0200

      vmstate: remove unused declaration

      Since 38e0735e, register_device_unmigratable() has been removed

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f6288b9c88bae7d76d8bfe17e672976d79079296
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Jul 18 16:54:32 2015 +0200

      make: Clean build messages

      We want to have uniform build messages, so fix some messages
      which did not follow the standard pattern.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ab6036630865eff8bb12dd51dfa6921b4607fc81
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Jul 19 21:34:22 2015 +0100

      qemu-common.h: Document cutils.c string functions

      Add documentation comments for various utility string functions
      which we have implemented in util/cutils.c:
       pstrcpy()
       strpadcpy()
       pstrcat()
       strstart()
       stristart()
       qemu_strnlen()
       qemu_strsep()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit cc47a16bcbbc2d1f79511799ca3625c6522f5838
  Author: Kamalesh Babulal <kamalesh@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jul 24 13:48:13 2015 +0530

      device_tree: Fix a typo

      Fix spelling of 'allocting' -> 'allocating'.

      Signed-off-by: Kamalesh Babulal <kamalesh@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f3c30aeaa7888aee96a1fa28f259fb8312d47ab2
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jul 24 20:16:01 2015 +0200

      hw/acpi/ich9: clean up stale comment about KVM not supporting SMM

      Commit fba72476c6 ("ich9: add smm_enabled field and arguments") detached
      SMM availability from kvm_enabled(). However, the comment in pm_reset()
      was not updated; let's do it now.

      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Igor Mammedov <imammedo@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: qemu-trivial@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit be66680e8320d612f1c96096a217e642e458f47b
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jul 24 20:16:00 2015 +0200

      hw/acpi/ich9: clear smi_en on reset

      Otherwise on reboot firmware might think (due to APMC_EN remaining set
      from the previous boot) that SMI support is absent.

      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Igor Mammedov <imammedo@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: qemu-trivial@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f8787f8723eaca1be99e3b1873e54de163fffa93
  Merge: edec47c bbeb823
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 27 19:37:09 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150727' into 
staging

      Fix buglets for 2.4

      # gpg: Signature made Mon Jul 27 15:26:48 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150727:
        tcg: mark temps as mem_coherent = 0 for mov with a constant
        tcg: correctly mark dead inputs for mov with a constant

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit edec47cfef96209987cb7922286cb384916aae02
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Jul 24 13:42:55 2015 +0200

      main-loop: fix qemu_notify_event for aio_notify optimization

      aio_notify can be optimized away, and in fact almost always will.  
However,
      qemu_notify_event is used in places where this is incorrect---most 
notably,
      when handling SIGTERM.  When aio_notify is optimized away, it is possible 
that
      QEMU enters a blocking ppoll immediately afterwards and stays there, 
without
      reaching main_loop_should_exit().

      Fix this by using a bottom half.  The bottom half can be optimized too, 
but
      scheduling it is enough for the ppoll not to block.  The hang is thus 
avoided.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1437738175-23624-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 77c102c26ead946fe7589d4bddcdfa5cb431ebfe
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Jul 24 10:26:52 2015 -0400

      block: qemu-iotests - add check for multiplication overflow in vpc

      This checks that VPC is able to successfully fail (without segfault)
      on an image file with a max_table_entries that exceeds 0x40000000.

      This table entry is within the valid range for VPC (although too large
      for this sample image).

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b15deac79530d818092cb49a8021bcce83d71b5b
  Author: Jeff Cody <jcody@xxxxxxxxxx>
  Date:   Fri Jul 24 10:26:51 2015 -0400

      block: vpc - prevent overflow if max_table_entries >= 0x40000000

      When we allocate the pagetable based on max_table_entries, we multiply
      the max table entry value by 4 to accomodate a table of 32-bit integers.
      However, max_table_entries is a uint32_t, and the VPC driver accepts
      ranges for that entry over 0x40000000.  So during this allocation:

      s->pagetable = qemu_try_blockalign(bs->file, s->max_table_entries * 4);

      The size arg overflows, allocating significantly less memory than
      expected.

      Since qemu_try_blockalign() size argument is size_t, cast the
      multiplication correctly to prevent overflow.

      The value of "max_table_entries * 4" is used elsewhere in the code as
      well, so store the correct value for use in all those cases.

      We also check the Max Tables Entries value, to make sure that it is <
      SIZE_MAX / 4, so we know the pagetable size will fit in size_t.

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3737129917c918767cdb8acd8ca6b342c45fa154
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 18:28:08 2015 +0100

      configure: Work around broken static pkg-config info for Ubuntu gnutls

      Unfortunately Ubuntu's pkg-config information for gnutls is broken
      for the static linking case, and outputs --libs options which the
      compiler does not recognize. Work around this problem by testing
      that the --cflags/--libs output will at least allow compilation
      before enabling gnutls support.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-id: 1437758888-22486-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit c9b11f971cfa1fd3eed716f62f4b835553b75490
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Jul 27 17:49:21 2015 +0800

      virtio-blk: only clear VIRTIO_F_ANY_LAYOUT for legacy device

      Chapter 6.3 of spec said

      "
      Transitional devices MUST offer, and if offered by the device
      transitional drivers MUST accept the following:

      VIRTIO_F_ANY_LAYOUT (27)
      "

      So this patch only clear VIRTIO_F_LAYOUT for legacy device.

      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit efb8206ca7f19f5a6ece1f2851a73a29de309b1e
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Jul 27 17:49:20 2015 +0800

      virtio-blk: fail get_features when both scsi and 1.0 were set

      SCSI passthrough was no longer supported in virtio 1.0, so this patch
      fail the get_features() when both 1.0 and scsi is set. And also only
      advertise VIRTIO_BLK_F_SCSI for legacy virtio-blk device.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9d5b731dd2d64deb3bc798ef4e3c08603d54ae02
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Jul 27 17:49:19 2015 +0800

      virtio: get_features() can fail

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 27462695cde2a2208b1ff8074c2e917b8203590b
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jul 27 11:06:17 2015 +0300

      virtio-pci: fix memory MR cleanup for modern

      Each memory_region_add_subregion must be paired with
      memory_region_del_subregion.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bbeb82395eaca0e3c38b433b2d2a5bad4a5fbd81
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:55:58 2015 +0200

      tcg: mark temps as mem_coherent = 0 for mov with a constant

      When a constant has to be loaded in a mov op, we fail to set
      mem_coherent = 0. This patch fixes that.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1437994568-7825-3-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7df69deadf2f25c19b3ac121404ee31f71dce845
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jul 27 12:55:57 2015 +0200

      tcg: correctly mark dead inputs for mov with a constant

      When tcg_reg_alloc_mov propagate a constant, we failed to correctly mark
      a temp as dead if the liveness analysis hints so. This fixes the
      following assert when configure with --enable-debug-tcg:

        qemu-x86_64: tcg/tcg.c:1827: tcg_reg_alloc_bb_end: Assertion 
`ts->val_type == TEMP_VAL_DEAD' failed.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Reported-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1437994568-7825-2-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 122e7dab8ac549c8c5a9e1e13aa2464190e888de
  Merge: e40db4c f9f7492
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 27 14:53:42 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      Pull request

      Here are NIC fixes from Fam Zheng that prevent rx hangs (caused by NIC 
models
      where .can_receive() stops rx but qemu_flush_queued_packets() isn't 
called).

      # gpg: Signature made Mon Jul 27 14:51:48 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        axienet: Flush queued packets when rx is done
        dp8393x: Flush packets when link comes up
        stellaris_enet: Flush queued packets when read done
        mipsnet: Flush queued packets when receiving is enabled
        milkymist-minimac2: Flush queued packets when link comes up
        mcf_fec: Drop mcf_fec_can_receive
        etsec: Flush queue when rx buffer is consumed
        etsec: Move etsec_can_receive into etsec_receive
        usbnet: Drop usbnet_can_receive
        eepro100: Drop nic_can_receive
        pcnet: Drop pcnet_can_receive
        xgmac: Drop packets with eth_can_rx is false.
        hw/net: fix mcf_fec driver receiver
        hw/net: add simple phy support to mcf_fec driver
        hw/net: add ANLPAR bit definitions to generic mii
        hw/net: create common collection of MII definitions

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f9f7492ea4a9dda538fedeec31399fb940533a16
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:13 2015 +0800

      axienet: Flush queued packets when rx is done

      eth_can_rx checks s->rxsize and returns false if it is non-zero. Because
      of the .can_receive semantics change, this will make the incoming queue
      disabled by peer, until it is explicitly flushed. So we should flush it
      when s->rxsize is becoming zero.

      Squash eth_can_rx semantics into etx_rx and drop .can_receive()
      callback, also add flush when rx buffer becomes available again after a
      packet gets queued.

      The other conditions, "!axienet_rx_resetting(s) &&
      axienet_rx_enabled(s)" are OK because enet_write already calls
      qemu_flush_queued_packets when the register bits are changed.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1436955553-22791-13-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4594f93a732f1f5936c3a5225481586e24bffa9e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:12 2015 +0800

      dp8393x: Flush packets when link comes up

      .can_receive callback changes semantics that once return 0, backend will
      try sending again until explicitly flushed, change the device to meet
      that.

      dp8393x_can_receive checks SONIC_CR_RXEN bit in SONIC_CR register and
      SONIC_ISR_RBE bit in SONIC_ISR register, try flushing the queue when
      either bit is being updated.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-12-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1ef4a6069f8b4c09c3383cd4b8e27b6ff25b2d41
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:11 2015 +0800

      stellaris_enet: Flush queued packets when read done

      If s->np reaches 31, the queue will be disabled by peer when it sees
      stellaris_enet_can_receive() returns false, until we explicitly flushes
      it which notifies the peer. Do this when guest is done reading all
      existing data.

      Move the semantics to stellaris_enet_receive, by returning 0 when the
      buffer is full, so that new packets will be queued.  In
      stellaris_enet_read, flush and restart the queue when guest has done
      reading.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-11-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1dd58ae0583c3d3fb15fa1d563d6b497558d3ad0
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:10 2015 +0800

      mipsnet: Flush queued packets when receiving is enabled

      Drop .can_receive and move the semantics to mipsnet_receive, by
      returning 0.

      After 0 is returned, we must flush the queue explicitly to restart it:
      Call qemu_flush_queued_packets when s->busy or s->rx_count is being
      updated.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-10-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3b7031e9609baf710823aa7880fd9802b39c4563
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:09 2015 +0800

      milkymist-minimac2: Flush queued packets when link comes up

      Drop .can_receive and move the semantics into minimac2_rx, by returning
      0.

      That is once minimac2_rx returns 0, incoming packets will be queued
      until the queue is explicitly flushed. We do this when s->regs[R_STATE0]
      or s->regs[R_STATE1] is changed in minimac2_write.

      Also drop the unused trace point.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1436955553-22791-9-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e813f0d8813944061fa9bde861cf6899379843e6
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:08 2015 +0800

      mcf_fec: Drop mcf_fec_can_receive

      The semantics of .can_receive requires us to flush the queue explicitly
      when s->rx_enabled becomes true after it returns 0, but the packet being
      queued is not meaningful since the guest hasn't activated the card.
      Let's just drop the packet in this case.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-8-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 575bafd1f387c5f06b59cf2515f6bb1eff9d119d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:07 2015 +0800

      etsec: Flush queue when rx buffer is consumed

      The BH will be scheduled when etsec->rx_buffer_len is becoming 0, which
      is the condition of queuing.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1436955553-22791-7-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b6cb6610c27c5b0773a340499f19c3477bf45aeb
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:06 2015 +0800

      etsec: Move etsec_can_receive into etsec_receive

      When etsec_reset returns 0, peer would queue the packet as if
      .can_receive returns false. Drop etsec_can_receive and let etsec_receive
      carry the semantics.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-6-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 913440249ea2e697177e9d43167ac325a8dfe907
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:05 2015 +0800

      usbnet: Drop usbnet_can_receive

      usbnet_receive already drops packet if rndis_state is not
      RNDIS_DATA_INITIALIZED, and queues packet if in buffer is not available.
      The only difference is s->dev.config but that is similar to rndis_state.

      Drop usbnet_can_receive and move these checks to usbnet_receive, so that
      we don't need to explicitly flush the queue when s->dev.config changes
      value.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-5-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 363db4b249244f31d3c47fbd5a8b128c95ba8fe7
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:04 2015 +0800

      eepro100: Drop nic_can_receive

      nic_receive already checks the conditions and drop packets if false.
      Due to the new semantics since 6e99c63 ("net/socket: Drop
      net_socket_can_send"), having .can_receive returning 0 requires us to
      explicitly flush the queued packets when the conditions are becoming
      true, but queuing the packets when guest driver is not ready doesn't
      make much sense.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b0ba0b9b6b402d738f11f27eea6c94d97bf84cbf
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:03 2015 +0800

      pcnet: Drop pcnet_can_receive

      pcnet_receive already checks the conditions and drop packets if false.
      Due to the new semantics since 6e99c63 ("net/socket: Drop
      net_socket_can_send"), having .can_receive returning 0 requires us to
      explicitly flush the queued packets when the conditions are becoming
      true, but queuing the packets when guest driver is not ready doesn't
      make much sense.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 8c8c460c5f38f878675631a66286a6e87bb4d111
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 18:19:02 2015 +0800

      xgmac: Drop packets with eth_can_rx is false.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1436955553-22791-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 491a1f494ed4c0d1a8593dd04b645f8e63c4cfae
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 26 15:27:16 2015 +1000

      hw/net: fix mcf_fec driver receiver

      The network mcf_fec driver emulated receive side method is returning a
      result of 0 causing the network layer to disable receive for this emulated
      device. This results in the guest only ever receiving one packet.

      Fix the recieve side processing to return the number of bytes that we
      passed back through to the guest.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435296436-12152-5-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 299f7bec5a109db7563e1286cedf1f4d84e69e6d
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 26 15:27:15 2015 +1000

      hw/net: add simple phy support to mcf_fec driver

      The Linux fec driver needs at least basic phy support to probe and work.
      The current qemu mcf_fec emulation has no support for the reading or
      writing of the MDIO lines to access an attached phy.

      This code adds a very simple set of register results for a fixed phy
      setup - very similar to that used on an m5208evb board. This is enough
      to probe and identify an emulated attached phy.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435296436-12152-4-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3634869b27b6b2ff538bcc5bf8dfd1235ede7034
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 26 15:27:14 2015 +1000

      hw/net: add ANLPAR bit definitions to generic mii

      Add a base set of bit definitions for the standard MII phy 
"Auto-Negotiation
      Link Partner Ability Register" (ANLPAR).

      The original definitions moved into mii.h from the allwinner_emac driver
      did not define these.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435296436-12152-3-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3e230569bf16aa36562967cd76b742c6824481b1
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 26 15:27:13 2015 +1000

      hw/net: create common collection of MII definitions

      Create a common set of definitions of address and register values for
      ethernet MII phys. A few of the current ethernet drivers have at least
      a partial set of these definitions. Others just use hard coded raw
      constant numbers.

      This initial set is copied directly from the allwinner_emac code.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435296436-12152-2-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e40db4c6d391419c0039fe274c74df32a6ca1a28
  Merge: f793d97 cb72cba
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 27 13:10:00 2015 +0100

      Merge remote-tracking branch 
'remotes/jnsnow/tags/cve-2015-5154-pull-request' into staging

      # gpg: Signature made Mon Jul 27 13:01:10 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/cve-2015-5154-pull-request:
        ide: Clear DRQ after handling all expected accesses
        ide/atapi: Fix START STOP UNIT command completion
        ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 019c2ab8623daee210df8b1085a33b1e83c9ee11
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue Jul 21 09:55:02 2015 +0100

      crypto: extend unit tests to cover decryption too

      The current unit test only verifies the encryption API,
      resulting in us missing a recently introduced bug in the
      decryption API from commit d3462e3. It was fortunately
      later discovered & fixed by commit bd09594, thanks to the
      QEMU I/O tests for qcow2 encryption, but we should really
      detect this directly in the crypto unit tests. Also remove
      an accidental debug message and simplify some asserts.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1437468902-23230-1-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6775e2c4298618828de9bb3c5584d4de20120e46
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri Jul 24 13:23:54 2015 +0100

      crypto: fix built-in AES decrypt function

      The qcrypto_cipher_decrypt_aes method was using the wrong
      key material, and passing the wrong mode. This caused it
      to incorrectly decrypt ciphertext.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1437740634-6261-1-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 09999a5f7fc8e3636feda4358a79a25a09467594
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 22 12:32:25 2015 +0300

      virtio: set any_layout in virtio core

      Exceptions:
          - virtio-blk
          - compat machine types

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cd4bfbb20d957a480032e2626ef1188b62c74d00
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jul 23 20:57:53 2015 +0300

      virtio-9p: fix any_layout

      virtio pci allows any device to have a modern interface,
      this in turn requires ANY_LAYOUT support.
      Fix up ANY_LAYOUT for virtio-9p.

      Reported-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 7882080388be5088e72c425b02223c02e6cb4295
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jul 23 17:52:02 2015 +0300

      virtio-serial: fix ANY_LAYOUT

      Don't assume a specific layout for control messages.
      Required by virtio 1.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 5f456073aa9ba54e421aa82dd38e4d40d0a0af85
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 22 13:09:25 2015 +0300

      virtio: hide legacy features from modern guests

      NOTIFY_ON_EMPTY, ANY_LAYOUT and BAD are only valid on the legacy
      interface.

      Hide them from modern guests.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cb72cba83021fa42719e73a5249c12096a4d1cfc
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Sun Jul 26 23:42:53 2015 -0400

      ide: Clear DRQ after handling all expected accesses

      This is additional hardening against an end_transfer_func that fails to
      clear the DRQ status bit. The bit must be unset as soon as the PIO
      transfer has completed, so it's better to do this in a central place
      instead of duplicating the code in all commands (and forgetting it in
      some).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>

  commit 03441c3a4a42beb25460dd11592539030337d0f8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Sun Jul 26 23:42:53 2015 -0400

      ide/atapi: Fix START STOP UNIT command completion

      The command must be completed on all code paths. START STOP UNIT with
      pwrcnd set should succeed without doing anything.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>

  commit d2ff85854512574e7209f295e87b0835d5b032c6
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Sun Jul 26 23:42:53 2015 -0400

      ide: Check array bounds before writing to io_buffer (CVE-2015-5154)

      If the end_transfer_func of a command is called because enough data has
      been read or written for the current PIO transfer, and it fails to
      correctly call the command completion functions, the DRQ bit in the
      status register and s->end_transfer_func may remain set. This allows the
      guest to access further bytes in s->io_buffer beyond s->data_end, and
      eventually overflowing the io_buffer.

      One case where this currently happens is emulation of the ATAPI command
      START STOP UNIT.

      This patch fixes the problem by adding explicit array bounds checks
      before accessing the buffer instead of relying on end_transfer_func to
      function correctly.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>

  commit f793d97e454a56d17e404004867985622ca1a63b
  Merge: 30fdfae 178846b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 13:07:10 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * qemu-char fixes
      * SCSI fixes (including CVE-2015-5158)
      * RCU fixes
      * Framebuffer logic to set DIRTY_MEMORY_VGA
      * Fix compiler warning for --disable-vnc
      * qemu-doc fixes
      * x86 TCG pasto fix

      # gpg: Signature made Fri Jul 24 12:57:52 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        target-i386/FPU: a misprint in helper_fistll_ST0
        qemu-doc: fix typos
        framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the 
framebuffer
        memory: count number of active VGA logging clients
        vl: Fix compiler warning for builds without VNC
        scsi: Handle no media case for scsi_get_configuration
        rcu: actually register threads that have RCU read-side critical sections
        scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
        vnc: fix memory leak
        qemu-char: Fix missed data on unix socket
        qemu-char: handle EINTR for TCP character devices
        exec.c: Use atomic_rcu_read() to access dispatch in 
memory_region_section_get_iotlb()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 178846bdd93994c1acafe4423f99ead8bb24cf38
  Author: Dmitry Poletaev <poletaev-qemu@xxxxxxxxx>
  Date:   Wed Jul 8 12:48:40 2015 +0300

      target-i386/FPU: a misprint in helper_fistll_ST0

      There is a cut-and-paste mistake in the patch
      https://lists.gnu.org/archive/html/qemu-devel/2014-11/msg01657.html .
      It cause errors in guest work.  Here is the bugfix.

      Signed-off-by: Dmitry Poletaev <poletaev-qemu@xxxxxxxxx>
      Reported-by: Kirill Batuzov <batuzovk@xxxxxxxxx>
      Message-Id: <2692911436348920@xxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d274e07c6df4cc8207b01892ff6f81118ea6083c
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Fri Jul 3 17:50:57 2015 +0800

      qemu-doc: fix typos

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1435917057-9396-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c1076c3e13a86140cc2ba29866512df8460cc7c2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 13 12:00:29 2015 +0200

      framebuffer: set DIRTY_MEMORY_VGA on RAM that is used for the framebuffer

      The MemoryRegionSection contains enough information to access the
      RAM region underlying the framebuffer, and can be cached inside the
      display device.

      By doing this, the new framebuffer_update_memory_section function can
      enable dirty memory logging on the relevant RAM region.  The function
      must be called whenever the stride or base of the framebuffer changes;
      a simple way to cover these cases is to call it on every full frame
      invalidation, which is a rare case.

      framebuffer_update_display now works entirely on a MemoryRegionSection,
      without going through cpu_physical_memory_map/unmap.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit deb809edb85334c8e90530e1071b98f4da25ebaa
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 14 13:56:53 2015 +0200

      memory: count number of active VGA logging clients

      For a board that has multiple framebuffer devices, both of them
      might want to use DIRTY_MEMORY_VGA on the same memory region.
      The lack of reference counting in memory_region_set_log makes
      this very awkward to implement.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fb4309695905de889d318caec8eb13d3b2c118d5
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Wed Jul 22 19:53:30 2015 +0200

      vl: Fix compiler warning for builds without VNC

      This regression was caused by commit 70b94331.

        CC    vl.o
      vl.c: In function â??select_displayâ??:
      vl.c:2064:12: error: unused variable â??errâ?? [-Werror=unused-variable]
           Error *err = NULL;
                  ^

      Reported-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Message-Id: <1437587610-26433-1-git-send-email-sw@xxxxxxxxxxx>
      Reviewed-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7d99f4c1b5d12de7644a5bd8c3d46bff05c9ca7c
  Author: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jul 15 14:52:32 2015 -0400

      scsi: Handle no media case for scsi_get_configuration

      Currently, scsi_get_configuration always returns a current
      profile (DVD or CD), even when there is actually no media present.
      By comparison, ide/atapi uses a default profile of 0 (MMC_PROFILE_NONE)
      for this case and checks for tray_open, so let's do the same for scsi.

      This fixes a problem I'm seeing with Fedora 22 guests where systemd
      cdrom_id fails to unmount after a QEMU-initiated eject against a
      scsi cdrom device because it believes the media is still present
      (but unreadable).

      Signed-off-by: Matthew Rosato <mjrosato@xxxxxxxxxxxxxxxxxx>
      Message-Id: 
<1436986352-10695-1-git-send-email-mjrosato@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ab28bd23125fb4a0411c3a3f01c4edacbc261486
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 9 08:55:38 2015 +0200

      rcu: actually register threads that have RCU read-side critical sections

      Otherwise, grace periods are detected too early!

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c170aad8b057223b1139d72e5ce7acceafab4fa9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 08:59:39 2015 +0200

      scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)

      This is a guest-triggerable buffer overflow present in QEMU 2.2.0
      and newer.  scsi_cdb_length returns -1 as an error value, but the
      caller does not check it.

      Luckily, the massive overflow means that QEMU will just SIGSEGV,
      making the impact much smaller.

      Reported-by: Zhu Donghai (��海) <donghai.zdh@xxxxxxxxxxxxxxx>
      Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 60928458e5eea3c77a7eb0a4194927872f463947
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed Jul 22 17:08:53 2015 +0800

      vnc: fix memory leak

      If vnc's password is configured, it will leak memory
      which cipher variable pointed on every vnc connection.

      Cc: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1437556133-11268-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 30fdfae49d53cfc678859095e49ac60b79562d6f
  Merge: f75b709 9615212
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 11:11:30 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150723' into 
staging

      Last minute fixes for 2.4.

      # gpg: Signature made Fri Jul 24 04:42:31 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150723:
        tcg/optimize: fix tcg_opt_gen_movi
        tcg/aarch64: use 32-bit offset for 32-bit softmmu emulation
        tcg/aarch64: use 32-bit offset for 32-bit user-mode emulation
        tcg/aarch64: add ext argument to tcg_out_insn_3310
        tcg/i386: Extend addresses for 32-bit guests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f75b709853d2b2b0f2a8e149229aa1c7c1ee1c60
  Merge: 12e21eb 759b484
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 24 09:17:44 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-fixes-20150723.0' into staging

      VFIO fixes for v2.4.0-rc3
      - Fix Realtek NIC quirk (Alex Williamson)
      - Restore bootindex functionality (Alex Williamson)

      # gpg: Signature made Thu Jul 23 19:51:23 2015 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-fixes-20150723.0:
        vfio/pci: Fix bootindex
        vfio/pci: Fix RTL8168 NIC quirks

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 961521261a3d600b0695b2e6d2b0f490076f7e90
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jul 10 18:03:30 2015 +0200

      tcg/optimize: fix tcg_opt_gen_movi

      Due to a copy&paste, the new op value is tested against mov_i32 instead
      of movi_i32. The test is therefore always false. Fix that.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1436544211-2769-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 80adb8fcad4778376a11d394a9e01516819e2327
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 23 18:04:52 2015 -0400

      tcg/aarch64: use 32-bit offset for 32-bit softmmu emulation

      Similar to the same fix for user-mode, except this instance
      occurs on the softmmu path.  Again, the tlb addend must be
      the base register, while the guest address is the index.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ffc6372851d8631a9f9fa56ec613b3244dc635b9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jul 15 17:27:01 2015 +0200

      tcg/aarch64: use 32-bit offset for 32-bit user-mode emulation

      Thanks to the previous patch, it is now easy for tcg_out_qemu_ld and
      tcg_out_qemu_st to use a 32-bit zero extended offset.  However, the
      guest base register x28 must be the base and addr_reg must be the
      index.

      Reported-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1436974021-28978-3-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6c0f0c0f124718650a8d682ba275044fc02f6fe2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jul 15 17:27:00 2015 +0200

      tcg/aarch64: add ext argument to tcg_out_insn_3310

      The new argument lets you pick uxtw or uxtx mode for the offset
      register.  For now, all callers pass TCG_TYPE_I64 so that uxtx
      is generated.  The bits for uxtx are removed from I3312_TO_I3310.

      Reported-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1436974021-28978-2-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ee8ba9e4d8458b8bba5455a7ae704620c4f2ef4b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 16 22:25:49 2015 +0100

      tcg/i386: Extend addresses for 32-bit guests

      Removing the ??? comment explaining why it (mostly) worked.

      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-Id: <1437081950-7206-2-git-send-email-rth@xxxxxxxxxxx>

  commit 12e21eb088a51161c78ee39ed54ac56ebcff4243
  Merge: b69b305 6b26996
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 23 12:54:53 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-07-22

      # gpg: Signature made Wed Jul 22 19:11:04 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/numa-pull-request:
        hostmem: Fix qemu_opt_get_bool() crash in host_memory_backend_init()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4bf1cb03fbc43b0055af60d4ff093d6894aa4338
  Author: Nils Carlson <pyssling@xxxxxxxxxxx>
  Date:   Sun Jul 19 20:39:56 2015 +0000

      qemu-char: Fix missed data on unix socket

      Commit 812c1057 introduced HUP detection on unix and tcp sockets prior
      to a read in tcp_chr_read. This unfortunately broke CloudStack 4.2
      which relied on the old behaviour where data on a socket was readable
      even if a HUP was present.

      A working solution is to properly check the return values from recv,
      handling a closed socket once there is no more data to read.

      Also enable polling for G_IO_NVAL to ensure the callback is called
      for all possible events as these should now be possible to handle
      with the improved error detection.

      Signed-off-by: Nils Carlson <pyssling@xxxxxxxxxxx>
      Message-Id: <1437338396-22336-1-git-send-email-pyssling@xxxxxxxxxxx>
      [Do not handle EINTR; use socket_error(). - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9172f428afc1461b1d9b33ebca3a679b9adf7c3a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 09:25:54 2015 +0200

      qemu-char: handle EINTR for TCP character devices

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0b8e2c1002afddc8ef3d52fa6fc29e4768429f98
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 20 12:27:16 2015 +0100

      exec.c: Use atomic_rcu_read() to access dispatch in 
memory_region_section_get_iotlb()

      When accessing the dispatch pointer in an AddressSpace within an RCU
      critical section we should always use atomic_rcu_read(). Fix an
      access within memory_region_section_get_iotlb() which was incorrectly
      doing a direct pointer access.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1437391637-31576-1-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 759b484c5d7f92bd01f98797c07e8543ee187888
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Jul 22 14:56:01 2015 -0600

      vfio/pci: Fix bootindex

      bootindex was incorrectly changed to a device Property during the
      platform code split, resulting in it no longer working.  Remove it.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx # v2.3+

  commit 69970fcef937bddd7f745efe39501c7716fdfe56
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Wed Jul 22 14:56:01 2015 -0600

      vfio/pci: Fix RTL8168 NIC quirks

      The RTL8168 quirk correctly describes using bit 31 as a signal to
      mark a latch/completion, but the code mistakenly uses bit 28.  This
      causes the Realtek driver to spin on this register for quite a while,
      20k cycles on Windows 7 v7.092 driver.  Then it gets frustrated and
      tries to set the bit itself and spins for another 20k cycles.  For
      some this still results in a working driver, for others not.  About
      the only thing the code really does in its current form is protect
      the guest from sneaking in writes to the real hardware MSI-X table.
      The fix is obviously to use bit 31 as we document that we should.

      The other problem doesn't seem to affect current drivers as nobody
      seems to use these window registers for writes to the MSI-X table, but
      we need to use the stored data when a write is triggered, not the
      value of the current write, which only provides the offset.

      Note that only the Windows drivers from Realtek seem to use these
      registers, the Microsoft drivers provided with Windows 8.1 do not
      access them, nor do Linux in-kernel drivers.

      Link: https://bugs.launchpad.net/qemu/+bug/1384892
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx # v2.1+

  commit 6b2699672d5b56f8c2902fb9db9879e8cafb2afe
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Jul 16 17:29:12 2015 -0300

      hostmem: Fix qemu_opt_get_bool() crash in host_memory_backend_init()

      This fixes the following crash, introduced by commit
      49d2e648e8087d154d8bf8b91f27c8e05e79d5a6:

        $ gdb --args qemu-system-x86_64 -machine pc,mem-merge=off -object 
memory-backend-ram,id=ram-node0,size=1024
        [...]
        Program received signal SIGABRT, Aborted.
        (gdb) bt
        #0  0x00007ffff253b8c7 in raise () at /lib64/libc.so.6
        #1  0x00007ffff253d52a in abort () at /lib64/libc.so.6
        #2  0x00007ffff253446d in __assert_fail_base () at /lib64/libc.so.6
        #3  0x00007ffff2534522 in  () at /lib64/libc.so.6
        #4  0x00005555558bb80a in qemu_opt_get_bool_helper 
(opts=0x55555621b650, name=name@entry=0x5555558ec922 "mem-merge", 
defval=defval@entry=true, del=del@entry=false) at qemu/util/qemu-option.c:388
        #5  0x00005555558bbb5a in qemu_opt_get_bool (opts=<optimized out>, 
name=name@entry=0x5555558ec922 "mem-merge", defval=defval@entry=true) at 
qemu/util/qemu-option.c:398
        #6  0x0000555555720a24 in host_memory_backend_init (obj=0x5555562ac970) 
at qemu/backends/hostmem.c:226

      Instead of using qemu_opt_get_bool(), that didn't work with
      qemu_machine_opts for a long time, we can use the corresponding
      MachineState fields.

      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit b69b30532e0a80e25449244c01b0cbed000c99a3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 22 18:17:19 2015 +0100

      Update version for v2.4.0-rc2 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3edf6b3f1e68104dba692337fdcecdba39e73c59
  Merge: dc94bd9 a52b2cb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 22 16:22:49 2015 +0100

      Merge remote-tracking branch 'remotes/elmarco/tags/for-upstream' into 
staging

      qxl: build fix for 2.4

      # gpg: Signature made Wed Jul 22 15:55:00 2015 BST using DSA key ID 
F43F0992
      # gpg: Good signature from "Marc-André Lureau 
<marcandre.lureau@xxxxxxxxxx>"
      # gpg:                 aka "Marc-Andre Lureau 
<marcandre.lureau@xxxxxxxxx>"
      # gpg:                 aka "Marc-Andre Lureau 
<marc-andre.lureau@xxxxxxxxx>"
      # gpg:                 aka "Marc-André Lureau 
<marc-andre.lureau@xxxxxxxxx>"
      # gpg:                 aka "Marc-André Lureau (elmarco) 
<marcandre.lureau@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 7346 2483 9404 4E20 ABFF  7D48 D864 9487 F43F 
0992

      * remotes/elmarco/tags/for-upstream:
        qxl: Fix new function name for spice-server library

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a52b2cbf218d52f9e357961acb271a98a2bdff71
  Author: Frediano Ziglio <fziglio@xxxxxxxxxx>
  Date:   Mon Jul 20 09:43:23 2015 +0100

      qxl: Fix new function name for spice-server library

      The new spice-server function to limit the number of monitors (0.12.6)
      changed while development from spice_qxl_set_monitors_config_limit to
      spice_qxl_max_monitors (accepted upstream).
      By mistake I post patch with former name.
      This patch fix the function name.

      Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
      Acked-by: Christophe Fergeau <cfergeau@xxxxxxxxxx>
      Acked-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>

  commit dc94bd9166af5236a56bd5bb06845911915a925c
  Merge: b9c4630 05e514b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 22 12:52:34 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Wed Jul 22 12:43:35 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        AioContext: optimize clearing the EventNotifier
        AioContext: fix broken placement of event_notifier_test_and_clear
        AioContext: fix broken ctx->dispatching optimization
        aio-win32: reorganize polling loop
        tests: remove irrelevant assertions from test-aio
        qemu-timer: initialize "timers_done_ev" to set
        mirror: Speed up bitmap initial scanning

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 05e514b1d4d5bd4209e2c8bbc76ff05c85a235f3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:53 2015 +0200

      AioContext: optimize clearing the EventNotifier

      It is pretty rare for aio_notify to actually set the EventNotifier.  It
      can happen with worker threads such as thread-pool.c's, but otherwise it
      should never be set thanks to the ctx->notify_me optimization.  The
      previous patch, unfortunately, added an unconditional call to
      event_notifier_test_and_clear; now add a userspace fast path that
      avoids the call.

      Note that it is not possible to do the same with event_notifier_set;
      it would break, as proved (again) by the included formal model.

      This patch survived over 3000 reboots on aarch64 KVM.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-7-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 21a03d17f2edb1e63f7137d97ba355cc6f19d79f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:52 2015 +0200

      AioContext: fix broken placement of event_notifier_test_and_clear

      event_notifier_test_and_clear must be called before processing events.
      Otherwise, an aio_poll could "eat" the notification before the main
      I/O thread invokes ppoll().  The main I/O thread then never wakes up.
      This is an example of what could happen:

         i/o thread       vcpu thread                     worker thread
         ---------------------------------------------------------------------
         lock_iothread
         notify_me = 1
         ...
         unlock_iothread
                                                           bh->scheduled = 1
                                                           event_notifier_set
                          lock_iothread
                          notify_me = 3
                          ppoll
                          notify_me = 1
                          aio_dispatch
                           aio_bh_poll
                            thread_pool_completion_bh
                                                           bh->scheduled = 1
                                                           event_notifier_set
                           node->io_read(node->opaque)
                            event_notifier_test_and_clear
         ppoll
         *** hang ***

      "Tracing" with qemu_clock_get_ns shows pretty much the same behavior as
      in the previous bug, so there are no new tricks here---just stare more
      at the code until it is apparent.

      One could also use a formal model, of course.  The included one shows
      this with three processes: notifier corresponds to a QEMU thread pool
      worker, temporary_waiter to a VCPU thread that invokes aio_poll(),
      waiter to the main I/O thread.  I would be happy to say that the
      formal model found the bug for me, but actually I wrote it after the
      fact.

      This patch is a bit of a big hammer.  The next one optimizes it,
      with help (this time for real rather than a posteriori :)) from
      another, similar formal model.

      Reported-by: Richard W. M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-6-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit eabc977973103527bbb8fed69c91cfaa6691f8ab
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:51 2015 +0200

      AioContext: fix broken ctx->dispatching optimization

      This patch rewrites the ctx->dispatching optimization, which was the cause
      of some mysterious hangs that could be reproduced on aarch64 KVM only.
      The hangs were indirectly caused by aio_poll() and in particular by
      flash memory updates's call to blk_write(), which invokes aio_poll().
      Fun stuff: they had an extremely short race window, so much that
      adding all kind of tracing to either the kernel or QEMU made it
      go away (a single printf made it half as reproducible).

      On the plus side, the failure mode (a hang until the next keypress)
      made it very easy to examine the state of the process with a debugger.
      And there was a very nice reproducer from Laszlo, which failed pretty
      often (more than half of the time) on any version of QEMU with a non-debug
      kernel; it also failed fast, while still in the firmware.  So, it could
      have been worse.

      For some unknown reason they happened only with virtio-scsi, but
      that's not important.  It's more interesting that they disappeared with
      io=native, making thread-pool.c a likely suspect for where the bug arose.
      thread-pool.c is also one of the few places which use bottom halves
      across threads, by the way.

      I hope that no other similar bugs exist, but just in case :) I am
      going to describe how the successful debugging went...  Since the
      likely culprit was the ctx->dispatching optimization, which mostly
      affects bottom halves, the first observation was that there are two
      qemu_bh_schedule() invocations in the thread pool: the one in the aio
      worker and the one in thread_pool_completion_bh.  The latter always
      causes the optimization to trigger, the former may or may not.  In
      order to restrict the possibilities, I introduced new functions
      qemu_bh_schedule_slow() and qemu_bh_schedule_fast():

           /* qemu_bh_schedule_slow: */
           ctx = bh->ctx;
           bh->idle = 0;
           if (atomic_xchg(&bh->scheduled, 1) == 0) {
               event_notifier_set(&ctx->notifier);
           }

           /* qemu_bh_schedule_fast: */
           ctx = bh->ctx;
           bh->idle = 0;
           assert(ctx->dispatching);
           atomic_xchg(&bh->scheduled, 1);

      Notice how the atomic_xchg is still in qemu_bh_schedule_slow().  This
      was already debated a few months ago, so I assumed it to be correct.
      In retrospect this was a very good idea, as you'll see later.

      Changing thread_pool_completion_bh() to qemu_bh_schedule_fast() didn't
      trigger the assertion (as expected).  Changing the worker's invocation
      to qemu_bh_schedule_slow() didn't hide the bug (another assumption
      which luckily held).  This already limited heavily the amount of
      interaction between the threads, hinting that the problematic events
      must have triggered around thread_pool_completion_bh().

      As mentioned early, invoking a debugger to examine the state of a
      hung process was pretty easy; the iothread was always waiting on a
      poll(..., -1) system call.  Infinite timeouts are much rarer on x86,
      and this could be the reason why the bug was never observed there.
      With the buggy sequence more or less resolved to an interaction between
      thread_pool_completion_bh() and poll(..., -1), my "tracing" strategy was
      to just add a few qemu_clock_get_ns(QEMU_CLOCK_REALTIME) calls, hoping
      that the ordering of aio_ctx_prepare(), aio_ctx_dispatch, poll() and
      qemu_bh_schedule_fast() would provide some hint.  The output was:

          (gdb) p last_prepare
          $3 = 103885451
          (gdb) p last_dispatch
          $4 = 103876492
          (gdb) p last_poll
          $5 = 115909333
          (gdb) p last_schedule
          $6 = 115925212

      Notice how the last call to qemu_poll_ns() came after aio_ctx_dispatch().
      This makes little sense unless there is an aio_poll() call involved,
      and indeed with a slightly different instrumentation you can see that
      there is one:

          (gdb) p last_prepare
          $3 = 107569679
          (gdb) p last_dispatch
          $4 = 107561600
          (gdb) p last_aio_poll
          $5 = 110671400
          (gdb) p last_schedule
          $6 = 110698917

      So the scenario becomes clearer:

         iothread                   VCPU thread
      --------------------------------------------------------------------------
         aio_ctx_prepare
         aio_ctx_check
         qemu_poll_ns(timeout=-1)
                                    aio_poll
                                      aio_dispatch
                                        thread_pool_completion_bh
                                          qemu_bh_schedule()

      At this point bh->scheduled = 1 and the iothread has not been woken up.
      The solution must be close, but this alone should not be a problem,
      because the bottom half is only rescheduled to account for rare situations
      (see commit 3c80ca1, thread-pool: avoid deadlock in nested aio_poll()
      calls, 2014-07-15).

      Introducing a third thread---a thread pool worker thread, which
      also does qemu_bh_schedule()---does bring out the problematic case.
      The third thread must be awakened *after* the callback is complete and
      thread_pool_completion_bh has redone the whole loop, explaining the
      short race window.  And then this is what happens:

                                                            thread pool worker
      --------------------------------------------------------------------------
                                                            <I/O completes>
                                                            qemu_bh_schedule()

      Tada, bh->scheduled is already 1, so qemu_bh_schedule() does nothing
      and the iothread is never woken up.  This is where the bh->scheduled
      optimization comes into play---it is correct, but removing it would
      have masked the bug.

      So, what is the bug?

      Well, the question asked by the ctx->dispatching optimization ("is any
      active aio_poll dispatching?") was wrong.  The right question to ask
      instead is "is any active aio_poll *not* dispatching", i.e. in the prepare
      or poll phases?  In that case, the aio_poll is sleeping or might go to
      sleep anytime soon, and the EventNotifier must be invoked to wake
      it up.

      In any other case (including if there is *no* active aio_poll at all!)
      we can just wait for the next prepare phase to pick up the event (e.g. a
      bottom half); the prepare phase will avoid the blocking and service the
      bottom half.

      Expressing the invariant with a logic formula, the broken one looked like:

         !(exists(thread): in_dispatching(thread)) => !optimize

      or equivalently:

         !(exists(thread):
                in_aio_poll(thread) && in_dispatching(thread)) => !optimize

      In the correct one, the negation is in a slightly different place:

         (exists(thread):
               in_aio_poll(thread) && !in_dispatching(thread)) => !optimize

      or equivalently:

         (exists(thread): in_prepare_or_poll(thread)) => !optimize

      Even if the difference boils down to moving an exclamation mark :)
      the implementation is quite different.  However, I think the new
      one is simpler to understand.

      In the old implementation, the "exists" was implemented with a boolean
      value.  This didn't really support well the case of multiple concurrent
      event loops, but I thought that this was okay: aio_poll holds the
      AioContext lock so there cannot be concurrent aio_poll invocations, and
      I was just considering nested event loops.  However, aio_poll _could_
      indeed be concurrent with the GSource.  This is why I came up with the
      wrong invariant.

      In the new implementation, "exists" is computed simply by counting how 
many
      threads are in the prepare or poll phases.  There are some interesting
      points to consider, but the gist of the idea remains:

      1) AioContext can be used through GSource as well; as mentioned in the
      patch, bit 0 of the counter is reserved for the GSource.

      2) the counter need not be updated for a non-blocking aio_poll, because
      it won't sleep forever anyway.  This is just a matter of checking
      the "blocking" variable.  This requires some changes to the win32
      implementation, but is otherwise not too complicated.

      3) as mentioned above, the new implementation will not call aio_notify
      when there is *no* active aio_poll at all.  The tests have to be
      adjusted for this change.  The calls to aio_notify in async.c are fine;
      they only want to kick aio_poll out of a blocking wait, but need not
      do anything if aio_poll is not running.

      4) nested aio_poll: these just work with the new implementation; when
      a nested event loop is invoked, the outer event loop is never in the
      prepare or poll phases.  The outer event loop thus has already decremented
      the counter.

      Reported-by: Richard W. M. Jones <rjones@xxxxxxxxxx>
      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-5-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6493c975af75be5b8d9ade954239bdf5492b7911
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:50 2015 +0200

      aio-win32: reorganize polling loop

      Preparatory bugfixes and tweaks to the loop before the next patch:

      - disable dispatch optimization during aio_prepare.  This fixes a bug.

      - do not modify "blocking" until after the first WaitForMultipleObjects
      call.  This is needed in the next patch.

      - change the loop to do...while.  This makes it obvious that the loop
      is always entered at least once.  In the next patch this is important
      because the first iteration undoes the ctx->notify_me increment that
      happened before entering the loop.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-4-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 12d69ac03b45156356b240424623719f15d8143e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:49 2015 +0200

      tests: remove irrelevant assertions from test-aio

      In these tests, the purpose of the initial calls to aio_poll and
      g_main_context_iteration is simply to put the AioContext in a
      known state; the return value of the function does not really
      matter.  The next patch will change those return values; change
      the assertions to a while loop which expresses the intention
      better.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-3-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e4efd8a488d0a68b0af34d8ee245463df7c8bdf4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 21 16:07:48 2015 +0200

      qemu-timer: initialize "timers_done_ev" to set

      The normal value for the event is to be set.  If we do not do
      this, pause_all_vcpus (through qemu_clock_enable) hangs unless
      timerlist_run_timers has been run at least once for the timerlist.
      This can happen with the following patches, that make aio_notify do
      nothing most of the time.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Message-id: 1437487673-23740-2-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 999006975840f8cdf2038a587d852a6cbfe58e3b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jul 9 11:47:58 2015 +0800

      mirror: Speed up bitmap initial scanning

      Limiting to sectors_per_chunk for each bdrv_is_allocated_above is slow,
      because the underlying protocol driver would issue much more queries
      than necessary. We should coalesce the query.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: <1436413678-7114-4-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b9c46307996856d03ddc1527468ff5401ac03a79
  Merge: 774ee47 5f8343d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 21 20:56:20 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-07-21-tag' into staging

      tag for qga-pull-2015-07-21

      Small fix to correct schema versioning annotations for recently-added
      GuestDiskBusType enum values. Not the end of the world, but ideally
      this inconsistency would be corrected prior to 2.4 release.

      # gpg: Signature made Tue Jul 21 20:43:24 2015 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 
B584

      * remotes/mdroth/tags/qga-pull-2015-07-21-tag:
        qga: fixed versions for guest bus types in qapi-schema

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5f8343d0670e91adadb7898304c8ed4355af05a2
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Tue Jul 21 15:25:08 2015 +0300

      qga: fixed versions for guest bus types in qapi-schema

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      *added semi-colon to better delineate 2.2 vs. 2.4 versioning
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 774ee4772b6838b78741ea52d4bf26b8922244c5
  Merge: a1bc040 57b7309
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 21 12:21:08 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150721' into staging

      target-arm queue:
       * don't sync CNTVCT with kernel all the time (fixes VM time weirdnesses)
       * fix a warning compiling disas/arm-a64 with -Wextra

      # gpg: Signature made Tue Jul 21 12:15:33 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150721:
        disas/arm-a64: Add missing compiler attribute GCC_FMT_ATTR
        target-arm: kvm: Differentiate registers based on write-back levels

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 57b73090e041ece40cc619a3c43a6fafcb3dd647
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Tue Jul 21 11:18:45 2015 +0100

      disas/arm-a64: Add missing compiler attribute GCC_FMT_ATTR

      Type fprintf_function which fits here was defined with this attribute.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1437208027-14584-1-git-send-email-sw@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b7a6bf402bd064605c287eecadc493ccf2d4897
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jul 21 11:18:45 2015 +0100

      target-arm: kvm: Differentiate registers based on write-back levels

      Some registers like the CNTVCT register should only be written to the
      kernel as part of machine initialization or on vmload operations, but
      never during runtime, as this can potentially make time go backwards or
      create inconsistent time observations between VCPUs.

      Introduce a list of registers that should not be written back at runtime
      and check this list on syncing the register state to the KVM state.

      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1437046488-10773-1-git-send-email-christoffer.dall@xxxxxxxxxx
      [PMM: tweaked a few comments, added the new argument to the stub
       write_list_to_kvmstate() in target-arm/kvm-stub.c]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a1bc040dabc12039944e22d9529f20d6132400dd
  Merge: bd03a38 47c7199
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 21 10:04:32 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Mon Jul 20 19:27:04 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        tests: Fix broken targets check-report-qtest-*
        ahci: Force ICC bits in PxCMD to zero
        qtest/ide: add another short PRDT test flavor

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 47c719964a8240c99d4b7a2b4695ae026c619b83
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Mon Jul 20 12:21:18 2015 -0400

      tests: Fix broken targets check-report-qtest-*

      They need QTEST_QEMU_IMG. Without it, the tests raise an assertion:

      $ make -C bin check-report-qtest-i386.xml
      make: Entering directory 'bin'
      GTESTER check-report-qtest-i386.xml
      blkdebug: Suspended request 'A'
      blkdebug: Resuming request 'A'
      ahci-test: tests/libqos/libqos.c:162:
       mkimg: Assertion `qemu_img_path' failed.
      main-loop: WARNING: I/O thread spun for 1000 iterations

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1437231284-17455-1-git-send-email-sw@xxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit bd03a38fdf85fb1d4f0c9f59bbc154b516f66360
  Merge: 13566fe 625de44
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 20 18:26:53 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Mon Jul 20 18:25:14 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net: Flush queued packets when guest resumes
        lan9118: Drop lan9118_can_receive
        etraxfs_eth: Drop eth_can_receive
        musicpal: Drop eth_can_receive
        net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets
        net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data'
        socket: pass correct size in net_socket_send()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 625de449fc5597f2e1aff9cb586e249e198f03c9
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue Jul 7 09:21:07 2015 +0800

      net: Flush queued packets when guest resumes

      Since commit 6e99c63 "net/socket: Drop net_socket_can_send" and friends,
      net queues need to be explicitly flushed after qemu_can_send_packet()
      returns false, because the netdev side will disable the polling of fd.

      This fixes the case of "cont" after "stop" (or migration).

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1436232067-29144-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b49b8c572f885ea2b16fc744e8837e974df34401
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 15:10:47 2015 +0800

      lan9118: Drop lan9118_can_receive

      True is the default.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1435734647-8371-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit da69028261abd12dbf974754e69d017f6e8710b5
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 15:10:46 2015 +0800

      etraxfs_eth: Drop eth_can_receive

      True is the default.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1435734647-8371-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f63eab8becf92b18c18b6c31950f99f764848902
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 1 15:10:45 2015 +0800

      musicpal: Drop eth_can_receive

      True is the default.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Message-id: 1435734647-8371-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 80da311d81c389860bc387fbe6677c71f7a3c596
  Author: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 14 11:55:16 2015 +0300

      net/vmxnet3: Fix RX TCP/UDP checksum on partially summed packets

      Convert partially summed packets to be fully checksummed.

      In case csum offloaded packet, vmxnet3 implementation always passes an
      RxCompDesc with the "Checksum calculated and found correct" notification
      to the OS. This emulates the observed ESXi behavior.

      Therefore, if packet has the NEEDS_CSUM bit set, we must calculate and
      place a fully computed checksum into the tcp/udp header. Otherwise, the
      OS driver will receive a checksum-correct indication but with the actual
      tcp/udp checksum field having just the pseudo header csum value.

      If host OS performs forwarding, it will forward an incorrectly
      checksummed packet.

      Signed-off-by: Dana Rubin <dana.rubin@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Message-id: 
1436864116-19154-3-git-send-email-shmulik.ladkani@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fcf0cdc362dd96cb8d2935b892d3dd9ab73ad393
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 14 11:55:15 2015 +0300

      net/vmxnet3: Refactor 'vmxnet_rx_pkt_attach_data'

      Separate RX packet protocol parsing out of 'vmxnet_rx_pkt_attach_data'.

      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Message-id: 
1436864116-19154-2-git-send-email-shmulik.ladkani@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 091f1f52963d7093ea578e4a05e67bc015b21192
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Tue Jul 7 17:00:56 2015 +0800

      socket: pass correct size in net_socket_send()

      We should pass the size of packet instead of the remaining to
      qemu_send_packet_async().

      Fixes: 6e99c631f116221d169ea53953d91b8aa74d297a
             ("net/socket: Drop net_socket_can_send")

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1436259656-24263-1-git-send-email-jasowang@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 09b61db7c140c5a71bfde36614c5a1f4f0d382a6
  Author: Stefan Fritsch <sf@xxxxxxxxxxx>
  Date:   Mon Jul 20 12:21:18 2015 -0400

      ahci: Force ICC bits in PxCMD to zero

      The AHCI spec requires that the HBA sets the ICC bits to zero after the
      ICC change is done. Since we don't do any ICC change, force the bits to
      zero all the time.

      This fixes delays with some OSs (e.g. OpenBSD) waiting for the ICC bits
      to change to 0.

      Signed-off-by: Stefan Fritsch <sf@xxxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: E1ZFpg7-00027N-HW@xxxxxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 58732810230719765a6618004be8f0070c9f3d31
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Jul 20 12:21:18 2015 -0400

      qtest/ide: add another short PRDT test flavor

      The existing short PRDT test case does not transfer any data because the
      first PRD is less than 1 sector.

      This patch adds another short PRDT test case where the first sector can
      be read but the PRDT is still smaller than the requested number of
      sectors.  This exercises a different code path in ide_dma_cb().

      Cc: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1435770571-9906-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 13566fe3e584e7b14a6f45246976b91677dc2a77
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jul 8 15:10:09 2015 +0100

      timer: rename NSEC_PER_SEC due to Mac OS X header clash

      Commit e0cf11f31c24cfb17f44ed46c254d84c78e7f6e9 ("timer: Use a single
      definition of NSEC_PER_SEC for the whole codebase") renamed
      NANOSECONDS_PER_SECOND to NSEC_PER_SEC.

      On Mac OS X there is a <dispatch/time.h> system header which also
      defines NSEC_PER_SEC.  This causes compiler warnings.

      Let's use the old name instead.  It's longer but it doesn't clash.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1436364609-7929-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dcc8a3ab632d0f11a1bf3b08381cf0f93e616b9f
  Merge: f73ca73 bd09594
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 20 16:01:31 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches for 2.4.0-rc2

      # gpg: Signature made Mon Jul 20 15:48:56 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        crypto: Fix aes_decrypt_wrapper()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f73ca7363440240b7ee5ee7f7ddb1c64751efb54
  Merge: 7135847 f9d6dbf
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 20 13:25:28 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, vhost, pc fixes for 2.4

      The only notable thing here is vhost-user multiqueue
      revert. We'll work on making it stable in 2.5,
      reverting now means we won't have to maintain
      bug for bug compability forever.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jul 20 12:24:00 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        virtio-net: remove virtio queues if the guest doesn't support multiqueue
        virtio-net: Flush incoming queues when DRIVER_OK is being set
        pci_add_capability: remove duplicate comments
        virtio-net: unbreak any layout
        Revert "vhost-user: add multi queue support"
        ich9: fix skipped vmstate_memhp_state subsection

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bd09594603f1498e7623f0030988b62e2052f7da
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Fri Jul 17 19:44:10 2015 +0200

      crypto: Fix aes_decrypt_wrapper()

      Commit d3462e3 broke qcow2's encryption functionality by using encrypt
      instead of decrypt in the wrapper function it introduces. This was found
      by qemu-iotests case 134.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit f9d6dbf0bf6e91b8ed896369ab1b7e91e5a1a4df
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Wed Jul 15 17:20:59 2015 +0800

      virtio-net: remove virtio queues if the guest doesn't support multiqueue

      commit da51a335 adds all queues in .realize(). But if the
      guest doesn't support multiqueue, we forget to remove them. And
      we cannot handle the ctrl vq corretly. The guest will hang.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 38705bb57bf1cd9e3f837cf11bcdee3876786c07
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Jul 15 11:02:27 2015 +0800

      virtio-net: Flush incoming queues when DRIVER_OK is being set

      This patch fixes network hang after "stop" then "cont", while network
      packets keep arriving.

      Tested both manually (tap, host pinging guest) and with Jason's qtest
      series (plus his "[PATCH 2.4] socket: pass correct size in
      net_socket_send()" fix).

      As virtio_net_set_status is called when guest driver is setting status
      byte and when vm state is changing, it is a good opportunity to flush
      queued packets.

      This is necessary because during vm stop the backend (e.g. tap) would
      stop rx processing after .can_receive returns false, until the queue is
      explicitly flushed or purged.

      The other interesting condition in .can_receive, virtio_queue_ready(),
      is handled by virtio_net_handle_rx() when guest kicks; the 3rd condition
      is invalid queue index which doesn't need flushing.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9a2a66238e3bf2b681d6321c4667a2d589c8ebed
  Author: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
  Date:   Tue Jul 14 16:16:11 2015 +0800

      pci_add_capability: remove duplicate comments

      Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit feb93f361739071778ca2d23df3876db399548f7
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri Jul 17 15:19:18 2015 +0800

      virtio-net: unbreak any layout

      Commit 032a74a1c0fcdd5fd1c69e56126b4c857ee36611
      ("virtio-net: byteswap virtio-net header") breaks any layout by
      requiring out_sg[0].iov_len >= n->guest_hdr_len. Fixing this by
      copying header to temporary buffer if swap is needed, and then use
      this buffer as part of out_sg.

      Fixes 032a74a1c0fcdd5fd1c69e56126b4c857ee36611
      ("virtio-net: byteswap virtio-net header")
      Cc: qemu-stable@xxxxxxxxxx
      Cc: clg@xxxxxxxxxx
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d345ed2da3279b015605823397235b8c5ca5251f
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 15 13:47:31 2015 +0300

      Revert "vhost-user: add multi queue support"

      This reverts commit 830d70db692e374b55555f4407f96a1ceefdcc97.

      The interface isn't fully backwards-compatible, which is bad.
      Let's redo this properly after 2.4.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 75d663611e81c748522d9cdcb5230bd02db86d05
  Author: Paulo Alcantara <pcacjr@xxxxxxxxx>
  Date:   Mon Jul 13 17:45:42 2015 -0300

      ich9: fix skipped vmstate_memhp_state subsection

      By declaring another .subsections array for vmstate_tco_io_state made
      vmstate_memhp_state not registered anymore. There must be only one
      .subsections array for all subsections.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Reported-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Paulo Alcantara <pcacjr@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 71358470eec668f5dc53def25e585ce250cea9bf
  Merge: 5b5e8cd 621a20e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 17 15:22:45 2015 +0100

      Merge remote-tracking branch 'remotes/amit-virtio-rng/tags/vrng-2.4' into 
staging

      Fire timer only when required.  Brings down wakeups by a big number.

      # gpg: Signature made Fri Jul 17 14:41:40 2015 BST using RSA key ID 
854083B6
      # gpg: Good signature from "Amit Shah <amit@xxxxxxxxxxxx>"
      # gpg:                 aka "Amit Shah <amit@xxxxxxxxxx>"
      # gpg:                 aka "Amit Shah <amitshah@xxxxxxx>"

      * remotes/amit-virtio-rng/tags/vrng-2.4:
        virtio-rng: trigger timer only when guest requests for entropy

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 621a20e08155179b1902c428361e80f41429f50d
  Author: Pankaj Gupta <pagupta@xxxxxxxxxx>
  Date:   Wed Jul 15 17:46:47 2015 +0530

      virtio-rng: trigger timer only when guest requests for entropy

      This patch triggers timer only when guest requests for
      entropy. As soon as first request from guest for entropy
      comes we set the timer. Timer bumps up the quota value
      when it gets triggered.

      Signed-off-by: Pankaj Gupta <pagupta@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Message-Id: <1436962608-9961-2-git-send-email-pagupta@xxxxxxxxxx>

      [Re-worded patch subject, removed extra whitespace -- Amit]

      Signed-off-by: Amit Shah <amit.shah@xxxxxxxxxx>

  commit 5b5e8cdd7da7a2214dd062afff5b866234aab228
  Merge: fd1a9ef 92fdfa4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 17 12:39:12 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20150717-1' 
into staging

      usb: fixes for 2.4 (ccid, xhci and usb-host)

      # gpg: Signature made Fri Jul 17 12:21:42 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-usb-20150717-1:
        Revert "xhci: set timer to retry xfers"
        usb-ccid: add missing wakeup calls
        usb-ccid: fix 61b4887b41b270bc837ead57bc502d904af023bb
        Re-attach usb device to kernel while usb_host_open fails

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 92fdfa4bef9c92addcc009dd3e0131172b4fdc78
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 17 10:12:55 2015 +0200

      Revert "xhci: set timer to retry xfers"

      This reverts commit 4e8cfbe1143d8384387595b500212d7a7f11aeae.

      We should not poll via timer, and with ccid being fixed
      to properly notify us about pending transfers we don't have to.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 86d7e214c224f939c897cfa3b6d597f7af4b5bba
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jul 16 16:33:07 2015 +0200

      usb-ccid: add missing wakeup calls

      Properly notify the host adapter that we have
      data pending, so it doesn't has to poll us.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit cfda2cef3d0320d7a133600ffdb6e33547aaba8f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jul 17 11:34:11 2015 +0200

      usb-ccid: fix 61b4887b41b270bc837ead57bc502d904af023bb

      QOMification dropped the parent device lookup, fix it.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit fd1a9ef9c2493b5bc98e8e041333a57b635c5d71
  Merge: b4329bf 562f937
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 17 10:52:12 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150717-1' 
into staging

      input: fixes for 2.4

      # gpg: Signature made Fri Jul 17 07:45:17 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150717-1:
        hid: clarify hid_keyboard_process_keycode
        virtio-input: move sys/ioctl.h include
        virtio-input: fix segfault in virtio_input_hid_properties

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 562f93754b95fd6dc65ad9a2aa15a90b2da7e8a4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 14 11:18:06 2015 +0200

      hid: clarify hid_keyboard_process_keycode

      Coverity thinks the fallthroughs are smelly.  They are correct, but
      everything else in this function is like "wut?".

      Refer explicitly to bits 8 and 9 of hs->kbd.modifiers instead of
      shifting right first and using (1 << 7).  Document what the scancode
      is when hid_code is 0xe0.  And add plenty of comments.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b4329bf41c86bac8b56cadb097081960cc4839a0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 16 20:32:20 2015 +0100

      Update version for v2.4.0-rc1 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b92304ee814f0fe8109c8946dfb4dd4b63e89871
  Merge: 67ff64e d3462e3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 16 19:18:15 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * MIPS-KVM fixes.
      * Coverity fixes.
      * Nettle function prototype fixes.
      * Memory API refcount fix.

      # gpg: Signature made Thu Jul 16 19:01:27 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        crypto: avoid undefined behavior in nettle calls
        crypto: fix build with nettle >= 3.0.0
        memory: fix refcount leak in memory_region_present
        RDMA: Fix error exits
        arm/xlnx-zynqmp: fix memory leak
        ppc/spapr_drc: fix memory leak
        mips/kvm: Sign extend registers written to KVM
        mips/kvm: Fix Big endian 32-bit register access

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d3462e378f40ba6838b6c42584c30769ca633e6f
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Fri Jul 10 19:18:01 2015 +0200

      crypto: avoid undefined behavior in nettle calls

      Calling a function pointer that was cast from an incompatible function
      results in undefined behavior.  'void *' isn't compatible with 'struct
      XXX *', so we can't cast to nettle_cipher_func, but have to provide a
      wrapper.  (Conversion from 'void *' to 'struct XXX *' might require
      computation, which won't be done if we drop argument's true type, and
      pointers can have different sizes so passing arguments on stack would
      bug.)

      Having two different prototypes based on nettle version doesn't make
      this solution any nicer.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Message-Id: <1437062641-12684-3-git-send-email-rkrcmar@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit becaeb726ae7da4212a788773ebdfe87b4833f5c
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Fri Jul 10 19:18:00 2015 +0200

      crypto: fix build with nettle >= 3.0.0

      In nettle 3, cbc_encrypt() accepts 'nettle_cipher_func' instead of
      'nettle_crypt_func' and these two differ in 'const' qualifier of the
      first argument.  The build fails with:

        In file included from crypto/cipher.c:71:0:
        ./crypto/cipher-nettle.c: In function â??qcrypto_cipher_encryptâ??:
        ./crypto/cipher-nettle.c:154:38: error: passing argument 2 of
        â??nettle_cbc_encryptâ?? from incompatible pointer type
                 cbc_encrypt(ctx->ctx_encrypt, ctx->alg_encrypt,
                                                     ^
        In file included from ./crypto/cipher-nettle.c:24:0,
                         from crypto/cipher.c:71:
        /usr/include/nettle/cbc.h:48:1: note: expected
        â??void (*)(const void *, size_t, uint8_t *, const uint8_t *)
        but argument is of type
        â??void (*)(      void *, size_t, uint8_t *, const uint8_t *)

      To allow both versions, we switch to the new definition and #if typedef
      it for old versions.

      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Message-Id: <1436548682-9315-2-git-send-email-rkrcmar@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c6742b14fe7352059cd4954a356a8105757af31b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Jul 14 13:45:34 2015 +0200

      memory: fix refcount leak in memory_region_present

      memory_region_present() leaks a reference to a MemoryRegion in the
      case "mr == container".  While fixing it, avoid reference counting
      altogether for memory_region_present(), by using RCU only.

      The return value could in principle be already invalid immediately
      after memory_region_present returns, but presumably the caller knows
      that and it's using memory_region_present to probe for devices that
      are unpluggable, or something like that.  The RCU critical section
      is needed anyway, because it protects as->current_map.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 24b41d66c8ad8f77839fca777b92e365dad0cf5c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri Jul 10 20:08:52 2015 +0100

      RDMA: Fix error exits

      The error checks I added used 'break' after the error, but I'm
      in a switch inside the while loop, so they need to be 'goto out'.

      Spotted by coverity; entries 1311368 and 1311369

      Fixes: afcddefd

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Message-Id: <1436555332-19076-1-git-send-email-dgilbert@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5348c62cab309b68ecd13a33c9f21e8d6071af72
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Fri Jul 10 08:51:29 2015 +0800

      arm/xlnx-zynqmp: fix memory leak

      fix CID 1311372.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1436489490-236-4-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 586d2142a9f1aa5a1dceb0941e7b3f0953974a8b
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Fri Jul 10 08:51:28 2015 +0800

      ppc/spapr_drc: fix memory leak

      fix CID 1311373.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1436489490-236-3-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 02dae26ac4ceb1e82c432cfca4d9b65ae82343c6
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Apr 24 11:26:53 2015 +0100

      mips/kvm: Sign extend registers written to KVM

      In case we're running on a 64-bit host, be sure to sign extend the
      general purpose registers and hi/lo/pc before writing them to KVM, so as
      to take advantage of MIPS32/MIPS64 compatibility.

      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: kvm@xxxxxxxxxxxxxxx
      Cc: qemu-stable@xxxxxxxxxx
      Message-Id: <1429871214-23514-3-git-send-email-james.hogan@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f8b3e48b2d269551cd40f94770dc20da2f402325
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Fri Apr 24 11:26:52 2015 +0100

      mips/kvm: Fix Big endian 32-bit register access

      Fix access to 32-bit registers on big endian targets. The pointer passed
      to the kernel must be for the actual 32-bit value, not a temporary
      64-bit value, otherwise on big endian systems the kernel will only
      interpret the upper half.

      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: kvm@xxxxxxxxxxxxxxx
      Cc: qemu-stable@xxxxxxxxxx
      Message-Id: <1429871214-23514-2-git-send-email-james.hogan@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 67ff64e08245a5b8de98d9b2acefb840a1fae340
  Merge: 2d5ee9e 567161f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 16 16:55:00 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150716-1' 
into staging

      qxl: allow to specify head limit to qxl driver

      # gpg: Signature made Thu Jul 16 16:31:40 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150716-1:
        qxl: allow to specify head limit to qxl driver

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6110ce59af199194ef63cb31ec722487df3f42fe
  Author: Lin Ma <lma@xxxxxxxx>
  Date:   Wed Jun 24 13:40:11 2015 +0800

      Re-attach usb device to kernel while usb_host_open fails

      Signed-off-by: Lin Ma <lma@xxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e2f6bac3010419426b636d2b307f66deecd60813
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jul 14 13:44:12 2015 +0200

      virtio-input: move sys/ioctl.h include

      Drop from include/standard-headers/linux/input.h
      Add to hw/input/virtio-input-host.c instead.

      That allows to build virtio-input (except pass-through) on windows.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2a19b229f6c2f7288bb8c2498bffb01d67810dee
  Author: Lin Ma <lma@xxxxxxxx>
  Date:   Tue Jul 14 19:27:30 2015 +0800

      virtio-input: fix segfault in virtio_input_hid_properties

      commit 5cce173 introduced virtio-input segfault, This patch fixes it.

      Signed-off-by: Lin Ma <lma@xxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 567161fdd47aeb6987e700702f6bbfef04ae0236
  Author: Frediano Ziglio <fziglio@xxxxxxxxxx>
  Date:   Mon Jul 6 07:56:38 2015 +0100

      qxl: allow to specify head limit to qxl driver

      This patch allow to limit number of heads using qxl driver. By default
      qxl driver is not limited on any kind on head use so can decide to use
      as much heads.

      libvirt has this as a video card parameter (actually set to 1 but not
      used). This parameter will allow to limit setting a use can do (which
      could be confusing).

      Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2d5ee9e7a7dd495d233cf9613a865f63f88e3375
  Merge: 3749c11 908680c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 16 10:40:22 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150716' into 
staging

      MIPS patches 2015-07-16

      Changes:
      * bug fixes

      # gpg: Signature made Thu Jul 16 09:04:56 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150716:
        target-mips: fix page fault address for LWL/LWR/LDL/LDR
        linux-user: Fix MIPS N64 trap and break instruction bug
        target-mips: fix resource leak reported by Coverity
        target-mips: fix logically dead code reported by Coverity
        target-mips: correct DERET instruction
        target-mips: fix ASID synchronisation for MIPS MT
        disas/mips: fix disassembling R6 instructions
        target-mips: fix to clear MSACSR.Cause
        target-mips: fix MIPS64R6-generic configuration

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3749c11a720689694101dcf2ebc43217a02f960f
  Merge: be0df8c 3046bb5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 22:05:13 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-07-15

      Two bug fixes:
      * Memory leak due to extra g_strdup() when registering X86CPU alias 
properties
      * Fix CPUID levels so that W10 insider can run as guest OS

      # gpg: Signature made Wed Jul 15 21:26:59 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: emulate CPUID level of real hardware
        target-i386: Don't strdup() alias property name

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit be0df8cd1eb8e182a9b61a2b4d1c57824cffadc4
  Merge: 7692401 672558d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 21:06:54 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-07-15

      # gpg: Signature made Wed Jul 15 21:01:37 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/numa-pull-request:
        numa: Fix memory leak in numa_set_mem_node_id()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3046bb5debc8153a542acb1df93b2a1a85527a15
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Thu Jul 9 21:07:39 2015 +0200

      target-i386: emulate CPUID level of real hardware

      W10 insider has a bug where it ignores CPUID level and interprets
      CPUID.(EAX=07H, ECX=0H) incorrectly, because CPUID in fact returned
      CPUID.(EAX=04H, ECX=0H);  this resulted in execution of unsupported
      instructions.

      While it's a Windows bug, there is no reason to emulate incorrect level.

      I used http://instlatx64.atw.hu/ as a source of CPUID and checked that
      it matches Penryn Xeon X5472, Westmere Xeon W3520, SandyBridge i5-2540M,
      and Haswell i5-4670T.

      kvm64 and qemu64 were bumped to 0xD to allow all available features for
      them (and to avoid the same Windows bug).

      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit d461a44ca4b164549fe19b14d2cdf0524f778ce1
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Jul 9 12:24:43 2015 -0300

      target-i386: Don't strdup() alias property name

      Now object_property_add_alias() calls g_strdup() on the target property
      name, so we don't need to call g_strdup() ourselves.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 672558d2ea8dd782d1d2adc6e16af3bc34029a36
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 9 20:57:36 2015 +0530

      numa: Fix memory leak in numa_set_mem_node_id()

      Fix a memory leak in numa_set_mem_node_id().

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxx>
      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 7692401a0826803522cfde533bdcc149932ddc6a
  Merge: 711dc6f 76e2aef
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 17:28:59 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150715' into staging

      target arm queue:
       * handle broken AArch64 kernels which assume DTB won't cross a 2MB 
boundary
       * correct broken SCTLR_EL3 reset value

      # gpg: Signature made Wed Jul 15 17:24:24 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150715:
        hw/arm/boot: Increase fdt alignment
        target-arm: Fix broken SCTLR_EL3 reset

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 76e2aef392629f2b2a468f5158d5c397cc5beed2
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Jul 15 17:16:26 2015 +0100

      hw/arm/boot: Increase fdt alignment

      The Linux kernel on aarch64 creates a page table entry at early bootup
      that spans the 2MB range on memory spanning the fdt start address:

        [ ALIGN_DOWN(fdt, 2MB) ... ALIGN_DOWN(fdt, 2MB) + 2MB ]

      This means that when our current 4k alignment happens to fall at the end
      of the aligned region, Linux tries to access memory that is not mapped.

      The easy fix is to instead increase the alignment to 2MB, making Linux's
      logic always succeed.

      We leave the existing 4k alignment for 32bit kernels to not cause any
      regressions due to space constraints.

      Reported-by: Andreas Schwab <schwab@xxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e46e1a74ef482f1ef773e750df9654ef4442ca29
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 17:16:26 2015 +0100

      target-arm: Fix broken SCTLR_EL3 reset

      The SCTLR_EL3 cpreg definition was implicitly resetting the
      register state to 0, which is both wrong and clashes with
      the reset done via the SCTLR definition (since sctlr[3]
      is unioned with sctlr_s). This went unnoticed until recently,
      when an unrelated change (commit a903c449b41f105aa) happened to
      perturb the order of enumeration through the cpregs hashtable for
      reset such that the erroneous reset happened after the correct one
      rather than before it. Fix this by marking SCTLR_EL3 as an alias,
      so its reset is left up to the AArch32 view.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 711dc6f36b74fe65a6e5a1847f1152717d887f8a
  Merge: f5dec79 796a060
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 14:23:58 2015 +0100

      Merge remote-tracking branch 
'remotes/cody/tags/jtc-for-upstream-pull-request' into staging

      # gpg: Signature made Wed Jul 15 03:25:16 2015 BST using RSA key ID 
C0DE3057
      # gpg: Good signature from "Jeffrey Cody <jcody@xxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <jeff@xxxxxxxxxxxxx>"
      # gpg:                 aka "Jeffrey Cody <codyprime@xxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 9957 4B4D 3474 90E7 9D98  D624 BDBE 7B27 C0DE 
3057

      * remotes/cody/tags/jtc-for-upstream-pull-request:
        block/curl: Don't lose original error when a connection fails.
        mirror: correct buf_size
        block: keep bitmap if incremental backup job is cancelled
        blockdev: no need to drain in qmp_block_commit
        block/mirror: Sleep periodically during bitmap scanning

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 908680c6441ac468f4871d513f42be396ea0d264
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Tue Jul 14 17:45:16 2015 +0200

      target-mips: fix page fault address for LWL/LWR/LDL/LDR

      When a LWL, LWR, LDL or LDR instruction triggers a page fault, QEMU
      currently reports the aligned address in CP0 BadVAddr, while the Windows
      NT kernel expects the unaligned address.

      This patch adds a byte access with the unaligned address at the
      beginning of the LWL/LWR/LDL/LDR instructions to possibly trigger a page
      fault and fill the QEMU TLB.

      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reported-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Tested-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f01a361bfcce4bd0c439b0e051ef2a1e56727a44
  Author: Andrew Bennett <andrew.bennett@xxxxxxxxxx>
  Date:   Mon Jun 29 10:20:07 2015 +0000

      linux-user: Fix MIPS N64 trap and break instruction bug

      For the MIPS N64 ABI when QEMU reads the break/trap instruction so that
      it can inspect the break/trap code it reads 8 rather than 4 bytes
      which means it finds the code field from the instruction after the
      break/trap instruction.  This then causes the break/trap handling
      code to fail because it does not understand the code number.

      The fix forces QEMU to always read 4 bytes of instruction data rather
      than deciding how much to read based on the ABI.

      Signed-off-by: Andrew Bennett <andrew.bennett@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 26e7e982b267e71d40cd20e9e234fedef6770a90
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Jul 14 11:08:15 2015 +0100

      target-mips: fix resource leak reported by Coverity

      UHI assert and link operations call lock_user_string() twice to obtain two
      strings pointed by gpr[4] and gpr[5]. If the second lock_user_string()
      fails, then the first one won't get freed. Fix this by introducing another
      macro responsible for obtaining two strings and handling allocation
      failure.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 47ada0ad3431b39863918dc80386634693d317b5
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Jul 14 11:08:14 2015 +0100

      target-mips: fix logically dead code reported by Coverity

      Make use of CMPOP in floating-point compare instructions.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit fe87c2b36ae9c1c9a5279f3891f3bce1b573baa0
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Jul 14 11:08:13 2015 +0100

      target-mips: correct DERET instruction

      Fix Debug Mode flag clearing, and when DERET is placed between LL and SC
      do not make SC fail.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 6a973e6b6584221bed89a01e755b88e58b496652
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jul 1 15:59:13 2015 +0200

      target-mips: fix ASID synchronisation for MIPS MT

      When syncing the task ASID with EntryHi, correctly or the value instead
      of assigning it.

      Reported-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 6b9c26fb5eed2345398daca4eef601da2f3d7867
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Tue Jun 30 16:33:15 2015 +0100

      disas/mips: fix disassembling R6 instructions

      In the Release 6 of the MIPS Architecture, LL, SC, LLD, SCD, PREF
      and CACHE instructions have 9 bits offsets.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit d4f4f0d5d9e74c19614479592c8bc865d92773d0
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Tue Jun 30 15:44:28 2015 +0100

      target-mips: fix to clear MSACSR.Cause

      MSACSR.Cause bits are needed to be cleared before a vector floating-point
      instructions.
      FEXDO.df, FEXUPL.df and FEXUPR.df were missed out.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 4dc89b782095d7a0b919fafd7b1322b3cb1279f1
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Jun 29 10:11:23 2015 +0100

      target-mips: fix MIPS64R6-generic configuration

      Fix core configuration for MIPS64R6-generic to make it as close as
      I6400.
      I6400 core has 48-bit of Virtual Address available (SEGBITS).
      MIPS SIMD Architecture is available.
      Rearrange order of bits to match the specification.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f5dec79ee88034b2da52463145a2056500db9ff2
  Merge: 661725d 560d027
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 15 12:22:31 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150715-1' into staging

      migration/next for 20150715

      # gpg: Signature made Wed Jul 15 11:23:33 2015 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150715-1:
        migration: We also want to store the global state for savevm
        migration: reduce the count of strlen call
        migration: Register global state section before loadvm
        migration: Write documetation for events capabilites
        migration: Trace event and migration event are different things
        migration: Only change state after migration has finished

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 560d027b54067ffa4e79c6f7c0a499abb0d749a3
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 15 09:53:46 2015 +0200

      migration: We also want to store the global state for savevm

      Commit df4b1024526cae3479da3492d6371fd4a7324a03 introduced global_state
      section.  But it only filled the state while doing migration.  While
      doing a savevm, we stored an empty string as state.  So when we did a
      loadvm, it complained that state was invalid.

      Fedora 21, 4.1.1, qemu 2.4.0-rc0
      > ../../configure --target-list="x86_64-softmmu"

      068 2s ... - output mismatch (see 068.out.bad)
      --- /home/bos/jhuston/src/qemu/tests/qemu-iotests/068.out 2015-07-08
      17:56:18.588164979 -0400
      +++ 068.out.bad   2015-07-09 17:39:58.636651317 -0400
      @@ -6,6 +6,8 @@
       QEMU X.Y.Z monitor - type 'help' for more information
       (qemu) savevm 0
       (qemu) quit
      +qemu-system-x86_64: Unknown savevm section or instance 'globalstate' 0
      +qemu-system-x86_64: Error -22 while loading VM state
       QEMU X.Y.Z monitor - type 'help' for more information
       (qemu) quit
       *** done
      Failures: 068
      Failed 1 of 1 tests

      Actually, there were two problems here:
      - we registered global_state too late for load_vm (fixed on another
        patch on the list)
      - we didn't store a valid state for savevm (fixed by this patch).

      Reported-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Tested-by:  Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 9f5f380b54d6ad80cf35d93c8cd71c8d7a1b52b7
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Jul 13 17:34:10 2015 +0800

      migration: reduce the count of strlen call

      'strlen' is called three times in 'save_page_header', it's
      inefficient.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 48212d87d6655b029231d830a77983c21552fe49
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri Jul 10 14:51:58 2015 +0200

      migration: Register global state section before loadvm

      Otherwise, it is not found

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 72e72e1a71e5e67a11204606a5c09f6cc3089a53
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 8 14:13:10 2015 +0200

      migration: Write documetation for events capabilites

      Reported-by: Jiri Denemark <jdenemar@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4ba4bc5e9bfab457a96ac56dc470730a330aded8
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 8 13:58:27 2015 +0200

      migration: Trace event and migration event are different things

      We can want the trace event even without migration events enabled.

      Reported-by:  Wen Congyang <ghostwcy@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 172c4356f38fbf91675256447a3bedd08220214f
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 8 13:56:26 2015 +0200

      migration: Only change state after migration has finished

      On previous change, we changed state at post load time if it was not
      running, special casing the "running" change.  Now, we change any states
      at the end of the migration.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 796a060bc0fab40953997976a2e30d9d6235bc7b
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Wed Jul 8 14:37:48 2015 +0100

      block/curl: Don't lose original error when a connection fails.

      Currently if qemu is connected to a curl source (eg. web server), and
      the web server fails / times out / dies, you always see a bogus EIO
      "Input/output error".

      For example, choose a large file located on any local webserver which
      you control:

        $ qemu-img convert -p http://example.com/large.iso /tmp/test

      Once it starts copying the file, stop the webserver and you will see
      qemu-img fail with:

        qemu-img: error while reading sector 61440: Input/output error

      This patch does two things: Firstly print the actual error from curl
      so it doesn't get lost.  Secondly, change EIO to EPROTO.  EPROTO is a
      POSIX.1 compatible errno which more accurately reflects that there was
      a protocol error, rather than some kind of hardware failure.

      After this patch is applied, the error changes to:

        $ qemu-img convert -p http://example.com/large.iso /tmp/test
        qemu-img: curl: transfer closed with 469989 bytes remaining to read
        qemu-img: error while reading sector 16384: Protocol error

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 48ac0a4df84662f23da25262443e1810b70c2228
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri May 15 15:51:36 2015 +0800

      mirror: correct buf_size

      If bus_size is less than 0, the command fails.
      If buf_size is 0, use DEFAULT_MIRROR_BUF_SIZE.
      If buf_size % granularity is not 0, mirror_free_init() will
      do dangerous things.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 5555A588.3080907@xxxxxxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 17d9716d7b5381c4b6566bb1a06267d2bfcd1821
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Jun 15 16:02:14 2015 +0100

      block: keep bitmap if incremental backup job is cancelled

      Reclaim the dirty bitmap if an incremental backup block job is
      cancelled.  The ret variable may be 0 when the job is cancelled so it's
      not enough to check ret < 0.

      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1434380534-7680-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 299bf097375f9d148cda579ad85477304e38856b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 28 16:21:43 2015 +0200

      blockdev: no need to drain in qmp_block_commit

      Draining is not necessary, I/O can happen as soon as the
      commit coroutine yields.  Draining can be necessary before
      reopening the file for read/write, or while modifying the
      backing file chain, but that is done separately in
      bdrv_reopen_multiple or bdrv_close; this particular
      bdrv_drain_all does nothing for that.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1432822903-25821-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 4c0cbd6fec7db182a6deb52d5a8a8e7b0c5cbe64
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 11:11:13 2015 +0800

      block/mirror: Sleep periodically during bitmap scanning

      Before, we only yield after initializing dirty bitmap, where the QMP
      command would return. That may take very long, and guest IO will be
      blocked.

      Add sleep points like the later mirror iterations.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1431486673-19280-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 661725da09f47eb92d356fac10a4cf3b7ad1f61d
  Merge: f394798 2af9170
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 14 18:50:16 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150714' into 
staging

      s390x fixes for 2.4:
      - virtio migration regression
      - missing diag288 watchdog resets

      # gpg: Signature made Tue Jul 14 18:17:54 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150714:
        s390/virtio-ccw: Fix migration
        watchdog/diag288: correctly register for system reset requests

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2af9170c8c269c4fba73e5271453ca15a57f5844
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Tue Jul 7 13:47:23 2015 +0200

      s390/virtio-ccw: Fix migration

      commit 213941d73b ("virtio-ccw: migrate ->revision") broke
      migration:
      2015-07-07T11:22:55.570968Z qemu-system-s390x: VQ 39 address 0x0 
inconsistent with Host index 0x100
      2015-07-07T11:22:55.571008Z qemu-system-s390x: error while loading state 
for instance 0x0 of

      If thinint support is active, the config_load function returns early.
      Make sure to load the revision all the time.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Fixes: 213941d73b ("virtio-ccw: migrate ->revision")
      Message-Id: <1436269643-66303-1-git-send-email-borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 0c7322cfd3fd382c0096c2a9f00775818a878e13
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 08:21:10 2015 +0200

      watchdog/diag288: correctly register for system reset requests

      The diag288 watchdog is no sysbus device, therefore it doesn't get
      triggered on resets automatically using dc->reset.

      Let's register the reset handler manually, so we get correctly notified
      again when a system reset was requested. Also reset the watchdog on
      subsystem resets that don't trigger a full system reset.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>

  commit f3947986d9bbbae1087c4c33880d3f8dbf1f1384
  Merge: 0030ff4 e34d8f2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 14 16:51:44 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer patches for 2.4.0-rc1

      # gpg: Signature made Tue Jul 14 16:15:35 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        rbd: fix ceph settings precedence
        rbd: make qemu's cache setting override any ceph setting
        MAINTAINERS: update email address
        rbd: remove unused constants and fields
        block: Fix backing file child when modifying graph
        block: Reorder cleanups in bdrv_close()
        block: Introduce bdrv_unref_child()
        block: Introduce bdrv_open_child()
        block: Move bdrv_attach_child() calls up the call chain
        nvme: properly report volatile write caches
        nvme: implement the Flush command

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e34d8f297d51b7ffa5dce72df1e45fa94cff989c
  Author: Josh Durgin <jdurgin@xxxxxxxxxx>
  Date:   Wed Jun 10 20:28:46 2015 -0700

      rbd: fix ceph settings precedence

      Apply the ceph settings from a config file before any ceph settings
      from the command line. Since the ceph config file location may be
      specified on the command line, parse it once to read the config file,
      and do a second pass to apply the rest of the command line ceph
      options.

      Signed-off-by: Josh Durgin <jdurgin@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 99a3c89d5d538dc6c360e35dffb797cfe06e9cda
  Author: Josh Durgin <jdurgin@xxxxxxxxxx>
  Date:   Wed Jun 10 20:28:45 2015 -0700

      rbd: make qemu's cache setting override any ceph setting

      To be safe, when cache=none is used ceph settings should not be able
      to override it to turn on caching. This was previously possible with
      rbd_cache=true in the rbd device configuration or a ceph configuration
      file. Similarly, rbd settings could have turned off caching when qemu
      requested it, although this would just be a performance problem.

      Fix this by changing rbd's cache setting to match qemu after all other
      ceph settings have been applied.

      Signed-off-by: Josh Durgin <jdurgin@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5a8ac6d9d70e1a078d04ad75a5c055b00a041d70
  Author: Josh Durgin <jdurgin@xxxxxxxxxx>
  Date:   Wed Jun 10 20:28:44 2015 -0700

      MAINTAINERS: update email address

      The old one still works for now, but will not work indefinitely.

      Signed-off-by: Josh Durgin <jdurgin@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 3dbf00e058e450173c6f892bb572df871eb4ea58
  Author: Josh Durgin <jdurgin@xxxxxxxxxx>
  Date:   Wed Jun 10 20:28:43 2015 -0700

      rbd: remove unused constants and fields

      RBDAIOCB.status was only used for cancel, which was removed in
      7691e24dbebb46658e89b3f950fda6ec78bbb823.

      RBDAIOCB.sector_num was never used.

      RADOSCB.done and rcbid were never used.

      RBD_FD* are obsolete since the pipe was removed in
      e04fb07fd1676e9facd7f3f878c1bbe03bccd26b.

      Signed-off-by: Josh Durgin <jdurgin@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 80a1e130917e0745625129553c943743eb663727
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jun 17 15:52:09 2015 +0200

      block: Fix backing file child when modifying graph

      This patch moves bdrv_attach_child() from the individual places that add
      a backing file to a BDS to bdrv_set_backing_hd(), which is called by all
      of them. It also adds bdrv_detach_child() there.

      For normal operation (starting with one backing file chain and not
      changing it until the topmost image is closed) and live snapshots, this
      constitutes no change in behaviour.

      For all other cases, this is a fix for the bug that the old backing file
      was still referenced as a child, and the new one wasn't referenced.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 9a7dedbc43c7c400663d2876a8ccb6d942a1429a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 16 10:58:20 2015 +0200

      block: Reorder cleanups in bdrv_close()

      Block drivers may still want to access their child nodes in their
      .bdrv_close handler. If they unref and/or detach a child by themselves,
      this should not result in a double free.

      There is additional code for backing files, which are just a special
      case of child nodes. The same applies for them.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 33a604075c51e5528eed970eeaeefe609ea2337d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 13:51:04 2015 +0200

      block: Introduce bdrv_unref_child()

      This is the counterpart for bdrv_open_child(). It decreases the
      reference count of the child BDS and removes it from the list of
      children of the given parent BDS.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit b4b059f628173dd1d722ee8a9c592a80aec1fc2f
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 13:24:19 2015 +0200

      block: Introduce bdrv_open_child()

      It is the same as bdrv_open_image(), except that it doesn't only return
      success or failure, but the newly created BdrvChild object for the new
      child node.

      As the BdrvChild object already contains a BlockDriverState pointer (and
      this is supposed to become the only pointer so that bdrv_append() and
      friends can just change a single pointer in BdrvChild), the pbs
      parameter is removed for bdrv_open_child().

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit df5817926790f6e84d1936eab523556f96fa577a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jun 15 11:53:47 2015 +0200

      block: Move bdrv_attach_child() calls up the call chain

      Let the callers of bdrv_open_inherit() call bdrv_attach_child(). It
      needs to be called in all cases where bdrv_open_inherit() succeeds (i.e.
      returns 0) and a child_role is given.

      bdrv_attach_child() is moved upwards to avoid a forward declaration.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 30349fd038ffb26528fad21abe1e264031364449
  Author: Christoph Hellwig <hch@xxxxxx>
  Date:   Thu Jun 11 12:01:39 2015 +0200

      nvme: properly report volatile write caches

      Implement support in Identify and Get/Set Features to properly report
      and allow to change the Volatile Write Cache status reported by the
      virtual NVMe device.

      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8b9d74e0eebb2106b767d66355d38086be72ad2b
  Author: Christoph Hellwig <hch@xxxxxx>
  Date:   Thu Jun 11 12:01:38 2015 +0200

      nvme: implement the Flush command

      Implement a real flush instead of faking it.  This is especially important
      as Qemu assume Write back cashing by default and thus requires a working
      cache flush operation for data integrity.

      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0030ff40472b9ebf0e0595afbc8d7e428218c5d7
  Merge: f3a1b50 a169513
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 14 14:52:45 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20150714-1' 
into staging

      vnc: fix vnc client authentication

      # gpg: Signature made Tue Jul 14 14:38:48 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vnc-20150714-1:
        vnc: fix vnc client authentication

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a16951375f7669b7faf27f72ca753e25325c5179
  Author: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
  Date:   Tue Jul 14 14:51:40 2015 +0200

      vnc: fix vnc client authentication

      Commit 800567a61 updated the code to the generic crypto API
      and mixed up encrypt and decrypt functions in
      procotol_client_auth_vnc.
      (Used to be: deskey(key, EN0) which encrypts, and was
      changed to qcrypto_cipher_decrypt in 800567a61.)
      Changed it to qcrypto_cipher_encrypt now.

      Signed-off-by: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f3a1b5068cea303a55e2a21a97e66d057eaae638
  Merge: 6e3c0c6 4421c6a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 13 13:35:51 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc,virtio: fixes for 2.4

      pc and virtio changes, bugfixes only.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jul 13 13:03:38 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        pc: fix reuse of pc-i440fx-2.4 in pc-i440fx-2.3
        Revert "virtio-net: enable virtio 1.0"
        virtio-pci: don't crash on illegal length
        qdev: fix 64 bit properties

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4421c6a38a37d558b8e6f82d2d54aee30350f57f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Tue Jun 23 14:00:51 2015 -0300

      pc: fix reuse of pc-i440fx-2.4 in pc-i440fx-2.3

      commit fddd179ab962f6f78a8493742e1068d6a620e059,
          "pc: Convert *_MACHINE_OPTIONS macros into functions"
      broke the chaining of *_machine_options() functions on
      pc-i440fx-2.3, at:

        -#define PC_I440FX_2_3_MACHINE_OPTIONS \
        -    PC_I440FX_2_4_MACHINE_OPTIONS, \
        -    .alias = NULL, \
        -    .is_default = 0
        +static void pc_i440fx_2_3_machine_options(QEMUMachine *m)
        +{
        +    pc_i440fx_machine_options(m);
        +    m->alias = NULL;
        +    m->is_default = 0;
        +}

      I have replaced PC_I440FX_2_4_MACHINE_OPTIONS with a
      pc_i440fx_machine_options() call, instead of calling
      pc_i440fx_2_4_machine_options(). This broke the setting of 
default_machine_opts
      and default_display on pc-i440fx-{2.0,2,1,2.2,2.3}.

      Fix this by making pc_i440fx_2_3_machine_options() reuse
      pc_i440fx_2_4_machine_options().

      Reported-by: "Dr. David Alan Gilbert" <dgilbert@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 06c4670ff6d4acdc5a24e3d25748ee4a489d5869
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Mon Jul 13 13:46:50 2015 +0800

      Revert "virtio-net: enable virtio 1.0"

      This reverts commit df91055db5c9cee93d70ca8c08d72119a240b987.

      This is because:
      - vhost support virtio 1.0 now
      - transport code (e.g virtio-pci) set this feature when modern is
        enabled, setting this unconditionally will break disable-modern=on.

      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2a6391232fa58f32469fb61d55343eff32a91083
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jul 13 10:32:50 2015 +0300

      virtio-pci: don't crash on illegal length

      Some guests seem to access cfg with an illegal length value.
      It's worth fixing them but debugging is easier if
      qemu does not crash.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8aedc369c6ae4fb4c4c6920f703b000015df3d8d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jul 9 13:01:14 2015 +0200

      qdev: fix 64 bit properties

      64 bit props used 32 bit callbacks in two places, leading to broken
      feature bits on virtio (example: got 0x31000000000006d4 which is
      obviously bogus). Fix this.

      Fixes: fdba6d96 ("qdev: add 64bit properties")
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6e3c0c6edbdddb8dd676bec1ac51b5faffc19a77
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Fri Jul 10 21:22:39 2015 +0200

      tci: Fix regression with INDEX_op_qemu_st_i32, INDEX_op_qemu_st_i64

      Commit 59227d5d45bb3c31dc2118011691c35b3c00879c did not update the
      code in tcg/tci/tcg-target.c for those two cases.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Message-id: 1436556159-3002-1-git-send-email-sw@xxxxxxxxxxx
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6169b60285fe1ff730d840a49527e721bfb30899
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 9 17:56:56 2015 +0100

      Update version for v2.4.0-rc0 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 16c1321bd78ad79a7252b714184ee2a0b5944c56
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 9 17:46:24 2015 +0100

      tci: Fix compile failure by including qemu-common.h

      Compilation of TCI was accidentally broken by the recent disassembler
      changes:

        CC    x86_64-softmmu/arch_init.o
      In file included from target-i386/cpu-qom.h:23:0,
                       from target-i386/cpu.h:986,
                       from include/qemu-common.h:122,
                       from include/disas/bfd.h:12,
                       from disas/tci.c:20:
      include/qom/cpu.h:178:43: error: unknown type name â??disassemble_infoâ??
           void (*disas_set_info)(CPUState *cpu, disassemble_info *info);
                                                 ^
      include/qom/cpu.h:179:1: error:
      no semicolon at end of struct or union [-Werror]
       } CPUClass;
       ^
      cc1: all warnings being treated as errors

      The underlying cause of this is an include loop:
       bfd.h -> qemu-common.h -> target-arm/cpu.h ->  target-arm/cpu-qom.h
        -> qom/cpu.h -> bfd.h

      which means that if bfd.h is included first then qom/cpu.h doesn't
      get the definition of the disassemble_info type that it wanted.
      The easiest fix for this is to include qemu-common.h from tci.c
      before including disas/bfd.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a9dc4cf94c182f03c0061483891f53d1d21e5e68
  Merge: 0326248 4f4f697
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 9 16:22:37 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      Fixes for two bad bugs.  For 2.4-rc0.

      # gpg: Signature made Thu Jul  9 15:54:19 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        crypto: fix builtin qcrypto_cipher_free
        migration: fix RCU deadlock

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4f4f6976d80614e2d81cea4385885876f24bb257
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 9 16:52:48 2015 +0200

      crypto: fix builtin qcrypto_cipher_free

      This was dereferencing a pointer before checking if it was NULL.

      Reported-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reported-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 032624868df264d395ee9900331f08bad1431022
  Merge: 5a2db89 6b625fd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 9 15:00:37 2015 +0100

      Merge remote-tracking branch 'remotes/afaerber/tags/qom-cpu-for-peter' 
into staging

      QOM CPUState and X86CPU

      * Further QOM'ification of CPU initialization
      * Propagation of CPUState arguments and elimination of ENV_GET_CPU() usage
      * cpu_set_pc() abstraction
      * CPUClass::disas_set_info() hook

      # gpg: Signature made Thu Jul  9 14:23:12 2015 BST using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-cpu-for-peter: (22 commits)
        disas: cris: QOMify target specific disas setup
        disas: cris: Fix 0 buffer length case
        disas: microblaze: QOMify target specific disas setup
        disas: arm: QOMify target specific disas setup
        disas: arm-a64: Make printfer and stream variable
        disas: QOMify target specific setup
        disas: Add print_insn to disassemble info
        microblaze: boot: Use cpu_set_pc()
        hw/arm/boot: Use cpu_set_pc()
        gdbstub: Use cpu_set_pc() helper
        cpu: Add wrapper for the set_pc() hook
        cpu-exec: Purge all uses of ENV_GET_CPU()
        cpu: Change cpu_exec_init() arg to cpu, not env
        cpu: Change tcg_cpu_exec() arg to cpu, not env
        gdbstub: Change gdbserver_fork() to accept cpu instead of env
        translate-all: Change tb_flush() env argument to cpu
        target-ppc: Move cpu_exec_init() call to realize function
        cpu: Convert cpu_index into a bitmap
        cpu: Add Error argument to cpu_exec_init()
        cpu: Reorder cpu->as, cpu->thread_id, cpu->memory_dispatch init
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6b625fde5eb8d1c969969392f1c92b58beed2183
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:38 2015 -0700

      disas: cris: QOMify target specific disas setup

      Move the target_disas() cris specifics to the QOM disas_set_info() hook
      and delete the cris specific code in disas.c.

      This also now adds support for monitor_disas() to cris.

      E.g.
      (qemu) xp 0x40004000
      0000000040004000: 0x1e6f25f0

      And before this patch:
      (qemu) xp/i 0x40004000
      0x40004000: Asm output not supported on this arch

      After:
      (qemu) xp/i 0x40004000
      0x40004000:  di
      (qemu) xp/i 0x40004002
      0x40004002:  move.d 0xb003c004,$r1

      Note: second example is 6-byte misaligned instruction!

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 51d373cf5f5a39fa315342d12ec910fe59d87090
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:37 2015 -0700

      disas: cris: Fix 0 buffer length case

      Cris has the complication of variable length instructions and has
      a check in place to clamp memory reads in case the disas request
      doesn't have enough bytes for the instruction being disas'd. This
      breaks down in the case where disassembling for the monitor where
      the buffer length is defaulted to 0.

      The buffer length should never be zero for a regular target_disas,
      so we can safely assume the 0 case is for the monitor in which case
      consider the buffer length to be the max for cris instructions.

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit efc6674be845e40d443b62e80eb9ea9a9adfee3c
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:36 2015 -0700

      disas: microblaze: QOMify target specific disas setup

      Move the target_disas() MB specifics to the QOM disas_set_info hook
      and delete the MB specific code in disas.c.

      This also now adds support for monitor_disas() to Microblaze.

      E.g.
      (qemu) xp 0x90000000
      0000000090000000: 0x94208001

      And before this patch:
      (qemu) xp/i 0x90000000
      0x90000000: Asm output not supported on this arch

      After:
      (qemu) xp/i 0x90000000
      0x90000000:  mfs    r1, rmsr

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 484406200e51eac023b346fdf987f86af1f6fe75
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:35 2015 -0700

      disas: arm: QOMify target specific disas setup

      Move the target_disas() ARM specifics to the QOM disas_set_info hook
      and delete the ARM specific code in disas.c.

      This has the extra advantage of the more fully featured target_disas()
      implementation now applying to monitor_disas().

      Currently, target_disas() has multi-endian, thumb and AArch64
      support whereas the existing monitor_disas() support only has vanilla
      AA32 support.

      E.G. Running an AA64 linux kernel the following -d in_asm disas happens
      (taget_disas()):

      IN:
      0x0000000040000000:  580000c0      ldr x0, pc+24 (addr 0x40000018)
      0x0000000040000004:  aa1f03e1      mov x1, xzr

      However before this patch, disasing the same from the monitor:

      (qemu) xp/i 0x40000000
      0x0000000040000000:  580000c0      stmdapl  r0, {r6, r7}

      After this patch:
      (qemu) xp/i 0x40000000
      0x0000000040000000:  580000c0      ldr x0, pc+24 (addr 0x40000018)

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit fb200d5f003118f63205f34bbe553efcf3a66a81
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:34 2015 -0700

      disas: arm-a64: Make printfer and stream variable

      In a normal disassembly flow, the printf() and stream being used varies
      from disas job to job. In particular it varies if mixing monitor_disas
      and target_disas.

      Make both the printf() function and target stream settable in the
      QEMUDisassmbler class.

      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Tested-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 37b9de463bff4fc786bb5f0778829e68d2c97bd0
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:33 2015 -0700

      disas: QOMify target specific setup

      Add a QOM function hook for target-specific disassembly setup. This
      allows removal of the #ifdeffery currently implementing target specific
      disas setup from disas.c.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 2de295c544dda8680a82fe465c92d236d49c4d4f
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:57:32 2015 -0700

      disas: Add print_insn to disassemble info

      Add the print_insn pointer to the disassemble info structure. This is
      to prepare for QOMification support, where a QOM CPU hook function will
      be responsible for setting the print_insn() function. Add this function
      to the existing struct to consolidate such that only the one struct
      needs to be passed to the new QOM API.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 691b9572e337f2d74b4b527c3dc76f542c6a5734
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:19:23 2015 -0700

      microblaze: boot: Use cpu_set_pc()

      Use cpu_set_pc() for setting program counters when bootloading. This
      removes an instance of system level code having to reach into the CPU
      env.

      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      [AF: Avoid duplicated CPU() casts through local variable]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4df81c6ed1eddcbbb920a977e76f599e05b39b77
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:19:22 2015 -0700

      hw/arm/boot: Use cpu_set_pc()

      Use cpu_set_pc() across the board for setting program counters. This
      removes instances of system level code having to reach into the CPU
      env.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      [AF: Avoid repeated casts with local variables]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4a2b24edb73f98fa58fd8965db5b312617de7a02
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:19:21 2015 -0700

      gdbstub: Use cpu_set_pc() helper

      Use the cpu_set_pc() helper which will take care of CPUClass retrieval
      for us.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 2991b8904730d663f12ad42e35798ecc22fe151c
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 20:19:20 2015 -0700

      cpu: Add wrapper for the set_pc() hook

      Add a wrapper around the CPUClass::set_pc() hook.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit ea3e9847408131abc840240bd61e892d28459452
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Jun 18 10:24:55 2015 -0700

      cpu-exec: Purge all uses of ENV_GET_CPU()

      Remove un-needed usages of ENV_GET_CPU() by converting the APIs to use
      CPUState pointers and retrieving the env_ptr as minimally needed.

      Scripted conversion for target-* change:

      for I in target-*/cpu.h; do
          sed -i \
          's/\(^int cpu_[^_]*_exec(\)[^ ][^ ]* \*s);$/\1CPUState *cpu);/' \
          $I;
      done

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4bad9e392e788a218967167a38ce2ae7a32a6231
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 19:31:18 2015 -0700

      cpu: Change cpu_exec_init() arg to cpu, not env

      The callers (most of them in target-foo/cpu.c) to this function all
      have the cpu pointer handy. Just pass it to avoid an ENV_GET_CPU() from
      core code (in exec.c).

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: "Edgar E. Iglesias" <edgar.iglesias@xxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Michael Walle <michael@xxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Anthony Green <green@xxxxxxxxxxxxxx>
      Cc: Jia Liu <proljc@xxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Blue Swirl <blauwirbel@xxxxxxxxx>
      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Cc: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Guan Xuetao <gxt@xxxxxxxxxxxxxxx>
      Cc: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 3d57f7893c90d911d786cb2c622b0926fc808b57
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 19:31:17 2015 -0700

      cpu: Change tcg_cpu_exec() arg to cpu, not env

      The sole caller of this function navigates the cpu->env_ptr only for
      this function to take it back the cpu pointer straight away. Pass in
      cpu pointer instead and grab the env pointer locally in the function.
      Removes a core code usage of ENV_GET_CPU().

      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit f7ec7f7b269813603b1d64bb9833f9e711f0115c
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 19:31:16 2015 -0700

      gdbstub: Change gdbserver_fork() to accept cpu instead of env

      All callsites to this function navigate the cpu->env_ptr only for the
      function to take the env ptr back to the original cpu ptr. Change the
      function to just pass in the CPU pointer instead. Removes a core code
      usage of ENV_GET_CPU() (in gdbstub.c).

      Cc: Riku Voipio <riku.voipio@xxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit bbd77c180d7ff1b04a7661bb878939b2e1d23798
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Tue Jun 23 19:31:15 2015 -0700

      translate-all: Change tb_flush() env argument to cpu

      All of the core-code usages of this API have the cpu pointer handy so
      pass it in. There are only 3 architecture specific usages (2 of which
      are commented out) which can just use ENV_GET_CPU() locally to get the
      cpu pointer. The reduces core code usage of the CPU env, which brings
      us closer to common-obj'ing these core files.

      Cc: Riku Voipio <riku.voipio@xxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Acked-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 6dd0f8342ddfbd8db3e3de1a17686cedbc14e9f1
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 19:31:14 2015 -0700

      target-ppc: Move cpu_exec_init() call to realize function

      Move cpu_exec_init() call from instance_init to realize. This allows
      any failures from cpu_exec_init() to be handled appropriately.
      Also add corresponding cpu_exec_exit() call from unrealize.

      cpu_dt_id assignment from instance_init is no longer needed since
      correct assignment for cpu_dt_id is already present in realizefn.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      [AF: Keep calling cpu_exec_init() for CONFIG_USER_ONLY]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b7bca7333411bd19c449147e8202ae6b0e4a8e09
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 19:31:13 2015 -0700

      cpu: Convert cpu_index into a bitmap

      Currently CPUState::cpu_index is monotonically increasing and a newly
      created CPU always gets the next higher index. The next available
      index is calculated by counting the existing number of CPUs. This is
      fine as long as we only add CPUs, but there are architectures which
      are starting to support CPU removal, too. For an architecture like PowerPC
      which derives its CPU identifier (device tree ID) from cpu_index, the
      existing logic of generating cpu_index values causes problems.

      With the currently proposed method of handling vCPU removal by parking
      the vCPU fd in QEMU
      (Ref: http://lists.gnu.org/archive/html/qemu-devel/2015-02/msg02604.html),
      generating cpu_index this way will not work for PowerPC.

      This patch changes the way cpu_index is handed out by maintaining
      a bit map of the CPUs that tracks both addition and removal of CPUs.

      The CPU bitmap allocation logic is part of cpu_exec_init(), which is
      called by instance_init routines of various CPU targets. Newly added
      cpu_exec_exit() API handles the deallocation part and this routine is
      called from generic CPU instance_finalize.

      Note: This new CPU enumeration is for !CONFIG_USER_ONLY only.
      CONFIG_USER_ONLY continues to have the old enumeration logic.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      [AF: max_cpus -> MAX_CPUMASK_BITS]
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 5a790cc4b942e651fec7edc597c19b637fad5a76
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 19:31:12 2015 -0700

      cpu: Add Error argument to cpu_exec_init()

      Add an Error argument to cpu_exec_init() to let users collect the
      error. This is in preparation to change the CPU enumeration logic
      in cpu_exec_init(). With the new enumeration logic, cpu_exec_init()
      can fail if cpu_index values corresponding to max_cpus have already
      been handed out.

      Since all current callers of cpu_exec_init() are from instance_init,
      use error_abort Error argument to abort in case of an error.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 291135b5da228e58900c120e12354cc0a23608e3
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Apr 27 17:00:33 2015 -0300

      cpu: Reorder cpu->as, cpu->thread_id, cpu->memory_dispatch init

      Instead of initializing cpu->as, cpu->thread_id, and reloading memory
      map while holding cpu_list_lock(), do it earlier, before locking the CPU
      list and initializing cpu_index.

      This allows the code handling cpu_index and global CPU list to be
      isolated from the rest.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 7c39163e389e6e6e16965606fb5a26abcdb6ad73
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Apr 27 17:00:32 2015 -0300

      cpu: Initialize breakpoint/watchpoint lists in cpu_common_initfn()

      One small step in the simplification of cpu_exec_init().

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 199fc85acd0571902eeefef6ea861b8ba4c8201f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Apr 27 17:00:31 2015 -0300

      cpu: No need to zero-initialize CPUState::numa_node

      QOM objects are already zero-filled when instantiated, there's no need
      to explicitly set numa_node to 0.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 5a2db89615c8efabbeca74fe5e0f14f312d3bbe3
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Thu Jul 9 10:17:15 2015 +0100

      mips/kvm: Sync with newer MIPS KVM headers

      The KVM_REG_MIPS_COUNT_* definitions are now included in
      linux-headers/asm-mips/kvm.h since commit b061808d39fa ("linux-headers:
      update linux headers to kvm/next"), therefore the duplicate definitions
      in target-mips/kvm.c can now be dropped (the definitions were tweaked
      slightly in commit 7a52ce8a1607 ("linux-headers: update") which
      triggered the following build warnings turned errors):

      target-mips/kvm.c:232:0: error: "KVM_REG_MIPS_COUNT_CTL" redefined 
[-Werror]
      linux-headers/asm/kvm.h:129:0: note: this is the location of the previous 
definition
      target-mips/kvm.c:236:0: error: "KVM_REG_MIPS_COUNT_RESUME" redefined 
[-Werror]
      linux-headers/asm/kvm.h:141:0: note: this is the location of the previous 
definition
      target-mips/kvm.c:239:0: error: "KVM_REG_MIPS_COUNT_HZ" redefined 
[-Werror]
      linux-headers/asm/kvm.h:147:0: note: this is the location of the previous 
definition

      Also update the MIPS_C0_{32,64} macros to utilise definitions more
      recently added to the asm-mips/kvm.h header.

      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Message-id: 1436433435-24898-3-git-send-email-james.hogan@xxxxxxxxxx
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: kvm@xxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a8f13961fdcff3a5969b9884368e875aa068f1c9
  Author: James Hogan <james.hogan@xxxxxxxxxx>
  Date:   Thu Jul 9 10:17:14 2015 +0100

      tcg/mips: Fix build error from merged memop+mmu_idx parameter

      Commit 3972ef6f830d ("tcg: Push merged memop+mmu_idx parameter to
      softmmu routines") caused the following build errors when building TCG
      for MIPS:

      In file included from tcg/tcg.c:258:0:
      tcg/mips/tcg-target.c In function â??tcg_out_qemu_ld_slow_pathâ??:
      tcg/mips/tcg-target.c:1015:22: error: â??lbâ?? undeclared (first use in 
this function)
      tcg/mips/tcg-target.c In function â??tcg_out_qemu_st_slow_pathâ??:
      tcg/mips/tcg-target.c:1058:22: error: â??lbâ?? undeclared (first use in 
this function)

      It looks like lb was meant to refer to the TCGLabelQemuLdst *l
      parameter, so fix both references to lb to refer to just l.

      Fixes: 3972ef6f830d ("tcg: Push merged memop+mmu_idx parameter to softmmu 
routines")
      Signed-off-by: James Hogan <james.hogan@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Message-id: 1436433435-24898-2-git-send-email-james.hogan@xxxxxxxxxx
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d09a6fde1590ca3a45b608b6873a680f208dfeb5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jul 9 08:47:58 2015 +0200

      migration: fix RCU deadlock

      migration_end calls synchronize_rcu() within a critical section.
      That causes a deadlock; move the call after rcu_read_unlock().

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit acf7b7fdf31fa76b53803790917c8acf23a2badb
  Merge: c8e8428 2828a30
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 8 20:46:35 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      Bugfixes and Daniel Berrange's crypto library.

      # gpg: Signature made Wed Jul  8 12:12:29 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        ossaudio: fix memory leak
        ui: convert VNC to use generic cipher API
        block: convert qcow/qcow2 to use generic cipher API
        ui: convert VNC websockets to use crypto APIs
        block: convert quorum blockdrv to use crypto APIs
        crypto: add a nettle cipher implementation
        crypto: add a gcrypt cipher implementation
        crypto: introduce generic cipher API & built-in implementation
        crypto: move built-in D3DES implementation into crypto/
        crypto: move built-in AES implementation into crypto/
        crypto: introduce new module for computing hash digests
        vl: move rom_load_all after machine init done

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c8e84287da7dd6a46c0bb0e53190e79ba4eedf24
  Merge: d09952e 702c8c8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 8 19:44:28 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Wed Jul  8 19:08:28 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        ahci: Fix CD-ROM signature
        libqos/ahci: fix ahci_write_fis for ncq on ppc64

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 702c8c8be2f3317c81fff83f82d8a5f1d50d41b8
  Author: Hannes Reinecke <hare@xxxxxxx>
  Date:   Mon Jul 6 17:49:51 2015 -0400

      ahci: Fix CD-ROM signature

      The CD-ROM signature is 0xeb140101, not 0xeb140000.
      Without this change OVMF/Duet runs into a timeout trying
      to detect a SATA cdrom.

      Signed-off-by: Hannes Reinecke <hare@xxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1436219392-31915-2-git-send-email-jsnow@xxxxxxxxxx

  commit 9ab9993f71b7eac6788deae2fbb7ec659ceb4a1e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Jul 6 15:17:09 2015 -0400

      libqos/ahci: fix ahci_write_fis for ncq on ppc64

      Don't try to correct the endianness of NCQ commands, which do not
      use any fields wider than a single byte.

      This corrects the /x86_64/ahci/io/ncq/simple test (and others)
      for ppc64 BE hosts.

      Reported-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Tested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1436210229-4118-2-git-send-email-jsnow@xxxxxxxxxx

  commit d09952ee8caeea928695d5a3dc3ec50d8afb98c6
  Author: Paul Durrant <paul.durrant@xxxxxxxxxx>
  Date:   Tue Jul 7 14:32:38 2015 +0100

      Fix the compatibility typedef of ioservid_t to match the Xen headers

      There is a mismatch between the definition of ioservid_t in
      xen_common.h and the definition in the Xen public headers. This patch
      corrects the definition in xen_common.h.

      Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
      Tested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1436275958-25174-1-git-send-email-paul.durrant@xxxxxxxxxx
      Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c8232b39bb18a91cde39b8e0b60e731a4ce782b1
  Merge: 62a3864 c4fc82b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 8 13:36:19 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc,virtio,pci: fixes and updates

      Most notably, this includes the TCO support for ICH: the last feature for 
2.4
      as we are entering the hard freeze.

      Bugfixes only from now on.

      virtio pci also gained cfg access capability - arguably a bugfix
      since virtio spec makes it mandatory, but it's a big patch.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Wed Jul  8 10:40:07 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        tco-test: fix up config accesses and re-enable
        virtio fix cfg endian-ness for BE targets
        virtio-pci: implement cfg capability
        virtio: define virtio_pci_cfg_cap in header.
        pcie: Set the "link active" in the link status register
        pci_regs.h: import from linux
        virtio_net: reuse constants from linux
        hw/i386/pc: don't carry FDC from pc_basic_device_init() to 
pc_cmos_init()
        hw/i386/pc: reflect any FDC @ ioport 0x3f0 in the CMOS
        hw/i386/pc: factor out pc_cmos_init_floppy()
        ich9: implement strap SPKR pin logic
        tests: add testcase for TCO watchdog emulation
        ich9: add TCO interface emulation
        acpi: split out ICH ACPI support
        Revert "dataplane: allow virtio-1 devices"
        dataplane: fix cross-endian issues

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 62a3864eb09414d3cee94a2a592ecd414200912f
  Merge: 59dc0a1 c54e1eb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jul 8 12:35:14 2015 +0100

      Merge remote-tracking branch 
'remotes/mdroth/tags/qga-pull-2015-07-06-v3-tag' into staging

      tag for qga-pull-2015-07-06-v3

      v3:
        - fix missing <windows.h> in configure test program.

      v2:
        - added configure check for guest-get-fs-info to avoid breakage on older
          MinGWs
        - removed extraneous include of ws2ipdef.h in w32
          guest-network-get-interfaces. ws2tcpip.h already provides those
          definitions, and older MinGWs don't have it.
        - rebased on latest master

      # gpg: Signature made Wed Jul  8 03:01:18 2015 BST using RSA key ID 
F108B584
      # gpg: Good signature from "Michael Roth <flukshun@xxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxx>"
      # gpg:                 aka "Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 
B584

      * remotes/mdroth/tags/qga-pull-2015-07-06-v3-tag:
        qga: added GuestPCIAddress information
        qga: added bus type and disk location path
        configure: add configure check for ntdddisk.h
        qga: added mountpoint and filesystem type for single volume
        qga: added empty qmp_quest_get_fsinfo functionality.
        qga: fail early for invalid time
        qga: win32 qmp_guest_network_get_interfaces implementation
        qga: add win32 library iphlpapi
        Revert "guest agent: remove g_strcmp0 usage"
        qga/qmp_guest_fstrim: Return per path fstrim result
        qga/commands-posix: Fix bug in guest-fstrim

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2828a307232ffceeddec9feb6a87ac660b68b693
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Jun 23 09:01:10 2015 +0800

      ossaudio: fix memory leak

      Variable "conf" going out of scope leaks the storage
      it points to in line 856.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-Id: <1435021270-7768-1-git-send-email-arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 800567a613510c77a55decac4d25fea154d1ee22
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:38 2015 +0100

      ui: convert VNC to use generic cipher API

      Switch the VNC server over to use the generic cipher API, this
      allows it to use the pluggable DES implementations, instead of
      being hardcoded to use QEMU's built-in impl.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-11-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f6fa64f6d22b0ed53fb3be5883cd9719d17cb4f0
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:37 2015 +0100

      block: convert qcow/qcow2 to use generic cipher API

      Switch the qcow/qcow2 block driver over to use the generic cipher
      API, this allows it to use the pluggable AES implementations,
      instead of being hardcoded to use QEMU's built-in impl.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-10-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8e9b0d24fb986d4241ae3b77752eca5dab4cb486
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:36 2015 +0100

      ui: convert VNC websockets to use crypto APIs

      Remove the direct use of gnutls for hash processing in the
      websockets code, in favour of using the crypto APIs. This
      allows the websockets code to be built unconditionally
      removing countless conditional checks from the VNC code.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-9-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 488981a4af396551a3178d032cc2b41d9553ada2
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:35 2015 +0100

      block: convert quorum blockdrv to use crypto APIs

      Get rid of direct use of gnutls APIs in quorum blockdrv in
      favour of using the crypto APIs. This avoids the need to
      do conditional compilation of the quorum driver. It can
      simply report an error at file open file instead if the
      required hash algorithm isn't supported by QEMU.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-8-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ed754746fea55df726f4de3dadb5bea0b6aa7409
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:34 2015 +0100

      crypto: add a nettle cipher implementation

      If we are linking to gnutls already and gnutls is built against
      nettle, then we should use nettle as a cipher backend in
      preference to our built-in backend.

      This will be used when linking against some GNUTLS 2.x versions
      and all GNUTLS 3.x versions.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-7-git-send-email-berrange@xxxxxxxxxx>
      [Change "#elif" to "#elif defined". - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 62893b67cd82bbd48b013c1cec25f0d863612c80
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:33 2015 +0100

      crypto: add a gcrypt cipher implementation

      If we are linking to gnutls already and gnutls is built against
      gcrypt, then we should use gcrypt as a cipher backend in
      preference to our built-in backend.

      This will be used when linking against GNUTLS 1.x and many
      GNUTLS 2.x versions.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-6-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ca38a4cc9e36647437b837b346a41981fb8880cd
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:32 2015 +0100

      crypto: introduce generic cipher API & built-in implementation

      Introduce a generic cipher API and an implementation of it that
      supports only the built-in AES and DES-RFB algorithms.

      The test suite checks the supported algorithms + modes to
      validate that every backend implementation is actually correctly
      complying with the specs.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-5-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c4fc82bf1ad088a84ccedf779f6aa928e4fadb5f
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 8 10:06:15 2015 +0300

      tco-test: fix up config accesses and re-enable

      The mistake that made the test fail was that it tried to
      use a BAR address as an offset for config accesses to LPC.

      Config accesses don't need a BAR, and LPC does not have one. Don't
      attempt to map it.

      With this change applied, TCO test passes, so re-enable it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1e40356ce5f6ccfa0bb57104a533c62952c560ce
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Sun Jul 5 15:08:09 2015 +0200

      virtio fix cfg endian-ness for BE targets

      address_space_rw assumes data is in target format
      and byte-swaps it if target is BE and device is LE.
      Use fixed-endian LE APIs instead.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ada434cd0b44ce984318621e4bb79e067360d737
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jul 2 14:59:49 2015 +0200

      virtio-pci: implement cfg capability

      spec says we must, so let's do it!

      Note: the implementation is incorrect for BE targets.
      Will fix with a patch on top, not a big deal now as
      the only user is seabios, used on x86 only.

      Tested-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c36f24a2045d7a002b767ce023acfd9be63df692
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jul 2 12:52:44 2015 +0200

      virtio: define virtio_pci_cfg_cap in header.

      Update virtio pci header from linux-next virtio maintainer tree.
      We already have VIRTIO_PCI_CAP_PCI_CFG, let's define the structure
      that goes with it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b2101eae63ea57b571cee4a9075a4287d24ba4a4
  Author: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
  Date:   Sun Jul 5 09:26:03 2015 +1000

      pcie: Set the "link active" in the link status register

      Some firmwares can test that and assume the device hasn't come
      up if that bit isn't set

      Signed-off-by: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 412a82457ef54821362ba27804e24a92fce09761
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 1 11:42:18 2015 +0200

      pci_regs.h: import from linux

      It seems to make sense to import pci_regs.h from linux:
      why maintain our own?
      As a first step, move the header to standard-headers,
      and add it to the update script.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f56fc2d319b18d5e510988374929188867a5f930
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Jul 1 11:36:57 2015 +0200

      virtio_net: reuse constants from linux

      VIRTIO_NET_F_CTRL_GUEST_OFFLOADS now appears in the
      linux header, let's reuse it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 220a8846429ac954932e16010efb07af0aba4529
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 25 15:35:07 2015 +0200

      hw/i386/pc: don't carry FDC from pc_basic_device_init() to pc_cmos_init()

      Thanks to the last patch, pc_cmos_init() doesn't need the (optional)
      board-default FDC any longer as an input parameter. Update
      pc_basic_device_init() not to hand it back to pc_init1() / pc_q35_init(),
      and update the latter not to carry the FDC to pc_cmos_init(). This
      simplifies the code.

      pc_init1() | pc_q35_init()
        pc_basic_device_init()
        pc_cmos_init()

      Cc: Jan Tomko <jtomko@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b86f46132cd86b03f9e4a1cf6295f8b416e16afa
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 25 15:35:06 2015 +0200

      hw/i386/pc: reflect any FDC @ ioport 0x3f0 in the CMOS

      With the pc-q35-2.4 machine type, if the user creates an ISA FDC manually:

        -device isa-fdc,driveA=drive-fdc0-0-0 \
        -drive file=...,if=none,id=drive-fdc0-0-0,format=raw

      then the board-default FDC will be skipped, and only the explicitly
      requested FDC will exist. qtree-wise, this is correct; however such an FDC
      is currently not registered in the CMOS, because that code is only reached
      for the board-default FDC.

      The pc_cmos_init_late() one-shot reset handler -- one-shot because the
      CMOS is not reprogrammed during warm reset -- should search for any ISA
      FDC devices, created implicitly (by board code) or explicitly, and set the
      CMOS accordingly to the ISA FDC(s) with iobase=0x3f0:

      - if there is no such FDC, report both drives absent,
      - if there is exactly one such FDC, report its drives in the CMOS,
      - if there are more than one such FDCs, then pick one (it is not specified
        which one), and print a warning about the ambiguity.

      Cc: Jan Tomko <jtomko@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reported-by: Jan Tomko <jtomko@xxxxxxxxxx>
      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7444ca4ee2382170774ae201c473270d65620d75
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 25 15:35:05 2015 +0200

      hw/i386/pc: factor out pc_cmos_init_floppy()

      Extract the pc_cmos_init_floppy() function from pc_cmos_init(). The
      function sets two RTC registers: floppy drive types (0x10), overwriting
      the earlier value in there), and REG_EQUIPMENT_BYTE (0x14), setting bits
      in the prior value.

      Cc: Jan Tomko <jtomko@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5add35bec1e249bb5345a47008c8f298d4760be4
  Author: Paulo Alcantara <pcacjr@xxxxxxxxx>
  Date:   Sun Jun 28 14:58:58 2015 -0300

      ich9: implement strap SPKR pin logic

      If the signal is sampled high, this indicates that the system is
      strapped to the "No Reboot" mode (ICH9 will disable the TCO Timer system
      reboot feature). The status of this strap is readable via the NO_REBOOT
      bit (CC: offset 0x3410:bit 5).

      The NO_REBOOT bit is set when SPKR pin on ICH9 is sampled high. This bit
      may be set or cleared by software if the strap is sampled low but may
      not override the strap when it indicates "No Reboot".

      This patch implements the logic where hardware has ability to set SPKR
      pin through a property named "noreboot" and it's sampled high by
      default.

      Signed-off-by: Paulo Alcantara <pcacjr@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 45dcdb9da632b5a5e7639707e12b1b17029c5a1e
  Author: Paulo Alcantara <pcacjr@xxxxxxxxx>
  Date:   Sun Jun 28 14:58:57 2015 -0300

      tests: add testcase for TCO watchdog emulation

      This patch adds a testcase that covers the following:
        1) TCO default values
        2) first and second TCO timeout
        3) watch and validate ticks counter through TCO_RLD register
        4) maximum supported TCO timeout (0x3ff)
        5) watchdog actions (pause/reset/shutdown/none) upon second TCO
           timeout
        6) set and get of TCO control and status bits

      MST: The test does not pass yet, so it's disabled by default.

      Signed-off-by: Paulo Alcantara <pcacjr@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c54e1eb4928d4e6762c7100d1d1ef5f08ddf922b
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 7 19:12:18 2015 -0500

      qga: added GuestPCIAddress information

      PCIAddress inforfation is obtained via SetupApi, which provides the
      information about address, bus, etc. We look throught entire device tree
      in the system and try to find device object for given volume. For this PDO
      SetupDiGetDeviceRegistryProperty is called, which reads PCI configuration
      for a given devicei if it is possible.

      This is the most convinient way for a userspace service. The lookup is
      performed for every volume available. However, this information is
      not mandatory for vss-provider.

      In order to use SetupApi we need to notify linker about it. We do not need
      to install additional libs, so we do not make separate configuration
      option to use libsetupapi.su

      SetupApi gives as the same information as kernel driver
      with IRP_MN_QUERY_INTERFACE.
      https://support.microsoft.com/en-us/kb/253232

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * stub out get_pci_info if !CONFIG_QGA_NTDDSCSI
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit a3ef3b2272d8349c932f8c440bcaa31d8518b1c0
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Tue Jun 30 13:25:22 2015 +0300

      qga: added bus type and disk location path

      According to Microsoft disk location path can be obtained via
      IOCTL_SCSI_GET_ADDRESS. Unfortunately this ioctl can not be used for all
      devices. There are certain bus types which could be obtained with this
      API. Please, refer to the following link for more details
      https://technet.microsoft.com/en-us/library/ee851589(v=ws.10).aspx

      Bus type could be obtained using IOCTL_STORAGE_QUERY_PROPERTY. Enum
      STORAGE_BUS_TYPE describes all buses supported by OS.

      Windows defines more bus types than Linux. Thus some values have been 
added
      to GuestDiskBusType.

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      * fixed warning in CreateFile due to use of NULL instead of 0
      * only provide disk info when CONFIG_QGA_NTDDSCSI=y
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 50cbebb9a339f43cda2005785010361497151882
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jul 7 18:10:09 2015 -0500

      configure: add configure check for ntdddisk.h

      This header file provides w32 ioctl definitions for working with disk
      devices. Older versions of mingw do not expose this in a useable way,
      so add a configure check and report it via CONFIG_QGA_NTDDSCSI.

      Subsequent patches will use this macro to stub out functionality that
      relies on this in cases where it's not available.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit d2b3f390d4e4b5d9dd74ae703d365a7b75a234ea
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Tue Jun 30 13:25:21 2015 +0300

      qga: added mountpoint and filesystem type for single volume

      We should use GetVolumeXXX api to work with volumes. This will help us to
      resolve the situation with volumes without drive letter, i.e. when the
      volume is mounted as a folder. Such volume is called mounted folder.
      This volume is a regular mounted volume from all other points of view.
      The information about non mounted volume is reported as System Reserved.
      This volume is not mounted and thus it is not writable.

      GuestDiskAddressList API is not used because operations are performed with
      volumes but no with disks. This means that spanned disk will
      be counted and handled as a single volume. It is worth mentioning
      that the information about every disk in the volume can be queried
      via IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS.

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit ef0a03f23061b9994fe5b2c3a208bc9fcba0099d
  Author: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
  Date:   Tue Jun 30 13:25:20 2015 +0300

      qga: added empty qmp_quest_get_fsinfo functionality.

      We need qmp_quest_get_fsinfo togather with vss-provider, which works with
      volumes. The call to this function is implemented via
      FindFirst/NextVolumes. Moreover, volumes in Windows OS are filesystem 
unit,
      so it will be more effective to work with them rather with devices.

      Signed-off-by: Olga Krishtal <okrishtal@xxxxxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 00d2f3707a63881a0cec8d00cbd467f9b2d8af41
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
  Date:   Sun Jul 5 16:28:58 2015 +0200

      qga: fail early for invalid time

      It's possible to set system time with dates after 2070, however, it's
      not possible to set the RTC. It has limitation to up to year
      2070 (1970+100). In order to keep both clock in sync and before the
      kernel complains on invalid values, bail out early.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit d6c5528b0ce91667714b8c7dabaf4fbf8a898a9c
  Author: Kirk Allan <kallan@xxxxxxxx>
  Date:   Tue Jun 2 11:41:07 2015 -0600

      qga: win32 qmp_guest_network_get_interfaces implementation

      By default, IPv4 prefixes will be derived by matching the address
      to those returned by GetAdaptersInfo.  IPv6 prefixes can not be
      matched this way due to the unpredictable order of entries.

      In Windows Vista/2008 guests and newer, both IPv4 and IPv6 prefixes
      can be retrieved from OnLinkPrefixLength.  Setting --extra-cflags
      in the build configuration to "-D_WIN32_WINNT=0x600"
      or greater makes OnLinkPrefixLength available.  Setting --extra-cflags
      is not required and if not set, the default approach to get the prefix
      will be taken.

      Signed-off-by: Kirk Allan <kallan@xxxxxxxx>
      * drop ws2ipdef.h, it's missing on old mingw, and ws2tcpip.h already
        includes it automatically on new builds
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 601e5a0618ef3238e18fc38ece55ea4260910d5f
  Author: Kirk Allan <kallan@xxxxxxxx>
  Date:   Tue Jun 2 11:41:06 2015 -0600

      qga: add win32 library iphlpapi

      Add the iphlpapi library to use APIs such as GetAdaptersInfo and
      GetAdaptersAddresses.

      Signed-off-by: Kirk Allan <kallan@xxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit f300414cfe9bb9e7b86411a670b68c1aa8edbd35
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed May 27 19:53:49 2015 +0200

      Revert "guest agent: remove g_strcmp0 usage"

      Since we now require GLib 2.22+ (commit f40685c), we don't have to
      work around lack of g_strcmp0() anymore.

      This reverts commit 8f4774789947bc4bc4c8d026a289fe980d3d2ee1.

      Conflicts:
        qemu-ga.c

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit e82855d9aa4580620773b1b145ecab6ca1f2578c
  Author: Justin Ossevoort <justin@xxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 08:58:45 2015 +0200

      qga/qmp_guest_fstrim: Return per path fstrim result

      The current guest-fstrim support only returns an error if some
      mountpoint was unable to be trimmed, skipping any possible additional
      mountpoints. The result of the TRIM operation itself is also discarded.

      This change returns a per mountpoint result of the TRIM operation. If an
      error occurs on some mountpoints that error is returned and the
      guest-fstrim continue with any additional mountpoints.

      The returned values for errors, minimum and trimmed are dependant on the
      filesystem, storage stacks and kernel version.

      Signed-off-by: Justin Ossevoort <justin@xxxxxxxxxxxxxxxxx>
      * s/type/struct/ in schema type definitions
      * moved version annotation for new guest-fstrim return field to
        the field itself rather than applying to the entire command
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 73a652a1b08445e8d91e50cdbb2da50e571c61b3
  Author: Justin Ossevoort <justin@xxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 08:58:44 2015 +0200

      qga/commands-posix: Fix bug in guest-fstrim

      The FITRIM ioctl updates the fstrim_range structure it receives. This
      way the caller can determine how many bytes were trimmed. The
      guest-fstrim logic reuses the same fstrim_range for each filesystem,
      effectively limiting each filesystem to trim at most as much as the
      previous was able to trim.

      If a previous filesystem would have trimmed 0 bytes, than the next
      filesystem would report an error 'Invalid argument' because a FITRIM
      request with length 0 is not valid.

      This change resets the fstrim_range structure for each filesystem.

      Signed-off-by: Justin Ossevoort <justin@xxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>

  commit 59dc0a1e9b4ccd9d8d7366fdc31acd5c1fbb240a
  Merge: 7ce0f7d cd3b29b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 23:16:42 2015 +0100

      Merge remote-tracking branch 
'remotes/agraf/tags/signed-s390-for-upstream' into staging

      Patch queue for s390 - 2015-07-07

      A few last minute fixes for 2.4. All of them are s390 TCG bug fixes.

      # gpg: Signature made Tue Jul  7 16:52:22 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-s390-for-upstream:
        tcg/s390: fix branch target change during code retranslation
        target-s390x: fix CONVERT TO BINARY (CVD, CVDY)
        target-s390x: fix EXECUTE instruction executing TRT
        target-s390x: fix MOVE LONG instruction

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7ce0f7dc87e50ebf58ac756ff6be17ec97d3ba4e
  Merge: 1a63203 6319b1d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 21:16:06 2015 +0100

      Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' 
into staging

      Patch queue for ppc - 2015-07-07

      A few last minute PPC changes for 2.4:

        - spapr: Update SLOF
        - spapr: Fix a few bugs
        - spapr: Preparation for hotplug
        - spapr: Minor code cleanups
        - linux-user: Add mftb handling
        - kvm: Enable hugepage support with memory-backend-file
        - mac99: Remove nonexistent interrupt pin (Mac OS 9 fix)

      # gpg: Signature made Tue Jul  7 16:48:41 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-ppc-for-upstream: (30 commits)
        sPAPR: Clear stale MSIx table during EEH reset
        sPAPR: Reenable EEH functionality on reboot
        sPAPR: Don't enable EEH on emulated PCI devices
        spapr-vty: Use TYPE_ definition instead of hardcoding
        spapr_vty: lookup should only return valid VTY objects
        spapr_pci: drop redundant args in spapr_[populate, create]_pci_child_dt
        spapr_pci: populate ibm,loc-code
        spapr_pci: enumerate and add PCI device tree
        xics_kvm: Don't enable KVM_CAP_IRQ_XICS if already enabled
        ppc: Update cpu_model in MachineState
        spapr: Consolidate cpu init code into a routine
        spapr: Reorganize CPU dt generation code
        cpus: Add a macro to walk CPUs in reverse
        spapr: Support ibm, lrdr-capacity device tree property
        spapr: Consider max_cpus during xics initialization
        Revert "hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 
(g_hash_table_iter_*)"
        spapr_iommu: translate sPAPRTCEAccess to IOMMUAccessFlags
        spapr_iommu: drop erroneous check in h_put_tce_indirect()
        spapr_pci: set device node unit address as hex
        spapr_pci: encode class code including Prog IF register
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1a632032d1ea09a09dc424ac2b10a4a11cd52ab9
  Merge: 30c6672 06ef227
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 20:12:55 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-07-07

      Patch "target-i386: emulate CPUID level of real hardware" was removed 
after the
      2015-07-03 pull request.

      # gpg: Signature made Tue Jul  7 15:46:23 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: avoid overflow in the tsc-frequency property
        i386: Introduce ARAT CPU feature

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 30c6672aa4b4bc9bdba3a7e46c49bba191660143
  Merge: 9861b71 9703116
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 19:12:45 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      Pull request

      v2:
       * Drop block/nfs patch since it exposes an unfinished QAPI interface 
[kwolf]

      # gpg: Signature made Tue Jul  7 14:29:47 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        blockjob: add block_job_release function
        block/raw-posix: Don't think /dev/fd/<NN> is a floppy drive.
        block: Use bdrv_drain to replace uncessary bdrv_drain_all
        block: Initialize local_err in bdrv_append_temp_snapshot
        block: update bdrv_drain_all()/bdrv_drain() comments
        qcow2: remove unnecessary check

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9861b71fd63f04175fddd1e93a417bae4a7808d7
  Merge: f2562fb dd63169
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 17:19:59 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150707' into staging

      migration/next for 20150707

      # gpg: Signature made Tue Jul  7 13:56:30 2015 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150707: (28 commits)
        migration: extend migration_bitmap
        migration: protect migration_bitmap
        check_section_footers: Check the correct section_id
        migration: Add migration events on target side
        migration: Make events a capability
        migration: create migration event
        migration: No need to call trace_migrate_set_state()
        migration: Use always helper to set state
        migration: ensure we start in NONE state
        migration: Use cmpxchg correctly
        migration: Add configuration section
        vmstate: Create optional sections
        global_state: Make section optional
        migration: create new section to store global state
        runstate: migration allows more transitions now
        runstate: Add runstate store
        Fix older machine type compatibility on power with section footers
        Fail more cleanly in mismatched RAM cases
        Sanity check RDMA remote data
        Sort destination RAMBlocks to be the same as the source
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cd3b29b745b0ff393b2d37317837bc726b8dacc8
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Tue Jun 16 07:11:41 2015 +0200

      tcg/s390: fix branch target change during code retranslation

      Make sure to not modify the branch target. This ensure that the
      branch target is not corrupted during partial retranslation.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Tested-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 92f2b4e71e988ad2751c71717e9fe3387753442a
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 25 21:16:58 2015 +0200

      target-s390x: fix CONVERT TO BINARY (CVD, CVDY)

      current_number being shift left by more than 32 bits, we can't use a
      simple int. Similarly use an int64_t type for the input binary value,
      to not get the -2^31 case wrong. Finally don't initialize shift to 4,
      it's already done in the for loop.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c9c19b493286db7358f9ee26401b927bbbd21604
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun Jun 21 18:51:08 2015 +0200

      target-s390x: fix EXECUTE instruction executing TRT

      A break is missing in the EXECUTE instruction, when executing the
      TRANSLATE AND TEST instruction.

      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-By: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit b5edcddda31b464e73cc0a79e88457e603c3b247
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Tue Jun 16 22:57:47 2015 +0200

      target-s390x: fix MOVE LONG instruction

      The MOVE LONG instruction should pad the destination operand with the
      byte from bit positions 32-39 of the source length (r2 + 1), not with
      the same byte in the source address.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 6319b1dad04e66f450fb3ac6c31d2bf3940068b8
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:28 2015 +1000

      sPAPR: Clear stale MSIx table during EEH reset

      The PCI device MSIx table is cleaned out in hardware after EEH PE
      reset. However, we still hold the stale MSIx entries in QEMU, which
      should be cleared accordingly. Otherwise, we will run into another
      (recursive) EEH error and the PCI devices contained in the PE have
      to be offlined exceptionally.

      The patch introduces function spapr_phb_vfio_eeh_pre_reset(), which
      is called by sPAPR when asserting hot or fundamental reset, to clear
      stale MSIx table for VFIO PCI devices before EEH PE reset so that
      MSIx table could be restored properly after EEH PE reset.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit aef87d1b879416909a4ac73e6fe2cea4a5630f40
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:27 2015 +1000

      sPAPR: Reenable EEH functionality on reboot

      When rebooting the guest, some PEs might be in frozen state. The
      contained PCI devices won't work properly if their frozen states
      aren't cleared in time. One case running into this situation would
      be maximal EEH error times encountered in the guest.

      The patch reenables the EEH functinality on PEs on PHB's reset
      callback, which will clear their frozen states if needed.

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7cb180079e245024cf92ca218ca58858b679a7d6
  Author: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:26 2015 +1000

      sPAPR: Don't enable EEH on emulated PCI devices

      There might have emulated PCI devices, together with VFIO PCI
      devices under one PHB. The EEH capability shouldn't enabled
      on emulated PCI devices.

      The patch returns error when enabling EEH capability on emulated
      PCI devices by RTAS call "ibm,set-eeh-option".

      Signed-off-by: Gavin Shan <gwshan@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit e275934d2dd44e38e0c6d53f9c22383d2ba57c17
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:25 2015 +1000

      spapr-vty: Use TYPE_ definition instead of hardcoding

      There's a call to object_dynamic_cast() in spapr_vty which uses the type
      name "spapr-vty" directly, instead of the usual idiom of using the 
#defined
      TYPE_VIO_SPAPR_VTY_DEVICE.  Fix it.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 0f888bfaddfc5f55b0d82cde2e1164658a672375
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:24 2015 +1000

      spapr_vty: lookup should only return valid VTY objects

      If a guest passes the reg property of a valid VIO object that is not a VTY
      to either H_GET_TERM_CHAR or H_PUT_TERM_CHAR, QEMU hits a dynamic cast
      assertion and aborts.

      PAPR+ says "Hypervisor checks the termno parameter for validity against 
the
      Vterm IOA unit addresses assigned to the partition, else return 
H_Parameter."

      This patch adds a type check to ensure vty_lookup() either returns a 
pointer
      to a valid VTY object or NULL.  H_GET_TERM_CHAR and H_PUT_TERM_CHAR will
      now return H_PARAMETER to the guest instead of crashing.

      The patch has no effect on the reg == 0 hack used to implement the RTAS 
call
      display-character.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit e634b89c6ed2309814de7a89bd7c5ced96f59291
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:23 2015 +1000

      spapr_pci: drop redundant args in spapr_[populate, create]_pci_child_dt

      * phb_index is not being used and if required can be obtained from sphb
      * use helper to get drc_index in spapr_populate_pci_child_dt()
      * Check if drc_index is zero

      Suggested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 16b0ea1d852873cf17630133d86df6a68e23f38c
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:22 2015 +1000

      spapr_pci: populate ibm,loc-code

      Each hardware instance has a platform unique location code.  The OF
      device tree that describes a part of a hardware entity must include
      the â??ibm,loc-codeâ?? property with a value that represents the location
      code for that hardware entity.

      Populate ibm,loc-code.

      1) PCI passthru devices need to identify with its own ibm,loc-code
         available on the host. In failure cases use:
         vfio_<name>:<phb-index>:<bus>:<slot>.<fn>

      2) Emulated devices encode as following:
         qemu_<name>:<phb-index>:<bus>:<slot>.<fn>

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1d2d974244c6f1629ca83f1de293eaa557634627
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:21 2015 +1000

      spapr_pci: enumerate and add PCI device tree

      All the PCI enumeration and device node creation was off-loaded to
      SLOF. With PCI hotplug support, code needed to be added to add device
      node. This creates multiple copy of the code one in SLOF and other in
      hotplug code. To unify this, the patch adds the pci device node
      creation in Qemu. For backward compatibility, a flag
      "qemu,phb-enumerated" is added to the phb, suggesting to SLOF to not
      do device node creation.

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      [ Squashed Michael's drc_index changes ]
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a45863bda90daa8ec39e5a312b9734fd4665b016
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:20 2015 +1000

      xics_kvm: Don't enable KVM_CAP_IRQ_XICS if already enabled

      When supporting CPU hot removal by parking the vCPU fd and reusing
      it during hotplug again, there can be cases where we try to reenable
      KVM_CAP_IRQ_XICS CAP for the vCPU for which it was already enabled.
      Introduce a boolean member in ICPState to track this and don't
      reenable the CAP if it was already enabled earlier.

      Re-enabling this CAP should ideally work, but currently it results in
      kernel trying to create and associate ICP with this vCPU and that
      fails since there is already an ICP associated with it. Hence this
      patch is needed to work around this problem in the kernel.

      This change allows CPU hot removal to work for sPAPR.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 19fb2c36e2475a2c68e7287e0e089d858dd7cc50
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:19 2015 +1000

      ppc: Update cpu_model in MachineState

      Keep cpu_model field in MachineState uptodate so that it can be used
      from the CPU hotplug path.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit bab99ea09897fb65255cc4e147d87c077fafcfe6
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:18 2015 +1000

      spapr: Consolidate cpu init code into a routine

      Factor out bits of sPAPR specific CPU initialization code into
      a separate routine so that it can be called from CPU hotplug
      path too.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 0da6f3fef9ae52127c14dfad1fdf1781e33ec5ec
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:17 2015 +1000

      spapr: Reorganize CPU dt generation code

      Reorganize CPU device tree generation code so that it be reused from
      hotplug path. CPU dt entries are now generated from spapr_finalize_fdt()
      instead of spapr_create_fdt_skel().

      Note: This is how the split-up looks like now:

      Boot path
      ---------
      spapr_finalize_fdt
       spapr_populate_cpus_dt_node
        spapr_populate_cpu_dt
         spapr_fixup_cpu_numa_dt
         spapr_fixup_cpu_smt_dt

      ibm,cas path
      ------------
      spapr_h_cas_compose_response
       spapr_fixup_cpu_dt
        spapr_fixup_cpu_numa_dt
        spapr_fixup_cpu_smt_dt

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 8487d1231830917099c801e4f2f0e698e8535063
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:16 2015 +1000

      cpus: Add a macro to walk CPUs in reverse

      Add CPU_FOREACH_REVERSE that walks CPUs in reverse.

      Needed for PowerPC CPU device tree reorganization.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit db4ef288f4a6d285b39dc8ac477092d76971a300
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:15 2015 +1000

      spapr: Support ibm, lrdr-capacity device tree property

      Add support for ibm,lrdr-capacity since this is needed by the guest
      kernel to know about the possible hot-pluggable CPUs and Memory. With
      this, pseries kernels will start reporting correct maxcpus in
      /sys/devices/system/cpu/possible.

      Also define the minimum hotpluggable memory size as 256MB.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      [agraf: Fix compile error on 32bit hosts]
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9e734e3deefd460188ea9bd107b65a528ccb7255
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:14 2015 +1000

      spapr: Consider max_cpus during xics initialization

      Use max_cpus instead of smp_cpus when intializating xics system. Also
      report max_cpus in ibm,interrupt-server-ranges device tree property of
      interrupt controller node.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 708414f03c3bebbd7ba8e4e98fb92602d2af8d0c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Jul 2 16:23:13 2015 +1000

      Revert "hw/ppc/spapr_pci.c: Avoid functions not in glib 2.12 
(g_hash_table_iter_*)"

      Since we now require GLib 2.22+ (commit f40685c), we don't have to
      work around lack of g_hash_table_iter_init() & friends anymore.

      This reverts commit f8833a37c0c6b22ddd57b45e48cfb0f97dbd5af4.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 5709af3b9520c6912fc909128ae284512b127600
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:12 2015 +1000

      spapr_iommu: translate sPAPRTCEAccess to IOMMUAccessFlags

      The fact that these enums have matching values is pure coincidence. We
      actually need to translate from the PAPR definition to the QEMU one.

      This patch doesn't fix any bug, it is only code cleanup.

      Suggested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4d9ab7d4ed46c63d047862d11946996005742a09
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:11 2015 +1000

      spapr_iommu: drop erroneous check in h_put_tce_indirect()

      The tce_list variable is not a TCE but the address to a TCE: we shouldn't
      clear permission bits as we do now. And this is dead code anyway since we
      check tce_list is 4K aligned a few lines above.

      This patch doesn't fix any bug, it is only code cleanup.

      Suggested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9b7d9284c3b114112a7759ce0a885df0767fe8d9
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:10 2015 +1000

      spapr_pci: set device node unit address as hex

      Device node names should encode the unit address as hex, while the
      code was encodind it as integers.

      Also, use FDT_NAME_MAX macro for allocating and composing the name.

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4a7c34741584e91aa838a9e45b8ec5cdc65a343b
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:09 2015 +1000

      spapr_pci: encode class code including Prog IF register

      Current code missed the Prog IF register. All Class Code, Subclass,
      and Prog IF registers are needed to identify the accurate device type.

      For example: USB controllers use the PROG IF for denoting: USB
      FullSpeed, HighSpeed or SuperSpeed.

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 72187935b475454792512d44782a33f112b120e6
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:08 2015 +1000

      spapr_pci: encode missing 64-bit memory address space

      The properties reg/assigned-resources need to encode 64-bit memory
      address space as part of phys.hi dword.

        00 if configuration space
        01 if IO region,
        10 if 32-bit MEM region
        11 if 64-bit MEM region

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 183930c0d753e53d22c27d573b1803b04f8d68ac
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:07 2015 +1000

      spapr: Add sPAPRMachineClass

      Currently although we have an sPAPRMachineState descended from 
MachineState
      we don't have an sPAPRMAchineClass descended from MachineClass.  So far it
      hasn't been needed, but several upcoming features are going to want it,
      so this patch creates a stub implementation.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1b71890729953825c57d52ace48a7671c295e899
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:06 2015 +1000

      spapr: Remove obsolete entry_point field from sPAPRMachineState

      The sPAPRMachineState structure includes an entry_point field containing
      the initial PC value for starting the machine, even though this always has
      the value 0x100.

      I think this is a hangover from very early versions which bypassed the
      firmware when using -kernel.  In any case it has no function now, so 
remove
      it.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit fb16499418aa7d71d2a4f2e3d79de444c4d054c0
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:05 2015 +1000

      spapr: Remove obsolete ram_limit field from sPAPRMachineState

      The ram_limit field was imported from sPAPREnvironment where it predates
      the machine's ram size being available generically from machine->ram_size.

      Worse, the existing code was inconsistent about where it got the ram size
      from.  Sometimes it used spapr->ram_limit, sometimes the global 'ram_size'
      and sometimes a local 'ram_size' masking the global.

      This cleans up the code to consistently use machine->ram_size, eliminating
      spapr->ram_limit in the process.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 28e0204254c3f03e77106056a3a5730c4b8a2ac6
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:04 2015 +1000

      spapr: Merge sPAPREnvironment into sPAPRMachineState

      The code for -machine pseries maintains a global sPAPREnvironment 
structure
      which keeps track of general state information about the guest platform.
      This predates the existence of the MachineState structure, but performs
      basically the same function.

      Now that we have the generic MachineState, fold sPAPREnvironment into
      sPAPRMachineState, the pseries specific subclass of MachineState.

      This is mostly a matter of search and replace, although a few places which
      relied on the global spapr variable are changed to find the structure via
      qdev_get_machine().

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 780184aae65d72378737e9cdb8fb61b0121e1e21
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu Jul 2 16:23:03 2015 +1000

      pseries: Update SLOF firmware image to qemu-slof-20150429

      The changelog is:
        > version: update to 20150429
        > pci: Use QEMU created PCI device nodes
        > usb: support 64-bit pci bars
        > pci: Support 64-bit address translation
        > pci: program correct bridge limit registers during probe
        > scsi: handle report-luns failure
        > Fix "key?" Forth word when using USB keyboards
        > Remove bulk.fs package
        > Include make.rules in the library Makefiles

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f303f117fec32c0705f88860e3eadf94135211c9
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 16:23:02 2015 +1000

      spapr: ensure we have at least one XICS server

      XICS needs to know the upper value for cpu_index as it is used to compute
      the number of servers:

          smp_cpus * kvmppc_smt_threads() / smp_threads

      When passing -smp cpus=1,threads=9 on a POWER8 host, we end up with:

          1 * 8 / 9 = 0

      ... which leads to an assertion in both emulated:

      Number of servers needs to be greater 0
      Aborted (core dumped)

      ... and in-kernel XICS:

      xics_kvm_realize: Assertion `icp->nr_servers' failed.
      Aborted (core dumped)

      With this patch, we are sure that nr_servers > 0. Passing the same bogus
      -smp option then leads to:

      qemu-system-ppc64: Cannot support more than 8 threads on PPC with KVM

      ... which is a lot more explicit than the XICS errors.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2d103aae876518a91636ad6f4a4d866269c0d953
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jul 2 15:46:14 2015 -0500

      target-ppc: fix hugepage support when using memory-backend-file

      Current PPC code relies on -mem-path being used in order for
      hugepage support to be detected. With the introduction of
      MemoryBackendFile we can now handle this via:
        -object memory-file-backend,mem-path=...,id=hugemem0 \
        -numa node,id=mem0,memdev=hugemem0

      Management tools like libvirt treat the 2 approaches as
      interchangeable in some cases, which can lead to user-visible
      regressions even for previously supported guest configurations.

      Fix these by also iterating through any configured memory
      backends that may be backed by hugepages.

      Since the old code assumed hugepages always backed the entirety
      of guest memory, play it safe an pick the minimum across the
      max pages sizes for all backends, even ones that aren't backed
      by hugepages.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 5c464f66f5696724c892339de242fac41f4d57a6
  Author: Cormac O'Brien <i.am.cormac.obrien@xxxxxxxxx>
  Date:   Wed Jun 17 17:04:11 2015 -0500

      macio: remove nonexistent interrupt on pin 1

      The current macio implementation declares an interrupt that doesn't 
appear to
      exist in the hardware or any other emulator implementation. OpenBIOS 
detects
      this interrupt and generates an 'interrupts' property in the macio device 
tree
      entry. Mac OS 9 halts boot when it detects this interrupt, so it has been
      removed to permit further progress in the boot process.

      Signed-off-by: Cormac O'Brien <i.am.cormac.obrien@xxxxxxxxx>
      Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7d6b1daedd00b35e50ce87ea835f662b36a23160
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Tue Jun 30 11:49:54 2015 +0200

      linux-user, ppc: mftbl can be used by user application

      In qemu-linux-user, when calling gethostbyname2(),
      it was hanging in .__res_nmkquery.

      (gdb) bt
      0 in .__res_nmkquery () from /lib64/libresolv.so.2
      1 in .__libc_res_nquery () from /lib64/libresolv.so.2
      2 in .__libc_res_nsearch () from /lib64/libresolv.so.2
      3 in ._nss_dns_gethostbyname3_r () from /lib64/libnss_dns.so.2
      4 in ._nss_dns_gethostbyname2_r () from /lib64/libnss_dns.so.2
      5 in .gethostbyname2_r () from /lib64/libc.so.6
      6 in .gethostbyname2 () from /lib64/libc.so.6

      .__res_nmkquery() is:

      ...
      do { RANDOM_BITS (randombits); } while ((randombits & 0xffff) == 0);
      ...

      <.__res_nmkquery+112>:    mftbl   r11
      <.__res_nmkquery+116>:    clrlwi  r10,r11,16
      <.__res_nmkquery+120>:    cmpwi   cr7,r10,0
      <.__res_nmkquery+124>:    beq     cr7,<.__res_nmkquery+112>

      but as mftbl (Move From Time Base Lower) is not implemented,
      r11 is always 0, so we have an infinite loop.

      This patch fills the Time Base register with cpu_get_real_ticks().

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f2562fbb7ac54d597cfe05f613d30296d1850d1b
  Merge: aeb7218 849729b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 15:48:49 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Tue Jul  7 13:38:13 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        rocker: tests: don't need to specify master/self when setting vlans
        rocker: mark copy-to-cpu pkts as forwarding offloaded
        rocker: return -1 when dropping packet on ingress
        rocker: fix missing break statements
        rocker: fix misplaced break statement
        rocker: don't queue receive pkts when port is disabled
        vmxnet3: Fix incorrect small packet padding
        e1000: flush packets when link comes up
        rocker: fix memory leak

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06ef227e5158cca6710e6c268d6a7f65a5e2811b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 24 14:11:27 2015 +0200

      target-i386: avoid overflow in the tsc-frequency property

      The TSC frequency fits comfortably in an int when expressed in kHz,
      but it may overflow when converted to Hz.  In this case,
      tsc-frequency returns a negative value because x86_cpuid_get_tsc_freq
      does a 32-bit multiplication before assigning to int64_t.

      For simplicity just make tsc_khz a 64-bit value.

      Spotted by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 28b8e4d0bf93ba176b4b7be819d537383c5a9060
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sun Jun 7 11:15:08 2015 +0200

      i386: Introduce ARAT CPU feature

      ARAT signals that the APIC timer does not stop in power saving states.
      As our APICs are emulated, it's fine to expose this feature to guests,
      at least when asking for KVM host features or with CPU types that
      include the flag. The exact model number that introduced the feature is
      not known, but reports can be found that it's at least available since
      Sandy Bridge.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit aeb72188e073d515e1f5a80f6b603692a396477b
  Merge: 1452673 501eea4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 14:44:19 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150707-1' 
into staging

      virtio-gpu property fixes, add testcase

      # gpg: Signature made Tue Jul  7 10:24:16 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20150707-1:
        virtio-gpu: add to display-vga test
        virtio-gpu: use virtio_instance_init_common, fixup properties
        virtio-gpu: update console device property.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 970311646a701eecb103eb28093e8924d2fa6861
  Author: Ting Wang <kathy.wangting@xxxxxxxxxx>
  Date:   Fri Jun 26 17:37:35 2015 +0800

      blockjob: add block_job_release function

      There is job resource leak in function mirror_start_job,
      although bdrv_create_dirty_bitmap is unlikely failed.
      Add block_job_release for each release when needed.

      Signed-off-by: Ting Wang <kathy.wangting@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1435311455-56048-1-git-send-email-kathy.wangting@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 25d9747b6427de8253221d544b45e50888d4cef7
  Author: Richard W.M. Jones <rjones@xxxxxxxxxx>
  Date:   Wed Jul 1 15:40:14 2015 +0100

      block/raw-posix: Don't think /dev/fd/<NN> is a floppy drive.

      In libguestfs we use /dev/fd/<NN> to pass pre-opened file descriptors
      to qemu-img.  Lately I've discovered that although this works, qemu
      believes that these are floppy disk images.  That in itself isn't much
      of a problem, but now qemu prints a warning about host floppy
      pass-thru being deprecated.

      Extend the existing test so that it ignores /dev/fd/ as well as
      /dev/fdset/

      A simple test of this, if you are using the bash shell, is:

        qemu-img info <( cat /dev/null )

      without this patch:

        $ qemu-img info <( cat /dev/null )
        qemu-img: Host floppy pass-through is deprecated
        Support for it will be removed in a future release.
        qemu-img: Could not open '/dev/fd/63': Could not refresh total sector 
count: Illegal seek

      with this patch:

        $ qemu-img info <( cat /dev/null )
        qemu-img: Could not open '/dev/fd/63': Could not refresh total sector 
count: Illegal seek

      Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1435761614-31358-1-git-send-email-rjones@xxxxxxxxxx
      Fixes: https://bugs.launchpad.net/qemu/+bug/1470536
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 53ec73e264f481b79b52efcadc9ceb8f8996975c
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 29 18:53:14 2015 +0800

      block: Use bdrv_drain to replace uncessary bdrv_drain_all

      There callers work on a single BlockDriverState subtree, where using
      bdrv_drain() is more accurate.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c2e0dbbfd7265eb9a7170ab195d8f9f8a1cbd1af
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jul 6 12:24:44 2015 +0800

      block: Initialize local_err in bdrv_append_temp_snapshot

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1436156684-16526-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dd63169766abd2b8dc33f4451dac5e778458a47c
  Author: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
  Date:   Thu Jul 2 20:18:06 2015 +0800

      migration: extend migration_bitmap

      Prevously, if we hotplug a device(e.g. device_add e1000) during
      migration is processing in source side, qemu will add a new ram
      block but migration_bitmap is not extended.
      In this case, migration_bitmap will overflow and lead qemu abort
      unexpectedly.

      Signed-off-by: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 2ff64038a59e8de2baa485806be0838f49f70b79
  Author: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
  Date:   Thu Jul 2 20:18:05 2015 +0800

      migration: protect migration_bitmap

      Signed-off-by: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 59f39a47411ab6007a592555dc639aa9753f8d23
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jul 2 09:22:03 2015 +0100

      check_section_footers: Check the correct section_id

      The section footers check was incorrectly checking the section_id
      in the SaveStateEntry not the LoadStateEntry.  These can validly be 
different
      if the two QEMU instances have instantiated their devices in a
      different order.  The test only cares that we're finishing the same
      section we started, and hence it's the LoadStateEntry that we care about.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reported-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7cf1fe6d68eb2ad3b77e2a89f097354db5d627e2
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 20 17:15:42 2015 +0200

      migration: Add migration events on target side

      We reuse the migration events from the source side, sending them on the
      appropiate place.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit b05dc72342b27585909d9e99d95d17fd3dfbb269
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Jul 7 14:44:05 2015 +0200

      migration: Make events a capability

      Make check fails with events.  THis is due to the parser/lexer that it
      uses.  Just in case that they are more broken parsers, just only send
      events when there are capabilities.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 598cd2bda0845096d2f06500e45b4d0d399b384a
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 20 12:16:15 2015 +0200

      migration: create migration event

      We have one argument that tells us what event has happened.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f2bb932491185a39922dff0514c4b08c092f3c35
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jun 17 01:38:25 2015 +0200

      migration: No need to call trace_migrate_set_state()

      We now use the helper everywhere, so no need to call this on this two
      places.  See on previous commit that there were a place where we missed
      to mark the trace.  Now all tracing is done in migrate_set_state().

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 7844337d1efb2c47dc3f306d7621e1cafca8ba67
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jun 17 01:36:40 2015 +0200

      migration: Use always helper to set state

      There were three places that were not using the migrate_set_state()
      helper, just fix that.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 656a233440e552230f9d1da016b94a81b86658dc
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jul 1 09:32:29 2015 +0200

      migration: ensure we start in NONE state

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit a5c17b5f68ff7e37ce6e6e1f5457307fe07629e7
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Jun 17 02:06:20 2015 +0200

      migration: Use cmpxchg correctly

      cmpxchg returns the old value

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 61964c23e5ddd5a33f15699e45ce126f879e3e33
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 13 18:17:43 2015 +0200

      migration: Add configuration section

      It needs to be the first one and it is not optional, that is the reason
      why it is opencoded.  For new machine types, it is required that machine
      type name is the same in both sides.

      It is just done right now for pc's.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit df8961522a3d6bc7bb60c2830ef59e7c6c67a928
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 15 09:39:14 2014 +0200

      vmstate: Create optional sections

      To make sections optional, we need to do it at the beggining of the code.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 13d16814d2058f10461e6987c8216950389c1310
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 8 13:58:24 2014 +0200

      global_state: Make section optional

      This section would be sent:

      a- for all new machine types
      b- for old machine types if section state is different form 
{running,paused}
         that were the only giving us troubles.

      So, in new qemus: it is alwasy there.  In old qemus: they are only
      there if it an error has happened, basically stoping on target.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit df4b1024526cae3479da3492d6371fd4a7324a03
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 8 10:58:10 2014 +0200

      migration: create new section to store global state

      This includes a new section that for now just stores the current qemu 
state.

      Right now, there are only one way to control what is the state of the
      target after migration.

      - If you run the target qemu with -S, it would start stopped.
      - If you run the target qemu without -S, it would run just after 
migration finishes.

      The problem here is what happens if we start the target without -S and
      there happens one error during migration that puts current state as
      -EIO.  Migration would ends (notice that the error happend doing block
      IO, network IO, i.e. nothing related with migration), and when
      migration finish, we would just "continue" running on destination,
      probably hanging the guest/corruption data, whatever.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit ca3fc39ea9045188e37b84c4f92ee79c7ed4b1c3
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 8 12:47:08 2014 +0200

      runstate: migration allows more transitions now

      Next commit would allow to move from incoming migration to error 
happening on source.

      Should we add more states to this transition?  Luiz?

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit 5e0f1940caf49f56e3bee123aa92e42a3f7fad20
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed Oct 8 11:53:22 2014 +0200

      runstate: Add runstate store

      This allows us to store the current state to send it through migration.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit ff14e817f6c5f110b77e22185b256a17a96aa881
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri Jun 12 18:37:52 2015 +0100

      Fix older machine type compatibility on power with section footers

      I forgot to add compatibility for Power when adding section footers.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

      Fixes: 37fb569c0198cba58e3e
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit ef4b722d19cab845eaa0d1f912018b09a9d8288b
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:28 2015 +0100

      Fail more cleanly in mismatched RAM cases

      If the number of RAMBlocks was different on the source from the
      destination, QEMU would hang waiting for a disconnect on the source
      and wouldn't release from that hang until the destination was manually
      killed.

      Mark the stream as being in error, this causes the destination to die
      and the source to carry on.

      (It still gets a whole bunch of warnings on the destination, and I've
      not managed to complete another migration after the 1st one, still
      progress).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit afcddefdbe75d0c20bf6e11b5512ba768ce0700c
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:27 2015 +0100

      Sanity check RDMA remote data

      Perform some basic (but probably not complete) sanity checking on
      requests from the RDMA source.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e4d633207c129dc5b7d145240ac4a1997ef3902f
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:26 2015 +0100

      Sort destination RAMBlocks to be the same as the source

      Use the order of incoming RAMBlocks from the source to record
      an index number; that then allows us to sort the destination
      local RAMBlock list to match the source.

      Now that the RAMBlocks are known to be in the same order, this
      simplifies the RDMA Registration step which previously tried to
      match RAMBlocks based on offset (which isn't guaranteed to match).

      Looking at the existing compress code, I think it was erroneously
      relying on an assumption of matching ordering, which this fixes.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 760ff4bebc86d08b252809e0da7261c986d022ff
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:25 2015 +0100

      Rework ram block hash

      RDMA uses a hash from block offset->RAM Block; this isn't needed
      on the destination, and it becomes harder to maintain after the next
      patch in the series that sorts the block list.

      Split the hash so that it's only generated on the source.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 03fcab38617ac9bcd6ed28cb1b6a0ecd8fb3bc82
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:24 2015 +0100

      Allow rdma_delete_block to work without the hash

      In the next patch we remove the hash on the destination,
      rdma_delete_block does two things with the hash which can be avoided:
        a) The caller passes the offset and rdma_delete_block looks it up
           in the hash; fixed by getting the caller to pass the block
        b) The hash gets recreated after deletion; fixed by making that
           conditional on the hash being initialised.

      While this function is currently only used during cleanup, Michael
      asked that we keep it general for future dynamic block registration
      work.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 632e3a5cd812d6bbd38fd2f3ffc189ff5ea51926
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:23 2015 +0100

      Rework ram_control_load_hook to hook during block load

      We need the names of RAMBlocks as they're loaded for RDMA,
      reuse a slightly modified ram_control_load_hook:
        a) Pass a 'data' parameter to use for the name in the block-reg
           case
        b) Only some hook types now require the presence of a hook function.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit b12f7777981953b7d939496283014740bdd6de64
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:22 2015 +0100

      Translate offsets to destination address space

      The 'offset' field in RDMACompress and 'current_addr' field
      in RDMARegister are commented as being offsets within a particular
      RAMBlock, however they appear to actually be offsets within the
      ram_addr_t space.

      The code currently assumes that the offsets on the source/destination
      match, this change removes the need for the assumption for these
      structures by translating the addresses into the ram_addr_t space of
      the destination host.

      Note: An alternative would be to change the fields to actually
      take the data they're commented for; this would potentially be
      simpler but would break stream compatibility for those cases
      that currently work.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 4fb5364b9096d6110c46604dbf1e19b7e766e757
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:21 2015 +0100

      Store block name in local blocks structure

      In a later patch the block name will be used to match up two views
      of the block list.  Keep a copy of the block name with the local block
      list.

      (At some point it could be argued that it would be best just to let
      migration see the innards of RAMBlock and avoid the need to use
      foreach).

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 24ec68ef84fdacd5dddb83f3b341165c4815e6d6
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu Jun 11 18:17:20 2015 +0100

      rdma typos

      A couple of typo fixes.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1aca9a5f7d5a1ef9ee0233eac0fccc77ea6f0626
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue Jun 23 17:34:35 2015 +0100

      Only try and read a VMDescription if it should be there

      The VMDescription section maybe after the EOF mark, the current code
      does a 'qemu_get_byte' and either gets the header byte identifying the
      description or an error (which it ignores).  Doing the 'get' upsets
      RDMA which hangs on old machine types without the VMDescription.

      Just avoid reading the VMDescription if we wouldn't send it.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 728470bea15b11ba7b3e3db54f0d9939908e0e65
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Jun 23 15:56:38 2015 +0800

      rdma: fix memory leak

      Variable "r" going out of scope leaks the storage
      it points to in line 3268.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 849729bb796e0ecbb3f370f119682f2821dd1441
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:12 2015 -0700

      rocker: tests: don't need to specify master/self when setting vlans

      4.1 Linux kernel doesn't require specifying "master" or "self" when 
setting
      vlans on a port, so clean these up from the tests that use vlans.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Message-id: 1435746792-41278-6-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d0d2555852c5e684a97dce787d3c2a65b9a6d64c
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:11 2015 -0700

      rocker: mark copy-to-cpu pkts as forwarding offloaded

      For pkts copied to the CPU (to be processed by guest driver), mark the Rx
      descriptor with flag "OFFLOAD_FWD" to indicate device has already 
forwarded
      pkt.  The guest driver will use this indicator to avoid duplicate
      forwarding in the guest OS.

      Examples include bcast/mcast/unknown ucast pkts flooded to bridged ports.
      We want to avoid both the device and the guest bridge driver flooding 
these
      pkts, which would result in duplicates pkts on the wire.  Packet sampling,
      such as sFlow, can also use this technique to mark pkts for the guest OS 
to
      record but otherwise drop.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Message-id: 1435746792-41278-5-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 96497af0afd60e57749316f1bc196b417055c585
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:10 2015 -0700

      rocker: return -1 when dropping packet on ingress

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Message-id: 1435746792-41278-4-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f211fcd75fec96ec9850885622ed028c6f7ebdf4
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:09 2015 -0700

      rocker: fix missing break statements

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1435746792-41278-3-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d1a88c96b7f94c8e12c07518f55fce8873e814d0
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jul 1 03:33:08 2015 -0700

      rocker: fix misplaced break statement

      Premature break in switch case block.  This particular case (group L2 
rewrite)
      will be used for L2 LAG and L3 ECMP support, neither of which are enabled 
in
      the guest driver at this time, but are under development.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reported-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1435746792-41278-2-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 66851f640b73a5a84160ee6ab19ab429f68bbb9f
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Tue Jun 30 19:25:53 2015 -0700

      rocker: don't queue receive pkts when port is disabled

      Commit 6e99c63 ("net/socket: Drop net_socket_can_send") changed the
      semantics around .can_receive for sockets to now require the device to
      flush queued pkts when transitioning to a .can_receive=true state.  Rocker
      device was not flushing the queue on .can_receive=true transition, so the
      receiver was stuck.

      But, turns out we really don't want any queuing at all on the port when 
the
      port is disabled, otherwise when the port transitions to enabled, we'd
      receive and forward stale pkts that really should have been dropped.  So,
      let's remove .can_receive so avoid queuing and drop the pkt in .receive if
      the port is disabled.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435717553-36187-1-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b83b5f2ef9753713c2fb64ff4cae7cb1e080624e
  Author: Brian Kress <kressb@xxxxxxxxx>
  Date:   Tue Jun 23 11:49:25 2015 -0400

      vmxnet3: Fix incorrect small packet padding

      When running ESXi under qemu there is an issue with the ESXi guest
      discarding packets that are too short.  The guest discards any packets
      under the normal minimum length for an ethernet packet (60).  This
      results in odd behaviour where other hosts or VMs on other hosts can
      communicate with the ESXi guest just fine (since there's a physical NIC
      somewhere doing padding), but VMs on the host and the host itself cannot
      because the ARP request packets are too small for the ESXi host to
      accept.

      Someone in the past thought this was worth fixing, and added code to the
      vmxnet3 qemu emulation such that if it is receiving packets smaller than
      60 bytes to pad the packet out to 60. Unfortunately this code is wrong
      (or at least in the wrong place). It does so BEFORE before taking into
      account the vnet_hdr at the front of the packet added by the tap device.
      As a result, it might add padding, but it never adds enough.
      Specifically it adds 10 less (the length of the vnet_hdr) than it needs
      to.

      The following (hopefully "obviously correct") patch simply swaps the
      order of processing the vnet header and the padding.  With this patch an
      ESXi guest is able to communicate with the host or other local VMs.

      Signed-off-by: Brian Kress <kressb@xxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Dmitry Fleytman <dmitry@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5df6a1855b62dc653515d919e48c5b6f00c48f32
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jun 25 10:18:05 2015 +0100

      e1000: flush packets when link comes up

      e1000_can_receive() checks the link up status register bit.  If the bit
      is clear, packets will be queued and the peer may disable receive to
      avoid wasting CPU reading packets that cannot be delivered.  The queue
      must be flushed once the link comes back up again.

      This patch fixes broken e1000 receive with Mac OS X Snow Leopard guests
      and tap networking.  Flushing the queue invokes the async send callback,
      which re-enables tap fd read.

      Reported-by: Jonathan Liu <net147@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435223885-12745-1-git-send-email-stefanha@xxxxxxxxxx

  commit ec50dd4634ae06091e61f42b7ba975f9ed510ad0
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Thu Jun 25 14:24:10 2015 +0800

      rocker: fix memory leak

      Meanwhile, using g_new0 instead of g_malloc0,
      refer to commit 5839e53.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Message-id: 1435213450-6700-1-git-send-email-arei.gonglei@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 920557971b60e53c2f3f22e5d6c620ab1ed411fd
  Author: Paulo Alcantara <pcacjr@xxxxxxxxx>
  Date:   Sun Jun 28 14:58:56 2015 -0300

      ich9: add TCO interface emulation

      This interface provides some registers within a 32-byte range and can be
      acessed through PCI-to-LPC bridge interface (PMBASE + 0x60).

      It's commonly used as a watchdog timer to detect system lockups through
      SMIs that are generated -- if TCO_EN bit is set -- on every timeout. If
      NO_REBOOT bit is not set in GCS (General Control and Status register),
      the system will be resetted upon second timeout if TCO_RLD register
      wasn't previously written to prevent timeout.

      This patch adds support to TCO watchdog logic and few other features
      like mapping NMIs to SMIs (NMI2SMI_EN bit), system intruder detection,
      etc. are not implemented yet.

      Signed-off-by: Paulo Alcantara <pcacjr@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 71ba2f0af398f616e154137d9fdda25c2da01324
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Jul 7 13:00:56 2015 +0300

      acpi: split out ICH ACPI support

      MIPS doesn't need it, and including it creates problem as we are adding
      dependency on ISA LPC bridge.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9fd72468dfe40532df7c64d35054994058106c42
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:31 2015 +0100

      crypto: move built-in D3DES implementation into crypto/

      To prepare for a generic internal cipher API, move the
      built-in D3DES implementation into the crypto/ directory.

      This is not in fact a normal D3DES implementation, it is
      D3DES with double & triple length modes removed, and the
      key bytes in reversed bit order. IOW it is crippled
      specifically for the "benefit" of RFB, so call the new
      files desrfb.c instead of d3des.c to make it clear that
      it isn't a generally useful impl.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-4-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6f2945cde60545aae7f31ab9d5ef29531efbc94f
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:30 2015 +0100

      crypto: move built-in AES implementation into crypto/

      To prepare for a generic internal cipher API, move the
      built-in AES implementation into the crypto/ directory

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-3-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ddbb0d09661f5fce21b335ba9aea8202d189b98e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed Jul 1 18:10:29 2015 +0100

      crypto: introduce new module for computing hash digests

      Introduce a new crypto/ directory that will (eventually) contain
      all the cryptographic related code. This initially defines a
      wrapper for initializing gnutls and for computing hashes with
      gnutls. The former ensures that gnutls is guaranteed to be
      initialized exactly once in QEMU regardless of CLI args. The
      block quorum code currently fails to initialize gnutls so it
      only works by luck, if VNC server TLS is not requested. The
      hash APIs avoids the need to litter the rest of the code with
      preprocessor checks and simplifies callers by allocating the
      correct amount of memory for the requested hash.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Message-Id: <1435770638-25715-2-git-send-email-berrange@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7a63f3cdc44230109c91cdc0ee912c3cc7837141
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Jul 2 17:24:41 2015 +0100

      block: update bdrv_drain_all()/bdrv_drain() comments

      The doc comments for bdrv_drain_all() and bdrv_drain() are outdated:

       * The bdrv_drain() comment is a poor man's bdrv_lock()/bdrv_unlock()
         which Fam Zheng is currently developing.  Unfortunately this warning
         was never really enough because devices keep submitting I/O and op
         blockers don't prevent that.

       * The bdrv_drain_all() comment is still partially correct but reflects
         the nature of the implementation rather than API documentation.

      Do make it clear that bdrv_drain() is only appropriate within an
      AioContext.  For anything spanning AioContexts you need
      bdrv_drain_all().

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435854281-6078-1-git-send-email-stefanha@xxxxxxxxxx

  commit 1bd84ee717bf146c19281cce48a36a2f4d71748d
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Thu Jul 2 11:06:11 2015 +0300

      qcow2: remove unnecessary check

      The value of 'i' is guaranteed to be >= 0

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1435824371-2660-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 501eea4f4187b6c62b6cf348ab0b100d57d8c56b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Apr 28 11:10:12 2014 +0200

      virtio-gpu: add to display-vga test

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b3409a31001e86d48221ea967b1c696c6497f318
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 24 12:22:09 2015 +0200

      virtio-gpu: use virtio_instance_init_common, fixup properties

      Switch over to virtio_instance_init_common.  Drop duplicate properties
      in virtio-gpu-pci and virtio-vga as they are properly aliased now.  Also
      drop the indirection via DEFINE_VIRTIO_GPU_PROPERTIES, we don't need it
      any more as the properties are defined in a single place now.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e18882952e46634ab7f53ef018a5e2e980996d48
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 24 12:19:42 2015 +0200

      virtio-gpu: update console device property.

      Update the device link of the QemuConsole, so it points to the
      virtio-gpu-pci or virtio-vga device instead of virtio-gpu-device.

      This is needed because we want to find the device by id, for
      example for input routing, and the id specified on the command
      line is attached to the pci proxy, not the virtio device.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6b3f7f639ed8861cd034292f9bb85b00c73658a6
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 16 17:07:54 2015 +0100

      vl: move rom_load_all after machine init done

      On ARM, commit ac9d32e39664e060cd1b538ff190980d57ad69e4 postponed the
      memory preparation for boot until the machine init done notifier. This
      has for consequence to insert ROM at machine init done time.

      However the rom_load_all function stayed called before the ROM are
      inserted. As a consequence the rom_load_all function does not do
      everything it is expected to do, on ARM.

      It currently registers the ROM reset notifier but does not iterate through
      the registered ROM list. the isrom field is not set properly. This latter
      is used to report info in the monitor and also to decide whether the
      rom->data can be freed on ROM reset notifier.

      To fix that regression the patch moves the rom_load_all call after
      machine init done. We also take the opportunity to rename the rom_load_all
      function into rom_check_and_resgister_reset() and integrate the
      rom_load_done in it.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reported-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-Id: <1434470874-22573-1-git-send-email-eric.auger@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1452673888f6d7f0454276d049846c9bec659233
  Merge: f6e3035 4330296
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jul 7 09:22:40 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150706.0' into staging

      VFIO updates for 2.4-rc0
      - "real" host page size API (Peter Crosthwaite)
      - platform device irqfd support (Eric Auger)
      - spapr container disconnect fix (Alexey Kardashevskiy)
      - quirk for broken Chelsio hardware (Gabriel Laupre)
      - coverity fix (Paolo Bonzini)

      # gpg: Signature made Mon Jul  6 19:23:49 2015 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150706.0:
        vfio/pci : Add pba_offset PCI quirk for Chelsio T5 devices
        vfio: Unregister IOMMU notifiers when container is destroyed
        hw/vfio/platform: add irqfd support
        kvm: some fixes to kvm_resamplefds_allowed
        sysbus: add irq_routing_notifier
        intc: arm_gic_kvm: set the qemu_irq/gsi mapping
        kvm-all.c: add qemu_irq/gsi hash table and utility routines
        kvm: rename kvm_irqchip_[add,remove]_irqfd_notifier with gsi suffix
        vfio: cpu: Use "real" page size API
        cpu-all: complete "real" host page size API
        vfio: fix return type of pread

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

      Conflicts:
        kvm-all.c

  commit f329c74c1e7f08399f0d237f78571eb0ca6a89dd
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Jun 23 15:52:56 2015 +0200

      Revert "dataplane: allow virtio-1 devices"

      This reverts commit f5a5628cf0b65b223fa0c9031714578dfac4cf04.

      This was an old patch that had been already superseded by b0e5d90eb
      ("dataplane: endianness-aware accesses").

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit be1e50a27d5b6845729ae0854f57f3816cf47edb
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Jun 26 09:32:28 2015 +0200

      dataplane: fix cross-endian issues

      Accesses to vring_avail_event and vring_used_event must honor the queue
      endianness.

      This patch allows cross-endian setups to use dataplane (tested with ppc64
      on ppc64le, and vice-versa).

      Suggested-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f6e3035f75e5c6a73485335765ae070304c7a110
  Merge: 7edd8e4 355023f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 23:37:53 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream-smm' into 
staging

      This series implements KVM support for SMM, and lets you enable/disable
      it through the "smm" property of x86 machine types.

      # gpg: Signature made Mon Jul  6 17:41:05 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream-smm:
        pc: add SMM property
        ich9: add smm_enabled field and arguments
        pc_piix: rename kvm_enabled to smm_enabled
        target-i386: register a separate KVM address space including SMRAM 
regions
        kvm-all: kvm_irqchip_create is not expected to fail
        kvm-all: add support for multiple address spaces
        kvm-all: make KVM's memory listener more generic
        kvm-all: move internal types to kvm_int.h
        kvm-all: remove useless typedef
        kvm-all: put kvm_mem_flags to more work
        target-i386: add support for SMBASE MSR and SMIs
        piix4/ich9: do not raise SMI on ACPI enable/disable commands
        linux-headers: Update to 4.2-rc1

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 43302969966bc3a95470bfc300289a83068ef5d9
  Author: Gabriel Laupre <glaupre@xxxxxxxxxxx>
  Date:   Mon Jul 6 12:15:15 2015 -0600

      vfio/pci : Add pba_offset PCI quirk for Chelsio T5 devices

      Fix pba_offset initialization value for Chelsio T5 Virtual Function
      device. The T5 hardware has a bug in it where it reports a Pending 
Interrupt
      Bit Array Offset of 0x8000 for its SR-IOV Virtual Functions instead
      of the 0x1000 that the hardware actually uses internally. As the hardware
      doesn't return the correct pba_offset value, add a quirk to instead
      return a hardcoded value of 0x1000 when a Chelsio T5 VF device is
      detected.

      This bug has been fixed in the Chelsio's next chip series T6 but there are
      no plans to respin the T5 ASIC for this bug. It is just documented in the
      T5 Errata and left it at that.

      Signed-off-by: Gabriel Laupre <glaupre@xxxxxxxxxxx>
      Reviewed-by: Bandan Das <bsd@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit f8d8a944009b7e836c718a05590ea6b36146978f
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Mon Jul 6 12:15:15 2015 -0600

      vfio: Unregister IOMMU notifiers when container is destroyed

      On systems with guest visible IOMMU, adding a new memory region onto
      PCI bus calls vfio_listener_region_add() for every DMA window. This
      installs a notifier for IOMMU memory regions. The notifier is supposed
      to be removed vfio_listener_region_del(), however in the case of mixed
      PHB (emulated + VFIO devices) when last VFIO device is unplugged and
      container gets destroyed, all existing DMA windows stay alive altogether
      with the notifiers which are on the linked list which head was in
      the destroyed container.

      This unregisters IOMMU memory region notifier when a container is
      destroyed.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit fb5f816499a5184a1336d72db030b8419b523082
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:14 2015 -0600

      hw/vfio/platform: add irqfd support

      This patch aims at optimizing IRQ handling using irqfd framework.

      Instead of handling the eventfds on user-side they are handled on
      kernel side using
      - the KVM irqfd framework,
      - the VFIO driver virqfd framework.

      the virtual IRQ completion is trapped at interrupt controller
      This removes the need for fast/slow path swap.

      Overall this brings significant performance improvements.

      Signed-off-by: Alvise Rigo <a.rigo@xxxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Acked-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 879904e8635b316de18393222f02d46d2d1f7f4e
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:14 2015 -0600

      kvm: some fixes to kvm_resamplefds_allowed

      Commit f41389ae3c54b introduced kvm_resamplefds_enabled() and
      associated kvm_resamplefds_allowed boolean. This patch adds
      non-KVM version for kvm_resamplefds_enabled and also declares
      kvm_resamplefds_allowed in kvm-stub as it is done for fellow
      kvm_irqfds_allowed.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 715ca691daca081108b33306faa6fa102f0df8d8
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:14 2015 -0600

      sysbus: add irq_routing_notifier

      Add a new connect_irq_notifier notifier in the SysBusDeviceClass. This
      notifier, if populated, is called after sysbus_connect_irq.

      This mechanism is used to setup VFIO signaling once VFIO platform
      devices get attached to their platform bus, on a machine init done
      notifier.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 6a1a9cfa1c4a3e5b521d82e6adb94311fc5b9f8b
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:13 2015 -0600

      intc: arm_gic_kvm: set the qemu_irq/gsi mapping

      The arm_gic_kvm now calls kvm_irqchip_set_qemuirq_gsi to build
      the hash table storing qemu_irq/gsi mappings. From that point on
      irqfd can be setup directly from the qemu_irq using
      kvm_irqchip_add_irqfd_notifier.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 197e35249a7360534e1aea0f2268ad0e1aa27121
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:13 2015 -0600

      kvm-all.c: add qemu_irq/gsi hash table and utility routines

      VFIO platform device needs to setup irqfd but it does not know the
      gsi corresponding to the device qemu_irq. This patch proposes to
      store a hash table in kvm_state using the qemu_irq as key and the gsi
      as a value.

      kvm_irqchip_set_qemuirq_gsi allows to insert such a pair. The interrupt
      controller is supposed to use it.

      kvm_irqchip_[add, remove]_irqfd_notifier allows to setup/tear down
      irqfd directly from the qemu_irq.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 1c9b71a7311ed99635a2d007fc8a856879537a05
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:13 2015 -0600

      kvm: rename kvm_irqchip_[add,remove]_irqfd_notifier with gsi suffix

      Anticipating for the introduction of new add/remove functions taking
      a qemu_irq parameter, let's rename existing ones with a gsi suffix.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit f7ceed190d7dcd907afe4b46b23809aaad09a619
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Jul 6 12:15:12 2015 -0600

      vfio: cpu: Use "real" page size API

      This is system level code, and should only depend on the host page
      size, not the target page size.

      Note that HOST_PAGE_SIZE is misleadingly lead and is really aligning
      to both host and target page size. Hence it's replacement with
      REAL_HOST_PAGE_SIZE.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Tested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 4e51361d79289aee2985dfed472f8d87bd53a8df
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon Jul 6 12:15:12 2015 -0600

      cpu-all: complete "real" host page size API

      Currently the "host" page size alignment API is really aligning to both
      host and target page sizes. There is the qemu_real_page_size which can
      be used for the actual host page size but it's missing a mask and ALIGN
      macro as provided for qemu_page_size. Complete the API. This allows
      system level code that cares about the host page size to use a
      consistent alignment interface without having to un-needingly align to
      the target page size. This also reduces system level code dependency
      on the cpu specific TARGET_PAGE_SIZE.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Tested-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 7d489dcdf5fd71b5052ffd401b869a627e1c751f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jul 6 12:15:12 2015 -0600

      vfio: fix return type of pread

      size_t is an unsigned type, thus the error case is never reached in
      the below call to pread.  If bytes is negative, it will be seen as
      a very high positive value.

      Spotted by Coverity.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 355023f2010c4df619d88a0dd7012b4b9c74c12c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:52 2015 +0200

      pc: add SMM property

      The property can take values on, off or auto.  The default is "off"
      for KVM and pre-2.4 machines, otherwise "auto" (which makes it
      available on TCG or on new-enough kernels).

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fba72476c6b7be60ac74c5bcdc06c61242d1fe4f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:51 2015 +0200

      ich9: add smm_enabled field and arguments

      Q35's ACPI device is hard-coding SMM availability to KVM.  Place the
      logic where the board is created instead, so that it will be possible
      to override it.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 61e66c6237a0ca3eac35cf3145ccbb3ab5b6354c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:17 2015 +0200

      pc_piix: rename kvm_enabled to smm_enabled

      We will enable SMM even if KVM is in use.  Rename the field and
      arguments.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6410848bec38089424d54a6a8f10d4cf77182b5d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:16 2015 +0200

      target-i386: register a separate KVM address space including SMRAM regions

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8db4936bb648e15173d687bc162be14fd0d4260c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:15 2015 +0200

      kvm-all: kvm_irqchip_create is not expected to fail

      KVM_CREATE_IRQCHIP should never fail, and so should its userspace
      wrapper kvm_irqchip_create.  The function does not do anything
      if the irqchip capability is not available, as is the case for PPC.

      With this patch, kvm_arch_init can allocate memory and it will not
      be leaked.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 38bfe69180f99d05611a14bab4bb72c95e755b58
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:14 2015 +0200

      kvm-all: add support for multiple address spaces

      Make kvm_memory_listener_register public, and assign a kernel
      address space id to each KVMMemoryListener.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7bbda04c8d13d0a599b31ed1c10dc76a62f9d4dc
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:30:13 2015 +0200

      kvm-all: make KVM's memory listener more generic

      No semantic change, but s->slots moves into a new struct
      KVMMemoryListener.  KVM's memory listener becomes a member of struct
      KVMState, and becomes of type KVMMemoryListener.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 8571ed35cfa50ed6b2aaee484dfa4f58176ebe00
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:45 2015 +0200

      kvm-all: move internal types to kvm_int.h

      i386 code will have to define a different KVMMemoryListener.  Create
      an internal header so that KVMSlot is not exposed outside.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 714f78c587ba628169b8ae6f91866c52fe6a799f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:44 2015 +0200

      kvm-all: remove useless typedef

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d6ff5cbc1231a5aec997abf3a809c7013e60472f
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:43 2015 +0200

      kvm-all: put kvm_mem_flags to more work

      Currently kvm_mem_flags just translates bools to bits, let's
      make it also determine the bools first. This avoids its parameter
      list growing each time we add a flag.

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fc12d72e10828ca6ff75f2ad432b741f07a10cef
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:42 2015 +0200

      target-i386: add support for SMBASE MSR and SMIs

      Apart from the MSR, the smi field of struct kvm_vcpu_events has to be
      translated into the corresponding CPUX86State fields.  Also,
      memory transaction flags depend on SMM state, so pull it from struct
      kvm_run on every exit from KVM to userspace.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit afd6895b45f20eb43b7ff95f7a76cc5af8d36cd7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:28:41 2015 +0200

      piix4/ich9: do not raise SMI on ACPI enable/disable commands

      These commands are handled entirely by QEMU.  Do not raise an SMI
      when they happen, because Windows (at least 2008r2) expects these
      commands to work and (depending on the value of APMC_EN at
      startup) the firmware might not have installed an SMI handler.

      When this happens (e.g. the kernel supports SMIs, or you are using
      TCG, but you have used "-machine smm=off") RIP is moved to 0x38000
      where there is no code to execute.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 25b8b39b6d7de95d0dd5ae7b66b3ac4b9b83e060
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Mon Jul 6 12:10:57 2015 +1000

      linux-headers: Update to 4.2-rc1

      This updates linux-headers against master 4.2-rc1 (commit
      d770e558e21961ad6cfdf0ff7df0eb5d7d4f0754). This is the result of
      ./scripts/update-linux-headers.sh work.

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7edd8e4660beb301d527257f8e04ebec0f841cb0
  Merge: 3fa18bc b242e0e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 14:03:44 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * more of Peter Crosthwaite's multiarch preparation patches
      * unlocked MMIO support in KVM
      * support for compilation with ICC

      # gpg: Signature made Mon Jul  6 13:59:20 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        exec: skip MMIO regions correctly in 
cpu_physical_memory_write_rom_internal
        Stop including qemu-common.h in memory.h
        kvm: Switch to unlocked MMIO
        acpi: mark PMTIMER as unlocked
        kvm: Switch to unlocked PIO
        kvm: First step to push iothread lock out of inner run loop
        memory: let address_space_rw/ld*/st* run outside the BQL
        exec: pull qemu_flush_coalesced_mmio_buffer() into 
address_space_rw/ld*/st*
        memory: Add global-locking property to memory regions
        main-loop: introduce qemu_mutex_iothread_locked
        main-loop: use qemu_mutex_lock_iothread consistently
        Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
        cpu-defs: Move out TB_JMP defines
        include/exec: Move tb hash functions out
        include/exec: Move standard exceptions to cpu-all.h
        cpu-defs: Move CPU_TEMP_BUF_NLONGS to tcg
        memory_mapping: Rework cpu related includes
        cutils: allow compilation with icc
        qemu-common: add VEC_OR macro

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b242e0e0e2969c044a318e56f7988bbd84de1f63
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sat Jul 4 00:24:51 2015 +0200

      exec: skip MMIO regions correctly in 
cpu_physical_memory_write_rom_internal

      Loading the BIOS in the mac99 machine is interesting, because there is a
      PROM in the middle of the BIOS region (from 16K to 32K).  Before memory
      region accesses were clamped, when QEMU was asked to load a BIOS from
      0xfff00000 to 0xffffffff it would put even those 16K from the BIOS file
      into the region.  This is weird because those 16K were not actually
      visible between 0xfff04000 and 0xfff07fff.  However, it worked.

      After clamping was added, this also worked.  In this case, the
      cpu_physical_memory_write_rom_internal function split the write in
      three parts: the first 16K were copied, the PROM area (second 16K) were
      ignored, then the rest was copied.

      Problems then started with commit 965eb2f (exec: do not clamp accesses
      to MMIO regions, 2015-06-17).  Clamping accesses is not done for MMIO
      regions because they can overlap wildly, and MMIO registers can be
      expected to perform full-width accesses based only on their address
      (with no respect for adjacent registers that could decode to completely
      different MemoryRegions).  However, this lack of clamping also applied
      to the PROM area!  cpu_physical_memory_write_rom_internal thus failed
      to copy the third range above, i.e. only copied the first 16K of the BIOS.

      In effect, address_space_translate is expecting _something else_ to do
      the clamping for MMIO regions if the incoming length is large.  This
      "something else" is memory_access_size in the case of address_space_rw,
      so use the same logic in cpu_physical_memory_write_rom_internal.

      Reported-by: Alexander Graf <agraf@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Tested-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Fixes: 965eb2f
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fba0a593b2809ecdda68650952cf3d3332ac1990
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 3 15:18:24 2015 +0100

      Stop including qemu-common.h in memory.h

      Including qemu-common.h from other header files is generally a bad
      idea, because it means it's very easy to end up with a circular
      dependency. For instance, if we wanted to include memory.h from
      qom/cpu.h we'd end up with this loop:
       memory.h -> qemu-common.h -> cpu.h -> cpu-qom.h -> qom/cpu.h -> memory.h

      Remove the include from memory.h. This requires us to fix up a few
      other files which were inadvertently getting declarations indirectly
      through memory.h.

      The biggest change is splitting the fprintf_function typedef out
      into its own header so other headers can get at it without having
      to include qemu-common.h.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1435933104-15216-1-git-send-email-peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3fa18bc9a55e067ba3012ab1d394f5d5a7e51419
  Merge: 261ccf4 1479073
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 12:51:51 2015 +0100

      Merge remote-tracking branch 'remotes/xtensa/tags/20150706-xtensa' into 
staging

      Xtensa fixes:

      - add 64-bit floating point registers;
      - fix gdb register map construction.

      # gpg: Signature made Mon Jul  6 11:27:45 2015 BST using RSA key ID 
F83FA044
      # gpg: Good signature from "Max Filippov 
<max.filippov@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Max Filippov <jcmvbkbc@xxxxxxxxx>"

      * remotes/xtensa/tags/20150706-xtensa:
        target-xtensa: fix gdb register map construction
        target-xtensa: add 64-bit floating point registers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1479073b7e849fa03e5892eea0e0b5dadde1a98a
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Wed Jul 1 13:00:29 2015 +0300

      target-xtensa: fix gdb register map construction

      Due to different gdb overlay organization between windowed/call0
      configurations core import script doesn't always work correctly.
      Simplify the script: always copy complete gdb register map from overlay,
      count registers at core registerstion time. Update existing cores.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit ddd44279fdbc545a9182cb642645af8a4672c267
  Author: Max Filippov <jcmvbkbc@xxxxxxxxx>
  Date:   Mon Jun 29 10:50:03 2015 +0300

      target-xtensa: add 64-bit floating point registers

      Xtensa ISA got specification for 64-bit floating point registers and
      opcodes, see ISA, 4.3.11 "Floating point coprocessor option".

      Add 64-bit FP registers.

      Although 64-bit floating point is currently not supported by xtensa
      translator, these registers need to be reported to gdb with proper size,
      otherwise it wouldn't find other registers.

      Signed-off-by: Max Filippov <jcmvbkbc@xxxxxxxxx>

  commit 261ccf426a6df854ba398be92413476919dd67f9
  Merge: f50a164 257621a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 11:04:54 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150706' into staging

      target-arm queue:
       * TLBI ALLEI1IS should operate on all CPUs, not just this one
       * Fix interval interrupt of cadence ttc in decrement mode
       * Implement YIELD insn to yield in ARM and Thumb translators
       * ARM GIC: reset all registers
       * arm_mptimer: fix timer shutdown and mode change
       * arm_mptimer: respect IT bit state

      # gpg: Signature made Mon Jul  6 10:58:27 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150706:
        arm_mptimer: Respect IT bit state
        arm_mptimer: Fix timer shutdown and mode change
        hw/intc/arm_gic_common.c: Reset all registers
        target-arm: Implement YIELD insn to yield in ARM and Thumb translators
        target-arm: Split DISAS_YIELD from DISAS_WFE
        Fix interval interrupt of cadence ttc when timer is in decrement mode
        target-arm: fix write helper for TLBI ALLE1IS

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 257621a9566054472d1d55a819880d0f9da02bda
  Author: Dmitry Osipenko <digetx@xxxxxxxxx>
  Date:   Mon Jul 6 04:27:12 2015 +0300

      arm_mptimer: Respect IT bit state

      The timer should fire the interrupt only if the IT (interrupt enable) bit
      state of the control register is enabled.

      Signed-off-by: Dmitry Osipenko <digetx@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8a52340cbaf60d4dd0a78bbfe12632639fe3da6d
  Author: Dmitry Osipenko <digetx@xxxxxxxxx>
  Date:   Mon Jul 6 01:47:47 2015 +0300

      arm_mptimer: Fix timer shutdown and mode change

      The running timer can't be stopped because timer control code just
      doesn't handle disabling the timer. Fix it by deleting the timer if
      the enable bit is cleared.

      The timer won't start periodic ticking if a ONE-SHOT -> PERIODIC mode
      change happens after a one-shot tick was completed. Fix it by
      re-starting ticking if the timer isn't ticking right now.

      To avoid code churning, these two fixes are squashed in one commit.

      Signed-off-by: Dmitry Osipenko <digetx@xxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 12dc273e98e4e111880b25c12bf671dc8951b8e6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 29 19:25:45 2015 +0100

      hw/intc/arm_gic_common.c: Reset all registers

      The arm_gic_common reset function was missing reset code for
      several of the GIC's state fields:
       * bpr[]
       * abpr[]
       * priority1[]
       * priority2[]
       * sgi_pending[]
       * irq_target[] (SMP configurations only)

      These probably went unnoticed because most guests will either
      never touch them, or will write to them in the process of
      configuring the GIC before enabling interrupts.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1435602345-32210-1-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit c87e5a61c2b3024116f52f7e68273f864ff7ab82
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 10:05:44 2015 +0100

      target-arm: Implement YIELD insn to yield in ARM and Thumb translators

      Implement the YIELD instruction in the ARM and Thumb translators to
      actually yield control back to the top level loop rather than being
      a simple no-op. (We already do this for A64.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1435672316-3311-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 049e24a191c212d9468db84169197887f2c91586
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jul 6 10:05:44 2015 +0100

      target-arm: Split DISAS_YIELD from DISAS_WFE

      Currently we use DISAS_WFE for both WFE and YIELD instructions.
      This is functionally correct because at the moment both of them
      are implemented as "yield this CPU back to the top level loop so
      another CPU has a chance to run". However it's rather confusing
      that YIELD ends up calling HELPER(wfe), and if we ever want to
      implement real behaviour for WFE and SEV it's likely to trip us up.

      Split out the yield codepath to use DISAS_YIELD and a new
      HELPER(yield) function, and have HELPER(wfe) call HELPER(yield).

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1435672316-3311-2-git-send-email-peter.maydell@xxxxxxxxxx
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>

  commit a7ffaf5c96e26820edffa94eeac766fe60bfdd31
  Author: Johannes Schlatow <schlatow@xxxxxxxxxxxxxxxx>
  Date:   Mon Jul 6 10:05:44 2015 +0100

      Fix interval interrupt of cadence ttc when timer is in decrement mode

      The interval interrupt is not set if the timer is in decrement mode.
      This is because x >=0 and x < interval after leaving the while-loop.

      Signed-off-by: Johannes Schlatow <schlatow@xxxxxxxxxxxxxxxx>
      Message-id: 20150630135821.51f3b4fd@johanness-latitude
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2a6332d968297266dbabf9d33f959e3a5efdd0f9
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Jul 6 10:05:43 2015 +0100

      target-arm: fix write helper for TLBI ALLE1IS

      TLBI ALLE1IS is an operation that does invalidate TLB entries on all PEs
      in the same Inner Sharable domain, not just on the current CPU. So we
      must use tlbiall_is_write() here.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1435676538-31345-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f50a1640fb82708a5d528dee1ace42a224b95b15
  Merge: 63a9294 7c649ac
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Jul 5 20:35:47 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Sat Jul  4 07:06:08 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request: (35 commits)
        ahci: fix sdb fis semantics
        qtest/ahci: halted ncq migration test
        ahci: Do not map cmd_fis to generate response
        ahci: ncq migration
        ahci: add get_cmd_header helper
        ahci: add cmd header to ncq transfer state
        qtest/ahci: halted NCQ test
        ahci: correct ncq sector count
        ahci: correct types in NCQTransferState
        ahci: add rwerror=stop support for ncq
        ahci: factor ncq_finish out of ncq_cb
        ahci: refactor process_ncq_command
        ahci: assert is_ncq for process_ncq
        ahci: stash ncq command
        ide: add limit to .prepare_buf()
        qtest/ahci: ncq migration test
        qtest/ahci: simple ncq data test
        libqos/ahci: Force all NCQ commands to be LBA48
        libqos/ahci: set the NCQ tag on command_commit
        libqos/ahci: adjust expected NCQ interrupts
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 63a9294ddc9cf4f2bdcd0179324fedcbb6fae59f
  Merge: 3536064 e75e2a1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Jul 5 19:33:51 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-07-03

      # gpg: Signature made Fri Jul  3 21:49:58 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/numa-pull-request:
        numa: API to lookup NUMA node by address
        numa: Store boot memory address range in node_info
        numa,pc-dimm: Store pc-dimm memory information in numa_info
        pc: Abort if HotplugHandlerClass::plug() fails
        pc,pc-dimm: Factor out reusable parts in pc_dimm_plug to a separate 
routine
        pc,pc-dimm: Extract hotplug related fields in PCMachineState to a 
structure

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7c649ac5b607e2339fb54fc0fc01311ba5eacadd
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: fix sdb fis semantics

      There are two things to fix here:

      The first one is subtle: the PxSACT register in the AHCI HBA has different
      semantics from the field it is shadowing, the ACT field in the
      Set Device Bits FIS.

      In the HBA register, PxSACT acts as a bitfield indicating outstanding
      NCQ commands where a set bit indicates a pending NCQ operation. The FIS
      field however operates as an RWC register update to PxSACT, where a set
      bit indicates a *successfully* completed command.

      Correct the FIS semantics. At the same time, move the "clear finished"
      action to the SDB FIS generation instead of the register read to mimick
      how the other shadow registers work, which always just report the last
      reported value from a FIS, and not the most current values which may
      not have been reported by a FIS yet.

      Lastly and more simply, SATA 3.2 section 13.6.4.2 (and later sections)
      all specify that the Interrupt bit for the SDB FIS should always be set
      to one for NCQ commands. That's currently the only time we generate this
      FIS, so set it on all the time.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-16-git-send-email-jsnow@xxxxxxxxxx

  commit 8146d7dc2756138bd4011e8d882ead929f25f2d0
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      qtest/ahci: halted ncq migration test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-15-git-send-email-jsnow@xxxxxxxxxx

  commit dd6282217d8fee36e3854eab2635bec9cc5d5236
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: Do not map cmd_fis to generate response

      The Register D2H FIS should copy the current values of
      the registers instead of just parroting back the same
      values the guest sent back to it.

      In this case, the SECTOR COUNT variables are actually
      not generally meaningful in terms of standard commands
      (See ATA8-AC3 Section 9.2 Normal Outputs), so it actually
      probably doesn't matter what we put in here.

      Meanwhile, we do need to use the Register update FIS from
      the NCQ pathways (in error cases), so getting rid of
      references to cur_cmd here is a win for AHCI concurrency.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-14-git-send-email-jsnow@xxxxxxxxxx

  commit 684d50132fdd68f4c2cba9e65b50f9b8ef4c5164
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: ncq migration

      Migrate the NCQ queue. This is solely for the benefit of halted commands,
      since anything else should have completed and had any relevant status
      flushed to the HBA registers already.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-13-git-send-email-jsnow@xxxxxxxxxx

  commit ee364416c1b5ed1adc779ca7197451a131666236
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: add get_cmd_header helper

      cur_cmd is an internal bookmark that points to the
      current AHCI Command Header being processed by the
      AHCI state machine. With NCQ needing to occasionally
      rely on some of the same AHCI helpers, we cannot use
      cur_cmd and will need to grab explicit pointers instead.

      In an attempt to begin relying on the cur_cmd pointer
      less, add a helper to let us specifically get the pointer
      to the command header of particular interest.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-12-git-send-email-jsnow@xxxxxxxxxx

  commit c82bd3c893825fc76af3634f5461f5eabd94e9df
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: add cmd header to ncq transfer state

      While the rest of the AHCI device can rely on a single bookmarked
      pointer for the AHCI Command Header currently being processed, NCQ
      is asynchronous and may have many commands in flight simultaneously.

      Add a cmdh pointer to the ncq_tfs object and make the sglist prepare
      function take an AHCICmdHeader pointer so we can be explicit about
      where we'd like to build SGlists from.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-11-git-send-email-jsnow@xxxxxxxxxx

  commit 7f6cf5ee1236d94fc25830a47438e57aa294d9fe
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      qtest/ahci: halted NCQ test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-10-git-send-email-jsnow@xxxxxxxxxx

  commit e08a98357b5811e7933ff077f6da4b85175caf8a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: correct ncq sector count

      uint16_t isn't enough to hold the real sector count, since a value of
      zero implies a full 64K sectors, so we need a uint32_t here.

      We *could* cheat and pretend that this value is 0-based and fit it in
      a uint16_t, but I'd rather waste 2 bytes instead of a future dev's
      10 minutes when they forget to +1/-1 accordingly somewhere.

      See SATA 3.2, section 13.6.4.1 "READ FPDMA QUEUED".

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-9-git-send-email-jsnow@xxxxxxxxxx

  commit 9364384de0e3b8a5bdea67ba49bee9ea7f1b8f26
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:05 2015 -0400

      ahci: correct types in NCQTransferState

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-8-git-send-email-jsnow@xxxxxxxxxx

  commit 7c03a691077e71a08bbca06568cd97f09537458c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: add rwerror=stop support for ncq

      Handle NCQ failures for cases where we want to halt the VM on IO errors.
      Upon a VM state change, retry the halted NCQ commands.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-7-git-send-email-jsnow@xxxxxxxxxx

  commit 54f3223730736fca1e6e89bb7f99c4f8432fdabb
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: factor ncq_finish out of ncq_cb

      When we add werror=stop or rerror=stop support to NCQ,
      we'll want to take a codepath where we don't actually
      complete the command, so factor that out into a new routine.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-6-git-send-email-jsnow@xxxxxxxxxx

  commit 631ddc22cbb401f2777dc8b117196f0988df4eea
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: refactor process_ncq_command

      Split off execute_ncq_command so that we can call
      it separately later if we desire.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-5-git-send-email-jsnow@xxxxxxxxxx

  commit 922f893e57da24bc80db3e79bea56485d1c111fa
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: assert is_ncq for process_ncq

      We already checked this in the handle_cmd phase, so just
      change this to an assertion and simplify the error logic.

      (Also, fix the switch indent, because checkpatch.pl yelled.)
      ((Sorry for churn.))

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-4-git-send-email-jsnow@xxxxxxxxxx

  commit 4614619ee4ad96d2715dc41f9430fb43335c15d2
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ahci: stash ncq command

      For migration and werror=stop/rerror=stop resume purposes,
      it will be convenient to have the command handy inside of
      ncq_tfs.

      Eventually, we'd like to avoid reading from the FIS entirely
      after the initial read, so this is a byte (hah!) sized step
      in that direction.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-3-git-send-email-jsnow@xxxxxxxxxx

  commit a718978ed58abc1ad92567a9c17525136be02a71
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      ide: add limit to .prepare_buf()

      prepare_buf should not always grab as many descriptors
      as it can, sometimes it should self-limit.

      For example, an NCQ transfer of 1 sector with a PRDT that
      describes 4GiB of data should not copy 4GiB of data, it
      should just transfer that first 512 bytes.

      PIO is not affected, because the dma_buf_rw dma helpers
      already have a byte limit built-in to them, but DMA/NCQ
      will exhaust the entire list regardless of requested size.

      AHCI 1.3 specifies in section 6.1.6 Command List Underflow that
      NCQ is not required to detect underflow conditions. Non-NCQ
      pathways signal underflow by writing to the PRDBC field, which
      will already occur by writing the actual transferred byte count
      to the PRDBC, signaling the underflow.

      Our NCQ pathways aren't required to detect underflow, but since our DMA
      backend uses the size of the PRDT to determine the size of the transer,
      if our PRDT is bigger than the transaction (the underflow condition) it
      doesn't cost us anything to detect it and truncate the PRDT.

      This is a recoverable error and is not signaled to the guest, in either
      NCQ or normal DMA cases.

      For BMDMA, the existing pathways should see no guest-visible difference,
      but any bytes described in the overage will no longer be transferred
      before indicating to the guest that there was an underflow.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435767578-32743-2-git-send-email-jsnow@xxxxxxxxxx

  commit 07a1ee7958cc3433706ab0d3a07c42fdd9d98fe6
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      qtest/ahci: ncq migration test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-17-git-send-email-jsnow@xxxxxxxxxx

  commit 26ad004585835e7c126bb94fd5161db1c60169f3
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      qtest/ahci: simple ncq data test

      Test the NCQ pathways for a simple IO RW test.
      Also, test that libqos doesn't explode when
      running NCQ commands :)

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-16-git-send-email-jsnow@xxxxxxxxxx

  commit e38cc93aca5d40a58e65bb0dfa23eaf3290bbf76
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      libqos/ahci: Force all NCQ commands to be LBA48

      NCQ commands are LBA48 by definition.

      See SATA 3.2 13.6.4.1 "READ FPDMA QUEUED", or
          SATA 3.2 13.6.5.1 "WRITE FPDMA QUEUED."

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-15-git-send-email-jsnow@xxxxxxxxxx

  commit a8973ff50a04f96c3ce5c803c8fd3ec16ed8d6c5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      libqos/ahci: set the NCQ tag on command_commit

      NCQ commands have the concept of a "TAG" that they need to set,
      but in the AHCI world, it is mandated that the TAG always match
      the command slot that you executed the NCQ from.

      See AHCI 9.3.1.1.5.2 "Native Queued Commands".

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-14-git-send-email-jsnow@xxxxxxxxxx

  commit 359790c2542a8c4da3d4c8fb626ca2675a417d51
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:04 2015 -0400

      libqos/ahci: adjust expected NCQ interrupts

      NCQ commands will expect the SDBS interrupt,
      and in the normative case, do not expect to see
      a D2H Register FIS unless something went wrong.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-13-git-send-email-jsnow@xxxxxxxxxx

  commit 4de484698bdda6c5e093dfbe4368cdb364fdf87f
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      libqos/ahci: edit wait to be ncq aware

      The wait command should check to make sure SACT is clear as well
      as the Command Issue register.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-12-git-send-email-jsnow@xxxxxxxxxx

  commit cb45304108ab733aaf2e4351e77cb6d07ac88fd5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      libqos/ahci: add NCQ frame support

      NCQ frames are generated a little differently than
      their non-NCQ cousins. Add support for them.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-11-git-send-email-jsnow@xxxxxxxxxx

  commit 40d29928caa6db154182f5314f497020f81e640e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      libqos/ahci: fix cmd_sanity for ncq

      NCQ commands should not / do not update the byte count
      in the command header post command, so this field is
      meaningless for NCQ tests.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-10-git-send-email-jsnow@xxxxxxxxxx

  commit 34475239b8f1fff0b715cb20f8b534b9d07a897e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci/qtest: Execute IDENTIFY prior to data commands

      If you try to execute an NCQ command before trying to engage with the
      device by issuing an IDENTIFY command, the error bits that are part of
      the signature will fool the test suite into thinking there was a failure.

      Issue IDENTIFY first on "boot", which will clear the signature out of
      the registers for us.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-9-git-send-email-jsnow@xxxxxxxxxx

  commit 0437d32ae232af37d3b94064a563eb51d4eedd62
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: ncq sector count correction

      This value should not be size-corrected, 0 sectors does not imply
      1 sector(s). This is just debug information, but it's misleading!

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-8-git-send-email-jsnow@xxxxxxxxxx

  commit 5d5f89212f19e3d7d3da1328137ca9e33eead7bf
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: add ncq debug checks

      Most of the time, these bits can be safely ignored. For the purposes
      of debugging however, it's nice to know that they're not being used.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-7-git-send-email-jsnow@xxxxxxxxxx

  commit d56f4d6965ebcf8f3c496845c286e3a66496fdff
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: separate prdtl from opts

      There's no real reason to have it bundled together, and this way
      is a little nicer to follow if you have the AHCI spec pulled up.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-6-git-send-email-jsnow@xxxxxxxxxx

  commit 3bcbe4aa803c1a41e5392ecac7b4fc3c99a42f89
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: check for ncq prdtl overflow

      Don't attempt the NCQ transfer if the PRDT we were given is not big
      enough to perform the entire transfer.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-5-git-send-email-jsnow@xxxxxxxxxx

  commit a55c8231d04e3023bc5c3da9290f01e7d6989a94
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: add ncq_err helper

      Set some appropriate error bits for NCQ for us.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-4-git-send-email-jsnow@xxxxxxxxxx

  commit b6fe41fa6dbdf7b92b76cd4848ef442de18e03d3
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: use shorter variables

      Trivial cleanup that I didn't want to tack-on to anything else.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-3-git-send-email-jsnow@xxxxxxxxxx

  commit 7763ed1506a9ffe74a80332182cc4f229251f998
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:03 2015 -0400

      ahci: Rename NCQFIS structure fields

      Several fields of the NCQFIS structure are ambiguously named. This patch
      clarifies the intended (if unsupported) usage of the NCQ fields to aid
      in creating more meaningful debug messages through the NCQ codepaths.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435016308-6150-2-git-send-email-jsnow@xxxxxxxxxx

  commit d31a3ebc28bf401cc5cce43f36068697d670c3f9
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:02 2015 -0400

      qtest/ahci: add port_reset test

      Test that we can survive a couple of cycles of running a basic identify
      test, some IO, and resetting the HBA. Ensures that we can bring the HBA
      back to compliant spec during the lifecycle of the VM.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1434470575-21625-5-git-send-email-jsnow@xxxxxxxxxx

  commit 95ea663693fdf4f39976f9aadb004fc77c2058ee
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:02 2015 -0400

      libqos/ahci: fix memory management bugs

      There's a handful of trivial bugs in the libqos/ahci functions,
      squish them together.

      - Zero cached pointers after freeing them
      - The Command List Buffer is an array of 32x 32 byte structures, not
        32x 8 byte pointers -- it's 1MiB, not 256 bytes. Zero it ALL.
      - Free the correct command in ahci_pick_cmd.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1434470575-21625-4-git-send-email-jsnow@xxxxxxxxxx

  commit 0d3e9d1f598e803a02c9bf43ec0b053e873ca79a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:02 2015 -0400

      qtest/ahci: add test_max

      Test that the FIS delivered after a nondata command has appropriately
      updated registers, just as we'd expect a data command to do.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1434470575-21625-3-git-send-email-jsnow@xxxxxxxxxx

  commit e9ebb2f76778d19227476e34c3d7aa6b8975c1b6
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Sat Jul 4 02:06:02 2015 -0400

      ahci: Do not ignore memory access read size

      The only guidance the AHCI specification gives on memory access is:
      "Register accesses shall have a maximum size of 64-bits; 64-bit access
      must not cross an 8-byte alignment boundary."

      I interpret this to mean that aligned or unaligned 1, 2 and 4 byte
      accesses should work, as well as aligned 8 byte accesses.

      In practice, a real Q35/ICH9 responds to 1, 2, 4 and 8 byte reads
      regardless of alignment. Windows 7 can be observed making 1 byte
      reads to the middle of 32 bit registers to fetch error codes.

      Introduce a wrapper to support unaligned accesses to AHCI.
      This wrapper will support aligned 8 byte reads, but will make
      no effort to support unaligned 8 byte reads, which although they
      will work on real hardware, are not guaranteed to work and do
      not appear to be used by either Windows or Linux.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1434470575-21625-2-git-send-email-jsnow@xxxxxxxxxx

  commit e75e2a14d5c13ad38dcf72b69922dee2dafbb0d0
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:27 2015 +0530

      numa: API to lookup NUMA node by address

      Introduce an API numa_get_node(ram_addr_t addr, Error **errp) that
      returns the NUMA node to which the given address belongs to. This
      API works uniformly for both boot time as well as hotplugged memory.

      This API is needed by sPAPR PowerPC to support
      ibm,dynamic-reconfiguration-memory device tree node which is needed for
      memory hotplug.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit abafabd8c982e875d60a10d37f0b91cff1003c55
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:26 2015 +0530

      numa: Store boot memory address range in node_info

      Store memory address range information of boot memory  in address
      range list of numa_info.

      This helps to have a common NUMA node lookup by address function that
      works for both boot-time memory and hotplugged memory.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit fa9ea81d15d459f6c4a39d77ae680af94cebd65e
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:25 2015 +0530

      numa,pc-dimm: Store pc-dimm memory information in numa_info

      Start storing the (start_addr, end_addr) of the pc-dimm memory
      in corresponding numa_info[node] so that this information can be used
      to lookup node by address.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 8e23184b6b2f8426041854b18fb56a3ff197d5a0
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:24 2015 +0530

      pc: Abort if HotplugHandlerClass::plug() fails

      HotplugHandlerClass::plug() shouldn't fail and hence use error_abort
      to abort if it fails.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 43bbb49ef7032a8bfdafbd02d0286512af161089
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:23 2015 +0530

      pc,pc-dimm: Factor out reusable parts in pc_dimm_plug to a separate 
routine

      pc_dimm_plug() has code that will be needed for memory plug handlers
      in other archs too. Extract code from pc_dimm_plug() into a generic
      routine pc_dimm_memory_plug() that resides in pc-dimm.c. Also
      correspondingly refactor re-usable unplug code into 
pc_dimm_memory_unplug().

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit a7d69ff10b085ba6f8236600829532984cdea714
  Author: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 29 13:50:22 2015 +0530

      pc,pc-dimm: Extract hotplug related fields in PCMachineState to a 
structure

      Move hotplug_memory_base and hotplug_memory fields of PCMachineState
      into a separate structure so that the same can be made use of from
      other architectures supporing memory hotplug.

      Signed-off-by: Bharata B Rao <bharata@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Tested-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 35360642d043c2a5366e8a04a10e5545e7353bd5
  Merge: 5317b0f 496eaca
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jul 3 12:05:31 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150703-1' 
into staging

      virtio-input: add input routing support, update multiseat docs.

      # gpg: Signature made Fri Jul  3 11:22:33 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150703-1:
        update pci-bridge-seat section in docs/multiseat.txt
        virtio-input: add input routing support

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 496eacaa67653023540e090fb70b7caba429bbc0
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jul 1 10:59:47 2015 +0200

      update pci-bridge-seat section in docs/multiseat.txt

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5cce173323cfe1bb22f7a10f9b73ac7796909cef
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 24 11:59:16 2015 +0200

      virtio-input: add input routing support

      Add display and head properties for input routing to
      virtio-input devices, update multiseat documentation.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5317b0f6d4bb581c5c8f88f31138ee301ad2b7e5
  Merge: 6686ce3 c4d3c0a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 2 15:20:55 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150702-v3' into 
staging

      Several s390x patches including:
      - missing virtio-1 related code for virtio-ccw
      - bugfixes in ipl device, gdb, virtio-ccw
      - bugfix in s390-ccw bios + rebuild
      - introduce versioned machines for s390-ccw-virtio

      # gpg: Signature made Thu Jul  2 15:05:34 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150702-v3:
        s390x/migration: Introduce 2.4 machine
        s390x/gdb: synchronize cpu state after modifying acrs
        s390x/ipl: Fix boot if no bootindex was specified
        virtio-ccw: migrate ->revision
        s390x/virtio-ccw: support virtio-1 set_vq format
        s390x/virtio-ccw: add virtio set-revision call
        s390x/css: Add a callback for when subchannel gets disabled
        s390-ccw.img: update
        s390-ccw.img: Consume service interrupts
        css: mss/mcss-e vs. migration
        virtio-ccw: complete handling of guest-initiated resets

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c4d3c0a2696c09a884b680d15b03325e46656a6c
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Wed Jul 1 11:16:57 2015 +0200

      s390x/migration: Introduce 2.4 machine

      The section footer changes commit f68945d42bab ("Add a protective
      section footer") and commit 37fb569c0198 ("Disable section footers
      on older machine types") broke migration for any non-versioned
      machines.

      This pinpoints a problem of s390-ccw machines: it needs to
      be versioned to be compatible with future changes in common
      code data structures such as section footers.

      Let's introduce a version scheme for s390-ccw-virtio machines.
      We will use the old s390-ccw-virtio name as alias to the latest
      version as all existing libvirt XML for the ccw type were expanded
      by libvirt to that name.

      The only downside of this patch is, that the old alias s390-ccw
      will no longer be available as machines can have only one alias,
      but it should not really matter.

      Cc: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Cc: Juan Quintela <quintela@xxxxxxxxxx>
      Cc: Boris Fiuczynski <fiuczy@xxxxxxxxxxxxxxxxxx>
      Cc: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-Id: <1435742217-62246-1-git-send-email-borntraeger@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 55b1b753dff022dcc95123bed35946b4977d31fa
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 23 09:10:51 2015 +0200

      s390x/gdb: synchronize cpu state after modifying acrs

      Whenever we touch the access control registers, we have to make sure that
      the values will make it into kvm. Otherwise the change will simply be 
lost.

      When synchronizing qemu and kvm, a normal KVM_PUT_RUNTIME_STATE does not 
take
      care of these registers. Let's simply trigger a KVM_PUT_FULL_STATE sync,
      so the values will directly be written to kvm. The performance overhead 
can
      be ignored and this is much cleaner than manually writing these registers 
to kvm
      via our two supported ways.

      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 6efd2c2a125b4369b8def585b0dac35c849b5eb3
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Thu Jun 18 16:37:39 2015 +0200

      s390x/ipl: Fix boot if no bootindex was specified

      commit fa92e218df1d ("s390x/ipl: avoid sign extension") introduced
      a regression:

      qemu-system-s390x -drive file=image.qcow,format=qcow2
      does not boot, the bios states
      "No virtio-blk device found!"

      adding bootindex=1 does boot.

      The reason is that the uint32_t as return value will not do the right
      thing for the return -1 (default without bootindex).
      The bios itself, will interpret a 64bit -1 as autodetect (but it will
      interpret 32bit -1 as ccw device address ff.ff.ffff)

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx # v2.3.0
      Tested-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 213941d73baf8ba7ec5381c8402fed7925d613d4
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 25 12:20:08 2015 +0200

      virtio-ccw: migrate ->revision

      We need to migrate the revision field as well. No compatibility
      concerns as we already introduced migration of ->config_vector in
      this release.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 0db87e0d1763d3fb4039c2cffb0f3264da88ab30
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Dec 11 14:25:13 2014 +0100

      s390x/virtio-ccw: support virtio-1 set_vq format

      Support the new CCW_CMD_SET_VQ format for virtio-1 devices.

      While we're at it, refactor the code a bit and enforce big endian
      fields (which had always been required, even for legacy).

      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c42767f2bbd18d4ec895395c01c64bbec16b5b84
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Dec 11 14:25:12 2014 +0100

      s390x/virtio-ccw: add virtio set-revision call

      Handle the virtio-ccw revision according to what the guest sets.
      When revision 1 is selected, we have a virtio-1 standard device
      with byteswapping for the virtio rings.

      When a channel gets disabled, we have to revert to the legacy behavior
      in case the next user of the device does not negotiate the revision 1
      anymore (e.g. the boot firmware uses revision 1, but the operating
      system only uses the legacy mode).

      Note that revisions > 0 are still disabled.

      [CH: assure memory accesses are always BE]
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6686ce3f1628f045035d58db8890d20705fd5c34
  Merge: d2966f8 764ba3a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jul 2 10:44:34 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Thu Jul  2 10:10:39 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        block: remove redundant check before g_slist_find()
        block/nfs: limit maximum readahead size to 1MB
        block/iscsi: restore compatiblity with libiscsi 1.9.0
        iotests: Use event_wait in wait_ready
        qemu-iotests: Add test case for mirror with unmap
        qemu-iotests: Make block job methods common
        block: Remove bdrv_reset_dirty
        block: Fix dirty bitmap in bdrv_co_discard
        mirror: Do zero write on target if sectors not allocated
        qmp: Add optional bool "unmap" to drive-mirror
        block: Add bdrv_get_block_status_above
        timer: Use a single definition of NSEC_PER_SEC for the whole codebase
        timer: Move NANOSECONDS_PER_SECONDS to timer.h
        blockdev: no need to drain+flush in hmp_drive_del
        qapi: Rename 'dirty-bitmap' mode to 'incremental'
        qcow2: Handle EAGAIN returned from update_refcount
        block/iscsi: add support for request timeouts

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 764ba3ae511adddfa750db290ac8375d660ca5b9
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 29 16:12:13 2015 +0300

      block: remove redundant check before g_slist_find()

      An empty GSList is represented by a NULL pointer, therefore it's a
      perfectly valid argument for g_slist_find() and there's no need to
      make any additional check.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1435583533-5758-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 29c838cdc96c4d117f00c75bbcb941e1be9590fb
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Jun 26 13:14:01 2015 +0200

      block/nfs: limit maximum readahead size to 1MB

      a malicious caller could otherwise specify a very
      large value via the URI and force libnfs to allocate
      a large amount of memory for the readahead buffer.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1435317241-25585-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9049736ec70fdc886ac0df521fdd8b2886b2cb63
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Fri Jun 26 12:18:01 2015 +0200

      block/iscsi: restore compatiblity with libiscsi 1.9.0

      RHEL7 and others are stuck with libiscsi 1.9.0 since there
      unfortunately was an ABI breakage after that release.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1435313881-19366-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d7b25297920d18fa2a2cde1ed21fde38a88c935f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:14 2015 +0800

      iotests: Use event_wait in wait_ready

      Only poll the specific type of event we are interested in, to avoid
      stealing events that should be consumed by someone else.

      Suggested-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c615091793f53ff33b8f6c1b1ba711cf7c93e97b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:13 2015 +0800

      qemu-iotests: Add test case for mirror with unmap

      This checks that the discard on mirror source that effectively zeroes
      data is also reflected by the data of target.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 866323f39d5c7bb053f5e5bf753908ad9f5abec7
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:12 2015 +0800

      qemu-iotests: Make block job methods common

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6e82e4bce127654b2dd42ef393587775be792334
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:11 2015 +0800

      block: Remove bdrv_reset_dirty

      Using this function would always be wrong because a dirty bitmap must
      have a specific owner that consumes the dirty bits and calls
      bdrv_reset_dirty_bitmap().

      Remove the unused function to avoid future misuse.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 508249952c0ea7472c62e17bf8132295dab4912d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:10 2015 +0800

      block: Fix dirty bitmap in bdrv_co_discard

      Unsetting dirty globally with discard is not very correct. The discard 
may zero
      out sectors (depending on can_write_zeroes_with_unmap), we should 
replicate
      this change to destination side to make sure that the guest sees the same 
data.

      Calling bdrv_reset_dirty also troubles mirror job because the hbitmap 
iterator
      doesn't expect unsetting of bits after current position.

      So let's do it the opposite way which fixes both problems: set the dirty 
bits
      if we are to discard it.

      Reported-by: wangxiaolong@xxxxxxxxx
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dcfb3beb5130694b76b57de109619fcbf9c7e5b5
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:09 2015 +0800

      mirror: Do zero write on target if sectors not allocated

      If guest discards a source cluster, mirroring with bdrv_aio_readv is 
overkill.
      Some protocols do zero upon discard, where it's best to use
      bdrv_aio_write_zeroes, otherwise, bdrv_aio_discard will be enough.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0fc9f8ea2800b76eaea20a8a3a91fbeeb4bfa81b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:08 2015 +0800

      qmp: Add optional bool "unmap" to drive-mirror

      If specified as "true", it allows discarding on target sectors where 
source is
      not allocated.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ba3f0e2545c365ebe1dbddb0e53058710d41881e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Jun 8 13:56:07 2015 +0800

      block: Add bdrv_get_block_status_above

      Like bdrv_is_allocated_above, this function follows the backing chain 
until seeing
      BDRV_BLOCK_ALLOCATED.  Base is not included.

      Reimplement bdrv_is_allocated on top.

      [Initialized bdrv_co_get_block_status_above() ret to 0 to silence
      mingw64 compiler warning about the unitialized variable.  assert(bs !=
      base) prevents that case but I suppose the program could be compiled
      with -DNDEBUG.
      --Stefan]

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e0cf11f31c24cfb17f44ed46c254d84c78e7f6e9
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Jun 12 16:01:30 2015 +0300

      timer: Use a single definition of NSEC_PER_SEC for the whole codebase

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
c6e55468856ba0b8f95913c4da111cc0ef266541.1434113783.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 471fae3c98d4f44b1957eb09d51ace440c585a20
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Jun 12 16:01:29 2015 +0300

      timer: Move NANOSECONDS_PER_SECONDS to timer.h

      We want to be able to reuse this define by making it common to
      multiple QEMU modules.

      This also makes it an integer since there's no need for it to be a
      float.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
6375912849da2ab561046dd013684535ccecca44.1434113783.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 126b8bbdfe8bc4042f13f230a4b36f90646f47c6
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 28 16:17:09 2015 +0200

      blockdev: no need to drain+flush in hmp_drive_del

      bdrv_close already does that, and in fact hmp_drive_del would need
      another drain after the flush (which bdrv_close does).  So remove
      the duplication.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1432822629-25401-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4b80ab2b7d950d5b22647b364e37eb81c756f061
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Thu Jun 4 20:20:34 2015 -0400

      qapi: Rename 'dirty-bitmap' mode to 'incremental'

      If we wish to make differential backups a feature that's easy to access,
      it might be pertinent to rename the "dirty-bitmap" mode to "incremental"
      to make it clear what /type/ of backup the dirty-bitmap is helping us
      perform.

      This is an API breaking change, but 2.4 has not yet gone live,
      so we have this flexibility.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1433463642-21840-2-git-send-email-jsnow@xxxxxxxxxx
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3e5feb6202149e8a963a33b911216e40d790f1d7
  Author: JindÅ?ich MakoviÄ?ka <makovick@xxxxxxxxx>
  Date:   Wed Jun 24 07:05:25 2015 +0200

      qcow2: Handle EAGAIN returned from update_refcount

      Fixes a crash during image compression

      Signed-off-by: JindÅ?ich MakoviÄ?ka <makovick@xxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5dd7a535b71a0f2f8e7af75c5d694174359ce323
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Jun 16 13:45:07 2015 +0200

      block/iscsi: add support for request timeouts

      libiscsi starting with 1.15 will properly support timeout of iscsi
      commands. The default will remain no timeout, but this can
      be changed via cmdline parameters, e.g.:

      qemu -iscsi timeout=30 -drive file=iscsi://...

      If a timeout occurs a reconnect is scheduled and the timed out command
      will be requeued for processing after a successful reconnect.

      The required API call iscsi_set_timeout is present since libiscsi
      1.10 which was released in October 2013. However, due to some bugs
      in the libiscsi code the use is not recommended before version 1.15.

      Please note that this patch bumps the libiscsi requirement to 1.10
      to have all function and macros defined. The patch fixes also a
      off-by-one error in the NOP timeout calculation which was fixed
      while touching these code parts.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1434455107-19328-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit de7ea885c5394c1fba7443cbf33bd2745d32e6c2
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:26 2015 +0200

      kvm: Switch to unlocked MMIO

      Do not take the BQL before dispatching MMIO requests of KVM VCPUs.
      Instead, address_space_rw will do it if necessary. This enables completely
      BQL-free MMIO handling in KVM mode for upcoming devices with fine-grained
      locking.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-10-git-send-email-pbonzini@xxxxxxxxxx>

  commit 7070e085d490c396f9237c8f10bf8b6e69cd0066
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:25 2015 +0200

      acpi: mark PMTIMER as unlocked

      Accessing QEMU_CLOCK_VIRTUAL is thread-safe.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-9-git-send-email-pbonzini@xxxxxxxxxx>

  commit 80b7d2efb63c225797345c152cdd3392b9fe7b72
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Jun 18 18:47:24 2015 +0200

      kvm: Switch to unlocked PIO

      Do not take the BQL before dispatching PIO requests of KVM VCPUs.
      Instead, address_space_rw will do it if necessary. This enables
      completely BQL-free PIO handling in KVM mode for upcoming devices with
      fine-grained locking.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-8-git-send-email-pbonzini@xxxxxxxxxx>

  commit 4b8523ee896750c37b4fa224a40d34703cbdf4c6
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Jun 18 18:47:23 2015 +0200

      kvm: First step to push iothread lock out of inner run loop

      This opens the path to get rid of the iothread lock on vmexits in KVM
      mode. On x86, the in-kernel irqchips has to be used because we otherwise
      need to synchronize APIC and other per-cpu state accesses that could be
      changed concurrently.

      Regarding pre/post-run callbacks, s390x and ARM should be fine without
      specific locking as the callbacks are empty. MIPS and POWER require
      locking for the pre-run callback.

      For the handle_exit callback, it is non-empty in x86, POWER and s390.
      Some POWER cases could do without the locking, but it is left in
      place for now.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-7-git-send-email-pbonzini@xxxxxxxxxx>

  commit 4840f10eff37eebc609fcc933ab985dc66df95c6
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Jun 18 18:47:22 2015 +0200

      memory: let address_space_rw/ld*/st* run outside the BQL

      The MMIO case is further broken up in two cases: if the caller does not
      hold the BQL on invocation, the unlocked one takes or avoids BQL depending
      on the locking strategy of the target memory region and its coalesced
      MMIO handling.  In this case, the caller should not hold _any_ lock
      (a friendly suggestion which is disregarded by virtio-scsi-dataplane).

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1434646046-27150-6-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 125b3806668106667dd2ae049593852859e12b63
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:21 2015 +0200

      exec: pull qemu_flush_coalesced_mmio_buffer() into 
address_space_rw/ld*/st*

      As memory_region_read/write_accessor will now be run also without BQL 
held,
      we need to move coalesced MMIO flushing earlier in the dispatch process.

      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1434646046-27150-5-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 196ea13104f802c508e57180b2a0d2b3418989a3
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Jun 18 18:47:20 2015 +0200

      memory: Add global-locking property to memory regions

      This introduces the memory region property "global_locking". It is true
      by default. By setting it to false, a device model can request BQL-free
      dispatching of region accesses to its r/w handlers. The actual BQL
      break-up will be provided in a separate patch.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1434646046-27150-4-git-send-email-pbonzini@xxxxxxxxxx>

  commit afbe70535ff1a8a7a32910cc15ebecc0ba92e7da
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:19 2015 +0200

      main-loop: introduce qemu_mutex_iothread_locked

      This function will be used to avoid recursive locking of the iothread lock
      whenever address_space_rw/ld*/st* are called with the BQL held, which is
      almost always the case.

      Tracking whether the iothread is owned is very cheap (just use a TLS
      variable) but requires some care because now the lock must always be
      taken with qemu_mutex_lock_iothread().  Previously this wasn't the case.
      Outside TCG mode this is not a problem.  In TCG mode, we need to be
      careful and avoid the "prod out of compiled code" step if already
      in a VCPU thread.  This is easily done with a check on current_cpu,
      i.e. qemu_in_vcpu_thread().

      Hopefully, multithreaded TCG will get rid of the whole logic to kick
      VCPUs whenever an I/O event occurs!

      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1434646046-27150-3-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2e7f7a3c86f884a77296a137b7c730a4d580c5c9
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 18 18:47:18 2015 +0200

      main-loop: use qemu_mutex_lock_iothread consistently

      The next patch will require the BQL to be always taken with
      qemu_mutex_lock_iothread(), while right now this isn't the case.

      Outside TCG mode this is not a problem.  In TCG mode, we need to be
      careful and avoid the "prod out of compiled code" step if already
      in a VCPU thread.  This is easily done with a check on current_cpu,
      i.e. qemu_in_vcpu_thread().

      Hopefully, multithreaded TCG will get rid of the whole logic to kick
      VCPUs whenever an I/O event occurs!

      Cc: Frederic Konrad <fred.konrad@xxxxxxxxxxxxx>
      Message-Id: <1434646046-27150-2-git-send-email-pbonzini@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bdf026317daa3b9dfa281f29e96fbb6fd48394c8
  Author: 马æ??é?? <kevinnma@xxxxxxxxxxx>
  Date:   Wed Jul 1 15:41:41 2015 +0200

      Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES

      Last month, we experienced several guests crash(6cores-8cores), qemu logs
      display the following messages:

      qemu-system-x86_64: /build/qemu-2.1.2/kvm-all.c:976:
      kvm_irqchip_commit_routes: Assertion `ret == 0' failed.

      After analysis and verification, we can confirm it's irq-balance
      daemon(in guest) leads to the assertion failure. Start a 8 core guest with
      two disks, execute the following scripts will reproduce the BUG quickly:

      irq_affinity.sh
      ========================================================================

      vda_irq_num=25
      vdb_irq_num=27
      while [ 1 ]
      do
          for irq in {1,2,4,8,10,20,40,80}
              do
                  echo $irq > /proc/irq/$vda_irq_num/smp_affinity
                  echo $irq > /proc/irq/$vdb_irq_num/smp_affinity
                  dd if=/dev/vda of=/dev/zero bs=4K count=100 iflag=direct
                  dd if=/dev/vdb of=/dev/zero bs=4K count=100 iflag=direct
              done
      done
      ========================================================================

      QEMU setup static irq route entries in kvm_pc_setup_irq_routing(), PIC and
      IOAPIC share the first 15 GSI numbers, take up 23 GSI numbers, but take up
      38 irq route entries. When change irq smp_affinity in guest, a dynamic 
route
      entry may be setup, the current logic is: if allocate GSI number succeeds,
      a new route entry can be added. The available dynamic GSI numbers is
      1021(KVM_MAX_IRQ_ROUTES-23), but available irq route entries is only
      986(KVM_MAX_IRQ_ROUTES-38), GSI numbers greater than route entries.
      irq-balance's behavior will eventually leads to total irq route entries
      exceed KVM_MAX_IRQ_ROUTES, ioctl(KVM_SET_GSI_ROUTING) fail and
      kvm_irqchip_commit_routes() trigger assertion failure.

      This patch fix the BUG.

      Signed-off-by: Wenshuang Ma <kevinnma@xxxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 62ac4a52e27c706c860403fd1d8535a9a1073a19
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Dec 11 14:25:11 2014 +0100

      s390x/css: Add a callback for when subchannel gets disabled

      We need a possibility to run code when a subchannel gets disabled.
      This patch adds the necessary infrastructure.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6e7cd94462d65405037c993fc4401d6fceed6660
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 25 13:48:58 2015 +0200

      s390-ccw.img: update

      Update for "s390-ccw.img: Consume service interrupts".

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit bdc7fe3638fa7693eed5886b5b2afe0858d875fc
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Fri Jun 19 15:40:45 2015 +0200

      s390-ccw.img: Consume service interrupts

      We have to consume the outstanding service interrupt after each
      service call, otherwise a correct implementation will return
      CC=2 on subsequent service calls.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ec7353a146bb39c3bb3e5ccc50ca585aed97b7cf
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Jun 24 10:57:23 2015 +0200

      css: mss/mcss-e vs. migration

      Our main channel_subsys structure is not a device (yet), but we need
      to setup mss/mcss-e again if the guest had enabled it before. Use
      a hack that should catch most configurations (assuming that the guest
      will have enabled at least one device in higher subchannel sets or
      channel subsystems if it enabled the functionality.)

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fa8b0ca5d1b69975b715a259d3586cadf7a5280f
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Jun 23 15:46:31 2015 +0200

      virtio-ccw: complete handling of guest-initiated resets

      For a guest-initiated reset, we need to not only reset the virtio device,
      but also reset the VirtioCcwDevice into a clean state. This includes
      resetting the indicators, or else a guest will not be able to e.g.
      switch from classic interrupts to adapter interrupts.

      Split off this routine into a new function virtio_ccw_reset_virtio()
      to make the distinction between resetting the virtio-related devices
      and the base subchannel device clear.

      CC: qemu-stable@xxxxxxxxxx
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit d2966f804d70a244f5dde395fc5d22a50ed3e74e
  Merge: 2b464e1 a435612
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 29 17:03:20 2015 +0100

      Merge remote-tracking branch 'remotes/vivier/tags/pull-m68k-20150629' 
into staging

      Trivial m68k cleanup

      # gpg: Signature made Mon Jun 29 16:38:40 2015 BST using DSA key ID 
ABF36C53
      # gpg: Good signature from "Laurent Vivier <laurent@xxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier <Laurent@xxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier <Laurent@xxxxxxxxxxxx>"
      # gpg:                 aka "Laurent Vivier (Red Hat) <lvivier@xxxxxxxxxx>"
      # gpg:                 aka "[jpeg image of size 3881]"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 9EC7 B78A C0AC E697 5E4B  BDE3 34A4 F6C9 ABF3 
6C53

      * remotes/vivier/tags/pull-m68k-20150629:
        m68k: remove useless parameter op_size from gen_lea_indexed()
        m68k: remove useless file m68k-qreg.h
        m68k: is_mem is useless

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a435612616202c837d62626dbe3e33a4e9a95772
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Wed Jun 24 02:51:49 2015 +0200

      m68k: remove useless parameter op_size from gen_lea_indexed()

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <huth@xxxxxxxxxxxxx>

  commit bb337ac978b6def085eabf17830d5cc2a1bce6a8
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Wed Jun 24 02:07:24 2015 +0200

      m68k: remove useless file m68k-qreg.h

      Unused since:

          commit e1f3808e03f73e7a7fa966afbed2455dd052202e
          Author: pbrook <pbrook@c046a42c-6fe2-441c-8c8c-71466251a162>
          Date:   Sat May 24 22:29:16 2008 +0000

              Convert m68k target to TCG.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <huth@xxxxxxxxxxxxx>

  commit 805167adcb900fa7b2b114d639c418f5313d0b42
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Wed Jun 24 01:00:22 2015 +0200

      m68k: is_mem is useless

      Remove is_mem as it is never tested anymore since:

          commit bfa50bc2638d877cf2900712b7503be22e8811cb
          Author: aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>
          Date:   Tue Nov 18 20:26:41 2008 +0000

              Remove premature memop TB terminations (Jan Kiszka)

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Reviewed-by: Thomas Huth <huth@xxxxxxxxxxxxx>

  commit 2b464e13f0d30e6c0b8f69ec908fceab30aea986
  Merge: dc1e135 5f37fd8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 29 13:26:43 2015 +0100

      Merge remote-tracking branch 
'remotes/bkoppelmann/tags/pull-tricore-20150629' into staging

      TriCore bugfixes

      # gpg: Signature made Mon Jun 29 13:08:17 2015 BST using RSA key ID 
6B69CA14
      # gpg: Good signature from "Bastian Koppelmann 
<kbastian@xxxxxxxxxxxxxxxxxxxxx>"

      * remotes/bkoppelmann/tags/pull-tricore-20150629:
        target-tricore: fix depositing bits from PCXI into ICR

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5f37fd8e2980818ab71bc4b4e21129e29acd73f7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 24 14:01:10 2015 +0200

      target-tricore: fix depositing bits from PCXI into ICR

      Spotted by Coverity, because (env->PCXI & MASK_PCXI_PCPN) >> 24
      is always zero.  The immediately preceding assignment is also
      wrong though.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Message-Id: <1435147270-1040-1-git-send-email-pbonzini@xxxxxxxxxx>

  commit dc1e1350f8061021df765b396295329797d66933
  Merge: d14b9d7 d46f7c9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 15:57:43 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, pci fixes, enhancements

      Almost exclusively bugfixes, though in this case,
      we are adding functionality to the pxb in order
      to make OVMF work on it.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Fri Jun 26 14:43:27 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        Fix glib_subprocess test
        hw/pci-bridge: format special OFW unit address for PXB host
        hw/core: explicit OFW unit address callback for SysBusDeviceClass
        hw/pci-bridge: disable SHPC in PXB
        hw/pci-bridge: introduce "shpc" property
        hw/pci: introduce shpc_present() helper function
        hw/pci-bridge: add macro for "msi" property
        hw/pci-bridge: add macro for "chassis_nr" property
        hw/pci-bridge: expose _test parameter in SHPC_VMSTATE()
        migration: introduce VMSTATE_BUFFER_UNSAFE_INFO_TEST()
        add pci-bridge-seat
        pc: cleanup and convert TMP ACPI device description to AML API
        MAINTAINERS: add ACPI entry
        vhost: correctly pass error to caller in vhost_dev_enable_notifiers()
        balloon: add a feature bit to let Guest OS deflate balloon on oom
        qdev: fix OVERFLOW_BEFORE_WIDEN
        virito-pci: fix OVERRUN problem

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 41da4bd6420afd1209c408974920f63ff9c658e1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat May 30 23:11:46 2015 -0700

      cpu-defs: Move out TB_JMP defines

      These are not Architecture specific in any way so move them out of
      cpu-defs.h. tb-hash.h is an appropriate place as a leading user and
      their strong relationship to TB hashing and caching.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<43ceca65a3fa240efac49aa0bf604ad0442e1710.1433052532.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e1b89321bafea9fb33d87852fc91fee579d17dfe
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat May 30 23:11:45 2015 -0700

      include/exec: Move tb hash functions out

      This is one of very few things in exec-all with a genuine CPU
      architecture dependency. Move these hashing helpers to a new
      header to trim exec-all.h down to a near architecture-agnostic
      header.

      The defs are only used by cpu-exec and translate-all which are both
      arch-obj's so the new tb-hash.h has no core code usage.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<9d048b96f7cfa64a4d9c0b88e0dd2877fac51d41.1433052532.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9e0dc48c9f05505b53cb28f860456a0648e56ddf
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat May 30 23:11:42 2015 -0700

      include/exec: Move standard exceptions to cpu-all.h

      These exception indicies are generic and don't have any reliance on the
      per-arch cpu.h defs. Move them to cpu-all.h so they can be used by core
      code that does not have access to cpu-defs.h.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<dbebd3062c7cd4332240891a3564e73f374ddfcd.1433052532.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6e0b07306d1793e8402dd218d2e38a7377b5fc27
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sat May 30 23:11:34 2015 -0700

      cpu-defs: Move CPU_TEMP_BUF_NLONGS to tcg

      The usages of this define are pure TCG and there is no architecture
      specific variation of the value. Localise it to the TCG engine to
      remove another architecture agnostic piece from cpu-defs.h.

      This follows on from a28177820a868eafda8fab007561cc19f41941f4 where
      temp_buf was moved out of the CPU_COMMON obsoleting the need for
      the super early definition.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<498e8e5325c1a1aff79e5bcfc28cb760ef6b214e.1433052532.git.crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 94beb661bd90bcb477eed6d3b07aced988c40163
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Jun 7 14:59:09 2015 -0700

      memory_mapping: Rework cpu related includes

      This makes it more consistent with all other core code files, which
      either just rely on qemu-common.h inclusion or precede cpu.h with
      qemu-common.h.

      cpu-all.h should not be included in addition to cpu.h. Remove it.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: <1433714349-7262-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 27e7755bea57c66097000f7612271ceefcbeb4a4
  Author: Artyom Tarasenko <atar4qemu@xxxxxxxxx>
  Date:   Tue Jun 23 14:30:18 2015 +0200

      cutils: allow compilation with icc

      Use VEC_OR macro for operations on VECTYPE operands

      Signed-off-by: Artyom Tarasenko <atar4qemu@xxxxxxxxx>
      Message-Id: 
<3f62d7a3a265f7dd99e50d016a0333a99a4a082a.1435062067.git.atar4qemu@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 34664507c7f038842f20a2c787915680b1fabba2
  Author: Artyom Tarasenko <atar4qemu@xxxxxxxxx>
  Date:   Tue Jun 23 14:30:17 2015 +0200

      qemu-common: add VEC_OR macro

      Intel C Compiler version 15.0.3.187 Build 20150407 doesn't support
      '|' function for non floating-point simd operands.

      Define VEC_OR macro which uses _mm_or_si128 supported
      both in icc and gcc on x86 platform.

      Signed-off-by: Artyom Tarasenko <atar4qemu@xxxxxxxxx>
      Message-Id: 
<54c804cdb3b3a93e93ef98f085dc57c4092580b7.1435062067.git.atar4qemu@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d14b9d79be8a424ebc66450d565b81eff2296d55
  Merge: ccb0c7e 4e2c0b2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 14:40:47 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150626' into staging

      target-arm queue:
       * Change the virt board's default interface type for block devices to 
virtio
       * Improve some error messages that will now be triggered by some 
incorrect
         but previously worked-by-accident command lines
       * Print ELR if we're doing debug logging of AArch64 exception entry
       * Handle the "completely empty semihosting commandline" correctly for
         softmmu (we already did for linux-user)
       * Add GICv2m description to ACPI tables for virt board
       * Fix some incorrect table revision entries in virt board ACPI tables

      # gpg: Signature made Fri Jun 26 14:29:39 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150626:
        hw/arm/virt: Make block devices default to virtio
        qdev-properties-system: Improve error message for drive assignment 
conflict
        qdev-properties-system: Change set_pointer's parse callback to use Error
        target-arm: A64: Print ELR when taking exceptions
        target-arm: default empty semihosting cmdline
        hw/arm/virt-acpi-build: Add GICv2m description in ACPI MADT table
        hw/arm/virt-acpi-build: Fix table revision and some comments

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4e2c0b2a4ab810c8989e181a010e75aeaa1c55f3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:37 2015 +0100

      hw/arm/virt: Make block devices default to virtio

      Now we have virtio-pci, we can make the virt board's default block
      device type be IF_VIRTIO. This allows users to use simplified
      command lines that don't have to explicitly create virtio-pci-blk
      devices; the -hda &c very short options now also work.

      This means we also need to set no_cdrom to avoid getting a
      default cdrom device -- this is needed because the virtio-blk
      device will fail if it is connected to a block backend with
      no media, which is what the default cdrom device typically is.
      Providing a cdrom with media via -cdrom will succeed, but silently
      create a device with non-removable medium. this is probably
      not really what the user wants, but is the best we can do now.

      Note that this change means that some command lines which used
      to work (by accident) will stop working. Where a drive was connected
      manually to a device but without 'if=none' being specified, we
      used to treat this as an IDE drive, which we would then not autoplug
      because the board doesn't support IDE. Now we will treat it as a
      virtio disk and autoplug it, which means the attempt to use the
      drive manually will fail:
        qemu-system-arm: -drive file=img.qcow2,id=foo: Drive 'foo' is already
        in use because it has been automatically connected to another device
        (did you need 'if=none' in the drive options?)
      The command line will have to be changed to include 'if=none', as the
      error message suggests.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435068107-12594-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 62f7dbde4c75e48921fd1b773865250130c57bd8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      qdev-properties-system: Improve error message for drive assignment 
conflict

      If the user forgot if=none on their drive specification they're likely
      to get an error message because the drive is assigned once automatically
      by QEMU and once by the manual id=/drive= user command line specification.
      Improve the error message produced in this case to explicitly guide the
      user towards if=none.

      We rephrase the "drive conflict but not for an if=something" error as
      well to keep the wording in line.

      The two cases that change are:

      (1) Drive specified as to be auto-connected and also manually connected
      (and the board does handle this if= type):

        qemu-system-x86_64 -nodefaults -display none \
           -drive if=scsi,file=tmp.qcow2,id=foo -device ide-hd,drive=foo

      Previously:
        qemu-system-x86_64: -device ide-hd,drive=foo: Property 'ide-hd.drive'
        can't take value 'foo', it's in use

      Now:
        qemu-system-x86_64: -device ide-hd,drive=foo: Drive 'foo' is already in
        use because it has been automatically connected to another device (did
        you need 'if=none' in the drive options?)

      (2) Drive specified to be manually connected in two different ways:

        qemu-system-x86_64 -nodefaults -display none \
         -drive if=none,file=tmp.qcow2,id=foo -device ide-hd,drive=foo \
         -device ide-hd,drive=foo

      Previously:
        qemu-system-x86_64: -device ide-hd,drive=foo: Property 'ide-hd.drive'
        can't take value 'foo', it's in use

      Now:
        qemu-system-x86_64: -device ide-hd,drive=foo: Drive 'foo' is already in
        use by another device

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435068107-12594-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit f1fb9f0dc087c02b230be4cc96c5c76521f188fa
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      qdev-properties-system: Change set_pointer's parse callback to use Error

      Instead of having set_pointer() call a parse callback which returns
      an error number that we then convert to an Error string with
      error_set_from_qdev_prop_error(), make the parse callback take an
      Error** and set the error itself. This will allow parse routines
      to provide more helpful error messages than the generic ones.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435068107-12594-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit b21ab1fc217b4a2b8f2f85d16bdd8510a7817a34
  Author: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      target-arm: A64: Print ELR when taking exceptions

      When taking an exception print the content of the exception link
      register. This is useful especially for synchronous exceptions because
      in that case this registers holds the address of the instruction that
      generated the exception.

      Signed-off-by: Soren Brinkmann <soren.brinkmann@xxxxxxxxxx>
      Message-id: 1435036655-16132-1-git-send-email-soren.brinkmann@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f3c2bda216a00676e40301b5843ac3d6c3b2537a
  Author: Liviu Ionescu <ilg@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      target-arm: default empty semihosting cmdline

      If neither explicit semihosting args nor -kernel are used,
      make SYS_GET_CMDLINE return an empty string.

      Signed-off-by: Liviu Ionescu <ilg@xxxxxxxxxx>
      Message-id: AC7B5AFC-06AE-4FAD-9852-B65708E80E09@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca7937365305d144cf0c97b907dac6f70ea152ef
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      hw/arm/virt-acpi-build: Add GICv2m description in ACPI MADT table

      Add GICv2m description in ACPI MADT table, so guest can use MSI when
      booting with ACPI.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Andrew Jones <drjones@xxxxxxxxxx>
      Tested-by: Andrew Jones <drjones@xxxxxxxxxx>
      Message-id: 1434676210-2276-1-git-send-email-shannon.zhao@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d0652b5765859049c96a13372bbe075be44e756b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri Jun 26 14:22:36 2015 +0100

      hw/arm/virt-acpi-build: Fix table revision and some comments

      The table revision is not the ACPI spec version. Fix the wrong revision
      and also some comments.

      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1433820378-8336-1-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ccb0c7e122db72d3a5da798c6414d4912bba828f
  Merge: 0a4a031 4b3bcd0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 26 11:32:58 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150626' into 
staging

      MIPS patches 2015-06-26

      Changes:
      * MIPS UHI semihosting support
      * microMIPS32 R6 support

      # gpg: Signature made Fri Jun 26 10:42:33 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150626:
        target-mips: add mips32r6-generic CPU definition
        target-mips: microMIPS32 R6 POOL16{A, C} instructions
        target-mips: microMIPS32 R6 Major instructions
        target-mips: microMIPS32 R6 POOL32{I, C} instructions
        target-mips: microMIPS32 R6 POOL32F instructions
        target-mips: microMIPS32 R6 POOL32A{XF} instructions
        target-mips: microMIPS32 R6 branches and jumps
        target-mips: add microMIPS32 R6 opcode enum
        target-mips: signal RI for removed instructions in microMIPS R6
        target-mips: raise RI exceptions when FIR.PS = 0
        target-mips: rearrange gen_compute_compact_branch
        target-mips: refactor {D}LSA, {D}ALIGN, {D}BITSWAP
        target-mips: remove an unused argument
        target-mips: add microMIPS TLBINV, TLBINVF
        target-mips: fix {RD, WR}PGPR in microMIPS
        target-mips: convert host to MIPS errno values when required
        target-mips: add Unified Hosting Interface (UHI) support
        target-mips: remove identical code in different branch
        hw/mips: Do not clear BEV for MIPS malta kernel load
        include/softmmu-semi.h: Make semihosting support 64-bit clean

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4b3bcd016d83cc75f6a495c1db54b6c77f037adc
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:27 2015 +0100

      target-mips: add mips32r6-generic CPU definition

      Define a new CPU definition supporting MIPS32 Release 6 ISA and
      microMIPS32 Release 6 ISA.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ed7ce6c0f9d4370826557ce33d652beb88ccb3e6
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:26 2015 +0100

      target-mips: microMIPS32 R6 POOL16{A, C} instructions

      microMIPS32 Release 6 POOL16A/ POOL16C instructions

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ab39ee452d74855adec91056812b8e1e5166302c
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:25 2015 +0100

      target-mips: microMIPS32 R6 Major instructions

      Add new microMIPS32 Release 6 Major opcode instructions

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 3b4a5489447e7ed17cc504572cf729833853e7ab
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:24 2015 +0100

      target-mips: microMIPS32 R6 POOL32{I, C} instructions

      Add new microMIPS32 Release 6 POOL32I/POOL32C type instructions

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 2a24a7badeb6ad3ba72e7984f299623035d564d6
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:23 2015 +0100

      target-mips: microMIPS32 R6 POOL32F instructions

      Add new microMIPS32 Release 6 POOL32F instructions

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit e03320958305a68f2bc6a32c87d7ed48303438f9
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:22 2015 +0100

      target-mips: microMIPS32 R6 POOL32A{XF} instructions

      Add new microMIPS32 Release 6 pool32a/pool32axf instructions.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 65935f070aa710cf340e96ae7ee36d2c1d5c8d15
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:21 2015 +0100

      target-mips: microMIPS32 R6 branches and jumps

      Add new microMIPS32 Release 6 branch and jump instructions.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 3a1f426828cd8ffeec1a4fa8ca6ca3ed4f800edb
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:20 2015 +0100

      target-mips: add microMIPS32 R6 opcode enum

      Add microMIPS32 Release 6 opcode enum.
      Remove RI checking for pre-R6 reserved opcode.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 9e8f441a7e094c0dc33a1c8f521d9e5bcfc1b4da
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:19 2015 +0100

      target-mips: signal RI for removed instructions in microMIPS R6

      Signal a Reserved Instruction exception for removed instruction encoding
      in microMIPS Release 6.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit e29c962804c4dd3fabd44e703aa87eec555ed910
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:18 2015 +0100

      target-mips: raise RI exceptions when FIR.PS = 0

      64-bit paired-single (PS) floating point data type is optional in the
      pre-Release 6.
      It has to raise RI exception when PS type is not implemented. (FIR.PS = 0)
      (The PS data type is removed in the Release 6.)
      Loongson-2E and Loongson-2F don't have any implementation field in
      FCSR0(FIR) but do support PS data format, therefore for these cores RI 
will
      not be signalled regardless of PS bit.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 6893f07466b045c5faf314ab9e57ef3b4a6f9e49
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:17 2015 +0100

      target-mips: rearrange gen_compute_compact_branch

      The function will be also used for microMIPS Release 6.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 1f1b4c008e250f870719ed38fbd0bcc14322fc01
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:16 2015 +0100

      target-mips: refactor {D}LSA, {D}ALIGN, {D}BITSWAP

      Refactor those instructions in order to reuse them for microMIPS32
      Release 6.
      Rearrange gen_move_low32().

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f60eeb0c5ddd8ceb8ca6b3ba032159027afab67a
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:15 2015 +0100

      target-mips: remove an unused argument

      Remove an unused argument from decode_micromips32_opc()

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit e60ec06357470db5a0f25901ca19b6237e6da927
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:14 2015 +0100

      target-mips: add microMIPS TLBINV, TLBINVF

      Add microMIPS TLBINV, TLBINVF

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 1bf5902de03732d4067c4e90171a1741d6542c45
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Thu Jun 25 00:24:13 2015 +0100

      target-mips: fix {RD, WR}PGPR in microMIPS

      rt, rs were swapped

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 2c44b19c199f4ce2f1721120744d3d6e5d01d274
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 11:08:44 2015 +0100

      target-mips: convert host to MIPS errno values when required

      Convert only errno values which can be returned by system calls in
      mips-semi.c and are not generic to all archs.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 3b3c1694cfd394b73de426edebdbf90c28f664fd
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 11:08:43 2015 +0100

      target-mips: add Unified Hosting Interface (UHI) support

      Add UHI semihosting support for MIPS. QEMU run with "-semihosting" option
      will alter the behaviour of SDBBP 1 instruction -- UHI operation will be
      called instead of generating a debug exception.

      Also tweak Malta's pseudo-bootloader. On CPU reset the $4 register is set
      to -1 if semihosting arguments are passed to indicate that the UHI
      operations should be used to obtain input arguments.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit ff334767728011218c62f7476232d260cb5b28e6
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 11:08:42 2015 +0100

      target-mips: remove identical code in different branch

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit d6ca4277eee98b3c561e21ac105199891d346d79
  Author: Matthew Fortune <matthew.fortune@xxxxxxxxxx>
  Date:   Fri Jun 19 11:08:41 2015 +0100

      hw/mips: Do not clear BEV for MIPS malta kernel load

      The BEV flag controls whether the boot exception vector is still
      in place when starting a kernel.  When cleared the exception vector
      at EBASE (or hard coded address of 0x80000000) is used instead.

      The early stages of the linux kernel would benefit from BEV still
      being set to ensure any faults get handled by the boot rom exception
      handlers.  This is a moot point for system qemu as there aren't really
      any BEV handlers, but there are other good reasons to change this...

      The UHI (semi-hosting interface) defines special behaviours depending
      on whether an application starts in an environment with BEV set or
      cleared. When BEV is set then UHI assumes that a bootloader is
      relatively dumb and has no advanced exception handling logic.
      However, when BEV is cleared then UHI assumes that the bootloader
      has the ability to handle UHI exceptions with its exception handlers
      and will unwind and forward UHI SYSCALL exceptions to the exception
      vector that was installed prior to running the application.

      Signed-off-by: Matthew Fortune <matthew.fortune@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 9f6f7ca1490563d98003149e6de32caf25c670da
  Author: Maciej W. Rozycki <macro@xxxxxxxxxxxxxxxx>
  Date:   Fri Jun 19 11:08:40 2015 +0100

      include/softmmu-semi.h: Make semihosting support 64-bit clean

      Correct addresses passed around in semihosting to use a data type suitable
      for both 32-bit and 64-bit targets.

      Signed-off-by: Maciej W. Rozycki <macro@xxxxxxxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 0a4a0312bf8b029cbd32a97db2cad669cf65ac49
  Merge: 58e8b33 1e81aba
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 25 14:03:55 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Wed Jun 24 16:37:23 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net: simplify net_client_init1()
        net: drop if expression that is always true
        net: raise an error if -net type is invalid
        net: replace net_client_init1() netdev whitelist with blacklist
        net: add missing "netmap" to host_net_devices[]

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 58e8b33518fd2bb6dce0ba7b6347c3df85aea3c6
  Merge: 355df30 1204854
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 25 11:19:46 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Wed Jun 24 16:27:53 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        virito-blk: drop duplicate check
        qemu-iotests: fix 051.out after qdev error message change
        iov: don't touch iov in iov_send_recv()
        raw-posix: Introduce hdev_is_sg()
        raw-posix: Use DPRINTF for DEBUG_FLOPPY
        raw-posix: DPRINTF instead of DEBUG_BLOCK_PRINT
        Fix migration in case of scsi-generic
        block: Use bdrv_is_sg() everywhere
        nvme: Fix memleak in nvme_dma_read_prp
        vvfat: add a label option
        util/hbitmap: Add an API to reset all set bits in hbitmap
        virtio-blk: Use blk_drain() to drain IO requests
        block-backend: Introduce blk_drain()
        throttle: Check current timers before updating any_timer_armed[]
        block: Let bdrv_drain_all() to call aio_poll() for each AioContext

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1e81aba5ac0b908ab859bf8ddf43ece33732d49c
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:52 2015 +0100

      net: simplify net_client_init1()

      Drop the union and move the hubport creation into the !is_netdev case.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1432743412-15943-6-git-send-email-stefanha@xxxxxxxxxx

  commit 4ef0defbad9bc8b195f3392d1b7dcb42cd7ebe11
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:51 2015 +0100

      net: drop if expression that is always true

      Both is_netdev and !is_netdev paths already check that
      net_client_init_func[opts->kind] is non-NULL so there is no need for the
      if statement.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1432743412-15943-5-git-send-email-stefanha@xxxxxxxxxx

  commit d139e9a6cf01b8c31f5904b4ba40521d7224f7de
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:50 2015 +0100

      net: raise an error if -net type is invalid

      When a -net type is used that was not compiled into the binary there
      should be an error message.

      Note the special case for -net none, which is a no-op.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1432743412-15943-4-git-send-email-stefanha@xxxxxxxxxx

  commit 1322629b4f25730aed973d51983e7a3b021fe9c9
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:49 2015 +0100

      net: replace net_client_init1() netdev whitelist with blacklist

      It's cumbersome to keep the whitelist up-to-date.  New netdev backends
      should most likely be allowed so a blacklist makes more sense than a
      whitelist.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1432743412-15943-3-git-send-email-stefanha@xxxxxxxxxx

  commit 027a247bbf703e94258d07e38948946d7b85e91c
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed May 27 17:16:48 2015 +0100

      net: add missing "netmap" to host_net_devices[]

      Although hmp-commands.hx lists "netmap" as a valid host_net_add type,
      the command rejects it because it's missing from the list.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1432743412-15943-2-git-send-email-stefanha@xxxxxxxxxx

  commit 12048545019cd1d64c8147ea9277648e685fa489
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed Jun 24 17:29:24 2015 +0800

      virito-blk: drop duplicate check

      in_num = req->elem.in_num, and req->elem.in_num is
      checked in line 489, so the check about in_num variable
      is superflous, let's drop it.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435138164-11728-1-git-send-email-arei.gonglei@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a30c4eb2ce7b2c15ab556be3cfe2340c17271ddd
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Jun 23 15:56:09 2015 +0100

      qemu-iotests: fix 051.out after qdev error message change

      Commit f006cf7fa9a63ba8e4ccf57d46231ce594301727 ("qdev-monitor:
      Propagate errors through qdev_device_add()") dropped a meaningless error
      message.  This change in output caused qemu-iotests 051 to fail:

         QEMU_PROG: -device ide-drive,drive=disk: Device initialization failed.
        -QEMU_PROG: -device ide-drive,drive=disk: Device 'ide-drive' could not 
be initialized

      Update 051.out so the test passes again.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1435071369-30936-1-git-send-email-stefanha@xxxxxxxxxx

  commit d46f7c9e648d8098ac73b36834ac81237b8c2c2d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Jun 24 10:45:42 2015 +0100

      Fix glib_subprocess test

      A typo means that the tests dependent on glib with subprocess
      support are never run.

      Fixes: 9d41401b90fa10b335d2e739149d36437cfbf622

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 48ea3dedc54dbcb3c738ddef02a336739910ecfd
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:17 2015 +0200

      hw/pci-bridge: format special OFW unit address for PXB host

      We have agreed that OpenFirmware device paths in the "bootorder" fw_cfg
      file should follow the pattern

        /pci@i0cf8,%x/...

      for devices that live behind an extra root bus. The extra root bus in
      question is the %x'th among the extra root buses. (In other words, %x
      gives the position of the affected extra root bus relative to the other
      extra root buses, in bus_nr order.) %x starts at 1, and is formatted in
      hex.

      The portion of the unit address that comes before the comma is dynamically
      taken from the main host bridge, similarly to sysbus_get_fw_dev_path().

      Cc: Kevin O'Connor <kevin@xxxxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0b336b3b98d8983d821ef9b0f159acc7c77cbac7
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:16 2015 +0200

      hw/core: explicit OFW unit address callback for SysBusDeviceClass

      The sysbus_get_fw_dev_path() function formats OpenFirmware device path
      nodes ("driver-name@unit-address") for sysbus devices. The first choice
      for "unit-address" is the base address of the device's first MMIO region.
      The second choice is its first IO port.

      However, if two sysbus devices with the same "driver-name" lack both MMIO
      and PIO resources, then there is no good way to distinguish them based on
      their OFW nodes, because in this case unit-address is omitted completely
      for both devices. An example is TYPE_PXB_HOST ("pxb-host").

      For the sake of such devices, introduce the explicit_ofw_unit_address()
      "virtual member function". With this function, each sysbus device in the
      same SysBusDeviceClass can state its own address.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d10dda2d60c8c225a89a53d53add799b69f6bb46
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:14 2015 +0200

      hw/pci-bridge: disable SHPC in PXB

      OVMF downloads the ACPI linker/loader script from QEMU when the edk2 PCI
      Bus driver globally signals the firmware that PCI enumeration and resource
      allocation have completed. At this point QEMU regenerates the ACPI payload
      in an fw_cfg read callback, and this is when the PXB's _CRS gets
      populated.

      Unfortunately, when this happens, the PCI_COMMAND_MEMORY bit is clear in
      the root bus's command register, *unlike* under SeaBIOS. The consequences
      unfold as follows:

      - When build_crs() fetches dev->io_regions[i].addr, it is all-bits-one,
        because pci_update_mappings() --> pci_bar_address() calculated it as
        PCI_BAR_UNMAPPED, due to the PCI_COMMAND_MEMORY bit being clear.

      - Consequently, the SHPC MMIO BAR (bar 0) of the bridge is not added to
        the _CRS, *despite* having been programmed in PCI config space.

      - Similarly, the SHPC MMIO BAR of the PXB is not removed from the main
        root bus's DWordMemory descriptor.

      - Guest OSes (Linux and Windows alike) notice the pre-programmed SHPC BAR
        within the PXB's config space, and notice that it conflicts with the
        main root bus's memory resource descriptors. Linux reports

        pci 0000:04:00.0: BAR 0: can't assign mem (size 0x100)
        pci 0000:04:00.0: BAR 0: trying firmware assignment [mem
                                 0x88200000-0x882000ff 64bit]
        pci 0000:04:00.0: BAR 0: [mem 0x88200000-0x882000ff 64bit] conflicts
                                 with PCI Bus 0000:00 [mem
                                 0x88200000-0xfebfffff]

        While Windows Server 2012 R2 reports

          https://technet.microsoft.com/en-us/library/cc732199%28v=ws.10%29.aspx

          This device cannot find enough free resources that it can use. If you
          want to use this device, you will need to disable one of the other
          devices on this system. (Code 12)

      This issue was apparently encountered earlier, see the "hack" in:

        https://lists.nongnu.org/archive/html/qemu-devel/2015-01/msg02983.html

      and the current hole-punching logic in build_crs() and build_ssdt() is
      probably supposed to remedy exactly that problem -- however, for OVMF they
      don't work, because at the end of the PCI enumeration and resource
      allocation, which cues the ACPI linker/loader client, the command register
      is clear.

      The "shpc" property of "pci-bridge", introduced in the previous patches,
      allows us to disable the standard hotplug controller cleanly, eliminating
      the SHPC bar and the conflict.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4e5c9bfecf5da13e8e0f790002a55bb1cc0437b1
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:13 2015 +0200

      hw/pci-bridge: introduce "shpc" property

      In the PCI expander bridge, we will want to disable those features of
      pci-bridge that relate to SHPC (standard hotplug controller):

      - SHPC bar and underlying MemoryRegion
      - interrupt (INTx or MSI)
      - effective hotplug callbacks
      - other SHPC hooks (initialization, cleanup, migration etc)

      Introduce a new feature request bit in the PCIBridgeDev.flags field, and
      turn off the above if the bit is explicitly cleared.

      Suggested-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 23ab143dcce8d7f758eb6946ebf68d8689018a9c
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:12 2015 +0200

      hw/pci: introduce shpc_present() helper function

      It follows msi_present() in "include/hw/pci/msi.h".

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 7a7c6a41c5583b24f6a35b02c7f68c84ebd7e177
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:11 2015 +0200

      hw/pci-bridge: add macro for "msi" property

      This should help catch property name typos at compile time.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3cf0ecb3c4f9bb6a7a58a62c0209509b4c9d13c6
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:10 2015 +0200

      hw/pci-bridge: add macro for "chassis_nr" property

      This should help catch property name typos at compile time.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0034e56209c1333bfca53356ce82663d801a15c5
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:09 2015 +0200

      hw/pci-bridge: expose _test parameter in SHPC_VMSTATE()

      Change the signature of the function-like macro SHPC_VMSTATE(), so that we
      can produce and expect this field conditionally in the migration stream,
      starting with an upcoming patch.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9df0b0e09c48ad543e6d12ee0c17d1857f83d3ca
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Fri Jun 19 04:40:08 2015 +0200

      migration: introduce VMSTATE_BUFFER_UNSAFE_INFO_TEST()

      There is no _TEST() variant of VMSTATE_BUFFER_UNSAFE_INFO() yet, but we'll
      soon need it. Introduce it and rebase the original
      VMSTATE_BUFFER_UNSAFE_INFO() on top.

      The parameter order of the new function-like macro follows that of
      VMSTATE_SINGLE_TEST(): "_test" is introduced between "_state" and
      "_version".

      Cc: Juan Quintela <quintela@xxxxxxxxxx>
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 355df30554445c043a12168e9c5f912742050548
  Merge: 000d604 3de3d69
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 23 18:25:55 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-06-23' into staging

      trivial patches for 2015-06-23

      # gpg: Signature made Tue Jun 23 18:23:45 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-06-23: (21 commits)
        util/qemu-sockets: improve ai_flag hints for ipv6 hosts
        hw/display/tcx.c: Fix memory leak
        hw/display/cg3.c: Fix memory leak
        Makefile: Add "make ctags"
        Makefile: Fix "make cscope TAGS"
        qemu-options: Use @itemx where appropriate
        qemu-options: Improve -global documentation
        throttle: Fix typo in the documentation of block_set_io_throttle
        hw/display/qxl-logger.c: Constify some variable
        configure: rearrange --help and consolidate enable/disable together
        libcacard: pkgconfig: tidy dependent libs
        vt82c686: QOMify
        xen_pt: QOMify
        wdt_i6300esb: QOMify
        piix4: QOMify
        piix: piix3 QOMify
        pci-assign: QOMify
        Print error when failing to load PCI config data
        Grammar: 'as to'->'as for'
        remove libdecnumber/dpd/decimal128Local.h
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3de3d698d942d1116152417f882c897b26b44e41
  Author: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
  Date:   Thu May 21 14:33:29 2015 +0200

      util/qemu-sockets: improve ai_flag hints for ipv6 hosts

      *) Do not use AI_ADDRCONFIG on listening sockets, because this flag
      makes it impossible to explicitly listen on '127.0.0.1' if no global
      ipv4 address is configured additionally, making this a very
      uncomfortable option.
      *) Add AI_V4MAPPED hint for connecting sockets.

      If your system is globally only connected via ipv6 you often still want
      to be able to use '127.0.0.1' and 'localhost' (even if localhost doesn't
      also have an ipv6 entry).
      For example, PVE - unless explicitly asking for insecure mode - uses
      ipv4 loopback addresses with QEMU for live migrations tunneled over SSH.
      These fail to start because AI_ADDRCONFIG makes getaddrinfo refuse to
      work with '127.0.0.1'.

      As for the AI_V4MAPPED flag: glibc uses it by default, and providing
      non-0 flags removes it. I think it makes sense to use it.

      I also want to point out that glibc explicitly sidesteps POSIX standards
      when passing 0 as hints by then assuming both AI_V4MAPPED and
      AI_ADDRCONFIG (the latter being a rather weird choice IMO), while
      according to POSIX.1-2001 it should be assumed 0. (glibc considers its
      choice an improvement.)
      Since either AI_CANONNAME or AI_PASSIVE are passed in our cases, glibc's
      default flags in turn are disabled again unless explicitly added, which
      I do with this patch.

      Signed-off-by: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 8684e85ca911b41d6a82ac5bcc5a0bfaba5eb7da
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 28 19:13:45 2015 +0800

      hw/display/tcx.c: Fix memory leak

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 22b2aeb82c811b227862c21e7a607087efbe5563
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 28 19:13:42 2015 +0800

      hw/display/cg3.c: Fix memory leak

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ae5fdc81a16534ea04fc475f8723e81857c46ad4
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 22 13:35:08 2015 +0800

      Makefile: Add "make ctags"

      This generates ctags file

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit eaa2ddbb76798ec70d12351c0db43a7728d29150
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 22 13:35:07 2015 +0800

      Makefile: Fix "make cscope TAGS"

      Cscope and TAGS files work in source directory rather than the build
      directory, also, don't ask users to run configure first, because they
      may have an out of tree build.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f9cfd6555a3afb142a74a68438c6f4ee4c127e66
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Jun 15 14:35:59 2015 +0200

      qemu-options: Use @itemx where appropriate

      Doesn't appear to make a difference, but let's use it consistently.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ae08fd5a365e650d70acfe1d9027501707041b52
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Jun 15 14:35:58 2015 +0200

      qemu-options: Improve -global documentation

      Recent commit 3751d7c "vl: allow full-blown QemuOpts syntax for
      -global" overloaded its existing argument syntax DRIVER.PROP=VALUE
      with QemuOpts syntax.  Unambigious as long as no DRIVER contains '='.

      Its documentation claims that "the two syntaxes are equivalent."
      Improve it to spell out how exactly the old syntax gets desugared into
      the new one.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6b932c0a5f951f1cfd3c459d8946074b9df8b829
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 15 16:12:52 2015 +0300

      throttle: Fix typo in the documentation of block_set_io_throttle

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a91e21186f81f712af8c02c7eec996ce25fb391f
  Author: Frediano Ziglio <fziglio@xxxxxxxxxx>
  Date:   Thu Jun 11 14:17:56 2015 +0100

      hw/display/qxl-logger.c: Constify some variable

      Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c23f23b970ae8ce75d2254c64cf23d95a757811e
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Wed Jun 17 22:19:26 2015 +0300

      configure: rearrange --help and consolidate enable/disable together

      This is an attempt to rearrange configure --help output a bit
      and consolidate pairs of --enable/disable into its own section.

      After this, help text is easier to sort, manage and read.
      More descriptive text can be added as well, since we now have
      more space.

      While at it, mention en/dis-able-vte.

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1e4db0595777b9b9a5a6a9f49ac3d187dda341f9
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Wed Jun 17 21:02:03 2015 +0300

      libcacard: pkgconfig: tidy dependent libs

      libcacard.pc file lists only one package in Requires
      field, which is nss, while glib-2.0 is also a requiriment.
      Furthermore, for libraries used internally by the library
      (this is the way nss and glib are used by libcacard),
      Requires.private shold be used instead of Requires.

      Fix both issues.

      This does not affect linking of qemu because it links
      with objects from libcacard directly.

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 417349e6e95d9aa4e0fbc01434de30e8d405ab56
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:27 2015 +0800

      vt82c686: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f9b9d292afcb55f23b8863c0388a4b3e42c79747
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:26 2015 +0800

      xen_pt: QOMify

      Cc: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Tested-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 41fc9050fed524d300062fd8fe7aecd5c7adf5ac
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:25 2015 +0800

      wdt_i6300esb: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit acff3e48b7e1ac18e034cc612346bdc38ad96ee1
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:24 2015 +0800

      piix4: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b7c69719d21bea305b7cff6ecde0974edc5ff4b8
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:23 2015 +0800

      piix: piix3 QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1ea6305a834a01bba55309d012ee1fdc46c3eff2
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 13 08:43:22 2015 +0800

      pci-assign: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7c59364d0329d36a7759033962a469ca714f884d
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Jun 3 17:58:01 2015 +0100

      Print error when failing to load PCI config data

      When loading migration fails due to a disagreement about
      PCI config data we don't currently get any errors explaining
      that was the cause of the problem or which byte in the config
      data was at fault.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4aab6282f8e1f7652b0470b078a08ab5678fb929
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Wed Jun 3 19:43:56 2015 +0100

      Grammar: 'as to'->'as for'

      Fixup migrate-incoming text as requested by Eric in:

       http://lists.nongnu.org/archive/html/qemu-devel/2015-03/msg03362.html

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit bfa3ab619731653e752c7cf0ab3395ec8e70fe79
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Wed Jun 3 17:37:27 2015 +0300

      remove libdecnumber/dpd/decimal128Local.h

      Commit 72ac97cdfc added two equivalent versions of decimal128Local.h,
      one in libdecnumber/dpd/ and another in include/libdecnumber/dpd/.
      Being identical by the code, the two files however differs in the
      licensing terms.  The one in libdecnumber/dpd/ (which is being
      removed by this patch) is licensed as GPL3.1 (plus gcc runtime
      exception), which, as far as I know, is not compatible with GPL-2.
      This file is not used (it is included from
      include/libdecnumber/dpd/decimal128.h, so version in include/ is
      used).

      More, the version in include/ can also be removed, since none
      of the 3 defines from that file are actually used by the code.
      Even more, one of the defines from there, decimal128SetSign,
      is redefined (to equivalent value) in libdecnumber/dpd/decimal128.c,
      but again, never used.

      What a mess...

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a4969e90b8110d6880d1a7fcb3cab27c316a0d3e
  Author: Alex Bennée <alex.bennee@xxxxxxxxxx>
  Date:   Wed Jun 3 14:22:41 2015 +0100

      configure: append --extra-ldflags to LDFLAGS

      The help text says --extra-ldflags is appended to LDFLAGS so make it so.

      Signed-off-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 000d6042da0d73e5a71318b5fa96e5a084534d12
  Merge: 6966b2a ffffbb3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 23 17:46:20 2015 +0100

      Merge remote-tracking branch 'remotes/sstabellini/tags/xen-220615-3' into 
staging

      xen-220615, more SOB lines

      # gpg: Signature made Tue Jun 23 17:19:08 2015 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-220615-3:
        Revert "xen-hvm: increase maxmem before calling 
xc_domain_populate_physmap"
        xen/pass-through: constify some static data
        xen/pass-through: log errno values rather than function return ones
        xen/pass-through: ROM BAR handling adjustments
        xen/pass-through: fold host PCI command register writes

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ffffbb369f3ed9bca5ff2867143f76d0c6e069c0
  Author: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
  Date:   Mon Jun 22 13:00:42 2015 +0000

      Revert "xen-hvm: increase maxmem before calling 
xc_domain_populate_physmap"

      This reverts commit c1d322e6048796296555dd36fdd102d7fa2f50bf.

      The original commit fixes a bug when assigning a large number of
      devices which require option roms to a guest.  (One known
      configuration that needs extra memory is having more than 4 emulated
      NICs assigned.  Three or fewer NICs seems to work without this
      functionality.)

      However, by unilaterally increasing maxmem, it introduces two
      problems.

      First, now libxl's calculation of the required maxmem during migration
      is broken -- any guest which exercised this functionality will fail on
      migration.  (Guests which have the default number of devices are not
      affected.)

      Secondly, it makes it impossible for a higher-level toolstack or
      administer to predict how much memory a VM will actually use, making
      it much more difficult to effectively use all of the memory on a
      machine.

      Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 74526eb01886ca45774c1e9c736f61536fa2bda1
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Fri Jun 5 13:04:55 2015 +0100

      xen/pass-through: constify some static data

      This is done indirectly by adjusting two typedefs and helps emphasizing
      that the respective tables aren't supposed to be modified at runtime
      (as they may be shared between devices).

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 3782f60d2047cb86567889307ce78baacf518635
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Fri Jun 5 13:04:18 2015 +0100

      xen/pass-through: log errno values rather than function return ones

      Functions setting errno commonly return just -1, which is of no
      particular use in the log file.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 69976894c1d91c4b0c985fa05936cb6b8d01382b
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Mon Jun 8 14:11:51 2015 +0100

      xen/pass-through: ROM BAR handling adjustments

      Expecting the ROM BAR to be written with an all ones value when sizing
      the region is wrong - the low bit has another meaning (enable/disable)
      and bits 1..10 are reserved. The PCI spec also mandates writing all
      ones to just the address portion of the register.

      Use suitable constants also for initializing the ROM BAR register field
      description.

      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

  commit 950fe0aa3f55ad6bb135fc9cde9ebf4df05f62fc
  Author: Jan Beulich <JBeulich@xxxxxxxx>
  Date:   Fri May 15 13:46:11 2015 +0100

      xen/pass-through: fold host PCI command register writes

      The code introduced to address XSA-126 allows simplification of other
      code in xen_pt_initfn(): All we need to do is update "cmd" suitably,
      as it'll be written back to the host register near the end of the
      function anyway.

      Signed-off-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

  commit eb6c6a604890201e321a6ace32973d10dc033245
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 18 12:17:29 2015 +0200

      add pci-bridge-seat

      Simplifies multiseat configuration, see
      docs/multiseat.txt update for details.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 72d97b3a543a9c2c820bd463ba24751ae4247ac3
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Tue Jun 9 05:31:53 2015 +0200

      pc: cleanup and convert TMP ACPI device description to AML API

      remove some code duplication in acpi-build.c and drop 5
      ASL and binary blobs files with TPM ACPI device description,
      replacing them with 1 small hunk written in AML API.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0e0b3592f6cfc56b3a4cc2c040552b7caaf2329f
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Tue Jun 23 08:09:34 2015 +0200

      MAINTAINERS: add ACPI entry

      Igor agreed to help review ACPI patches, add an entry to MAINTAINERS
      with all ACPI stuff I could think of.
      Note: I listed ARM ACPI files here just to make sure we are Cc'd, no
      plan to maintain ACPI for ARM through my tree :)

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 16617e36b02ebdc83f215d89db9ac00f7d6d6d83
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:13:14 2015 +0800

      vhost: correctly pass error to caller in vhost_dev_enable_notifiers()

      We override the error value r in fail_vq, this will cause the caller
      can't detect the failure which may cause the caller may disable the
      notifiers twice if vhost is failed to start. Fix this by using another
      variable to keep track the return value of set_host_notifier().

      Fixes b0b3db79559e57db340b292621c397e7a6cdbdc5 ("vhost-net: cleanup
      host notifiers at last step")

      Cc: qemu-stable@xxxxxxxxxx
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e3816255bf4b6377bb405331e2ee0dc14d841b80
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Mon Jun 15 13:52:52 2015 +0300

      balloon: add a feature bit to let Guest OS deflate balloon on oom

      Excessive virtio_balloon inflation can cause invocation of OOM-killer,
      when Linux is under severe memory pressure. Various mechanisms are
      responsible for correct virtio_balloon memory management. Nevertheless it
      is often the case that these control tools does not have enough time to
      react on fast changing memory load. As a result OS runs out of memory and
      invokes OOM-killer. The balancing of memory by use of the virtio balloon
      should not cause the termination of processes while there are pages in the
      balloon. Now there is no way for virtio balloon driver to free memory at
      the last moment before some process get killed by OOM-killer.

      This does not provide a security breach as balloon itself is running
      inside Guest OS and is working in the cooperation with the host. Thus
      some improvements from Guest side should be considered as normal.

      To solve the problem, introduce a virtio_balloon callback which is
      expected to be called from the oom notifier call chain in out_of_memory()
      function. If virtio balloon could release some memory, it will make the
      system return and retry the allocation that forced the out of memory
      killer to run.

      This behavior should be enabled if and only if appropriate feature bit
      is set on the device. It is off by default.

      This functionality was recently merged into vanilla Linux.

        commit 5a10b7dbf904bfe01bb9fcc6298f7df09eed77d5
        Author: Raushaniya Maksudova <rmaksudova@xxxxxxxxxxxxx>
        Date:   Mon Nov 10 09:36:29 2014 +1030

      This patch adds respective control bits into QEMU. It introduces
      deflate-on-oom option for balloon device which does the trick.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Raushaniya Maksudova <rmaksudova@xxxxxxxxxxxxx>
      CC: Anthony Liguori <aliguori@xxxxxxxxxx>
      CC: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      Acked-by: James Bottomley <JBottomley@xxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 6b64640dd25846c4de42aa433db56e0ff975993a
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Thu May 21 09:50:10 2015 +0800

      iov: don't touch iov in iov_send_recv()

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Message-id: 555D39D2.4000705@xxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3307ed7b3fac5ba99eb3b84904b0b7cdc3592a61
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:45:00 2015 +0300

      raw-posix: Introduce hdev_is_sg()

      Until now, an SG device was identified only by checking if its path
      started with "/dev/sg". Then, hdev_open() would set the bs->sg flag
      accordingly. The patch relies on the actual properties of the device
      instead of the specified file path.

      To this end, test for an SG device (e.g. /dev/sg0) by ensuring that
      all of the following holds:

       - The specified file name corresponds to a character device
       - The device supports the SG_GET_VERSION_NUM ioctl
       - The device supports the SG_GET_SCSI_ID ioctl

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Message-id: 1435056300-14924-6-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a93a3982a6645463fa822131d38b17284edd5633
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:44:59 2015 +0300

      raw-posix: Use DPRINTF for DEBUG_FLOPPY

      Get rid of several #ifdef DEBUG_FLOPPY and substitute them with
      DPRINTF.

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435056300-14924-5-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit bcb225550dcc0d6fcef8e97012bae572ba78f73a
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:44:58 2015 +0300

      raw-posix: DPRINTF instead of DEBUG_BLOCK_PRINT

      Building the QEMU tools fails if we #define DEBUG_BLOCK inside
      block/raw-posix.c. Here instead of adding qemu-log.o in block-obj-y
      so that DEBUG_BLOCK_PRINT can be used, we substitute the latter with
      a simple DPRINTF() (that does not cause bit-rot).

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435056300-14924-4-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1b6bc94d5d43ff3e39abadae19f2dbcb0954eb93
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:44:57 2015 +0300

      Fix migration in case of scsi-generic

      During migration, QEMU uses fsync()/fdatasync() on the open file
      descriptor for read-write block devices to flush data just before
      stopping the VM.

      However, fsync() on a scsi-generic device returns -EINVAL which
      causes the migration to fail. This patch skips flushing data in case
      of an SG device, since submitting SCSI commands directly via an SG
      character device (e.g. /dev/sg0) bypasses the page cache completely,
      anyway.

      Note that fsync() not only flushes the page cache but also the disk
      cache. The scsi-generic device never sends flushes, and for
      migration it assumes that the same SCSI device is used by the
      destination host, so it does not issue any SCSI SYNCHRONIZE CACHE
      (10) command.

      Finally, remove the bdrv_is_sg() test from iscsi_co_flush() since
      this is now redundant (we flush the underlying protocol at the end
      of bdrv_co_flush() which, with this patch, we never reach).

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435056300-14924-3-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b192af8acc597a6e8068873434e56e0c7de1b7d3
  Author: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
  Date:   Tue Jun 23 13:44:56 2015 +0300

      block: Use bdrv_is_sg() everywhere

      Instead of checking bs->sg use bdrv_is_sg() consistently throughout
      the code.

      Signed-off-by: Dimitris Aragiorgis <dimara@xxxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1435056300-14924-2-git-send-email-dimara@xxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 25940fa7e57ffce9d495b4c2aadc39790535856d
  Author: Lu Lina <lina.lulina@xxxxxxxxxx>
  Date:   Fri Jun 19 14:27:34 2015 +0800

      nvme: Fix memleak in nvme_dma_read_prp

      Signed-off-by: Lu Lina <lina.lulina@xxxxxxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Message-id: 1434695254-69808-1-git-send-email-kathy.wangting@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d5941ddae82a35771656d7e35f64f7f8f19c5627
  Author: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
  Date:   Fri Jun 19 11:35:29 2015 +0200

      vvfat: add a label option

      Until now the vvfat volume label was hardcoded to be
      "QEMU VVFAT", now you can pass a file.label=labelname option
      to the -drive to change it.

      The FAT structure defines the volume label to be limited to
      11 bytes and is filled up spaces when shorter than that. The
      trailing spaces however aren't exposed to the user by
      operating systems.

      [Added missing comment '#' characters in block-core.json to fix build
      errors.
      --Stefan]

      Signed-off-by: Wolfgang Bumiller <w.bumiller@xxxxxxxxxxx>
      Message-id: 1434706529-13895-2-git-send-email-w.bumiller@xxxxxxxxxxx
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c6a8c3283f1d53e360073bdb32f87a97e78e2880
  Author: Wen Congyang <wency@xxxxxxxxxxxxxx>
  Date:   Fri May 22 09:29:46 2015 +0800

      util/hbitmap: Add an API to reset all set bits in hbitmap

      The function bdrv_clear_dirty_bitmap() is updated to use
      faster hbitmap_reset_all() call.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 555E868A.60506@xxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6e40b3bfc7e82823cf4df5f0bf668f56db41e53a
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 13:37:20 2015 +0300

      virtio-blk: Use blk_drain() to drain IO requests

      Each call of the virtio_blk_reset() function calls blk_drain_all(),
      which works for all existing BlockDriverStates, while draining only
      one is needed.

      This patch replaces blk_drain_all() by blk_drain() in
      virtio_blk_reset(). virtio_blk_data_plane_stop() should be called
      after draining because it restores vblk->complete_request.

      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Message-id: 1434537440-28236-3-git-send-email-yarygin@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 97b0385a346829cf03efe131a26a4b6a4cd0a21f
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 13:37:19 2015 +0300

      block-backend: Introduce blk_drain()

      This patch introduces the blk_drain() function which allows to replace
      blk_drain_all() when only one BlockDriverState needs to be drained.

      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1434537440-28236-2-git-send-email-yarygin@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2f388b93a147258f9dbc83ebe63365edac4aa7a2
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 15 18:41:15 2015 +0300

      throttle: Check current timers before updating any_timer_armed[]

      Calling throttle_group_config() cancels all timers from a particular
      BlockDriverState, so any_timer_armed[] should be updated accordingly.

      However, with the current code it may happen that a timer is armed in
      a different BlockDriverState from the same group, so any_timer_armed[]
      would be set to false in a situation where there is still a timer
      armed.

      The consequence is that we might end up with two timers armed. This
      should not have any noticeable impact however, since all accesses to
      the ThrottleGroup are protected by a lock, and the situation would
      become normal again shortly thereafter as soon as all timers have been
      fired.

      The correct way to solve this is to check that we're actually
      cancelling a timer before updating any_timer_armed[].

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1434382875-3998-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f406c03c093f1451ac0ba7fde31eeb78e5e5e417
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 10 14:38:17 2015 +0300

      block: Let bdrv_drain_all() to call aio_poll() for each AioContext

      After the commit 9b536adc ("block: acquire AioContext in
      bdrv_drain_all()") the aio_poll() function got called for every
      BlockDriverState, in assumption that every device may have its own
      AioContext. If we have thousands of disks attached, there are a lot of
      BlockDriverStates but only a few AioContexts, leading to tons of
      unnecessary aio_poll() calls.

      This patch changes the bdrv_drain_all() function allowing it find shared
      AioContexts and to call aio_poll() only for unique ones.

      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Tested-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-id: 1433936297-7098-4-git-send-email-yarygin@xxxxxxxxxxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6966b2a07190004e18ede33ce50a65009b36f3a6
  Merge: a320697 a5d4d7b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 23 13:32:50 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150623-1' 
into staging

      virtio-input: property fixes, add evdev passthrough

      # gpg: Signature made Tue Jun 23 09:33:29 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150623-1:
        Add MAINTAINERS entry for virtio-input
        virtio-input: evdev passthrough
        virtio-input: move properties, use virtio_instance_init_common

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3206972a9eab65ec8e8f9ae320ad628ba4b58f1
  Merge: 0c8ff72 a0b1a66
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 23 10:38:00 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-06-22' into staging

      Monitor patches

      # gpg: Signature made Mon Jun 22 18:56:18 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-06-22: (24 commits)
        Include monitor/monitor.h exactly where needed
        Include qapi/qmp/qerror.h exactly where needed
        qerror: Move #include out of qerror.h
        qerror: Finally unused, clean up
        qmp: Wean off qerror_report()
        tpm: Avoid qerror_report() outside QMP command handlers
        qerror: Clean up QERR_ macros to expand into a single string
        qerror: Eliminate QERR_DEVICE_NOT_FOUND
        vl: Use error_report() for --display errors
        vl: Avoid qerror_report() outside QMP command handlers
        QemuOpts: Wean off qerror_report_err()
        qdev-monitor: Propagate errors through qdev_device_add()
        qdev-monitor: Propagate errors through set_property()
        qdev-monitor: Convert qbus_find() to Error
        qdev-monitor: Fix check for full bus
        qdev-monitor: Stop error avalanche in qbus_find_recursive()
        disas: Remove uses of CPU env
        monitor: Split mon_get_cpu fn to remove ENV_GET_CPU
        monitor: Fix failure path for "S" argument
        monitor: Point to "help" command on syntax error
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a5d4d7b580f42c47d240a2068c810e4147147f6e
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jun 19 10:25:34 2015 +0200

      Add MAINTAINERS entry for virtio-input

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 006a5edebe656114e0e0a6fb24b8aae6401c1cf4
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 28 09:18:47 2014 +0100

      virtio-input: evdev passthrough

      This allows to assign host input devices to the guest:

      qemu -device virtio-input-host-pci,evdev=/dev/input/event<nr>

      The guest gets exclusive access to the input device, so be careful
      with assigning the keyboard if you have only one connected to your
      machine.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6f2b9a5b24c488d38ace01910c684749ff922e26
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 18 17:45:47 2015 +0200

      virtio-input: move properties, use virtio_instance_init_common

      Move properties from virtio-*-pci to virtio-*-device.
      Also make better use of QOM and attach common properties
      to the abstract parent classes (virtio-input-device and
      virtio-input-pci-device).

      Switch the hid device instance init functions over to use
      virtio_instance_init_common, so we get the properties of the
      virtio device aliased properly to the virtio pci proxy.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1fa795a853255fcc93e5d3e2a92d161a2ed96eb8
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Jun 23 09:53:05 2015 +0800

      qdev: fix OVERFLOW_BEFORE_WIDEN

      Potentially overflowing expression "1 << prop->bitnr" with
      type "int" (32 bits, signed) is evaluated using 32-bit arithmetic,
      and then used in a context that expects an expression of type
      "uint64_t" (64 bits, unsigned).

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3750dabc69d76f0938cc726a64a70e4ae2fe21df
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Jun 23 09:53:04 2015 +0800

      virito-pci: fix OVERRUN problem

      Overrunning array "proxy->guest_features" of 2 4-byte
      elements at element index 2 (byte offset 8) using index
      "proxy->gfselect" (which evaluates to 2). Normally, the
      Linux kernel driver just read/write '0' or '1' as the
      "proxy->gfselect" values, so using '<' instead of '=<' to
      make coverity happy and avoid potential harm.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a0b1a66ea39bca011108734147a72232a4d08c7a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 18:16:21 2015 +0100

      Include monitor/monitor.h exactly where needed

      In particular, don't include it into headers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit cc7a8ea740ec74a144e866a1d24aa6b490e31923
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 17:22:46 2015 +0100

      Include qapi/qmp/qerror.h exactly where needed

      In particular, don't include it into headers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit d49b68364414d649b8e26232f2a600d415611662
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 18:29:20 2015 +0100

      qerror: Move #include out of qerror.h

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 4629ed1e98961bbe678db68ef5f4342ff174a6c3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 14:29:59 2015 +0100

      qerror: Finally unused, clean up

      Remove it except for two things in qerror.h:

      * Two #include to be cleaned up separately to avoid cluttering this
        patch.

      * The QERR_ macros.  Mark as obsolete.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 485febc6d1382a82e4e1640729fffbf0c1392a44
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 17:25:50 2015 +0100

      qmp: Wean off qerror_report()

      The traditional QMP command handler interface

          int qmp_FOO(Monitor *mon, const QDict *params, QObject **ret_data);

      doesn't provide for returning an Error object.  Instead, the handler
      is expected to stash it in the monitor with qerror_report().

      When we rebased QMP on top of QAPI, we didn't change this interface.
      Instead, commit 776574d introduced "middle mode" as a temporary aid
      for converting existing QMP commands to QAPI one by one.  More than
      three years later, we're still using it.

      Middle mode has two effects:

      * Instead of the native input marshallers

            static void qmp_marshal_input_FOO(QDict *, QObject **, Error **)

        it generates input marshallers conforming to the traditional QMP
        command handler interface.

      * It suppresses generation of code to register them with
        qmp_register_command()

        This permits giving them internal linkage.

      As long as we need qmp-commands.hx, we can't use the registry behind
      qmp_register_command(), so the latter has to stay for now.

      The former has to go to get rid of qerror_report().  Changing all QMP
      commands to fit the QAPI mold in one go was impractical back when we
      started, but by now there are just a few stragglers left:
      do_qmp_capabilities(), qmp_qom_set(), qmp_qom_get(), qmp_object_add(),
      qmp_netdev_add(), do_device_add().

      Switch middle mode to generate native input marshallers, and adapt the
      stragglers.  Simplifies both the monitor code and the stragglers.

      Rename do_qmp_capabilities() to qmp_capabilities(), and
      do_device_add() to qmp_device_add, because that's how QMP command
      handlers are named today.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 8b53a19675d2329695179e47aa3797692fb0d9ba
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 12:09:02 2015 +0100

      tpm: Avoid qerror_report() outside QMP command handlers

      qerror_report() is a transitional interface to help with converting
      existing monitor commands to QMP.  It should not be used elsewhere.
      Replace by error_report().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit c6bd8c706a799eb0fece99f468aaa22b818036f3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 11:54:50 2015 +0100

      qerror: Clean up QERR_ macros to expand into a single string

      These macros expand into error class enumeration constant, comma,
      string.  Unclean.  Has been that way since commit 13f59ae.

      The error class is always ERROR_CLASS_GENERIC_ERROR since the previous
      commit.

      Clean up as follows:

      * Prepend every use of a QERR_ macro by ERROR_CLASS_GENERIC_ERROR, and
        delete it from the QERR_ macro.  No change after preprocessing.

      * Rewrite error_set(ERROR_CLASS_GENERIC_ERROR, ...) into
        error_setg(...).  Again, no change after preprocessing.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 75158ebbe259f0bd8bf435e8f4827a43ec89c877
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Mar 16 08:57:47 2015 +0100

      qerror: Eliminate QERR_DEVICE_NOT_FOUND

      Error classes other than ERROR_CLASS_GENERIC_ERROR should not be used
      in new code.  Hiding them in QERR_ macros makes new uses hard to spot.
      Fortunately, there's just one such macro left.  Eliminate it with this
      coccinelle semantic patch:

          @@
          expression EP, E;
          @@
          -error_set(EP, QERR_DEVICE_NOT_FOUND, E)
          +error_set(EP, ERROR_CLASS_DEVICE_NOT_FOUND, "Device '%s' not found", 
E)

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit c6bf0f7ffa90c720377eb6bddd27037041acbc5b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Feb 13 18:23:45 2015 +0100

      vl: Use error_report() for --display errors

      Results in nicer error messages.  Before this patch:

          Invalid GTK option string: gtk,lirum-larum

      After:

          qemu-system-x86_64: -display gtk,lirum-larum: Invalid GTK option 
string

      Of course, the thing ought to use QemuOpts instead of parsing by hand.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 1459407e88632e6d66cd6b71326eaf78e0a80772
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Feb 27 09:47:12 2015 +0100

      vl: Avoid qerror_report() outside QMP command handlers

      qerror_report() is a transitional interface to help with converting
      existing monitor commands to QMP.  It should not be used elsewhere.
      Replace by error_report() in initial startup helpers parse_sandbox()
      and parse_add_fd().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 70b9433109ed99217b812f19800de550e2e0ecd5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Feb 13 12:50:26 2015 +0100

      QemuOpts: Wean off qerror_report_err()

      qerror_report_err() is a transitional interface to help with
      converting existing monitor commands to QMP.  It should not be used
      elsewhere.

      The only remaining user in qemu-option.c is qemu_opts_parse().  Is it
      used in QMP context?  If not, we can simply replace
      qerror_report_err() by error_report_err().

      The uses in qemu-img.c, qemu-io.c, qemu-nbd.c and under tests/ are
      clearly not in QMP context.

      The uses in vl.c aren't either, because the only QMP command handlers
      there are qmp_query_status() and qmp_query_machines(), and they don't
      call it.

      Remaining uses:

      * drive_def(): Command line -drive and such, HMP drive_add and pci_add

      * hmp_chardev_add(): HMP chardev-add

      * monitor_parse_command(): HMP core

      * tmp_config_parse(): Command line -tpmdev

      * net_host_device_add(): HMP host_net_add

      * net_client_parse(): Command line -net and -netdev

      * qemu_global_option(): Command line -global

      * vnc_parse_func(): Command line -display, -vnc, default display, HMP
        change, QMP change.  Bummer.

      * qemu_pci_hot_add_nic(): HMP pci_add

      * usb_net_init(): Command line -usbdevice, HMP usb_add

      Propagate errors through qemu_opts_parse().  Create a convenience
      function qemu_opts_parse_noisily() that passes errors to
      error_report_err().  Switch all non-QMP users outside tests to it.

      That leaves vnc_parse_func().  Propagate errors through it.  Since I'm
      touching it anyway, rename it to vnc_parse().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit f006cf7fa9a63ba8e4ccf57d46231ce594301727
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 12 14:00:41 2015 +0100

      qdev-monitor: Propagate errors through qdev_device_add()

      Also polish an error message while I'm touching the line anyway,

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>

  commit 4caa489d1337c1a72d2e36185e4586ad246b98e1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 12 13:58:02 2015 +0100

      qdev-monitor: Propagate errors through set_property()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>

  commit d282842999b914c38c8be4659012aa619c22af8b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Mar 11 19:16:04 2015 +0100

      qdev-monitor: Convert qbus_find() to Error

      As usual, the conversion breaks printing explanatory messages after
      the error: actual printing of the error gets delayed, so the
      explanations precede rather than follow it.

      Pity.  Disable them for now.  See also commit 7216ae3.

      While there, eliminate QERR_BUS_NOT_FOUND, and clean up unusual
      spelling in the error message.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ed238ba2a0239368dd0cec9bfaf3300a5bd303ce
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Mar 11 18:39:16 2015 +0100

      qdev-monitor: Fix check for full bus

      Property bus has always been too screwed up to be really usable for
      values other than plain bus IDs.  This just fixes a bug that crept in
      in commit 1395af6 "qdev: add a maximum device allowed field for the
      bus."

      It doesn't always fail when it should:

          $ qemu-system-x86_64 -nodefaults -device virtio-serial-pci -device 
virtio-rng-device,bus=pci.0/virtio-serial-pci/virtio-bus

      Happily plugs the virtio-rng-device into the virtio-bus provided by
      virtio-serial-pci, even though its only slot is already occupied by a
      virtio-serial-device.

      And sometimes fails when it shouldn't:

          $ qemu-system-x86_64 -nodefaults -device virtio-serial-pci -device 
virtserialport,bus=virtio-bus/virtio-serial-device

      Yes, the virtio-bus is full, but the virtio-serial-bus provided by
      virtio-serial-device isn't, and that's the one we're trying to use.

      Root cause: we check "bus full" when we resolve the first element of
      the path.  That's the correct one only when it's also the last one.

      Fix by moving the "bus full" check to right before we return a bus.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a5ec494e274ddcad6d487e3872e16964ef57e0de
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Mar 11 17:26:31 2015 +0100

      qdev-monitor: Stop error avalanche in qbus_find_recursive()

      Reproducer:

          $ qemu-system-x86_64 -nodefaults -device virtio-rng-pci -device 
virtio-rng-pci -device virtio-rng-device,bus=virtio-bus
          qemu-system-x86_64: -device virtio-rng-device,bus=virtio-bus: Bus 
'virtio-bus' is full
          qemu-system-x86_64: -device virtio-rng-device,bus=virtio-bus: Bus 
'virtio-bus' is full
          qemu-system-x86_64: -device virtio-rng-device,bus=virtio-bus: Bus 
'virtio-bus' not found

      qbus_find_recursive() reports the "is full" error itself, and leaves
      reporting "not found" to its caller.  The result is confusion.  Write
      it a function contract that permits leaving all error reporting to the
      caller, and implement it.  Update callers to detect and report "is
      full".

      Screwed up when commit 1395af6 added the max_dev limit and the "is
      full" error condition to enforce it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit d49190c4208f2c556c3a01962a81f8a85d522bb1
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 24 14:20:41 2015 -0700

      disas: Remove uses of CPU env

      disas does not need to access the CPU env for any reason. Change the
      APIs to accept CPU pointers instead. Small change pattern needs to be
      applied to all target translate.c. This brings us closer to making
      disas.o a common-obj and less architecture specific in general.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Cc: "Edgar E. Iglesias" <edgar.iglesias@xxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Michael Walle <michael@xxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Cc: Jia Liu <proljc@xxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Cc: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Cc: Guan Xuetao <gxt@xxxxxxxxxxxxxxx>
      Cc: Max Filippov <jcmvbkbc@xxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 5bcda5f7349da01aded719b595f32ce2b9d396db
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 24 14:20:40 2015 -0700

      monitor: Split mon_get_cpu fn to remove ENV_GET_CPU

      The monitor currently has one helper, mon_get_cpu() which will return
      an env pointer. The target specific users of this API want an env, but
      all the target agnostic users really just want the cpu pointer. These
      users then need to use the target-specifically defined ENV_GET_CPU to
      navigate back up to the CPU from the ENV. Split the API for the two
      uses cases to remove all need for ENV_GET_CPU.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e549d2aaeba1cfac207c9a9675cc203e6372a22e
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Wed Jun 3 18:38:10 2015 -0400

      monitor: Fix failure path for "S" argument

      Since the "S" argument type is only used with the "?" flag,
      the bug can't bite.

      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit dd41eea77129a4cd8ae5170b02e0fee175af314e
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Wed Jun 3 18:38:09 2015 -0400

      monitor: Point to "help" command on syntax error

      When a command fails due to incorrect syntax or input, suggest using
      the "help" command to get more information about the command.  This
      is only applicable for HMP.

      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ae50212ff717f3d295ebff352eb7d6cc08332b7e
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Wed Jun 3 18:38:08 2015 -0400

      monitor: cleanup parsing of cmd name and cmd arguments

      There's too much going on in monitor_parse_command().
      Split up the arguments parsing bits into a separate function
      monitor_parse_arguments(). Let the original function check for
      command validity and sub-commands if any and return data (*cmd)
      that the newly introduced function can process and return a
      QDict. Also, pass a pointer to the cmdline to track current
      parser location.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 19f2db5c84e563597bd8b3c3190aef591060dec2
  Author: Bandan Das <bsd@xxxxxxxxxx>
  Date:   Wed Jun 3 18:38:07 2015 -0400

      monitor: remove debug prints

      The preferred solution is to use tracepoints and there
      is good chance of bitrot with the debug prints not being
      enabled at compile time. Remove them.

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Bandan Das <bsd@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 34acbc95229f9f841bde83691a5af949c15e105b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Fri May 15 16:25:00 2015 -0600

      qobject: Use 'bool' inside qdict

      Now that qbool is fixed, let's fix getting and setting a bool
      value to a qdict member to also use C99 bool rather than int.

      I audited all callers to ensure that the changed return type
      will not cause any changed semantics.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fc48ffc39ed1060856475e4320d5896f26c945e8
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Fri May 15 16:24:59 2015 -0600

      qobject: Use 'bool' for qbool

      We require a C99 compiler, so let's use 'bool' instead of 'int'
      when dealing with boolean values.  There are few enough clients
      to fix them all in one pass.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Acked-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 0c8ff723bd29e5c8b2ca989f857ae5c37ec49c4e
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 19 23:43:26 2015 +1000

      m68k: fix usp processing on interrupt entry and exception exit

      The action to potentially switch sp register is not occurring at the 
correct
      point in the interrupt entry or exception exit sequences.

      For the interrupt entry case the sp on entry is used to create the stack
      exception frame - but this may well be the user stack pointer, since we
      haven't done the switch yet. Re-order the flow to switch the sp regs then
      use the current sp to create the exception frame.

      For the return from exception case the code is unwinding the sp after
      switching sp registers. But it should always unwind the supervisor sp
      first, then carry out any required sp switch.

      Note that these problems don't effect operation unless the user sp bit is
      set in the CACR register. Only a single sp is used in the default power up
      state. Previously Linux only used this single sp mode. But modern versions
      of Linux use the user sp mode now, so we need correct behavior for Linux
      to work.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Laurent Vivier <laurent@xxxxxxxxx>
      Tested-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-id: 1434721406-25288-4-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2a8327e8a8288e301a2f01bc3ca2d465a3a4ca78
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 19 23:43:25 2015 +1000

      m68k: implement move to/from usp register instruction

      Fill out the code support for the move to/from usp instructions. They are
      being decoded, but there is no code to support there actions. So add it.

      Current versions of Linux running on the ColdFire 5208 use these 
instructions.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Laurent Vivier <laurent@xxxxxxxxx>
      Tested-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-id: 1434721406-25288-3-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8c52f0cbba76310ad626e54996dbce08c7a8a820
  Author: Greg Ungerer <gerg@xxxxxxxxxxx>
  Date:   Fri Jun 19 23:43:24 2015 +1000

      m68k: implement more ColdFire 5208 interrupt controller functionality

      Implement the SIMR and CIMR registers of the 5208 interrupt controller.
      These are used by modern versions of Linux running on ColdFire (not sure
      of the exact version they were introduced, but they have been in for quite
      a while now).

      Without this change when attempting to run a linux-3.5 kernel you will
      see:

        qemu: hardware error: mcf_intc_write: Bad write offset 28

      and execution will stop and dump out.

      Signed-off-by: Greg Ungerer <gerg@xxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Tested-by: Laurent Vivier <laurent@xxxxxxxxx>
      Message-id: 1434721406-25288-2-git-send-email-gerg@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0a3346f5dea0a679322df804e1e78d7c10d12a9f
  Merge: cb4e0f9 daeba96
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 22 12:50:30 2015 +0100

      Merge remote-tracking branch 
'remotes/afaerber/tags/qom-devices-for-peter' into staging

      QOM infrastructure fixes and device conversions

      * Changes to name string ownership for alias properties
      * Improvements around enum properties
      * Cleanups around -object handling
      * New helper functions
      * Cleanups of qdev init helper functions
      * Add path argument to qom-tree script
      * QTest cleanup to use new qtest_add_data_func() consistently

      # gpg: Signature made Fri Jun 19 18:14:38 2015 BST using RSA key ID 
3E7E013F
      # gpg: Good signature from "Andreas Färber <afaerber@xxxxxxx>"
      # gpg:                 aka "Andreas Färber <afaerber@xxxxxxxx>"

      * remotes/afaerber/tags/qom-devices-for-peter:
        qdev: Un-deprecate qdev_init_nofail()
        qdev: Deprecated qdev_init() is finally unused, drop
        qom: Don't pass string table to object_get_enum() function
        qom: Add an object_property_add_enum() helper function
        qom: Make enum string tables const-correct
        qom: Add object_new_with_props() / object_new_withpropv() helpers
        qom: Add helper function for getting user objects root
        vl: Create (most) objects before creating chardev backends
        doc: Document user creatable object types in help text
        backends: Fix typename of 'policy' enum property in hostmem obj
        scripts: Add support for path as argument of qom-tree
        tests: Use qtest_add_data_func() consistently
        qdev: Free property names after registering gpio aliases
        qom: strdup() target property name on object_property_add_alias()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cb4e0f9ddf7d45de7e4716cbab661ea568bd0b6c
  Merge: ad7020a e4a511f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 22 11:50:07 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * i8254 security fix
      * Avoid long 100% CPU wait after restarting guests that use the periodic 
timer
      * Fixes for access clamping (WinXP, MIPS)
      * wixl/.msi support for qemu-ga on Windows

      # gpg: Signature made Fri Jun 19 11:30:53 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        exec: clamp accesses against the MemoryRegionSection
        exec: do not clamp accesses to MMIO regions
        mc146818rtc: Reset the periodic timer on load
        qemu-timer: Call clock reset notifiers on forward jumps
        tests: virtio-scsi: Add test for unaligned WRITE SAME
        tests: virtio-scsi: Move start/stop to individual test functions
        libqos: Complete virtio device ID definition list
        libqos: Allow calling guest_free on NULL pointer
        tests: Link libqos virtio object to virtio-scsi-test
        i8254: fix out-of-bounds memory access in pit_ioport_read()
        qemu-ga: Building Windows MSI installation with configure/Makefile
        qemu-ga: Introduce Windows MSI script
        qemu-ga: debug printouts to help troubleshoot installation
        qemu-ga: adding vss-[un]install options
        qemu-log: Open file for logging when specified

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ad7020a7e7b27d468ecc2aacb04ba4eb09017074
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:52 2015 -0700

      target-microblaze: Remove dead code

      This code is already being run in the mb_cpu_realizefn()
      function. As PVR registers are preserved on reset this
      code is not required.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 033af8e9aaba1994c4816cea5828aaddc383a907
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:48 2015 -0700

      s3adsp1800: Remove the hardcoded values from the reset

      Remove the hardcoded values from the machine specific reset
      function, as the same values are already set in the standard
      MicroBlaze reset.

      This also allows the entire reset function to be deleted, as
      PVR registers are now preserved on reset.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit a87310a62d1885b8f6d6b5b30227cbd9792d2c3c
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:45 2015 -0700

      ml605_mmu: Move the hardcoded values to the init function

      Move the hard coded register values to the init function.
      This also allows the entire reset function to be deleted, as
      PVR registers are now preserved on reset.

      The hardcoded PVR0 values can be removed as they are setting
      the endianness and stack protection, which is already done
      or invalid.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 6fad9e986b82c7c7ed7cfa0cc3ee38b3510a5432
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:42 2015 -0700

      target-microblaze: Convert pvr-full to a CPU property

      Originally the pvr-full PVR bits were manually set for each machine. This
      is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 72e38754853443830152a3cfe586db1d9b15e8fe
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:38 2015 -0700

      target-microblaze: Convert version_mask to a CPU property

      Originally the version_mask PVR bits were manually set for each
      machine. This is a hassle and difficult to read, instead set them
      based on the CPU properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit a88bbb006a523deabb90245a283d1914abd34e3e
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:35 2015 -0700

      target-microblaze: Convert endi to a CPU property

      Originally the endi PVR bits were manually set for each machine. This
      is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit a6c3ed24748f06742413e174167b0faa7030c244
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:32 2015 -0700

      target-microblaze: Convert dcache-writeback to a CPU property

      Originally  the dcache-writeback PVR bits were manually set for each 
machine.
      This is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 714461237083c1eadcb9d686f8ce4088737c1d0a
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:29 2015 -0700

      target-microblaze: Convert use-mmu to a CPU property

      Originally the use-mmu PVR bits were manually set for each machine. This
      is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit be67e9ab9740d5a80e5c37bfd35247a4e449bc5a
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Thu Jun 18 21:16:25 2015 -0700

      target-microblaze: Rename the usefpu variable

      Rename the usefpu variable to use_fpu.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit f44c475cb6ded298486a589c4205ab70e485b48c
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:32:35 2015 +1000

      target-microblaze: Disable stack protection by default

      Stack protection is not available when the MMU is enabled.
      As the MMU is enabled by default, disable stack protection
      by default.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 4e5d45ae5756123b3b7000c8b0b3d3a9ea4737da
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:31:58 2015 +1000

      target-microblaze: Convert use-fpu to a CPU property

      Originally the use-fpu PVR bits were manually set for each machine. This
      is a hassle and difficult to read, instead set them based on the CPU
      properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit f27183abaaaf48e9d1f8469c7e99a987444f4410
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:31:20 2015 +1000

      target-microblaze: Tidy up the base-vectors property

      Rename the "xlnx.base-vectors" string to "base-vectors" and
      move the base_vectors variable into the cfg struct.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 9aaaa181949e4a23ca298fb7006e2d8bac842e92
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:30:43 2015 +1000

      target-microblaze: Allow the stack protection to be disabled

      Microblaze stack protection is configurable and isn't always enabled.
      This patch allows the stack protection to be disabled from the
      CPU properties.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 8bac22423e4c3b70082dd6c1b492ccf21f3b5a0c
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:30:05 2015 +1000

      target-microblaze: Preserve the pvr registers during reset

      Move the Microblaze PVR registers to the end of the CPUMBState
      and preserve them during reset. This is similar to what the
      QEMU ARM model does with some of it's registers.

      This allows the Microblaze PVR registers to only be set once
      at realise instead of constantly at reset.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 53432dc9ea37d3be4c8efc3023c2382e9da5334a
  Author: Alistair Francis <alistair.francis@xxxxxxxxxx>
  Date:   Fri May 29 16:29:28 2015 +1000

      target-microblaze: Fix up indentation

      Fix up the incorrect indentation level in the helper_stackprot() function.

      Signed-off-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit d87636b18f8de901e76bedd9c7f55d3eaed924ee
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 24 20:31:40 2015 -0700

      microblaze: s3adsp: Instantiate CPU using QOM

      Instantiate and realise the CPU directly, rather than using
      cpu_mb_init. Microblazes cpu_model argument is a dummy so remove the
      default cpu_model set logic.

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit daeba9699d41ad79e2f3d34acea9c85c5d67a2ac
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 16:17:23 2015 +0200

      qdev: Un-deprecate qdev_init_nofail()

      It's a perfectly sensible helper function.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 0210afe6690be045cb849b2f16bffabda575a9bf
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 19 16:17:22 2015 +0200

      qdev: Deprecated qdev_init() is finally unused, drop

      qdev_init() is a wrapper around setting property "realized" to true,
      plus error handling that passes errors to qerror_report_err().
      qerror_report_err() is a transitional interface to help with
      converting existing monitor commands to QMP.  It should not be used
      elsewhere.

      All code has been modernized to avoid qdev_init() and its
      inappropriate error handling.  We can finally drop it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit a3590dacce94519c1747d8bf423744c6bb7d9941
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 27 16:07:56 2015 +0100

      qom: Don't pass string table to object_get_enum() function

      Now that properties can be explicitly registered as an enum
      type, there is no need to pass the string table to the
      object_get_enum() function. The object property registration
      already has a pointer to the string table.

      In changing this method signature, the hostmem backend object
      has to be converted to use the new enum property registration
      code, which simplifies it somewhat.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit a8e3fbedc827f992657f5670212e854f62ec12ad
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:08 2015 +0100

      qom: Add an object_property_add_enum() helper function

      A QOM property can be parsed as enum using the visit_type_enum()
      helper function, but this forces callers to use the more complex
      generic object_property_add() method when registering it. It
      also requires that users of that object have access to the
      string map when they want to read the property value.

      This patch introduces a specialized object_property_add_enum()
      method which simplifies the use of enum properties, so the
      setters/getters directly get passed the int value.

        typedef enum {
           MYDEV_TYPE_FROG,
           MYDEV_TYPE_ALLIGATOR,
           MYDEV_TYPE_PLATYPUS,

           MYDEV_TYPE_LAST
        } MyDevType;

      Then provide a table of enum <-> string mappings

        static const char *const mydevtypemap[MYDEV_TYPE_LAST + 1] = {
           [MYDEV_TYPE_FROG] = "frog",
           [MYDEV_TYPE_ALLIGATOR] = "alligator",
           [MYDEV_TYPE_PLATYPUS] = "platypus",
           [MYDEV_TYPE_LAST] = NULL,
        };

      Assuming an object struct of

         typedef struct {
            Object parent_obj;
            MyDevType devtype;
            ...other fields...
         } MyDev;

      The property can then be registered as follows:

         static int mydev_prop_get_devtype(Object *obj,
                                           Error **errp G_GNUC_UNUSED)
         {
             MyDev *dev = MYDEV(obj);

             return dev->devtype;
         }

         static void mydev_prop_set_devtype(Object *obj,
                                            int value,
                                            Error **errp G_GNUC_UNUSED)
         {
             MyDev *dev = MYDEV(obj);

             dev->devtype = value;
         }

         object_property_add_enum(obj, "devtype",
                                  mydevtypemap, "MyDevType",
                                  mydev_prop_get_devtype,
                                  mydev_prop_set_devtype,
                                  NULL);

      Note there is no need to check the range of 'value' in
      the setter, because the string->enum conversion code will
      have already done that and reported an error as required.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 2e4450ff432daef524cb3557fca68a3b7b5c7823
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:07 2015 +0100

      qom: Make enum string tables const-correct

      The enum string table parameters in various QOM/QAPI methods
      are declared 'const char *strings[]'. This results in const
      warnings if passed a variable that was declared as

         static const char * const strings[] = { .... };

      Add the extra const annotation to the parameters, since
      neither the string elements, nor the array itself should
      ever be modified.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit a31bdae5a76ecc060c1eb8a66be1896072c1e8b2
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:06 2015 +0100

      qom: Add object_new_with_props() / object_new_withpropv() helpers

      It is reasonably common to want to create an object, set a
      number of properties, register it in the hierarchy and then
      mark it as complete (if a user creatable type). This requires
      quite a lot of error prone, verbose, boilerplate code to achieve.

      First a pair of functions object_set_props() / object_set_propv()
      are added which allow for a list of objects to be set in
      one single API call.

      Then object_new_with_props() / object_new_with_propv() constructors
      are added which simplify the sequence of calls to create an
      object, populate properties, register in the object composition
      tree and mark the object complete, into a single method call.

      Usage would be:

         Error *err = NULL;
         Object *obj;
         obj = object_new_with_propv(TYPE_MEMORY_BACKEND_FILE,
                                     object_get_objects_root(),
                                     "hostmem0",
                                     &err,
                                     "share", "yes",
                                     "mem-path", "/dev/shm/somefile",
                                     "prealloc", "yes",
                                     "size", "1048576",
                                     NULL);

      Note all property values are passed in string form and will
      be parsed into their required data types, using normal QOM
      semantics for parsing from string format.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit bc2256c4ae86308a1521c89456b599d441119418
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:05 2015 +0100

      qom: Add helper function for getting user objects root

      Add object_get_objects_root() function which is a convenience for
      obtaining the Object * located at /objects in the object
      composition tree. Convert existing code over to use the new
      API where appropriate.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit f08f9271bfe3f19a5eb3d7a2f48532065304d5c8
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:04 2015 +0100

      vl: Create (most) objects before creating chardev backends

      Some types of object must be created before chardevs, other types of
      object must be created after chardevs. As such there is no option but
      to create objects in two phases.

      This takes the decision to create as many object types as possible
      right away before anyother backends are created, and only delay
      creation of those few which have an explicit dependency on the
      chardevs. Hopefully the set which need delaying will remain small
      over time.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b9174d4f250cacb43b7cd9e07cf9f86818d62afd
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:03 2015 +0100

      doc: Document user creatable object types in help text

      The QEMU help for -object is essentially useless, just giving users
      the generic syntax. Move it down into its own section and introduce
      a nested table where each user creatable object can be documented.
      The existing memory-backend-file, rng-random and rng-egd object
      types are documented.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit b1028b4e8683740cd257a9b77577734664e61511
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Wed May 13 17:14:02 2015 +0100

      backends: Fix typename of 'policy' enum property in hostmem obj

      The 'policy' property was being registered with a typename of
      'str', but it is in fact an enum of the 'HostMemPolicy' type.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 799810fb2810ec4cb82f12ec9b023e1bfe434d71
  Merge: ffdb140 a59d31a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 19 17:05:15 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150619' into staging

      target-arm queue:
       * support --semihosting-config,arg=value
       * Cortex-R5 support (including implementing them on the Zynq board)
       * Cortex-M4 support (without FPU)
       * enable vfio-calxeda-xgmac
       * don't reset ALIAS sysregs

      # gpg: Signature made Fri Jun 19 14:41:54 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150619:
        semihosting: add --semihosting-config arg sub-argument
        semihosting: create SemihostingConfig structure and semihost.h
        arm: xlnx-zynqmp: Add 2xCortexR5 CPUs
        arm: xlnx-zynqmp: Add boot-cpu property
        arm: xlnx-zynqmp: Preface CPU variables with "apu"
        target-arm: Add support for Cortex-R5
        target-arm: Implement PMSAv7 MPU
        target-arm: Add registers for PMSAv7
        target-arm/helper.c: define MPUIR register
        target-arm: Do not reset sysregs marked as ALIAS
        hw/arm/sysbus-fdt: enable vfio-calxeda-xgmac dynamic instantiation
        target-arm: Add the Cortex-M4 CPU

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a59d31a1ebdce796a469242800db89bf09c94580
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      semihosting: add --semihosting-config arg sub-argument

      Add new "arg" sub-argument to the --semihosting-config allowing the user
      to pass multiple input arguments separately. It is required for example
      by UHI semihosting to construct argc and argv.

      Also, update ARM semihosting to support new option (at the moment it is
      the only target which cares about arguments).

      If the semihosting is enabled and no semihosting args have been specified,
      then fall back to -kernel/-append. The -append string is split on 
whitespace
      before initializing semihosting.argv[1..n]; this is different from what
      QEMU MIPS machines' pseudo-bootloaders do (i.e. argv[1] contains the whole
      -append), but is more intuitive from UHI user's point of view and Linux
      kernel just does not care as it concatenates argv[1..n] into single 
cmdline
      string anyway.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Message-id: 1434643256-16858-3-git-send-email-leon.alrae@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cfe67cef48696e8b901aff38a82056ae64d69c98
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      semihosting: create SemihostingConfig structure and semihost.h

      Remove semihosting_enabled and semihosting_target and replace them with
      SemihostingConfig structure containing equivalent fields. The structure
      is defined in vl.c where it is actually set.

      Also introduce separate header file include/exec/semihost.h allowing to
      access semihosting config related stuff from target specific semihosting
      code.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1434643256-16858-2-git-send-email-leon.alrae@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b58850e79d8df1185bd4999df81fbe6954cd2790
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      arm: xlnx-zynqmp: Add 2xCortexR5 CPUs

      Add the 2xCortexR5 CPUs to zynqmp board. They are powered off on reset
      (this is true of real hardware) by default or selectable as the boot
      processor.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
da34128c73ca13fc4f8c3293e1a33d1e1e345655.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6396a193d36e10ff38f26d4ef785aba97362f29e
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      arm: xlnx-zynqmp: Add boot-cpu property

      Add a string property that specifies the primary boot cpu. All CPUs
      except the one selected will start-powered-off. This allows for elf
      boots on any CPU, which prepares support for booting R5 elfs directly
      on the R5 processors.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
53331c00d80c7ce9c6a83712348773f1b38fae2b.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2e5577bc5563ccf453249e884be9a223deabab5b
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      arm: xlnx-zynqmp: Preface CPU variables with "apu"

      The CPUs currently supported by zynqmp are the APU (application
      processing unit) CPUs. There are other CPUs in Zynqmp so unqualified
      "cpus" in ambiguous. Preface the variables with "APU" accordingly, to
      prepare support adding the RPU (realtime processing unit) processors.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 
ce32287fc365aea898465e981da3546a227e0811.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d6a6b13ea1dfeb25c43a648e94cfe4395906f1da
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      target-arm: Add support for Cortex-R5

      Introduce a CPU model for the Cortex R5 processor. ARMv7 with MPU,
      and both thumb and ARM div instructions.

      Also implement dummy ATCM and BTCM. These CPs are defined for R5 but
      don't have a lot of meaning in QEMU yet. Raz them so the guest can
      proceed if they are read. The TCM registers will return a size of 0,
      indicating no TCM.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 
efe213163e6800578494aba864ac30329de4d396.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f6bda88ff839e2adefe4959b7def420b90703855
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:45 2015 +0100

      target-arm: Implement PMSAv7 MPU

      Unified MPU only. Uses ARM architecture major revision to switch
      between PMSAv5 and v7 when ARM_FEATURE_MPU is set. PMSA v6 remains
      unsupported and is asserted against.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
dcb03cda6dd754c5cc6a962fa11f25089811e954.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6cb0b013a1fa421cdfb83257cd33f855cc90649a
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      target-arm: Add registers for PMSAv7

      Define the arm CP registers for PMSAv7 and their accessor functions.
      RGNR serves as a shared index that indexes into arrays storing the
      DRBAR, DRSR and DRACR registers. DRBAR and friends have to be VMSDd
      separately from the CP interface using a new PMSA specific VMSD
      subsection.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
172cf135fbd8f5cea413c00e71cc1c3cac704744.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3281af8114c6b8ead02f08b58e3c36895c1ea047
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      target-arm/helper.c: define MPUIR register

      Define the MPUIR register for MPU supporting ARMv6 and onwards.
      Currently we only support unified MPU.

      The size of the unified MPU is defined via the number of "dregions".
      So just a single config is added to specify this size. (When split MPU
      is implemented we will add an extra iregions config).

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
9f248950b803a08c8b3c978931663182f7e882e7.1434501320.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b061a82b8afcc45ce09d770d9c0acdf429401054
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      target-arm: Do not reset sysregs marked as ALIAS

      cp_reg_reset() is called from g_hash_table_foreach() which does not
      define a specific ordering of the hash table iteration. Thus doing reset
      for registers marked as ALIAS would give an ambiguous result when
      resetvalue is different for original and alias registers. Exit
      cp_reg_reset() early when passed an alias register. Then clean up alias
      register definitions from needless resetvalue and resetfn.

      In particular, this fixes a bug in the handling of the PMCR register,
      which had different resetvalues for its 32 and 64-bit views.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1434554713-10220-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit decf4f807b4498ca35a87e9de82bc9a4e64cc29a
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      hw/arm/sysbus-fdt: enable vfio-calxeda-xgmac dynamic instantiation

      This patch allows the instantiation of the vfio-calxeda-xgmac device
      from the QEMU command line (-device vfio-calxeda-xgmac,host="<device>").

      A specialized device tree node is created for the guest, containing
      compat, dma-coherent, reg and interrupts properties.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Acked-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1434455898-17895-1-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ba890a9b2509a0087bb7eafddae02ea5ecbb7bb4
  Author: Aurelio C. Remonda <aurelioremonda@xxxxxxxxx>
  Date:   Fri Jun 19 14:17:44 2015 +0100

      target-arm: Add the Cortex-M4 CPU

      This patch adds the Cortex-M4 CPU. The M4 is basically the same as
      the M3, the main differences being the DSP instructions and an
      optional FPU.  Only no-FPU cortex-M4 is implemented here, cortex-M4F
      is not because the core target-arm code doesn't support the M-profile
      FPU model yet.

      Signed-off-by: Aurelio C. Remonda <aurelioremonda@xxxxxxxxx>
      Message-id: 1434461850-4104-1-git-send-email-aurelioremonda@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ffdb1409a79c9cc91afd9f58df625fdca16bf8b9
  Merge: 89e9429 693a3e0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 19 12:54:08 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-cocoa-20150619-1' into staging

      cocoa queue:
       * Add Machine menu, with entries for pause, resume, reset, power down, 
and
         media change and eject for removable drives

      # gpg: Signature made Fri Jun 19 11:24:11 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-cocoa-20150619-1:
        ui/cocoa.m: Add machine menu items to change and eject removable drive 
media
        ui/cocoa.m: Add Reset and Power Down menu items to Machine menu
        ui/cocoa.m: Add Machine menu with pause and resume menu items

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 89e9429c3cb42400f3a80890e0c20b18aa62a11d
  Merge: 473a494 1e7398a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 19 11:30:57 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      virtio, pci fixes, enhancements

      Most notably this includes virtio cross-endian patches.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Fri Jun 19 11:18:05 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        vhost: enable vhost without without MSI-X
        pci: Don't register a specialized 'config_write' if default behavior is 
intended
        hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf()
        vhost_net: re-enable when cross endian
        vhost-net: tell tap backend about the vnet endianness
        tap: fix non-linux build
        tap: add VNET_LE/VNET_BE operations
        vhost: set vring endianness for legacy virtio
        virtio: introduce virtio_legacy_is_cross_endian()
        linux-headers: sync vhost.h
        vhost-user: part of virtio

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e4a511f8cc6f4a46d409fb5c9f72c38ba45f8d83
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 17 10:36:54 2015 +0200

      exec: clamp accesses against the MemoryRegionSection

      Because the clamping was done against the MemoryRegion,
      address_space_rw was effectively broken if a write spanned
      multiple sections that are not linear in underlying memory
      (with the memory not being under an IOMMU).

      This is visible with the MIPS rc4030 IOMMU, which is implemented
      as a series of alias memory regions that point to the actual RAM.

      Tested-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 965eb2fcdfe919ecced6c34803535ad32dc1249c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 17 10:40:27 2015 +0200

      exec: do not clamp accesses to MMIO regions

      It is common for MMIO registers to overlap, for example a 4 byte register
      at 0xcf8 (totally random choice... :)) and a 1 byte register at 0xcf9.
      If these registers are implemented via separate MemoryRegions, it is
      wrong to clamp the accesses as the value written would be truncated.

      Hence for these regions the effects of commit 23820db (exec: Respect
      as_translate_internal length clamp, 2015-03-16, previously applied as
      commit c3c1bb99) must be skipped.

      Tested-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ae46e23964ad45d5bc72374040e87d8f52ac2178
  Author: Paul Donohue <qemu-devel@xxxxxxxxxx>
  Date:   Fri Jun 12 10:10:14 2015 -0400

      mc146818rtc: Reset the periodic timer on load

      When loading a VM from a snapshot or migration, clock changes can cause
      the periodic timer to stall or loop rapidly.

      qemu-timer has a reset notifier mechanism that is used to avoid timer
      stalls or loops if the host clock changes while the VM is running when
      using QEMU_CLOCK_HOST.  However, when loading a snapshot or migration,
      qemu-timer is initialized and fires the reset notifier before
      mc146818rtc is initialized and has registered its reset handler.  In
      addition, this mechanism isn't used when using QEMU_CLOCK_REALTIME,
      which might also change when loading a snapshot or migration.

      To correct that problem, this commit resets the periodic timer after
      loading from a snapshot or migration if the clock has either jumped
      backward or has jumped forward by more than the clock jump limit that
      is used by the reset notifier code in qemu-timer.

      Signed-off-by: Paul Donohue <qemu-git@xxxxxxxxxx>
      Message-Id: <20150612141013.GE2749@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fb1a3a051d89975f26296163066bb0745ecca49d
  Author: Paul Donohue <qemu-devel@xxxxxxxxxx>
  Date:   Fri Jun 12 10:08:45 2015 -0400

      qemu-timer: Call clock reset notifiers on forward jumps

      Commit 691a0c9c introduced a mechanism by which QEMU_CLOCK_HOST can
      notify other parts of the emulator when the host clock has jumped
      backward.  This is used to avoid stalling timers that were scheduled
      based on the host clock.

      However, if the host clock jumps forward, then timers that were
      scheduled based on the host clock may fire rapidly and cause other
      problems.  For example, the mc146818rtc periodic timer will block
      execution of the VM and consume host CPU while firing every interrupt
      for the time period that was skipped by the host clock.

      To correct that problem, this commit fires the reset notification if the
      host clock jumps forward by more than a hard-coded limit.  The limit is
      currently set to a value of 60 seconds, which should be small enough to
      prevent excessive timer loops, but large enough to avoid frequent resets
      in idle VMs.

      Signed-off-by: Paul Donohue <qemu-git@xxxxxxxxxx>
      Message-Id: <20150612140845.GD2749@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 397c767b2de5b918a7b890d02aae83d6dcb2a470
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:20 2015 +0800

      tests: virtio-scsi: Add test for unaligned WRITE SAME

      This is an exercise for virtio-scsi tests using the libqos virtio
      library. A few common routines are added to facilitate future extensions
      of the test set.

      The added test case is a regression test for the bug in d7f4b1999e.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 693a3e01af8082f855094061650311fcaf3e1269
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Jun 19 10:53:27 2015 +0100

      ui/cocoa.m: Add machine menu items to change and eject removable drive 
media

      Adds all removable devices to the Machine menu as a Change and Eject menu
      item pair. ide-cd0 would have a "Change ide-cd0..." and "Eject ide-cd0"
      menu items.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 270746142c3c96549ecd82c6097a6d85a35f27cf
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Jun 19 10:53:27 2015 +0100

      ui/cocoa.m: Add Reset and Power Down menu items to Machine menu

      Add "Reset" and "Power Down" menu items to Machine menu.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1e7398a140f7a6bd9f5a438e7ad0f1ef50990e25
  Author: Pankaj Gupta <pagupta@xxxxxxxxxx>
  Date:   Tue Jun 16 13:48:59 2015 +0530

      vhost: enable vhost without without MSI-X

      We use vhostforce to enable vhost even if Guests don't have MSI-X
      support and we fall back to QEMU virtio-net.

      This gives a very small performance gain, but the disadvantage
      is that guest now controls which virtio code is running
      (qemu or vhost) so our attack surface is doubled.

      This patch will enable vhost unconditionally whenever it's requested.
      For compatibility, enable vhost when vhostforce is set, as well.

      Signed-off-by: Pankaj Gupta <pagupta@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>

  commit 74de5504fd063019433ec0746105da774ede790d
  Author: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 16 11:24:39 2015 +0300

      pci: Don't register a specialized 'config_write' if default behavior is 
intended

      Few devices have their specialized 'config_write' methods which simply
      call 'pci_default_write_config' followed by a 'msix_write_config' or
      'msi_write_config' calls, using exact same arguments.

      This is unnecessary as 'pci_default_write_config' already invokes
      'msi_write_config' and 'msix_write_config'.

      Also, since 'pci_default_write_config' is the default 'config_write'
      handler, we can simply avoid the registration of these specialized
      versions.

      Cc: Leonid Shatz <leonid.shatz@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5ba03e2dd785362026917e4cc8a1fd2c64e8e62c
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Wed Jun 17 14:45:03 2015 +0200

      hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf()

      This is done mainly for improving readability, and in preparation for the
      next patch, but Markus pointed out another bonus for the string being
      returned:

      "No arbitrary length limit. Before the patch, it's 39 characters, and the
      code breaks catastrophically when qdev_fw_name() is longer: the second
      snprintf() is called with its first argument pointing beyond path[], and
      its second argument underflowing to a huge size."

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Tested-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1717388645670336c48aa05d19b0acd07687a821
  Author: Cédric Le Goater <clg@xxxxxxxxxx>
  Date:   Wed Jun 17 15:23:54 2015 +0200

      vhost_net: re-enable when cross endian

      Cross-endianness is now checked by the core vhost code.

      revert 371df9f5e0f1 "vhost-net: disable when cross-endian"

      Signed-off-by: Cédric Le Goater <clg@xxxxxxxxxx>
      [ added commit message, Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx> ]
      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5be7d9f1b1452613b95c6ba70b8d7ad3d0797991
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:49 2015 +0200

      vhost-net: tell tap backend about the vnet endianness

      The default behaviour for TAP/MACVTAP is to consider vnet as native 
endian.

      This patch handles the cases when this is not true:
      - virtio 1.0: always little-endian
      - legacy cross-endian

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4ee9b43be9a6e4ae161a1e6322bfef90818589f6
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 18 16:52:23 2015 +0200

      tap: fix non-linux build

      tap_fd_set_vnet_le/tap_fd_set_vnet_be was missing,
      fix it up.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>

  commit 8524f1c79e614552c0165db9cc75a8a6bd8607a5
  Author: John Arbuckle <programmingkidx@xxxxxxxxx>
  Date:   Fri Jun 19 10:53:27 2015 +0100

      ui/cocoa.m: Add Machine menu with pause and resume menu items

      Add Machine menu to the Macintosh interface with pause
      and resume menu items. These items can either pause or
      resume execution of the guest operating system.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Message-id: 6D7AE6AA-0595-4FAD-AACF-9DFAB87248F0@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 473a49460db0a90bfda046b8f3662b49f94098eb
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Jun 18 13:49:28 2015 -0300

      q35: Re-enable FDC on pc-q35-2.3 and older

      commit ea96bc629cbd52be98b2967a4b4f72e91dfc3ee4 doesn't match the patch
      submitted by Laszlo to qemu-devel. We reuse pc_q35_2_4_machine_options()
      inside pc_q35_2_3_machine_options(), so we need to undo the no_floppy
      change in pc_q35_2_3_machine_options().

      (This discrepancy was due to a bad merge.)

      This restores the previous behavior where all the 2.3 and older machines
      had no_floppy=0.

      Reported-by: Ján Tomko <jtomko@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Message-id: 1434646168-3100-1-git-send-email-ehabkost@xxxxxxxxxx
      Cc: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      [PMM: mention that this was a merge issue, not a review issue]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff5397bc72a1716bb34302dd470343ebee7d6bf2
  Author: Martin Cerveny <M.Cerveny@xxxxxxxxxxxx>
  Date:   Wed May 13 14:14:54 2015 +0200

      scripts: Add support for path as argument of qom-tree

      Add processing of optional argument path as "tree base".

      Signed-off-by: Martin Cerveny <M.Cerveny@xxxxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 53f77e4562f85ccf82c8831a4448e9aefb538837
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Wed Mar 25 18:40:15 2015 +0100

      tests: Use qtest_add_data_func() consistently

      Replace uses of g_test_add_data_func() for QTest test cases.

      It is still valid to use it for any non-QTest test cases,
      which are not run for multiple target binaries.

      Suggested-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 6bc5cf92c0ab0085ba9a6e0cebcf5a544f416ca7
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Apr 9 16:57:30 2015 -0300

      qdev: Free property names after registering gpio aliases

      Now that object_property_add_alias() strdup()s target_name, we can free
      the property names in qdev_pass_gpios().

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 1590d266d96b3f9b42443d6388dfc38f527ac2d8
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Apr 9 16:57:29 2015 -0300

      qom: strdup() target property name on object_property_add_alias()

      With this, object_property_add_alias() callers can safely free the
      target property name, like what already happens with the 'name' argument
      to all object_property_add*() functions.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>

  commit 8ffe756da0481233e1bd518b2b16489f51856292
  Merge: 1b58f5a e1d4210
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 18 13:32:39 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-06-18' 
into staging

      QAPI patches

      # gpg: Signature made Thu Jun 18 13:20:00 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-06-18:
        qapi-types: Bury code dead since commit 6b5abc7
        qapi-types: Split generate_fwd_builtin() off generate_fwd_struct()
        qapi-types: Drop unused members parameters
        qapi-types: Don't filter out expressions with 'gen'
        qapi: Catch and reject flat union branch of array type
        tests/qapi-schema: New flat union array branch test case
        qapi: Better separate the different kinds of helpers
        qapi: Move exprs checking from parse_schema() to check_exprs()
        qapi: Fix to reject stray 't', 'f' and 'n'
        qapi: Simplify inclusion cycle detection
        qapi: Fix file name in error messages for included files
        qapi: Improve a couple of confusing variable names
        qapi: Eliminate superfluous QAPISchema attribute input_dir
        qapi: Drop bogus command from docs
        MAINTAINERS: Fix up QAPI and QAPI schema file patterns

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e1d4210c3a50059a3889cedc44a8aa193fa63d7d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 09:45:55 2015 +0200

      qapi-types: Bury code dead since commit 6b5abc7

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c5ecd7e18f912ab5e91f09b0333fb07567885d42
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 09:22:32 2015 +0200

      qapi-types: Split generate_fwd_builtin() off generate_fwd_struct()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit ae0a7a109037160465f55f8bab06897f0a904def
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 10:40:17 2015 +0200

      qapi-types: Drop unused members parameters

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 4f3568002393380558705397bda4cd5f224ffe29
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 08:32:51 2015 +0200

      qapi-types: Don't filter out expressions with 'gen'

      Useless, because it can only occur in commands, and we're not dealing
      with commands here.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit f9a1427361fe06ac67480d580412dc4ed6f5d03b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 13:07:43 2015 +0200

      qapi: Catch and reject flat union branch of array type

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 75276710ae0a9f802a9774a8d845a2c84f89305a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 13:03:04 2015 +0200

      tests/qapi-schema: New flat union array branch test case

      The new test demonstrates another generator crash.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 00e4b285a31d19dcd88bd46729c9e09bfc9cc7fd
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 10:04:36 2015 +0200

      qapi: Better separate the different kinds of helpers

      Insert comments to separate sections dealing with parsing, semantic
      analysis, code generation, and so forth.

      Move helpers to their proper section.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 4d076d67c2c74662db092ecf4f99600b18209b2e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 08:55:21 2015 +0200

      qapi: Move exprs checking from parse_schema() to check_exprs()

      To have expression semantic analysis in one place rather than two.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e565d934d21e3544b820cd03b88061e71ab644a0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Jun 10 08:24:58 2015 +0200

      qapi: Fix to reject stray 't', 'f' and 'n'

      Screwed up in commit e53188a.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit a1366087270b312d94ff8c4031395a4218f160d4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 16:54:09 2015 +0200

      qapi: Simplify inclusion cycle detection

      We maintain a stack of filenames in include_hist for convenient cycle
      detection.

      As error_path() demonstrates, the same information is readily
      available in the expr_info, so just use that, and drop include_hist.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8608d2525186062099a38971c276752e7a38903a
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 18:32:29 2015 +0200

      qapi: Fix file name in error messages for included files

      We print the name as it appears in the include expression.  Tools
      processing error messages want it relative to the working directory.
      Make it so.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 54414047eca5bee7d5ba6e7af5fb251f8635896c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 16:22:45 2015 +0200

      qapi: Improve a couple of confusing variable names

      old name      new name
      ----------------------------
      input_file    fname
      input_relname fname
      input_fname   abs_fname
      include_path  incl_abs_fname
      parent_info   incl_info

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 12c707944927b8aa42752198dcf419a0bafe5d33
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 16:49:13 2015 +0200

      qapi: Eliminate superfluous QAPISchema attribute input_dir

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 836c3b01d2630192d6f5a941ca073bc8d650574b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 9 14:38:58 2015 +0200

      qapi: Drop bogus command from docs

      Commit 87a560c4 added it in the wrong place.  Commit 59a2c4ce added it
      in the right place, but didn't remove it from the wrong place.  Do
      that now.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 0311c5bde313c9ffcda2a198bd7cc70ae130d973
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Jun 12 15:15:54 2015 +0200

      MAINTAINERS: Fix up QAPI and QAPI schema file patterns

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1b58f5a7f6fbe811cc486cd5786483bad5d51bbf
  Merge: e207527 a3122b6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 18 11:36:42 2015 +0100

      Merge remote-tracking branch 'remotes/mcayland/tags/qemu-openbios-signed' 
into staging

      Update OpenBIOS images

      # gpg: Signature made Wed Jun 17 20:06:06 2015 BST using RSA key ID 
AE0F321F
      # gpg: Good signature from "Mark Cave-Ayland 
<mark.cave-ayland@xxxxxxxxxxxx>"

      * remotes/mcayland/tags/qemu-openbios-signed:
        Update OpenBIOS images

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e20752775197d3606c50703422d2c5d53ecf54bb
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Wed Jun 17 13:35:00 2015 +0100

      vfio: fix build error on CentOS 5.7

      Include linux/vfio.h after sys/ioctl.h, just like in hw/vfio/common.c.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Acked-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Message-id: 1434544500-22405-1-git-send-email-leon.alrae@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3122b681aee8a41268c610ca3a5e7a066a9091a
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Wed Jun 17 20:02:15 2015 +0100

      Update OpenBIOS images

      Update OpenBIOS images to SVN r1340 built from submodule.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>

  commit c80cd6bb9c20ef518c56319ce44d2971171e677d
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:44 2015 +0200

      tap: add VNET_LE/VNET_BE operations

      The linux tap and macvtap backends can be told to parse vnet headers
      according to little or big endian. This is done through the TUNSETVNETLE
      and TUNSETVNETBE ioctls.

      This patch brings all the plumbing for QEMU to use these APIs.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 04b7a1523d65bb5c78832098cf3108a1aadcaf8a
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:39 2015 +0200

      vhost: set vring endianness for legacy virtio

      Legacy virtio is native endian: if the guest and host endianness differ,
      we have to tell vhost so it can swap bytes where appropriate. This is
      done through a vhost ring ioctl.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 41d283bdab08868a244b9c19dce507fdf15a8990
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:34 2015 +0200

      virtio: introduce virtio_legacy_is_cross_endian()

      This helper will be used by vhost and tap to detect cross-endianness in
      the legacy virtio case.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 332f64073bddc9240cd572f64682a44572b67049
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 17 15:23:29 2015 +0200

      linux-headers: sync vhost.h

      This patch brings the cross-endian vhost API to QEMU.

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 06b008d941fd3e9684d38a9b3181a1cf301c78d1
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:19 2015 +0800

      tests: virtio-scsi: Move start/stop to individual test functions

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bea2f0982b335c13448dbde8a409107764fa8b59
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:18 2015 +0800

      libqos: Complete virtio device ID definition list

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 28452758c405e16d9890c44d6031d44233e8cb38
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:17 2015 +0800

      libqos: Allow calling guest_free on NULL pointer

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ebe7d8b166c59b029521f8d95db011e5e0fc649d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 24 19:35:16 2015 +0800

      tests: Link libqos virtio object to virtio-scsi-test

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d4862a87e31a51de9eb260f25c9e99a75efe3235
  Author: Petr Matousek <pmatouse@xxxxxxxxxx>
  Date:   Wed Jun 17 12:46:11 2015 +0200

      i8254: fix out-of-bounds memory access in pit_ioport_read()

      Due converting PIO to the new memory read/write api we no longer provide
      separate I/O region lenghts for read and write operations. As a result,
      reading from PIT Mode/Command register will end with accessing
      pit->channels with invalid index.

      Fix this by ignoring read from the Mode/Command register.

      This is CVE-2015-3214.

      Reported-by: Matt Tait <matttait@xxxxxxxxxx>
      Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9dacf32d2cbd66cbcce7944ebdfd6b2df20e33b8
  Author: Yossi Hindin <yhindin@xxxxxxxxxx>
  Date:   Wed May 6 14:57:40 2015 +0300

      qemu-ga: Building Windows MSI installation with configure/Makefile

      New options were added to enable Windows MSI installation package
      creation:

      Option --enable-guest-agent-msi, like the name suggests, enables building
      Windows MSI package for QEMU guest agent; option --disable-guest-agent-msi
      disables MSI package creation; by default, no MSI package is created

      Signed-off-by: Yossi Hindin <yhindin@xxxxxxxxxx>
      Message-Id: <1430913460-13174-5-git-send-email-yhindin@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 66ae13bb9eb2b16b59698e992bfcea61563b9d78
  Author: Yossi Hindin <yhindin@xxxxxxxxxx>
  Date:   Wed May 6 14:57:39 2015 +0300

      qemu-ga: Introduce Windows MSI script

      The script enables building Windows MSI installation package on Linux 
with wixl tool.

      Signed-off-by: Yossi Hindin <yhindin@xxxxxxxxxx>
      Message-Id: <1430913460-13174-4-git-send-email-yhindin@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c69403fcd4a0cb89f838a212ab71e4a1a3464c95
  Author: Yossi Hindin <yhindin@xxxxxxxxxx>
  Date:   Wed May 6 14:57:38 2015 +0300

      qemu-ga: debug printouts to help troubleshoot installation

      Debug printouts extended, helps installation troubleshooting

      Signed-off-by: Yossi Hindin <yhindin@xxxxxxxxxx>
      Message-Id: <1430913460-13174-3-git-send-email-yhindin@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5e031072e71eebab3d7d2ea4609e84bc928d893e
  Author: Yossi Hindin <yhindin@xxxxxxxxxx>
  Date:   Wed May 6 14:57:37 2015 +0300

      qemu-ga: adding vss-[un]install options

      Existing command line options include '-s install' and '-s uninstall'.
      These options install/uninstall both Windows QEMU GA service
      and optional VSS COM server. The QEMU GA Windows service allows
      always-on serving guest agent's QMP commands and VSS COM server
      enables guest agent integration with Volume Shadow Service.

      This commit introdices new options '-s vss-install' and '-s 
vss-uninstall',
      affecting only GA VSS COM server registration. The new options are useful
      for registering and unregistering the COM server during MSI installation,
      upgrade and uninstallation.

      Signed-off-by: Yossi Hindin <yhindin@xxxxxxxxxx>
      Message-Id: <1430913460-13174-2-git-send-email-yhindin@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 67633bb4f7743be2cb2e70b61e482ab92bf1724e
  Author: Pranith Kumar <bobby.prani@xxxxxxxxx>
  Date:   Wed Jun 10 10:20:24 2015 -0400

      qemu-log: Open file for logging when specified

      qemu-log defaults to stderr when there is no '-D' option mentioned on 
command
      line. When '-D' option is specified, we also need to specify '-d' option 
for it
      to use the specified logfile. When using monitor to enable logging this is
      troublesome since there will be no '-d' option because of which monitor 
dumps
      the logs to stderr.

      Fix this by opening the log file when '-D' is specified on the command 
line.
      Also fix an ancient comment which does not hold true since changing 
location and
      log level has now been streamlined.

      Signed-off-by: Pranith Kumar <bobby.prani@xxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      CC: Markus Armbruster <armbru@xxxxxxxxxx>
      CC: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-Id: <1433946024-18439-1-git-send-email-bobby.prani@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f754c3c9cce3c4789733d9068394be4256dfe6a8
  Merge: a09f4a9 1f68f1d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 17 12:43:26 2015 +0100

      Merge remote-tracking branch 
'remotes/agraf/tags/signed-s390-for-upstream' into staging

      Patch queue for s390 - 2015-06-17

      This is a special one. Two awesome features in one pull request:

        - CCW support for TCG
        - Watchpoint support for TCG

      To celebrate this, we also switch the default machine model from 
s390-virtio
      to s390-ccw and give users a fully working s390x model again!

      # gpg: Signature made Wed Jun 17 11:42:26 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-s390-for-upstream: (26 commits)
        s390x: Switch to s390-ccw machine as default
        target-s390x: PER: add Breaking-Event-Address register
        target-s390x: PER instruction-fetch nullification event support
        target-s390x: PER store-using-real-address event support
        target-s390x: PER storage-alteration event support
        translate-all: fix watchpoints if retranslation not possible
        target-s390x: PER instruction-fetch event support
        target-s390x: PER successful-branching event support
        target-s390x: basic PER event handling
        target-s390x: add get_per_in_range function
        target-s390x: add get_per_atmid function
        target-s390x: add PER related constants
        target-s390x: mvc_fast_memmove: access memory through softmmu
        target-s390x: mvc_fast_memset: access memory through softmmu
        target-s390x: function to adjust the length wrt page boundary
        softmmu: provide tlb_vaddr_to_host function for user mode
        target-s390x: wire up I/O instructions in TCG mode
        target-s390x: wire up DIAG REIPL in TCG mode
        target-s390x: wire up DIAG IPL in TCG mode
        target-s390x: fix s390_cpu_initial_reset
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1f68f1d36c3af09ed31a529ad69c3d09880d10fd
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Tue Jun 16 23:06:33 2015 +0200

      s390x: Switch to s390-ccw machine as default

      We now finally have TCG support for the basic set of instructions 
necessary
      to run the s390-ccw machine. That means in any aspect possible that 
machine
      type is now superior to the legacy s390-virtio machine.

      Switch over to the ccw machine as default. That way people don't get a 
halfway
      broken machine with the s390x target.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 3da0ab35292fe93640cfdd95aa8bedec8f145d2c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:46:03 2015 +0200

      target-s390x: PER: add Breaking-Event-Address register

      This patch adds support for PER Breaking-Event-Address register. Like
      real hardware, it save the current PSW address when the PSW address is
      changed by an instruction. We have to take care of optimizations QEMU
      does, a branch to the next instruction is still a branch.

      This register is copied to low core memory when a program exception
      happens.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 83bb161299c019e25a3add59504f0b69e6257dcd
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:46:02 2015 +0200

      target-s390x: PER instruction-fetch nullification event support

      For the instruction-fetch nullification event, we just reuse the
      existing instruction-fetch code and trigger the exception immediately
      in that case.

      There is no need to save the CPU state in the TCG code as it has been
      saved by the previous instruction before calling the per_check_exception
      helper.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2f54394997bfc808bbfbebb2d8294edd17d63808
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:46:01 2015 +0200

      target-s390x: PER store-using-real-address event support

      This PER event happens each time the STURA or STURG instructions are
      used. As they use helpers, we can just save the event in the PER code
      there, if enabled.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 311918b979c5364c30392c1054ed77d047a83953
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:46:00 2015 +0200

      target-s390x: PER storage-alteration event support

      For the PER storage-alteration event we can use the QEMU watchpoint
      infrastructure. When PER is enabled or PER control register changed we
      enable the corresponding watchpoints. When a watchpoint arises we can
      save the event. Unfortunately the current code does not provide the
      address space used to trigger the watchpoint. For now we assume it comes
      from the default ASC.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 8d302e76755b8157373073d7107e31b0b13f80c1
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:59 2015 +0200

      translate-all: fix watchpoints if retranslation not possible

      The tb_check_watchpoint function currently assumes that all memory
      access is done either directly through the TCG code or through an
      helper which knows its return address. This is obviously wrong as the
      helpers use cpu_ldxx/stxx_data functions to access the memory.

      Instead of aborting in that case, don't try to retranslate the code, but
      assume that the CPU state (and especially the program counter) has been
      saved before calling the helper. Then invalidate the TB based on this
      address.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f0e0d817c22539cd2ce1bcb5487e076f117b04c0
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:58 2015 +0200

      target-s390x: PER instruction-fetch event support

      For the PER instruction-fetch, we can't use the QEMU breakpoint
      infrastructure as it triggers for a single address and not a full
      address range, and as it actually stop before the instruction and
      not before.

      We therefore call an helper with the just fetched instruction address,
      which check if the address is within the PER address range. If it is
      the case, an event is recorded and will be signaled through an
      exception.

      Note that we implement here the PER-3 behaviour, that is an invalid
      opcode is not considered as an instruction fetch. Without PER-3 this
      behavious is undefined.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2c2275eb41c612df4bd115cf71d6e651d105f69c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:57 2015 +0200

      target-s390x: PER successful-branching event support

      For the PER successful-branching event support, we can't rely on any
      QEMU infrastucture. We therefore call an helper in all places where
      a branch can be taken. We have to pay attention to the branch to next
      case, as it's still a taken branch.

      We don't need to care about the cases using goto_tb, as we have disabled
      them in the previous patch.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 777c98c32ce577a9671b9267ff6e2802f69ebafd
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:56 2015 +0200

      target-s390x: basic PER event handling

      This patch add basic support to generate PER exceptions. It adds two
      fields to the cpu structure to record for the PER address and PER
      code & ATMID values. When an exception is triggered and a PER event is
      pending, the two PER values are copied to the lowcore area.

      At the end of an instruction, an helper is checking for a possible
      pending PER event and triggers an exception in that case. For that to
      work with branches, we need to disable TB chaining when PER is
      activated. Fortunately it's already in the TB flags.

      Finally in case of a SERVICE CALL exception, we need to trigger the PER
      exception immediately after.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d453d103831c966e7920f146eb3416e43b588f89
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:55 2015 +0200

      target-s390x: add get_per_in_range function

      This function checks if an address is in between the PER starting
      address and the PER ending address, taking care of a possible
      address range loop.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a8f931a931f8866abdb2f836d0fb6fb7d2606645
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:54 2015 +0200

      target-s390x: add get_per_atmid function

      This function returns the ATMID field that is stored in the
      per_perc_atmid lowcore entry.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit fb01bf4c6b86d9ac00ea87d60f97871ee1488188
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:53 2015 +0200

      target-s390x: add PER related constants

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 6da528d14de29138ca5ac43d6d059889dd24f464
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:52 2015 +0200

      target-s390x: mvc_fast_memmove: access memory through softmmu

      mvc_fast_memmove is bypassing the softmmu functions, getting the
      physical source and destination addresses using the mmu_translate
      function and accessing the corresponding physical memory. This
      prevents watchpoints to work correctly.

      Instead use the tlb_vaddr_to_host function to get the host addresses
      corresponding to the guest source and destination addresses through the
      softmmu code and fallback to the byte level code in case the
      corresponding address are not in the QEMU TLB or being examined through
      a watchpoint. As a bonus it works even for area crossing pages by
      splitting the are into chunks contained in a single page, bringing some
      performances improvements. We can therefore remove the 8-byte
      loads/stores method, as it is now quite unlikely to be used.

      At the same time change the name of the function to fast_memmove as it's
      not specific to mvc and use the same argument order as the C memmove
      function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit fc89efe693278c79273f3bbf6b581e8a749c85b0
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:51 2015 +0200

      target-s390x: mvc_fast_memset: access memory through softmmu

      mvc_fast_memset is bypassing the softmmu functions, getting the
      physical address using the mmu_translate function and accessing the
      corresponding physical memory. This prevents watchpoints to work
      correctly.

      Instead use the tlb_vaddr_to_host function to get the host address
      corresponding to the guest address through the softmmu code and fallback
      to the byte level code in case the corresponding address is not in the
      QEMU TLB or being examined through a watchpoint. As a bonus it works
      even for area crossing pages by splitting the are into chunks contained
      in a single page, bringing some performances improvements.

      At the same time change the name of the function to fast_memset as it's
      not specific to mvc and use the same argument order as the C memset
      function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d7ce6b7a0ba4328a286d09d96395a8fc2fd6943c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:50 2015 +0200

      target-s390x: function to adjust the length wrt page boundary

      This patch adds a function to adjust the length of a transfer so that
      it doesn't cross a page boundary in softmmu mode. It does nothing in
      user mode.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2e83c496261c799b0fe6b8e18ac80cdc0a5c97ce
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sat Jun 13 00:45:49 2015 +0200

      softmmu: provide tlb_vaddr_to_host function for user mode

      To avoid to many #ifdef in target code, provide a tlb_vaddr_to_host for
      both user and softmmu modes. In the first case the function always
      succeed and just call the g2h function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ad8a4570add09a7635cb8cd1c9327640521ee7a7
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Mon Jun 15 17:57:09 2015 +0200

      target-s390x: wire up I/O instructions in TCG mode

      The code handling the I/O instructions for KVM decodes the instruction
      itself. In TCG mode also pass the full instruction word to the helpers.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2ecacb0b4b6c73af424b7b4389fa55809368a98b
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:08 2015 +0200

      target-s390x: wire up DIAG REIPL in TCG mode

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 8df7eef3059394bd53cdf7609aac9a50a78aa030
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:07 2015 +0200

      target-s390x: wire up DIAG IPL in TCG mode

      DIAG IPL is already implemented for KVM, but not wired from TCG. For
      that change the format of the instruction so that we can get R1 and R3
      numbers in addition to the function code.

      The diag function can change plenty of things, including CC, so we
      should enter with a static CC. Also it doesn't set the value of general
      register 2 to 0 as in the current code. We also need to exit the CPU
      loop after a reset, which means a new PSW.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit cbed0ba78f04ce9e2e718431f64eb4b621288aca
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:06 2015 +0200

      target-s390x: fix s390_cpu_initial_reset

      The s390_cpu_initial_reset function zeroes a big part of the CPU state
      structure, including CPU_COMMON, and thus the QEMU TLB structure. As
      they should not be initialized with zeroes only, we need to call the
      tlb_flush to initialize it correctly.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit cc0d079d4582ee0ed97b5e3e3da4f6cb2b5bd67f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:05 2015 +0200

      target-s390x: initialize I/O interrupt queue

      env->io_index[] should be set to -1 during CPU reset to mark the
      I/O interrupt queue as empty.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7107e5a756317151666d47d1bc1e170293babaff
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:04 2015 +0200

      target-s390x: correctly initialize ext interrupt queue

      env->ext_index should be initialized to -1 to mark the external
      interrupt queue as emtpy. This should not be done in s390_cpu_initfn
      as all the interrupt fields are later reset to 0 by the memset in
      s390_cpu_initial_reset or s390_cpu_full_reset. Move the initialization
      there.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 06e3c077daa08c0a616e9507eb737401883ab645
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:03 2015 +0200

      target-s390x: fix setcc in TCG mode

      In TCG mode we should store the CC value in env->cc_op. However do it
      inconditionnaly because:
      - the tcg_enabled function is not inlined
      - it's probably faster to always store the value, especially given it
        is likely in the same cache line than env->psw.mask.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a499973ff32bc58f2db7b88ad5597ffdbc2becd7
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:02 2015 +0200

      virtio-ccw: disable ioevent bit when ioeventfds are not enabled

      This remove the corresponding error messages in TCG mode, and allow to
      simplify the s390_assign_subch_ioeventfd() function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d49f4ab48ec76e590ad72a2d6c3fba8459d3ded7
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Mon Jun 15 17:57:01 2015 +0200

      s390/ioinst: fix endianness in ioinst_schib_valid

      The ioinst_schib_valid gets a SCHIB in guest endianness, we should
      byteswap the fields we access.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ae52e585bf5e9678a77be033fd4b430a2e78dfed
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 17:57:00 2015 +0200

      s390/ioinst: fix IO_INT_WORD_ISC macro

      The I/O-Interruption Subclass field corresponds to bits 2 to 5 (BE
      notation) of the Interruption-Identification Word. The value should
      be shift by 27 instead of 24.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a09f4a9d19c500ea5cbcdc0bd7f0d540cf54f9f5
  Merge: 8c29f8d f3bcd42
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 17 11:12:35 2015 +0100

      Merge remote-tracking branch 
'remotes/kraxel/tags/pull-seabios-1.8.2-20150617-1' into staging

      update seabios to release 1.8.2
      add vgabios for virtio-vga

      # gpg: Signature made Wed Jun 17 08:34:22 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-seabios-1.8.2-20150617-1:
        update seabios and vgabios binaries
        tag our seabios builds
        update seabios submodule to release 1.8.2

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8c29f8d6b9595ac0f9ab1b41f22e91aebab482d7
  Merge: 93f6d1c f8d30a4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 17 10:13:40 2015 +0100

      Merge remote-tracking branch 'remotes/kvaneesh/tags/for-upstream-signed' 
into staging

      VirtFS update:

      * Fix for virtfs-proxy-helper crash
      * Gracefully handle the error condition on input validation in 
virtfs-proxy-helper

      # gpg: Signature made Tue Jun 16 16:21:28 2015 BST using RSA key ID 
04C4E23A
      # gpg: Good signature from "Aneesh Kumar K.V 
<aneesh.kumar@xxxxxxxxxxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 4846 9DE7 1860 360F A6E9  968C DE41 A4FE 04C4 
E23A

      * remotes/kvaneesh/tags/for-upstream-signed:
        virtfs-proxy-helper: fail gracefully if socket path is too long
        virtfs-proxy-helper: add missing long option terminator

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f3bcd42683dcc48c576281399d6cf6b34da6ba41
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 17 09:28:03 2015 +0200

      update seabios and vgabios binaries

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 7edf2f0ec4edbde50be3b54306adf5b8b16ca68b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 17 09:24:55 2015 +0200

      tag our seabios builds

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 10500ce26069b7c4746e8a2276aa03220a29581c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 17 09:11:47 2015 +0200

      update seabios submodule to release 1.8.2

      git shortlog rel-1.8.1..rel-1.8.2
      =================================

      Gerd Hoffmann (1):
            vga: rework virtio-vga support

      Kevin O'Connor (5):
            vgabios: Add config option for assembler fixups
            vgabios: Emulate "leal" instruction
            build: Support "make VERSION=xyz" to override the default build 
version
            build: CONFIG_VGA_FIXUP_ASM should depend on CONFIG_BUILD_VGABIOS
            vgabios: On bda_save_restore() the saved vbe_mode also has flags in 
it

      Paolo Bonzini (1):
            smm: ignore bits 16,18-31 of SMM revision ID

      Vladimir Serbinenko (1):
            ahci: Ignore max_ports.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f8d30a4f96d6c3a12e692d2e69b8fe4734b916c6
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 30 14:57:16 2015 +0100

      virtfs-proxy-helper: fail gracefully if socket path is too long

      Replace the assertion check with graceful failure when the socket path
      is too long.  Programs should not crash on invalid input.  Print an
      error message and exit properly.

      Cc: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>

  commit bf6667d63ef4c4fbaf91051589a594ec1c235308
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 30 14:57:15 2015 +0100

      virtfs-proxy-helper: add missing long option terminator

      The getopt_long(3) long options array must have a zeroed terminator.

      This patch solves a segmentation fault when an unknown command-line
      option is encountered:

        $ fsdev/virtfs-proxy-helper --help
        Segmentation fault (core dumped)

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>

  commit 93f6d1c16036aaf34055d16f54ea770fb8d6d280
  Merge: 4316536 7a4dfd1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 16 10:35:43 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150615-1' 
into staging

      virtio-gpu: pci support bits and virtio-vga.

      # gpg: Signature made Mon Jun 15 13:55:19 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20150615-1:
        virtio-vga: add vgabios configuration
        virtio-vga: add '-vga virtio' support
        virtio-vga: add virtio gpu device with vga compatibility
        virtio-gpu-pci: add virtio pci support
        virtio-gpu: fix error message

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4316536bf424d2e7f9cfa7d0dd561adb0986cc81
  Merge: 1dfe73b 45c874e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 16 09:07:22 2015 +0100

      Merge remote-tracking branch 'remotes/riku/tags/pull-linux-user-20150616' 
into staging

      linux-user patches for 2.4 softfreeze
      second spin with ioctl patch refreshed

      # gpg: Signature made Tue Jun 16 08:03:14 2015 BST using RSA key ID 
DE3C9BC0
      # gpg: Good signature from "Riku Voipio <riku.voipio@xxxxxx>"
      # gpg:                 aka "Riku Voipio <riku.voipio@xxxxxxxxxx>"

      * remotes/riku/tags/pull-linux-user-20150616:
        linux-user: ioctl() command type is int
        linux-user: fix the breakpoint inheritance in spawned threads
        linux-user: use __get_user and __put_user in cmsg conversions
        linux-user: Fix length handling in host_to_target_cmsg
        linux-user: Use abi_ulong for TARGET_ELF_PAGESTART
        linux-user: Allocate thunk size dynamically

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 45c874ebbae661238bfa3c0534480ebe2940b112
  Author: Laurent Vivier <laurent@xxxxxxxxx>
  Date:   Tue Jun 16 00:35:28 2015 +0200

      linux-user: ioctl() command type is int

      When executing a 64bit target chroot on 64bit host,
      the ioctl() command can mismatch.

      It seems the previous commit doesn't solve the problem in
      my case:

          9c6bf9c7 linux-user: Fix ioctl cmd type mismatch on 64-bit targets

      For example, a ppc64 chroot on an x86_64 host:

      bash-4.3# ls
      Unsupported ioctl: cmd=0x80087467
      Unsupported ioctl: cmd=0x802c7415

      The origin of the problem is in syscall.c:do_ioctl().

          static abi_long do_ioctl(int fd, abi_long cmd, abi_long arg)

      In this case (ppc64) abi_long is long (on the x86_64), and

          cmd = 0x0000000080087467

      then
          if (ie->target_cmd == cmd)

      target_cmd is int, so target_cmd = 0x80087467
      and to compare an int with a long, the sign is extended to 64bit,
      so the comparison is:

          if (0xffffffff80087467 == 0x0000000080087467)

      which doesn't match whereas it should.

      This patch uses int in the case of the target command type
      instead of abi_long.

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 1d085f6cae51b1a0fb92ad03ce8bf038e29c9750
  Author: Thierry Bultel <thierry.bultel@xxxxxxxxxxxxx>
  Date:   Fri Jun 12 11:24:10 2015 +0200

      linux-user: fix the breakpoint inheritance in spawned threads

      When a thread is spawned, cpu_copy re-initializes
      the bp & wp lists of current thread, instead of the ones
      of the new thread.
      The effect is that breakpoints are no longer hit.

      Signed-off-by: Thierry Bultel <thierry.bultel@xxxxxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 876e23cb2e545148a0ee4effda5c63c861855941
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 26 19:46:32 2015 +0100

      linux-user: use __get_user and __put_user in cmsg conversions

      The target payloads in cmsg conversions may not have the alignment
      required by the host. Using the get_user and put_user functions is
      the easiest way to handle this and also do the byte-swapping we
      require.

      (Note that prior to this commit target_to_host_cmsg was incorrectly
      using __put_user() rather than __get_user() for the SCM_CREDENTIALS
      conversion, which meant it wasn't getting the benefit of the
      misalignment handling.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit c2aeb2586bd258ad76fcfe308f883075e73ff1d2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 26 19:46:31 2015 +0100

      linux-user: Fix length handling in host_to_target_cmsg

      The previous code for handling payload length when converting
      cmsg structures from host to target had a number of problems:
       * we required the msg->msg_controllen to declare the buffer
         to have enough space for final trailing padding (we were
         checking against CMSG_SPACE), whereas the kernel does not
         require this, and common userspace code assumes this. (In
         particular, glibc's "try to talk to nscd" code that it will
         run on startup will receive a cmsg with a 4 byte payload and
         only allocate 4 bytes for it, which was causing us to do
         the wrong thing on architectures that need 8-alignment.)
       * we weren't correctly handling the fact that the SO_TIMESTAMP
         payload may be larger for the target than the host
       * we weren't marking the messages with MSG_CTRUNC when we did
         need to truncate a message that wasn't truncated by the host,
         but were instead logging a QEMU message; since truncation is
         always the result of a guest giving us an insufficiently
         sized buffer, we should report it to the guest as the kernel
         does and don't log anything

      Rewrite the parts of the function that deal with length to
      fix these issues, and add a comment in target_to_host_cmsg
      to explain why the overflow logging it does is a QEMU bug,
      not a guest issue.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 1dfe73b94de5a75038a725b17dc7d08a23a977ec
  Merge: b500e4d f264d51
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:43:09 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150615' into staging

      target-arm queue:
       * Handle "extended small page" descriptors correctly
       * Use extended address bits from supersection short descriptors
       * Update interrupt status for all cores in gic_update
       * Fix off-by-one in exynos4210_fimd bit-swap code
       * Remove stray unused 'pending_exception' field
       * Add Cortex-A53 KVM support
       * Fix reset value of REVIDR
       * Add AArch32 MIDR aliases for ARMv8 cores
       * MAINTAINERS update for ARM ACPI code
       * Trust the kernel's value of MPIDR if we're using KVM
       * Various pxa2xx device updates to avoid old APIs
       * Mark pxa2xx copro registers as ARM_CP_IO so -icount works
       * Correctly UNDEF Thumb2 DSP insns on Cortex-M3
       * Initial work towards implementing PMSAv7
       * Fix a reset order bug introduced recently
       * Correct "preferred return address" for cpreg access exceptions
       * Add ACPI SPCR table for the virt board

      # gpg: Signature made Mon Jun 15 18:19:34 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150615: (28 commits)
        hw/arm/virt-acpi-build: Add SPCR table
        ACPI: Add definitions for the SPCR table
        target-arm: Correct "preferred return address" for cpreg access 
exceptions
        hw/arm/boot: fix rom_reset notifier registration order
        arm: helper: rename get_phys_addr_mpu
        arm: Add has-mpu property
        arm: Implement uniprocessor with MP config
        arm: Refactor get_phys_addr FSR return mechanism
        arm: helper: Factor out CP regs common to [pv]msa
        arm: Don't add v7mp registers in MPU systems
        arm: Do not define TLBTR in PMSA systems
        target-arm: Add the THUMB_DSP feature
        hw/sd/pxa2xx_mmci: Stop using old_mmio in MemoryRegionOps
        hw/arm/pxa2xx: Convert pxa2xx-ssp to VMState
        hw/arm/pxa2xx: Add reset method for pxa2xx_ssp
        hw/arm/pxa2xx: Convert pxa2xx-fir to QOM and VMState
        hw/arm/pxa2xx: Mark coprocessor registers as ARM_CP_IO
        target-arm: Use the kernel's idea of MPIDR if we're using KVM
        MAINTAINERS: Add myself as ARM ACPI Subsystem maintainer
        target-arm: add AArch32 MIDR aliases in ARMv8
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f264d51d8ad939d7fb339d61a8cf680ed0cb21a2
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:11 2015 +0100

      hw/arm/virt-acpi-build: Add SPCR table

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Tested-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1433929959-29530-3-git-send-email-drjones@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b8a0d75ef85b8f24c92a6c50817fa9579b4a98d9
  Author: Andrew Jones <drjones@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:11 2015 +0100

      ACPI: Add definitions for the SPCR table

      SPCR is the Serial Port Console Redirection Table. See the document
      linked from http://uefi.org/acpi. For serial port types, "Interface
      Type", see the documentation for the Debug Port Table 2 (DBG2).

      Signed-off-by: Andrew Jones <drjones@xxxxxxxxxx>
      Tested-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1433929959-29530-2-git-send-email-drjones@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3977ee5d7a9f2e3664dd8b233f3224694e23b62b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:11 2015 +0100

      target-arm: Correct "preferred return address" for cpreg access exceptions

      The architecture defines that when taking an exception trying to
      access a coprocessor register, the "preferred return address" for
      the exception is the address of the instruction that caused the
      exception. Correct an off-by-4 error which meant we were returning
      the address after the instruction for traps which happened because
      of a failure of a runtime access-check function on an AArch32
      register. (Traps caused by translate-time checkable permissions
      failures had the correct address, as did traps on AArch64 registers.)

      This fixes https://bugs.launchpad.net/qemu/+bug/1463338

      Reported-by: Robert Buhren <robert@xxxxxxxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1433861440-30133-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 63a183ed0eac2956574745c84faffa042d99afb8
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:11 2015 +0100

      hw/arm/boot: fix rom_reset notifier registration order

      commit ac9d32e39664e060cd1b538ff190980d57ad69e4 had the consequence to
      register the do_cpu_reset after the rom_reset one. Hence they get
      executed in the wrong order. This commit restores the registration of
      do_cpu_reset in arm_load_kernel.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reported-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Tested-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434111582-9325-1-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 13689d43646482f7305282de1bdd662c0d2b8b77
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: helper: rename get_phys_addr_mpu

      This get_phys_addr is really for pmsav5. Rename it accordingly.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
bf4b019aa87d682a45998105ef8e4d4e97a5e117.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8f325f568fbd0158cd413e7d637573ba90b3eaab
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Add has-mpu property

      For processors that support MPUs, add a property to de-feature it. This
      is similar to the implementation of the EL3 feature.

      The processor definition in init sets ARM_FEATURE_MPU if it can support
      an MPU. post_init exposes the property, defaulting to true. If cleared
      by the instantiator, ARM_FEATURE_MPU is then removed at realize time.

      This is to support R profile processors that may or may-not have an MPU
      configured.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
632918cc48786e868ea18aa6bd12f70597994cad.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a8e81b319d1ae1224cc7059877dcdf04a5aad59d
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Implement uniprocessor with MP config

      Add a boolean for indicating uniprocessors with MP extensions. This
      drives the U bit in MPIDR. Prepares support for Cortex-R5.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a70a80583df265e0174f01fa1fc92b33ea6d1db5.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b7cc4e82f04a1c5b218a657f677a2fdd1e1c2889
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Refactor get_phys_addr FSR return mechanism

      Currently, the return code for get_phys_addr is overloaded for both
      success/fail and FSR value return. This doesn't handle the case where
      there is an error with a 0 FSR. This case exists in PMSAv7.

      So rework get_phys_addr and friends to return a success/failure boolean
      return code and populate the FSR via a caller provided uint32_t
      pointer.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a209e3d8ae00cda55260c970891f520210e26bad.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8e5d75c950a1241f6e1243c37f28cd58f68fedc9
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: helper: Factor out CP regs common to [pv]msa

      V6+ PMSA and VMSA share some common registers that are currently
      in the VMSA definition block. Split them out into a new def that can
      be shared to PMSA.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
284db78a43c63c9bfbb60de539672c361bcb6af8.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5e5cf9e35f25f9f932a6ce25107c11b67b426a43
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Don't add v7mp registers in MPU systems

      These registers are VMSA specific so they should be conditional on
      VMSA (i.e. !MPU).

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
7bb8843e45f2635c6b7a583c5bb5da51ed4442a0.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8085ce63c5967d200f1241b6c0a189371993c5df
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:10 2015 +0100

      arm: Do not define TLBTR in PMSA systems

      If doing a PMSA (MPU) system do not define the VMSA specific TLBTR CP.
      The def is done separately from VMSA registers group as it is affected
      by both the OMAP/STRONGARM RW errata and the MIDR backgrounding.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
b03fea3840207edf633f5c9189400c3dd6a28d14.1434066412.git.peter.crosthwaite@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 62b44f059a84d1ac580a653fc4110dfabaef6b83
  Author: Aurelio C. Remonda <aurelioremonda@xxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      target-arm: Add the THUMB_DSP feature

      Create an ARM_FEATURE_THUMB_DSP controlling the Thumb encodings of
      the 85 DSP instructions (these are all Thumb2). This is enabled for
      all non-M-profile CPUs with Thumb2 support, as the instructions are
      mandatory for R and A profiles. On M profile they are optional and
      not present in the Cortex-M3 (though they are in the M4).

      The effect of this commit is that we will now treat the DSP
      encodings as illegal instructions on M3, when previously we
      incorrectly implemented them.

      Signed-off-by: Aurelio C. Remonda <aurelioremonda@xxxxxxxxx>
      Message-id: 1434311355-26554-1-git-send-email-aurelioremonda@xxxxxxxxx
      [PMM: added clz/crc32/crc32c and default case to the early-decode switch;
       minor format/spacing fixups; reworded commit message a bit]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 13e1e476b4bc111d36fffaea025f90d8db52b697
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/sd/pxa2xx_mmci: Stop using old_mmio in MemoryRegionOps

      Update the pxa2xx_mmci device to stop using the old_mmio read
      and write callbacks in its MemoryRegionOps. This actually
      simplifies the code because the separate byte/halfword/word
      access functions were all calling into a single function to
      do the work anyway.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 8e079caf82c3658ee64bca37c91953b38296d427
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/arm/pxa2xx: Convert pxa2xx-ssp to VMState

      The pxa2xx-ssp device is already a QOM device but is still
      using the old-style register_savevm(); convert to VMState.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit ce3203464bee89d2ae958717222981326a37775e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/arm/pxa2xx: Add reset method for pxa2xx_ssp

      The pxa2xx_ssp device was missing a reset method; add one.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter..crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 1fd9f2df241554b68b3a19ad1c94c475c7bb85ea
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/arm/pxa2xx: Convert pxa2xx-fir to QOM and VMState

      Convert the pxa2xx-fir device to QOM, including using a
      VMState for its migration info.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit 14c3032a7ebd5a354381465453c0c0690b7342d1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      hw/arm/pxa2xx: Mark coprocessor registers as ARM_CP_IO

      The pxa2xx custom coprocessor registers in cp6 and cp14 do device
      accesses, so mark the non-constant regs as ARM_CP_IO so that
      icount works correctly and doesn't abort.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1434117989-7367-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit eb5e1d3c85dffe677da2550d211f9304a7d5ba3b
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Mon Jun 15 18:06:09 2015 +0100

      target-arm: Use the kernel's idea of MPIDR if we're using KVM

      When we're using KVM, the kernel's internal idea of the MPIDR
      affinity fields must match the values we tell it for the guest
      vcpu cluster configuration in the device tree. Since at the moment
      the kernel doesn't support letting userspace tell it the correct
      affinity fields to use, we must read the kernel's view and
      reflect that back in the device tree.

      Signed-off-by: Shlomo Pongratz <shlomo.pongratz@xxxxxxxxxx>
      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Message-id: 02f601d0a1e6$90c7d630$b2578290$@samsung.com
      [PMM: Use a local #define rather than a global variable for
       the TCG ARM_CPUS_PER_CLUSTER setting. Tweak a comment. Update the
       commit message.]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8f4d260e70aff7c3796d97c78ba0663696e2d503
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      MAINTAINERS: Add myself as ARM ACPI Subsystem maintainer

      Add Shannon Zhao as the maintainer for the ARM ACPI Subsystem.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Claudio Fontana <claudio.fontana@xxxxxxxxxx>
      Acked-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1433248318-6076-1-git-send-email-shannon.zhao@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ac00c79ff6635ae9fd732ff357ada0d05e795500
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      target-arm: add AArch32 MIDR aliases in ARMv8

      According to ARMv8 ARM, there are additional aliases to MIDR system 
register in
      AArch32 state. So add them to the list.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1433321048-23793-3-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 13b72b2b9aa7ab7ee129e38e9587acd6a1b9a932
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      target-arm: Fix REVIDR reset value

      According to ARM Cortex-A53/A57 TRM, REVIDR reset value should be zero. 
So let
      REVIDR reset value be specified by CPU model and correct it for 
Cortex-A53/A57.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1433321048-23793-2-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8772de2c53b44c75f18140646aa928e6d77cb9d8
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      hw/arm/virt: Add cortex-a53 cpu support in machine virt

      Add cortex-a53 cpu support in machine virt, so it can be used for TCG
      and KVM.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1433207452-4512-3-git-send-email-shannon.zhao@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7525465e6def0ef878741087b36e4657016dce80
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      target-arm/kvm64: Add cortex-a53 cpu support

      Since commit e353102(target-arm: cpu64: Add support for Cortex-A53) has
      added Cortex-A53 cpu support for target-arm, this patch just enables it
      for kvm-arm.

      Here adding XGENE_POTENZA just makes the enum continuous.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1433207452-4512-2-git-send-email-shannon.zhao@xxxxxxxxxx
      [PMM: Don't add the CPU types to cpus_to_try[]; this array only
       lists old CPUs which were supported in pre-PREFERRED_TARGET kernels]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a79e0218e0ae27c9cdd2648bd46e5a916c903cc2
  Author: Alex Bennée <alex.bennee@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      target-arm/cpu.h: remove pending_exception

      This isn't used by any of the code. In fact it looks like it was never
      used as it came in with ARMv7 support.

      Signed-off-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1434020015-8868-1-git-send-email-alex.bennee@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 644ead5be1a851abff16886240c5c6fc1c5137c0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:08 2015 +0100

      hw/display/exynos4210_fimd: Fix bit-swapping code

      fimd_swap_data() includes code to reverse the bits in a
      64-bit integer, but an off-by-one error meant that it would
      try to shift off the top of the integer. Correct the bug
      (spotted by Coverity).

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1432912615-23107-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 235069a380147e31236b94c31528fc5170c3a421
  Author: Johan Karlsson <Johan.Karlsson@xxxxxxxx>
  Date:   Mon Jun 15 18:06:07 2015 +0100

      arm_gic: gic_update should always update all cores

      This patch fixes so that gic_update always updates all the cores with
      new pending irq states.  If the function returns early it is possible
      to get interrupts that has already been acknowledged.

      Signed-off-by: Johan Karlsson <johan.karlsson@xxxxxxxx>
      [PMM: rebased to apply to current master]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4e42a6ca37e39e56725518851f4388e46bd91129
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Mon Jun 15 18:06:07 2015 +0100

      target-arm: use extended address bits from supersection short descriptor

      Since ARMv7 with LPAE support, a supersection short translation table
      descriptor has had extended base address fields which hold bits 39:32 of
      translated address. These fields are IMPDEF in ARMv6 and ARMv7 without
      LPAE support.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1433235718-30485-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit fc1891c74ae122a9dc7854f38bae7db03cd911e6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 18:06:07 2015 +0100

      target-arm: Handle "extended small page" descriptors correctly

      The old ARMv5-style page table format includes a kind of second level
      descriptor named the "extended small page" format, whose primary purpose
      is to allow specification of the TEX memory attribute bits on a 4K page.
      This exists on ARMv6 and also (as an implementation extension) on XScale
      CPUs; it's UNPREDICTABLE on v5.

      We were mishandling this in two ways:
       (1) we weren't implementing it for v6 (probably never noticed because
      Linux will use the new-style v6 page table format there)
       (2) we were not correctly setting the page_size, which is 4K, not 1K

      The latter bug went unnoticed for years because the only thing which
      the page_size affects is which TLB entries get flushed when the guest
      does a TLB invalidate on an address in the page, and prior to commit
      2f0d8631b7 we were doing a full TLB flush very frequently due to Linux's
      habit of writing the SCTLR pointlessly a lot.

      (We can assume that after commit 2f0d8631b7 the bug went unnoticed
      for a year because nobody's actually using the Zaurus/XScale emulation...)

      Report the correct page size for these descriptors, and permit them
      on ARMv6 CPUs. This fixes a problem where a kernel image for Zaurus
      can boot the kernel OK but gets random segfaults when it tries to
      run userspace programs.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1432844085-16441-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit b500e4db8e3e0b5f41a2dd14e2001200e5fc7d6b
  Merge: 46bca54 d95d7d8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 16:15:32 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-audio-20150615-1' 
into staging

      audio: remove obsolete backends (esd, fmod, winwave).
      audio: stop using global variables, small fixes.
      audio: remove some obsolte and unused code.

      # gpg: Signature made Mon Jun 15 13:24:44 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-audio-20150615-1:
        ossaudio: use trace events instead of debug config flag
        alsaaudio: use trace events instead of verbose
        dsoundaudio: remove primary buffer
        dsoundaudio: remove *_retries kludges
        audio: remove plive
        audio: remove LOG_TO_MONITOR along with default_mon
        MAINTAINERS: remove malc from audio
        sdlaudio: do not allow multiple instances
        coreaudio: do not use global variables where possible
        dsoundaudio: do not use global variables
        paaudio: fix possible resource leak
        wavaudio: do not use global variables
        ossaudio: do not use global variables
        alsaaudio: do not use global variables
        paaudio: do not use global variables
        audio: expose drv_opaque to init_out and init_in
        only enable dsound in case the header file is present
        audio: remove winwave audio driver
        audio: remove fmod backend
        audio: remove esd backend

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6a084ea39aec84d352dbd3de0f523daaaaac8c7d
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jun 15 16:20:21 2015 +0200

      vhost-user: part of virtio

      vhost user is related to virtio, add it to the relevant entry.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 46bca5404b08201bb9df1ac32bc88fc7e6db1f74
  Merge: f3e3b08 8369e33
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 13:24:50 2015 +0100

      Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20150615' 
into staging

      s390x/kvm/watchdog

      1. Implement a diag288 based watchdog
      2. Fix virtio-ccw BIOS for gcc >= 4.9

      # gpg: Signature made Mon Jun 15 12:36:25 2015 BST using RSA key ID 
B5A61C7C
      # gpg: Good signature from "Christian Borntraeger (IBM) 
<borntraeger@xxxxxxxxxx>"

      * remotes/borntraeger/tags/s390x-20150615:
        s390/bios: build with -fdelete-null-pointer-checks
        watchdog: Add new Virtual Watchdog action INJECT-NMI
        nmi: Implement inject_nmi() for non-monitor context use
        s390x/watchdog: diag288 migration support
        s390x/kvm: diag288 instruction interception and handling
        s390x/watchdog: introduce diag288 watchdog device
        watchdog: change option wording to allow for more watchdogs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8369e339d24f365750da456588e742674c153437
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon Jun 15 12:24:03 2015 +0200

      s390/bios: build with -fdelete-null-pointer-checks

      Starting with version 4.9, GCC assumes it can't safely dereference null
      pointers, and uses this for some optimizations. On s390, the lowcore
      memory is located at address 0, so this assumption is wrong and breaks
      the s390-ccw firmware. Pass -fdelete-null-pointer-checks to avoid that.

      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1434363843-14576-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit d95d7d802c33f6277c9fb967c14ae0cc99aeb072
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:07 2015 +0200

      ossaudio: use trace events instead of debug config flag

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit fbb7ef56d55723a4996c288b50a16e6283eea13f
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:06 2015 +0200

      alsaaudio: use trace events instead of verbose

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6dd35fd81e06d469b6f5280adee0a16ee383db57
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:05 2015 +0200

      dsoundaudio: remove primary buffer

      Enabling this option just creates a playback buffer with the specified 
settings,
      and then ignores it. It's probably some outdated hack to set audio 
formats on
      windows. (The first created stream dictates all other streams settings, 
at least
      on some Windows versions). Setting DAC_FIXED_SETTINGS should have the same
      effect as setting (the now removed) primary buffer.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2762955f723570944966347600b5746e7dd99388
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:04 2015 +0200

      dsoundaudio: remove *_retries kludges

      According to MSDN this may happen when the window is not in the 
foreground, but
      the default is 1 since a long time (which means no retries), so it should 
be ok.
      I've found no problems during testing it on Windows 7 and wine, so this 
was
      probably only the case with some old Windows versions.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 73ad33ef7ba0d1e7c7f276663f36c4f72b9193a9
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:03 2015 +0200

      audio: remove plive

      It was useless even 3 years ago, so it can probably safely go away:
      https://lists.nongnu.org/archive/html/qemu-devel/2012-03/msg02427.html

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 06ac27f683c52890a6d174adba8c92354fa1eceb
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Fri Jun 12 14:33:02 2015 +0200

      audio: remove LOG_TO_MONITOR along with default_mon

      Setting QEMU_AUDIO_LOG_TO_MONITOR=1 can crash qemu (if qemu tries to log
      to the monitor before it's being initialized), and also nothing else in
      qemu logs to the monitor.

      This log to monitor feature was the last thing that used the default_mon
      variable, so I removed it too (as using it can cause problems).

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 65eb1e6b4c1c4f66deff9cdf9bfbdea267c59343
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jun 9 12:51:36 2015 +0200

      MAINTAINERS: remove malc from audio

      email bounces, with a appearently permanent error:
      "av1474@xxxxxxxx mail receiving disabled, rejecting"

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>

  commit 81ebb07c56a28aa7ca47c38eb44690025a9dd6b9
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:55 2015 +0200

      sdlaudio: do not allow multiple instances

      Since SDL uses a lot of global data, we can't create independent
      instances of sdl audio backend.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d1f52a1d704de2252bc48c64ca4d46086cb249a2
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:54 2015 +0200

      coreaudio: do not use global variables where possible

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 191e1f0acd32360b917fa54a52389b97d9b52b6f
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:52 2015 +0200

      dsoundaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 49dd6d0d33e1a59b4055713079e64062bc5092b5
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:53 2015 +0200

      paaudio: fix possible resource leak

      qpa_audio_init did not clean up resources properly if the initialization
      failed. This hopefully fixes it.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f2dcc6cec285938967446d412b0477e02e26f3ca
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:51 2015 +0200

      wavaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 4045a85ad1aadb1a56038ed3358e2093ba88f91f
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:50 2015 +0200

      ossaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 765b37da3f2824afd45b38c038af44da42b956f6
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:48 2015 +0200

      alsaaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 9a644c4b4dfc7ebe7994bfa568cbeaa1847ca5ff
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:49 2015 +0200

      paaudio: do not use global variables

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5706db1deb061ee9affdcea81e59c4c2cad7c41e
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:47 2015 +0200

      audio: expose drv_opaque to init_out and init_in

      Currently the opaque pointer returned by audio_driver's init is only
      exposed to the driver's fini, but not to audio_pcm_ops. This way if
      someone wants to share a variable with the driver and the pcm, he must
      use global variables. This patch fixes it by adding a third parameter to
      audio_pcm_op's init_out and init_in.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 307119e7d948bcdb5918fd762153deda471e695b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 10 09:07:35 2015 +0200

      only enable dsound in case the header file is present

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f3e3b083d4c266ea864ae3c83da49d4086857679
  Merge: 8aeaa05 67251a3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 15 10:43:06 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer core and image format patches

      # gpg: Signature made Fri Jun 12 16:08:53 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (25 commits)
        block: Fix reopen flag inheritance
        block: Add BlockDriverState.inherits_from
        block: Add list of children to BlockDriverState
        queue.h: Add QLIST_FIX_HEAD_PTR()
        block: Drain requests before swapping nodes in bdrv_swap()
        block: Move flag inheritance to bdrv_open_inherit()
        block: Use QemuOpts in bdrv_open_common()
        block: Use macro for cache option names
        vmdk: Use bdrv_open_image()
        quorum: Use bdrv_open_image()
        check-qdict: Test cases for new functions
        qdict: Add qdict_{set,copy}_default()
        qdict: Add qdict_array_entries()
        iotests: Add tests for overriding BDRV_O_PROTOCOL
        block: driver should override flags in bdrv_open()
        block: Change bitmap truncate conditional to assertion
        block: record new size in bdrv_dirty_bitmap_truncate
        raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size
        vmdk: Use vmdk_find_index_in_cluster everywhere
        vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3cec7cc22f95ce31565e8e2c03b06a2f7ae8bc6f
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:46 2015 +0200

      audio: remove winwave audio driver

      DirectSound should be a superior choice on Windows.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 14382605da6bda74516f275695bd3345bc54c464
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:45 2015 +0200

      audio: remove fmod backend

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0bac111167e33838fa869cacd16f92e5899252b3
  Author: KÅ?vágó, Zoltán <dirty.ice.hu@xxxxxxxxx>
  Date:   Wed Jun 3 23:03:44 2015 +0200

      audio: remove esd backend

      ESD is no longer developed and replaced by PulseAudio.

      Signed-off-by: KÅ?vágó, Zoltán <DirtY.iCE.hu@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 79cb1f1d698da5e1e183863aa3c8a91b2e750664
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Apr 20 16:15:20 2015 +0100

      linux-user: Use abi_ulong for TARGET_ELF_PAGESTART

      TARGET_ELF_PAGESTART is required to use abi_ulong to correctly handle
      addresses for different target bits width.
      This patch fixes a problem when running a 64-bit user mode application
      on 32-bit host machines.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 8be656b87c6bb1b9f8af3ff78094413d71e4443a
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed May 6 23:47:32 2015 +0200

      linux-user: Allocate thunk size dynamically

      We store all struct types in an array of static size without ever
      checking whether we overrun it. Of course some day someone (like me
      in another, ancient ALSA enabling patch set) will run into the limit
      without realizing it.

      So let's make the allocation dynamic. We already know the number of
      structs that we want to allocate, so we only need to pass the variable
      into the respective piece of code.

      Also, to ensure we don't accidently overwrite random memory, add some
      asserts to sanity check whether a thunk is actually part of our array.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Riku Voipio <riku.voipio@xxxxxxxxxx>

  commit 8aeaa055f5d3d4e87bf870892ba301eae57bdc1d
  Merge: 0a2df85 2db33f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 18:04:14 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Fri Jun 12 15:57:47 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        qemu-iotests: expand test 093 to support group throttling
        throttle: Update throttle infrastructure copyright
        throttle: add the name of the ThrottleGroup to BlockDeviceInfo
        throttle: acquire the ThrottleGroup lock in bdrv_swap()
        throttle: Add throttle group support
        throttle: Add throttle group infrastructure tests
        throttle: Add throttle group infrastructure
        throttle: Extract timers from ThrottleState into a separate structure
        raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size
        Revert "iothread: release iothread around aio_poll"

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 67251a311371c4d22e803f151f47fe817175b6c3
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 9 18:54:04 2015 +0200

      block: Fix reopen flag inheritance

      When reopening an image, the block layer already takes care to reopen
      bs->file as well with recalculated inherited flags. The same must happen
      for any other child (most notably missing before this patch: backing
      files).

      If bs->file (or any other child) didn't originally inherit from bs, e.g.
      because it was created separately and then only referenced, it must not
      inherit flags on reopen either, so check the inherited_from field before
      propagation the reopen down.

      VMDK already reopened its extents manually; this code can now be
      dropped.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit bddcec3745b0220d4a7eda700950812a94398668
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 9 18:47:50 2015 +0200

      block: Add BlockDriverState.inherits_from

      Currently, the block layer assumes that any block node can have only one
      parent, and if it has a parent, that it inherits some options/flags from
      this parent.

      This is not true any more: With references used in block device
      creation, a single node can be used by multiple parents, or it can be
      created separately and not inherit flags from any parent.

      To handle reopens correctly, a node must know from which parent it
      inherited options. This patch adds the information to BlockDriverState.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 6e93e7c41fdfdee3068770cae79380e1d986b76a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Apr 8 13:49:41 2015 +0200

      block: Add list of children to BlockDriverState

      This allows iterating over all children of a given BDS, not only
      including bs->file and bs->backing_hd, but also driver-specific
      ones like VMDK extents or Quorum children.

      For bdrv_swap(), the list of children of the swapped BDS stays at that
      BDS (because that's where the pointers stay as well). The list head
      moves and pointers to it must be fixed up therefore.

      The list of children in the parent of the swapped BDS is not affected by
      the swap. The contents of the BDS objects is swapped, so the existing
      pointer in the parent automatically points to the newly swapped in BDS.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit ae81693004fd95f7013e42811944707a92948d9a
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jun 10 13:47:35 2015 +0200

      queue.h: Add QLIST_FIX_HEAD_PTR()

      If the head of a list has been moved to a different memory location, the
      le_prev link in the first list entry has to be fixed up. Provide a macro
      that implements this fixup.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 6ee4ce1ee75a651c246d926c2302281b51981f6d
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jun 10 13:33:17 2015 +0200

      block: Drain requests before swapping nodes in bdrv_swap()

      bdrv_swap() requires that there are no requests in flight on either of
      the two devices. The request coroutine would work on the wrong
      BlockDriverState object (with bs->opaque even being interpreted as a
      different type potentially) and all sorts of bad things would result
      from this.

      The currently existing callers mostly ensure that there is no I/O
      pending on nodes that are swapped. In detail, this is:

      1. Live snapshots. This goes through qmp_transaction(), which calls
         bdrv_drain_all() before doing anything. The command is executed
         synchronously, so no new I/O can be issued concurrently.

      2. snapshot=on in bdrv_open(). We're in the middle of opening the image
         (both the original image and its temporary overlay), so there can't
         be any I/O in flight yet.

      3. Mirroring. bdrv_drain() is already used on the source device so that
         the mirror doesn't miss anything. However, the main loop runs between
         that and the bdrv_swap() (which is actually a bug, being addressed in
         another series), so there is a small window in which new I/O might be
         issued that would be in flight during bdrv_swap().

      It is safer to just drain the request queue of both devices in
      bdrv_swap() instead of relying on callers to do the right thing.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit f3930ed0bb1945b59da8e591072b5c79606d0760
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Apr 8 13:43:47 2015 +0200

      block: Move flag inheritance to bdrv_open_inherit()

      Instead of letting every caller of bdrv_open() determine the right flags
      for its child node manually and pass them to the function, pass the
      parent node and the role of the newly opened child (like backing file,
      protocol layer, etc.).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 18edf289a8951f3a48caff3b5fe17f2d414c2924
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 7 17:12:56 2015 +0200

      block: Use QemuOpts in bdrv_open_common()

      Instead of manually parsing options and then deleting them from the
      options QDict, just use QemuOpts like most other places that deal with
      block device options.

      More options will be added there and then QemuOpts is a lot more
      manageable than open-coding everything.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 54861b9280e95dd16c062b26a9d0adfe3608c63c
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 7 16:55:00 2015 +0200

      block: Use macro for cache option names

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>

  commit a646836784a0fc50fee6f9a0d3fb968289714128
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 7 15:35:59 2015 +0200

      vmdk: Use bdrv_open_image()

      Besides standardising on a single interface for opening child nodes,
      this patch allows the user to specify options to individual extent
      nodes. Overriding file names isn't possible with this yet, so it's of
      limited usefulness, but still a step forward.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit ea6828d81b34d42f407e8de28694d2751ee660a2
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jan 21 18:49:28 2015 +0100

      quorum: Use bdrv_open_image()

      Besides standardising on a single interface for opening child nodes,
      this simplifies the .bdrv_open() implementation of the quorum block
      driver by using block layer functionality for handling BlockdevRefs.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>

  commit ef1919df26b9b094aa41733466b134111fcdbd36
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 28 17:37:55 2015 +0200

      check-qdict: Test cases for new functions

      This adds test cases for the following new QDict functions:

      * qdict_array_entries()
      * qdict_set_default_str()
      * qdict_copy_default()

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 7990d2c99c974ae8e3c3f719d8321ddc6eac93bc
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Mon Jan 19 21:22:45 2015 +0100

      qdict: Add qdict_{set,copy}_default()

      In the block layer functions that determine options for a child block
      device, it's a common pattern to either copy options from the parent's
      options or to set a default string if the option isn't explicitly set
      yet for the child. Provide convenience functions so that it becomes a
      one-liner for each option.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit bd50530a9f40f6560a03caeaaddd451e2ce90ed8
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed Jan 21 17:15:44 2015 +0100

      qdict: Add qdict_array_entries()

      This counts the entries in a flattened array in a QDict without
      actually splitting the QDict into a QList.

      bdrv_open_image() doesn't take a QList, but rather a QDict and a key
      prefix string, so this is more convenient for block drivers which have a
      dynamically sized list of child nodes (e.g. Quorum) and are to be
      converted to using bdrv_open_image() as the standard interface for
      opening child nodes.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 0a2df857a7038c75379cc575de5d4be4c0ac629e
  Merge: 9faffeb fafa4d5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 15:39:05 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Fri Jun 12 13:57:20 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        qmp/hmp: add rocker device support
        rocker: bring link up/down on PHY enable/disable
        rocker: update tests using hw-derived interface names
        rocker: Add support for phys name
        iohandler: Change return type of qemu_set_fd_handler to "void"
        event-notifier: Always return 0 for posix implementation
        xen_backend: Remove unused error handling of qemu_set_fd_handler
        oss: Remove unused error handling of qemu_set_fd_handler
        alsaaudio: Remove unused error handling of qemu_set_fd_handler
        main-loop: Drop qemu_set_fd_handler2
        Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler
        tap: Drop tap_can_send
        net/socket: Drop net_socket_can_send
        netmap: Drop netmap_can_send
        l2tpv3: Drop l2tpv3_can_send
        stubs: Add qemu_set_fd_handler

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a68197ff5b11f5a58d48e485d16a36758aeca7f4
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Thu Mar 19 14:53:17 2015 -0400

      iotests: Add tests for overriding BDRV_O_PROTOCOL

      This adds tests for overriding the qemu-internal BDRV_O_PROTOCOL flag by
      explicitly specifying a block driver. As one test must be run over the
      NBD protocol while the other must not, this patch adds two separate
      iotests.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 53a295131274c87914c97053e2ca00f19a9c2efa
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Thu Mar 19 14:53:16 2015 -0400

      block: driver should override flags in bdrv_open()

      The BDRV_O_PROTOCOL flag should have an impact only if no driver is
      specified explicitly. Therefore, if bdrv_open() is called with an
      explicit block driver argument (either through the options QDict or
      through the drv parameter) and that block driver is a protocol block
      driver, BDRV_O_PROTOCOL should be set; if it is a format block driver,
      BDRV_O_PROTOCOL should be unset.

      While there was code to unset the flag in case a format block driver
      has been selected, it only followed the bdrv_fill_options() function
      call whereas the flag in fact needs to be adjusted before it is used
      there.

      With that change, BDRV_O_PROTOCOL will always be set if the BDS should
      be a protocol driver; if the driver has been specified explicitly, the
      new code will set it; and bdrv_fill_options() will only "probe" a
      protocol driver if BDRV_O_PROTOCOL is set. The probing after
      bdrv_fill_options() cannot select a protocol driver.

      Thus, bdrv_open_image() to open BDS.file is never called if a protocol
      BDS is about to be created. With that change in turn it is impossible to
      call bdrv_open_common() with a protocol drv and file != NULL, which
      allows us to remove the bdrv_swap() call.

      This change breaks a test case in qemu-iotest 051:
      "-drive file=t.qcow2,file.driver=qcow2" now works because the explicitly
      specified "qcow2" overrides the BDRV_O_PROTOCOL which is automatically
      set for the "file" BDS (and the filename is just passed down).
      Therefore, this patch removes that test case.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 06207b0ff596aa4bb192d1fafc593847ed888e39
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Jun 10 13:24:54 2015 -0400

      block: Change bitmap truncate conditional to assertion

      This is an artifact of an older version that had both all-bitmap and
      single-bitmap truncate functions, and some info got lost in the shuffle.

      Bitmaps can only be frozen during a backup operation, and a backup
      operation should prevent a resize operation, so just assert that this
      cannot happen.

      Suggested-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5270b6a0d0cf41e49d634007ace40f5dfc381940
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Mon Jun 8 16:49:15 2015 -0400

      block: record new size in bdrv_dirty_bitmap_truncate

      ce1ffea8 neglected to update the BdrvDirtyBitmap structure
      itself for internal consistency. It's currently not an issue,
      but for migration and persistence series this will cause headaches.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b8684454e152ca2e100f4b59d80de2be27186206
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 9 10:45:16 2015 +0200

      raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size

      Image files with an unaligned image size have a final hole that starts
      at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is
      returned when checking the status of this sector. In qemu-img, this
      triggers an assertion failure.

      In order to fix this, one type for the sector that contains EOF must be
      found. Treating a hole as data is safe, so this patch rounds the
      calculated number of data sectors up, so that a partial sector at EOF is
      treated as a full data sector.

      This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Cole Robinson <crobinso@xxxxxxxxxx>

  commit 90df601f06de14f062d2e8dc1bc57f0decf86fd1
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:02:57 2015 +0800

      vmdk: Use vmdk_find_index_in_cluster everywhere

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 61f0ed1d54601b91b8195c1a30d7046f83283b40
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:02:56 2015 +0800

      vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status

      It has the similar issue with b1649fae49a8. Since the calculation
      is repeated for a few times already, introduce a function so it can be
      reused.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bc85ef265a0118d044ff62ae217c186cb08e0866
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Jun 1 18:09:19 2015 +0200

      qcow2: Add DEFAULT_L2_CACHE_CLUSTERS

      If a relatively large cluster size is chosen, the default of 1 MB L2
      cache is not really appropriate. In this case, unless overridden by the
      user, the default cache size should not be determined by its size in
      bytes but by the number of L2 tables (clusters) it is supposed to
      contain.

      Note that without this patch, MIN_L2_CACHE_SIZE will effectively take
      over the same role. However, providing space for just two L2 tables is
      not enough to be the default.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a4291eafc597c0944057930acf3e51d899f79c2e
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Jun 1 18:09:18 2015 +0200

      iotests: qcow2 COW with minimal L2 cache size

      This adds a test case to test 103 for performing a COW operation in a
      qcow2 image using an L2 cache with minimal size (which should be at
      least two clusters so the COW can access both source and destination
      simultaneously).

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 57e216695948a79d9ced82fc217a37cce70fd986
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Jun 1 18:09:17 2015 +0200

      qcow2: Set MIN_L2_CACHE_SIZE to 2

      The L2 cache must cover at least two L2 tables, because during COW two
      L2 tables are accessed simultaneously.

      Reported-by: Alexander Graf <agraf@xxxxxxx>
      Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Tested-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9aa711d75030356f1e179b9f71780da5fd1a45bb
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue May 19 10:46:13 2015 +0000

      qemu-iotests: Fix 128 if sudo required

      If passwordless "sudo" works, use it in the qemu-io cmd.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ff793890faeb119c8dad53b7ed614407ff7b027a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 12:01:41 2015 -0400

      iotests: remove assertIsNotNone call

      RHEL6 doesn't have Python 2.7, so replace this call with
      assertNotEqual(x, None) which will work just as well.

      Reported-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9faffeb7772fddcb5d3fb2dbdcfe7e8a38f01637
  Merge: 4cb618a d218b28
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 14:31:13 2015 +0100

      Merge remote-tracking branch 'remotes/aurel/tags/pull-sh4-next-20150612' 
into staging

      sh4 linux-user cpu and hwcap
      misc optimizations and cleanup
      convert r2d to new MMIO accessor style

      # gpg: Signature made Fri Jun 12 11:28:43 2015 BST using RSA key ID 
1DDD8C9B
      # gpg: Good signature from "Aurelien Jarno <aurelien@xxxxxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurelien@xxxxxxxx>"
      # gpg:                 aka "Aurelien Jarno <aurel32@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 7746 2642 A9EF 94FD 0F77  196D BA9C 7806 1DDD 
8C9B

      * remotes/aurel/tags/pull-sh4-next-20150612:
        target-sh4: remove dead code
        target-sh4: factorize fmov implementation
        target-sh4: split out Q and M from of SR and optimize div1
        target-sh4: optimize negc using add2 and sub2
        target-sh4: optimize subc using sub2
        target-sh4: optimize addc using add2
        target-sh4: Split out T from SR
        target-sh4: use bit number for SR constants
        sh4/r2d: convert to new MMIO accessor style
        linux-user: Add HWCAP for SH4
        linux-user: Default sh4 to sh7785

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2db33f88d2b340c049c576ad75d442e4b6ffe768
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:48 2015 +0200

      qemu-iotests: expand test 093 to support group throttling

      This patch improves the test by attaching a different number of drives
      to the VM and putting them in the same throttling group. The test
      verifies that the I/O is evenly distributed among all members of the
      group, and that the limits are enforced.

      By default the test is repeated 3 times with 1, 2 and 3 drives, but
      the maximum number of simultaneous drives is configurable.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
513df1da5c658878191b579ebcddd985adcd4122.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a291d5d9b9940e1b07319041afc2c4b9285b9c48
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:47 2015 +0200

      throttle: Update throttle infrastructure copyright

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
07dcd4ed02f0110b13b3140f477b761b8bb8e270.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b8fe1694e506362706cde65d1bf55b23e62b150e
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:46 2015 +0200

      throttle: add the name of the ThrottleGroup to BlockDeviceInfo

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
172df91f09c69c6f0440a697bbd1b3f95b077ee4.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit db6283385cb708b9d589e5b57e96eab4afd0269e
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:45 2015 +0200

      throttle: acquire the ThrottleGroup lock in bdrv_swap()

      bdrv_swap() touches the fields of a BlockDriverState that are
      protected by the ThrottleGroup lock. Although those fields end up in
      their original place, they are temporarily swapped in the process,
      so there's a chance that an operation on a member of the same group
      happening on a different thread can try to use them.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
d92dc40d7c4f1fc5cda5cbbf4ffb7a4670b79d17.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 76f4afb40fa076ed23fe0ab42c7a768ddb71123f
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:44 2015 +0200

      throttle: Add throttle group support

      The throttle group support use a cooperative round robin scheduling
      algorithm.

      The principles of the algorithm are simple:
      - Each BDS of the group is used as a token in a circular way.
      - The active BDS computes if a wait must be done and arms the right
        timer.
      - If a wait must be done the token timer will be armed so the token
        will become the next active BDS.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
f0082a86f3ac01c46170f7eafe2101a92e8fde39.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1fee955f9cc5903b3c7f79bbd90929aefad583a6
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:43 2015 +0200

      throttle: Add throttle group infrastructure tests

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 
ba7b9dc7fca43efbb31d5f3aad91a8dbdbea635b.1433779731.git.berto@xxxxxxxxxx
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2ff1f2e3a39daf4a401a8904d00b29ea8c450463
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 18:17:42 2015 +0200

      throttle: Add throttle group infrastructure

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
2fdb4de17210b733a13eb472c33cd08b45f8fd21.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0e5b0a2d54f4dca2f6d1a676da8ec089dc143001
  Author: Benoît Canet <benoit.canet@xxxxxxxxxxxx>
  Date:   Mon Jun 8 18:17:41 2015 +0200

      throttle: Extract timers from ThrottleState into a separate structure

      Group throttling will share ThrottleState between multiple bs.
      As a consequence the ThrottleState will be accessed by multiple aio
      context.

      Timers are tied to their aio context so they must go out of the
      ThrottleState structure.

      This commit paves the way for each bs of a common ThrottleState to
      have its own timer.

      Signed-off-by: Benoit Canet <benoit.canet@xxxxxxxxxxxx>
      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 
6cf9ea96d8b32ae2f8769cead38f68a6a0c8c909.1433779731.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f4a769abaa51badea666093077c50c568c35de17
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Jun 9 10:55:08 2015 +0200

      raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size

      Image files with an unaligned image size have a final hole that starts
      at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is
      returned when checking the status of this sector. In qemu-img, this
      triggers an assertion failure.

      In order to fix this, one type for the sector that contains EOF must be
      found. Treating a hole as data is safe, so this patch rounds the
      calculated number of data sectors up, so that a partial sector at EOF is
      treated as a full data sector.

      This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1433840108-9996-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit da5e1de95bb235330d7724316e7a29239d1359d5
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Jun 3 10:15:33 2015 +0100

      Revert "iothread: release iothread around aio_poll"

      This reverts commit a0710f7995f914e3044e5899bd8ff6c43c62f916.

      In qemu-devel email message <556DBF87.2020908@xxxxxxxxxx>, Christian
      Borntraeger writes:

        Having many guests all with a kernel/ramdisk (via -kernel) and
        several null block devices will result in hangs. All hanging
        guests are in partition detection code waiting for an I/O to return
        so very early maybe even the first I/O.

        Reverting that commit "fixes" the hangs.

      Reverting this commit for the 2.4 release.  More time is needed to
      investigate and correct this patch.

      Reported-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Suggested-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fafa4d508b42a70a59a6bd647a2c0cfad86246c3
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jun 10 18:21:21 2015 -0700

      qmp/hmp: add rocker device support

      Add QMP/HMP support for rocker devices.  This is mostly for debugging 
purposes
      to see inside the device's tables and port configurations.  Some examples:

      (qemu) info rocker sw1
      name: sw1
      id: 0x0000013512005452
      ports: 4

      (qemu) info rocker-ports sw1
                  ena/    speed/ auto
            port  link    duplex neg?
           sw1.1  up     10G  FD  No
           sw1.2  up     10G  FD  No
           sw1.3  !ena   10G  FD  No
           sw1.4  !ena   10G  FD  No

      (qemu) info rocker-of-dpa-flows sw1
      prio tbl hits key(mask) --> actions
      2    60       pport 1 vlan 1 LLDP src 00:02:00:00:02:00 dst 
01:80:c2:00:00:0e
      2    60       pport 1 vlan 1 ARP src 00:02:00:00:02:00 dst 
00:02:00:00:03:00
      2    60       pport 2 vlan 2 IPv6 src 00:02:00:00:03:00 dst 
33:33:ff:00:00:02 proto 58
      3    50       vlan 2 dst 33:33:ff:00:00:02 --> write group 0x32000001 
goto tbl 60
      2    60       pport 2 vlan 2 IPv6 src 00:02:00:00:03:00 dst 
33:33:ff:00:03:00 proto 58
      3    50  1    vlan 2 dst 33:33:ff:00:03:00 --> write group 0x32000001 
goto tbl 60
      2    60       pport 2 vlan 2 ARP src 00:02:00:00:03:00 dst 
00:02:00:00:02:00
      3    50  2    vlan 2 dst 00:02:00:00:02:00 --> write group 0x02000001 
goto tbl 60
      2    60  1    pport 2 vlan 2 IP src 00:02:00:00:03:00 dst 
00:02:00:00:02:00 proto 1
      3    50  2    vlan 1 dst 00:02:00:00:03:00 --> write group 0x01000002 
goto tbl 60
      2    60  1    pport 1 vlan 1 IP src 00:02:00:00:02:00 dst 
00:02:00:00:03:00 proto 1
      2    60       pport 1 vlan 1 IPv6 src 00:02:00:00:02:00 dst 
33:33:ff:00:00:01 proto 58
      3    50       vlan 1 dst 33:33:ff:00:00:01 --> write group 0x31000000 
goto tbl 60
      2    60       pport 1 vlan 1 IPv6 src 00:02:00:00:02:00 dst 
33:33:ff:00:02:00 proto 58
      3    50  1    vlan 1 dst 33:33:ff:00:02:00 --> write group 0x31000000 
goto tbl 60
      1    60  173  pport 2 vlan 2 LLDP src <any> dst 01:80:c2:00:00:0e --> 
write group 0x02000000
      1    60  6    pport 2 vlan 2 IPv6 src <any> dst <any> --> write group 
0x02000000
      1    60  174  pport 1 vlan 1 LLDP src <any> dst 01:80:c2:00:00:0e --> 
write group 0x01000000
      1    60  174  pport 2 vlan 2 IP src <any> dst <any> --> write group 
0x02000000
      1    60  6    pport 1 vlan 1 IPv6 src <any> dst <any> --> write group 
0x01000000
      1    60  181  pport 2 vlan 2 ARP src <any> dst <any> --> write group 
0x02000000
      1    10  715  pport 2 --> apply new vlan 2 goto tbl 20
      1    60  177  pport 1 vlan 1 ARP src <any> dst <any> --> write group 
0x01000000
      1    60  174  pport 1 vlan 1 IP src <any> dst <any> --> write group 
0x01000000
      1    10  717  pport 1 --> apply new vlan 1 goto tbl 20
      1    0   1432 pport 0(0xffff) --> goto tbl 10

      (qemu) info rocker-of-dpa-groups sw1
      id (decode) --> buckets
      0x32000001 (type L2 multicast vlan 2 index 1) --> groups 
[0x02000001,0x02000000]
      0x02000001 (type L2 interface vlan 2 pport 1) --> pop vlan out pport 1
      0x01000002 (type L2 interface vlan 1 pport 2) --> pop vlan out pport 2
      0x02000000 (type L2 interface vlan 2 pport 0) --> pop vlan out pport 0
      0x01000000 (type L2 interface vlan 1 pport 0) --> pop vlan out pport 0
      0x31000000 (type L2 multicast vlan 1 index 0) --> groups 
[0x01000002,0x01000000]

      [Added "query-" prefixes to rocker.json commands as suggested by Eric
      Blake <eblake@xxxxxxxxxx>.
      --Stefan]

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1433985681-56138-5-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5ff1547b756a820bc7b695fe393b25d82467d1fe
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jun 10 18:21:20 2015 -0700

      rocker: bring link up/down on PHY enable/disable

      When the OS driver enables/disables the port, go ahead and set the port's
      link status to up/down in response to the change.  This more closely
      emulates real hardware when the PHY for the port is brought up/down
      and the PHY negotiates carrier (link status) with link partner.  In
      the case of qemu, the virtual rocker device can't really do link
      negotiation with the link partner as that requires signally over a
      physical medium (the wire), so just pretend the negotiation was
      successful and bring the link up when the port is enabled.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1433985681-56138-4-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 73da0232098a69d06ce0d49ad8751b7c5e8b9448
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Wed Jun 10 18:21:19 2015 -0700

      rocker: update tests using hw-derived interface names

      With previous patch to support phy name attribute for each port, the OS
      can name port interfaces using the hw-derived name.  So update rocker
      tests to use the new hw-derived interface names.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1433985681-56138-3-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 773495364ffbfc6a4d1e13e24e932f96409ba1d3
  Author: David Ahern <dsahern@xxxxxxxxx>
  Date:   Wed Jun 10 18:21:18 2015 -0700

      rocker: Add support for phys name

      Add ROCKER_TLV_CMD_PORT_SETTINGS_PHYS_NAME to port settings. This 
attribute
      exports the port name to the guest OS allowing it to name interfaces with
      sensible defaults.

      Mostly done by Scott for phys_id support; adapted to phys_name by David.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
      Message-id: 1433985681-56138-2-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit f4d248bdc33167ab9e91b1470ef47a61dffd0b38
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:24 2015 +0800

      iohandler: Change return type of qemu_set_fd_handler to "void"

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-14-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1e354528bdaf9671ffc94e531e6967233abe7b8f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:23 2015 +0800

      event-notifier: Always return 0 for posix implementation

      qemu_set_fd_handler cannot fail, let's always return 0.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-13-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6b5166f8a82888638bb9aba9dc49aa7fa25f292f
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:22 2015 +0800

      xen_backend: Remove unused error handling of qemu_set_fd_handler

      The function cannot fail, so the check is superfluous.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-12-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b027a538c6790bcfc93ef7f4819fe3e581445959
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:21 2015 +0800

      oss: Remove unused error handling of qemu_set_fd_handler

      The function cannot fail, so the check is superfluous.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-11-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit be93f216278d84d283187c95cef16c0b60b711b8
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:20 2015 +0800

      alsaaudio: Remove unused error handling of qemu_set_fd_handler

      The function cannot fail, so the check is superfluous.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-10-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6484e422479c93f28e3f8a68258b0eacd3b31e6d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:19 2015 +0800

      main-loop: Drop qemu_set_fd_handler2

      All users are converted to qemu_set_fd_handler now, drop
      qemu_set_fd_handler2 and IOHandlerRecord.fd_read_poll.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-9-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 82e1cc4bf91a2e1c3b62297b10b0ab1d93adfc45
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:18 2015 +0800

      Change qemu_set_fd_handler2(..., NULL, ...) to qemu_set_fd_handler

      Done with following Coccinelle semantic patch, plus manual cosmetic 
changes in
      net/*.c.

          @@
          expression E1, E2, E3, E4;
          @@
          -   qemu_set_fd_handler2(E1, NULL, E2, E3, E4);
          +   qemu_set_fd_handler(E1, E2, E3, E4);

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-8-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a90a7425cf592a3afeff3eaf32f543b83050ee5c
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:17 2015 +0800

      tap: Drop tap_can_send

      This callback is called by main loop before polling s->fd, if it returns
      false, the fd will not be polled in this iteration.

      This is redundant with checks inside read callback. After this patch,
      the data will be sent to peer when it arrives. If the device can't
      receive, it will be queued to incoming_queue, and when the device status
      changes, this queue will be flushed.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-7-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6e99c631f116221d169ea53953d91b8aa74d297a
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:16 2015 +0800

      net/socket: Drop net_socket_can_send

      This callback is called by main loop before polling s->fd, if it returns
      false, the fd will not be polled in this iteration.

      This is redundant with checks inside read callback. After this patch,
      the data will be sent to peer when it arrives. If the device can't
      receive, it will be queued to incoming_queue, and when the device status
      changes, this queue will be flushed.

      If the peer is not ready, disable the read poll until send completes.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-6-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e8dd1d9c396104f0fac4b39a701143df49df2a74
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:15 2015 +0800

      netmap: Drop netmap_can_send

      This callback is called by main loop before polling s->fd, if it returns
      false, the fd will not be polled in this iteration.

      This is redundant with checks inside read callback. After this patch,
      the data will be copied from s->fd to s->iov when it arrives. If the
      device can't receive, it will be queued to incoming_queue, and when the
      device status changes, this queue will be flushed.

      Also remove the qemu_can_send_packet() check in netmap_send. If it's
      true, we are good; if it's false, the qemu_sendv_packet_async would
      return 0 and read poll will be disabled until netmap_send_completed is
      called.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-5-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 95b1416ae93106923f733941e52dfe55c4318643
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:14 2015 +0800

      l2tpv3: Drop l2tpv3_can_send

      This callback is called by main loop before polling s->fd, if it returns
      false, the fd will not be polled in this iteration.

      This is redundant with checks inside read callback. After this patch,
      the data will be copied from s->fd to s->msgvec when it arrives. If the
      device can't receive, it will be queued to incoming_queue, and when the
      device status changes, this queue will be flushed.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0bc12c4f7e8b5ff0f83908bdef0c247f1ca1a9d8
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Jun 4 14:45:12 2015 +0800

      stubs: Add qemu_set_fd_handler

      Some qemu_set_fd_handler2 stub callers will be converted to
      call qemu_set_fd_handler, add this stub for them before making the
      change.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1433400324-7358-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4cb618abc1818586c08011ff0a84a015787b1672
  Merge: a4ef02f 6773f9b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 12:49:40 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150612' into 
staging

      MIPS patches 2015-06-12

      Changes:
      * improve dp8393x network card and rc4030 chipset emulation
      * support misaligned R6 and MSA memory accesses
      * support MIPS eXtended and Large Physical Addressing
      * add Config5.FRE bit and ERETNC instruction (Config5.LLB)
      * support ememsize on MALTA

      # gpg: Signature made Fri Jun 12 09:38:11 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Good signature from "Leon Alrae <leon.alrae@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with a trusted signature!
      # gpg:          There is no indication that the signature belongs to the 
owner.
      # Primary key fingerprint: 8DD3 2F98 5495 9D66 35D4  4FC0 5211 8E3C 0B29 
DA6B

      * remotes/lalrae/tags/mips-20150612: (29 commits)
        target-mips: enable XPA and LPA features
        target-mips: remove misleading comments in translate_init.c
        target-mips: add MTHC0 and MFHC0 instructions
        target-mips: add CP0.PageGrain.ELPA support
        target-mips: support Page Frame Number Extension field
        target-mips: extend selected CP0 registers to 64-bits in MIPS32
        target-mips: correct MFC0 for CP0.EntryLo in MIPS64
        net/dp8393x: fix hardware reset
        net/dp8393x: correctly reset in_use field
        net/dp8393x: add load/save support
        net/dp8393x: add PROM to store MAC address
        net/dp8393x: QOM'ify
        net/dp8393x: use dp8393x_ prefix for all functions
        net/dp8393x: do not use old_mmio accesses
        net/dp8393x: always calculate proper checksums
        dma/rc4030: convert to QOM
        dma/rc4030: use trace events instead of custom logging
        dma/rc4030: document register at offset 0x210
        dma/rc4030: do not use old_mmio accesses
        dma/rc4030: use AddressSpace and address_space_rw in users
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a4ef02fd9b3d12b105b56942166c8364ade9be0f
  Merge: d8e3b72 4fa3dd1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 12 11:06:03 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150612' into staging

      migration/next for 20150612

      # gpg: Signature made Fri Jun 12 05:56:21 2015 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150612: (21 commits)
        Remove unneeded memset
        Rename RDMA structures to make destination clear
        Teach analyze-migration.py about section footers
        Add a protective section footer
        Disable section footers on older machine types
        Merge section header writing
        Move loadvm_handlers into MigrationIncomingState
        Move copy out of qemu_peek_buffer
        Create MigrationIncomingState
        qemu_ram_foreach_block: pass up error value, and down the ramblock name
        Split header writing out of qemu_savevm_state_begin
        Add qemu_get_counted_string to read a string prefixed by a count byte
        migration: Use normal VMStateDescriptions for Subsections
        migration: create savevm_state
        migration: Remove duplicated assignment of SETUP status
        rdma: Fix qemu crash when IPv6 address is used for migration
        arch_init: Clean up the duplicate variable 'len' defining in ram_load()
        migration: reduce include files
        migration: Add myself to the copyright list of both files
        migration: move savevm.c inside migration/
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d218b28d28b8f4de297bfd35c082b22f153cf0df
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: remove dead code

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 91b4d29f4eecab14c5f8888ecd7b3a740ad80b7c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: factorize fmov implementation

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 1d565b21e1aecbb0da6589f3c4ea83c9c788ad63
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: split out Q and M from of SR and optimize div1

      Splitting Q and M out of SR, it's possible to optimize div1 by using
      TCG code instead of an helper.

      At the same time removed the now unused gen_copy_bit_i32 function.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 60eb27fe4951fbe6cf5e24cc3d6df7e97c43a909
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: optimize negc using add2 and sub2

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit d0f44a55fa321e042bd6b2a0fa25ac48864b7a25
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: optimize subc using sub2

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit a2368e01c95a093d250a0e5d3cef53dddf642f1e
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: optimize addc using add2

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 34086945254c035a03e01e472d99e4524a2f2416
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: Split out T from SR

      In preparation for more efficient setting of this field.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 5ed9a259c164bb9fd2a6fe8a363a4bda2e4a5461
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:28:56 2015 +0200

      target-sh4: use bit number for SR constants

      Use the bit number for SR constants instead of using a bit mask. This
      make possible to also use the constants for shifts.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 563807520ff19e6ed2d40695f543f1fba7ba432f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:16:43 2015 +0200

      sh4/r2d: convert to new MMIO accessor style

      The documentation is clear to use 16-bit accesses for all registers.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit e42fd944f02dda893fc8773959d6db75f2a49367
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat May 23 15:06:54 2015 -0700

      linux-user: Add HWCAP for SH4

      Only exposing FPU and LLSC as the only features
      supported by the translator.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 91c45a38f282b970f443f8e9d6bdb6ffaa00dfbf
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat May 23 15:06:53 2015 -0700

      linux-user: Default sh4 to sh7785

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 7a4dfd1e4a741991df1acf31672b391648e0aa0c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 13:04:17 2014 +0200

      virtio-vga: add vgabios configuration

      Add seavgabios configuration for virtio-vga,
      hook up the new vgabios in the makefiles.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit a94f0c5ca2f0e3dba4a64f40c9d2e1149017d81d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 14:28:48 2014 +0200

      virtio-vga: add '-vga virtio' support

      Some convinience fluff:  Add support for '-vga virtio', also add
      virtio-vga to the list of vga cards so '-device virtio-vga' will
      turn off the default vga.

      Written by Dave Airlie and Gerd Hoffmann.

      Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c5d4dac86b61070c078a7b35e25f56d2c8bff508
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 14:25:45 2014 +0200

      virtio-vga: add virtio gpu device with vga compatibility

      This patch adds a virtio-vga device.  It is simliar to virtio-gpu-pci,
      but it also adds in vga compatibility, so guests without native
      virtio-gpu support can drive the device in vga mode.  It is compatible
      with stdvga.

      Written by Dave Airlie and Gerd Hoffmann.

      Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 9eafb62d47ac1c8c2d431e1b4829445444ccc2ee
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 14:20:34 2014 +0200

      virtio-gpu-pci: add virtio pci support

      This patch adds virtio-gpu-pci, which is the pci proxy for the virtio
      gpu device.  With this patch in place virtio-gpu is functional.  You
      need a linux guest with a virtio-gpu driver though, and output will
      appear pretty late in boot, once the kernel initialized drm and fbcon.

      Written by Dave Airlie and Gerd Hoffmann.

      Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2c84167b4efa4a0e81946ef624e96005396e14b2
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Mar 17 08:56:18 2015 +0100

      virtio-gpu: fix error message

      iov limit was raised, but the error message still has the old limit ...

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6773f9b687e0a8ab4b638ef88d075fb233fb7669
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 14 10:33:43 2015 +0100

      target-mips: enable XPA and LPA features

      Enable XPA in MIPS32R5-generic and LPA in MIPS64R6-generic.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 28b027d5b63c7550c7390041d6dd50948c8f55b8
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 14 10:33:35 2015 +0100

      target-mips: remove misleading comments in translate_init.c

      PABITS are not hardcoded to 36 bits and we do not model 59 PABITS (which 
is
      the architectural limit) in QEMU.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 5204ea79ea739b557f47fc4db96c94edcb33a5d6
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Sep 11 16:28:17 2014 +0100

      target-mips: add MTHC0 and MFHC0 instructions

      Implement MTHC0 and MFHC0 instructions. In MIPS32 they are used to access
      upper word of extended to 64-bits CP0 registers.

      In MIPS64, when CP0 destination register specified is the EntryLo0 or
      EntryLo1, bits 1:0 of the GPR appear at bits 31:30 of EntryLo0 or
      EntryLo1. This is to compensate for RI and XI, which were shifted to bits
      63:62 by MTC0 to EntryLo0 or EntryLo1. Therefore creating separate
      functions for EntryLo0 and EntryLo1.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit e117f52636d04502fab28bd3abe93347c29f39a5
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 14 10:09:38 2015 +0100

      target-mips: add CP0.PageGrain.ELPA support

      CP0.PageGrain.ELPA enables support for large physical addresses. This 
field
      is encoded as follows:
      0: Large physical address support is disabled.
      1: Large physical address support is enabled.

      If this bit is a 1, the following changes occur to coprocessor 0 
registers:
      - The PFNX field of the EntryLo0 and EntryLo1 registers is writable and
        concatenated with the PFN field to form the full page frame number.
      - Access to optional COP0 registers with PA extension, LLAddr, TagLo is
        defined.

      P5600 can operate in 32-bit or 40-bit Physical Address Mode. Therefore if
      XPA is disabled (CP0.PageGrain.ELPA = 0) then assume 32-bit Address Mode.
      In MIPS64 assume 36 as default PABITS (when CP0.PageGrain.ELPA = 0).

      env->PABITS value is constant and indicates maximum PABITS available on
      a core, whereas env->PAMask is calculated from env->PABITS and is also
      affected by CP0.PageGrain.ELPA.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit cd0d45c40133ef8b409aede5ad8a99aeaf6a70fe
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Sep 11 16:28:16 2014 +0100

      target-mips: support Page Frame Number Extension field

      Update tlb->PFN to contain PFN concatenated with PFNX. PFNX is 0 if large
      physical address is not supported.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 284b731a6ae47b9ebabb9613e753c4d83cf75dd3
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Jun 9 17:14:13 2015 +0100

      target-mips: extend selected CP0 registers to 64-bits in MIPS32

      Extend EntryLo0, EntryLo1, LLAddr and TagLo from 32 to 64 bits in MIPS32.

      Introduce gen_move_low32() function which moves low 32 bits from 64-bit
      temp to GPR; it sign extends 32-bit value on MIPS64 and truncates on
      MIPS32.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit b435f3f3d174721382b55bbd0c785ec50c1796a9
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Fri Mar 20 12:06:10 2015 +0000

      target-mips: correct MFC0 for CP0.EntryLo in MIPS64

      CP0.EntryLo bits 31:30 have to be cleared.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 4fa3dd17dc29c316726f0d4a354a4d895e130c73
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Mon Apr 20 16:57:21 2015 +0100

      Remove unneeded memset

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit a97270ad5d6dd0382ecb4568674226c8463e59fb
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Mon Apr 20 16:57:16 2015 +0100

      Rename RDMA structures to make destination clear

      RDMA has two data types that are named confusingly;
         RDMALocalBlock (pointed to indirectly by local_ram_blocks)
         RDMARemoteBlock (pointed to by block in RDMAContext)

      RDMALocalBlocks, as the name suggests is a data strucuture that
      represents the RDMAable RAM Blocks on the current side of the migration
      whichever that is.

      RDMARemoteBlocks is always the shape of the RAMBlocks on the
      destination, even on the destination.

      Rename:
           RDMARemoteBlock -> RDMADestBlock
           context->'block' -> context->dest_blocks

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 73d9a7961ab1b083fb2095413a3bd091e35f4369
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue May 19 12:29:53 2015 +0100

      Teach analyze-migration.py about section footers

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f68945d42bab700d95b87f62e0898606ce2421ed
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue May 19 12:29:52 2015 +0100

      Add a protective section footer

      Badly formatted migration streams can go undetected or produce
      misleading errors due to a lock of checking at the end of sections.
      In particular a section that adds an extra 0x00 at the end
      causes what looks like a normal end of stream and thus doesn't produce
      any errors, and something that ends in a 0x01..0x04 kind of look
      like real section headers and then fail when the section parser tries
      to figure out which section they are.  This is made worse by the
      choice of 0x00..0x04 being small numbers that are particularly common
      in normal section data.

      This patch adds a section footer consisting of a marker (0x7e - ~)
      followed by the section-id that was also sent in the header.  If
      they mismatch then it throws an error explaining which section was
      being loaded.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 37fb569c0198cba58e3e1bdf6b9702c8248b89dd
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue May 19 12:29:51 2015 +0100

      Disable section footers on older machine types

      The next patch adds section footers; but we don't want to
      break migration compatibility so disable them on older
      machine types

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit ce39bfc9186005d222a78db4a7fbdc83e2d62481
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Tue May 19 12:29:50 2015 +0100

      Merge section header writing

      The header writing for device sections is open coded in
      a few places, merge it into one.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 1a8f46f8d61ef885ff9d0bda251e4e9830c932ef
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:16 2015 +0100

      Move loadvm_handlers into MigrationIncomingState

      In postcopy we need the loadvm_handlers to be used in a couple
      of different instances of the loadvm loop/routine, and thus
      it can't be local any more.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7c1e52ba6f3994dc127118f491258ce84d0beb52
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:15 2015 +0100

      Move copy out of qemu_peek_buffer

      qemu_peek_buffer currently copies the data it reads into a buffer,
      however a future patch wants access to the buffer without the copy,
      hence rework to remove the copy to the layer above.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit bca7856ae8220d9f15ff0f44b97397529e26a552
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:14 2015 +0100

      Create MigrationIncomingState

      There are currently lots of pieces of incoming migration state scattered
      around, and postcopy is adding more, and it seems better to try and keep
      it together.

      allocate MIS in process_incoming_migration_co

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e3807054e20fb3b94d18cb751c437ee2f43b6fac
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:13 2015 +0100

      qemu_ram_foreach_block: pass up error value, and down the ramblock name

      check the return value of the function it calls and error if it's non-0
      Fixup qemu_rdma_init_one_block that is the only current caller,
        and rdma_add_block the only function it calls using it.

      Pass the name of the ramblock to the function; helps in debugging.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: Michael R. Hines <mrhines@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit f796baa1b3efcf105ba3a465f797e05ac2b3dcfc
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:12 2015 +0100

      Split header writing out of qemu_savevm_state_begin

      Split qemu_savevm_state_begin to:
        qemu_savevm_state_header   That writes the initial file header.
        qemu_savevm_state_begin    That sets up devices and does the first
                                   device pass.

      Used later in postcopy.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit b3af1bc9d21e6bec7dfd283d91b465c9f815b6d6
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Thu May 21 13:24:11 2015 +0100

      Add qemu_get_counted_string to read a string prefixed by a count byte

      and use it in loadvm_state and ram_load.

      Where ever it's used, check the return and error if it failed.

      Minor: ram_load was using a 257 byte array for its string, the
             maximum length is 255 bytes + 0 terminator, so fix to 256

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 5cd8cadae8db905afcbf877cae568c27d1d55a8a
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Sep 23 14:09:54 2014 +0200

      migration: Use normal VMStateDescriptions for Subsections

      We create optional sections with this patch.  But we already have
      optional subsections.  Instead of having two mechanism that do the
      same, we can just generalize it.

      For subsections we just change:

      - Add a needed function to VMStateDescription
      - Remove VMStateSubsection (after removal of the needed function
        it is just a VMStateDescription)
      - Adjust the whole tree, moving the needed function to the corresponding
        VMStateDescription

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 0163a2e025cda6acb33e100d296965671ace17d9
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 13 13:37:04 2015 +0200

      migration: create savevm_state

      This way, we will put savevm global state here, instead of lots of 
variables.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>

  commit e45a1ebfc65fb23be8cddb684d97eaa92725484d
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Wed May 20 17:14:28 2015 +0200

      migration: Remove duplicated assignment of SETUP status

      We assign the MIGRATION_STATUS_SETUP status in two places.  Just in
      succession.  Just remove the second one.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 5b61d5752156dcbbe2bf1366c877a676ed9f8f51
  Author: Padmanabh Ratnakar <padmanabh.ratnakar@xxxxxxxxxxxxx>
  Date:   Wed Jun 3 04:44:10 2015 +0530

      rdma: Fix qemu crash when IPv6 address is used for migration

      Qemu crashes when IPv6 address is specified for migration and access
      to any RDMA uverbs device available on the system is blocked using 
cgroups.
      Fix the crash by checking the return value of ibv_open_device routine.

      Signed-off-by: Meghana Cheripady <meghana.cheripady@xxxxxxxxxxxxx>
      Signed-off-by: Padmanabh Ratnakar <padmanabh.ratnakar@xxxxxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 5ee6926582cca64238967b2d00d870265cdb10b8
  Author: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
  Date:   Fri May 15 17:00:03 2015 +0800

      arch_init: Clean up the duplicate variable 'len' defining in ram_load()

      There are two places that define 'len' variable, It's OK for compiling,
      but makes it difficult for reading.

      Remove the local one which defined in the inside 'while' loop.

      Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 7205c9ec525fe375dd34c0f116c36dc4aab4c0f7
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri May 8 13:54:36 2015 +0200

      migration: reduce include files

      To make changes easier, with the copy, I maintained almost all include
      files.  Now I remove the unnecessary ones on this patch.  This compiles
      on linux x64 with all architectures configured, and cross-compiles for
      windows 32 and 64 bits.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 76cc7b587f1cd1679821e034a2d9974af9bc7d2b
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri May 8 13:20:21 2015 +0200

      migration: Add myself to the copyright list of both files

      If anyone feels like adding himself to the list, just sent me a patch.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c3049a56d69f1ee7e85b5100ba5d0e3dc69a14f1
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Fri May 8 12:49:01 2015 +0200

      migration: move savevm.c inside migration/

      Now, everything is in place.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 56e93d26b85bac76b93211393163c2ebcdee9481
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Thu May 7 19:33:31 2015 +0200

      migration: move ram stuff to migration/ram

      For historic reasons, ram migration have been on arch_init.c.  Just
      split it into migration/ram.c, the same that happened with block.c.

      There is only code movement, no changes altogether.

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 795dc6e46d953d70b4b7ddd3f4956f8f4b9d8565
  Author: Mao Chuan Li <maochuan@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Feb 5 18:28:36 2015 +0800

      watchdog: Add new Virtual Watchdog action INJECT-NMI

      This patch allows QEMU to inject a NMI into a guest when the
      watchdog expires.

      Signed-off-by: Mao Chuan Li <maochuan@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      CC: Eric Blake <eblake@xxxxxxxxxx>
      CC: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit f9a535e089abcbc7ac99db83c8c6e4644e395b12
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Feb 5 18:28:35 2015 +0800

      nmi: Implement inject_nmi() for non-monitor context use

      Let's introduce a general "inject_nmi()" function that doesn't rely on 
the cpu
      index of the monitor, but uses cpu index 0 as default (except for x86).
      This function can then later be used from a non-monitor context.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      CC: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit d67f5fe63caa0f707fa91c760508c340e050b6f0
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Feb 5 18:28:34 2015 +0800

      s390x/watchdog: diag288 migration support

      Add vmstate structure to keep state and data during migration.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 8fc639af4b62930671b6988c1f7eedf9e7c9f7bc
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jun 11 13:55:26 2015 +0200

      s390x/kvm: diag288 instruction interception and handling

      Intercept the diag288 requests from kvm guests, and hand the
      requested command to the diag288 watchdog device for further
      handling.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 188f24c2c149bcb0088c6317e99e09afc007de34
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Feb 5 18:28:32 2015 +0800

      s390x/watchdog: introduce diag288 watchdog device

      This patch introduces a new diag288 watchdog device that will, just like
      other watchdogs, monitor a guest and take corresponding actions when it
      detects that the guest is not responding.

      diag288 is s390x specific. The wiring to s390x KVM will be done in
      separate patches.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      [split out qemu-option.hx base changes]

  commit d7933ef3ac81149a51ba43ddac9fe70405008aba
  Author: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Jun 11 17:32:05 2015 +0200

      watchdog: change option wording to allow for more watchdogs

      We will introduce a new watchdog for s390x. Lets adopt
      qemu-options.hx to allow more watchdog devices.

      Signed-off-by: Xu Wang <gesaint@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      [split out qemu-option.hx base changes]

  commit d8e3b729cf452d2689c8669f1ec18158db29fd5a
  Merge: afa25c4 4ebc736
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 11 15:33:38 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc, acpi, virtio

      Most notably this includes virtio 1 patches
      Still not all devices converted, and not fully spec compliant,
      so disabled by default.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu Jun 11 12:53:08 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (42 commits)
        i386/acpi-build: fix PXB workarounds for unsupported BIOSes
        i386/acpi-build: more traditional _UID and _HID for PXB root buses
        vhost-scsi: move qdev properties into vhost-scsi.c
        virtio-9p-device: move qdev properties into virtio-9p-device.c
        virtio-serial-bus: move qdev properties into virtio-serial-bus.c
        virtio-rng: move qdev properties into virtio-rng.c
        virtio-scsi: move qdev properties into virtio-scsi.c
        virtio-net.h: Remove unsed DEFINE_VIRTIO_NET_PROPERTIES
        virtio-net: move qdev properties into virtio-net.c
        virtio-input: emulated devices [pci]
        virtio-input: core code & base class [pci]
        pci: add PCI_CLASS_INPUT_*
        virtio-pci: fill VirtIOPCIRegions early.
        virtio-pci: drop identical virtio_pci_cap
        virtio-pci: move cap type to VirtIOPCIRegion
        virtio-pci: move virtio_pci_add_mem_cap call to 
virtio_pci_modern_region_map
        virtio-pci: add virtio_pci_modern_region_map()
        virtio-pci: add virtio_pci_modern_regions_init()
        virtio-pci: add struct VirtIOPCIRegion for virtio-1 regions
        virtio-balloon: switch to virtio_add_feature
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit afa25c4bb5bd0732dca4aa0691fd4682d242925f
  Merge: 0b70743 08d49df
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 11 14:40:25 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-20150611-1' 
into staging

      sdl2: fix crash in handle_windowevent() when restoring the screen size

      # gpg: Signature made Thu Jun 11 08:57:38 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-sdl-20150611-1:
        sdl2: fix crash in handle_windowevent() when restoring the screen size

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0b70743d4f4f260b2fe6ed53fecc6bc6cda13910
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Thu Jun 11 09:44:40 2015 +0100

      hw/vfio/platform: replace g_malloc0_n by g_new0

      g_malloc0_n() is introduced since glib-2.24 while QEMU currently
      requires glib-2.22. This may cause a link error on some distributions.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Acked-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 169b71331eaff7a28e3d4fabe8733e7db91f01aa
  Merge: 39e16a5 5a9259a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 11 12:12:58 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150611-1' 
into staging

      spice: fix segfault in qemu_spice_create_update, ui_info tweaks.

      # gpg: Signature made Thu Jun 11 08:48:49 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150611-1:
        spice: ui_info tweaks
        spice-display: fix segfault in qemu_spice_create_update

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4ebc736e9938a7e88ecc785734b17145bf802a56
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 11 02:37:59 2015 +0200

      i386/acpi-build: fix PXB workarounds for unsupported BIOSes

      The patch

        apci: fix PXB behaviour if used with unsupported BIOS

      uses the following condition to see if a "PXB mem/IO chunk" has *not* been
      configured by the BIOS:

        (!range_base || range_base > range_limit)

      When this condition evaluates to true, said patch *omits* the
      corresponding entry from the _CRS.

      Later on the patch checks for the opposite condition (with the intent of
      *adding* entries to the _CRS if the "PXB mem/IO chunks" *have* been
      configured). Unfortunately, the condition was negated incorrectly: only
      the first ! operator was removed, which led to the nonsensical expression

        (range_base || range_base > range_limit)

      leading to bogus entries in the _CRS, and causing BSOD in Windows Server
      2012 R2 when it runs on OVMF.

      The correct negative of the condition seen at the top is

        (range_base && range_base <= range_limit)

      Fix the expressions.

      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c96d9286a6d70452e5fa4f1e3f840715e325be95
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu Jun 11 02:37:58 2015 +0200

      i386/acpi-build: more traditional _UID and _HID for PXB root buses

      The ACPI specification permits the _HID and _UID objects to evaluate to
      strings. (See "6.1.5 _HID (Hardware ID)" and "6.1.12 _UID (Unique ID)" in
      the ACPI v6.0 spec.)

      With regard to related standards, the UEFI specification can also express
      a device address composed from string _HID and _UID identifiers, inside
      the Expanded ACPI Device Path Node. (See "9.3.3 ACPI Device Path", Table
      49, in the UEFI v2.5 spec.)

      However, numeric (integer) contents for both _HID and _UID are more
      traditional. They are recommended by the UEFI spec for size reasons:

        [...] the ACPI Device Path node is smaller and should be used if
        possible to reduce the size of device paths that may potentially be
        stored in nonvolatile storage [...]

      External tools support them better (for example the --acpi_hid and
      --acpi_uid options of "efibootmgr" only take numeric identifiers).
      Finally, numeric _HID and _UID contents are existing practice in the QEMU
      source.

      This patch was tested with a Fedora 20 LiveCD and a preexistent Windows
      Server 2012 R2 guest. Using "acpidump" and "iasl" in the Fedora guest, we
      get, in the SSDT:

      > Scope (\_SB)
      > {
      >   Device (PC04)
      >   {
      >     Name (_UID, 0x04)  // _UID: Unique ID
      >     Name (_HID, EisaId ("PNP0A03") /* PCI Bus */)  // _HID: Hardware ID

      Cc: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 39e16a5b708358202e8d2252e3d84863666dc9e5
  Merge: 0e12e61 060ab76
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 11 11:18:11 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150611-1' 
into staging

      gtk: don't exit early in case gtk init fails

      # gpg: Signature made Thu Jun 11 10:38:29 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150611-1:
        gtk: don't exit early in case gtk init fails

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 060ab76356fff6a420bc881a574c40a5dda086af
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jun 5 13:07:58 2015 +0200

      gtk: don't exit early in case gtk init fails

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

  commit bd8f1ebce430eb6c1dd92e34baf7bc35aa600464
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:49 2015 +0200

      net/dp8393x: fix hardware reset

      Documentation is not clear of what happens when doing a hardware reset,
      but firmware expect all registers to be zero unless specified otherwise.

      This fixes reboot on MIPS Magnum.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 409b52bfe199d8106dadf7c5ff3d88d2228e89b5
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:48 2015 +0200

      net/dp8393x: correctly reset in_use field

      Don't write more than the field width, which is always 16 bit.
      Fixes network in NetBSD 5.1/arc

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 1670735dd7087224cf8fabd37c78fc2aa1f0b22f
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:47 2015 +0200

      net/dp8393x: add load/save support

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 89ae0ff9b73ee74c9ba707a09a07ad77b9fdccb4
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:46 2015 +0200

      net/dp8393x: add PROM to store MAC address

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 104655a5c818ea8de1329cef50d1cc8defc524f3
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:45 2015 +0200

      net/dp8393x: QOM'ify

      Signed-off-by: Laurent Vivier <laurent@xxxxxxxxx>
      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 3df5de64f06f6b288b1cf30ce2bad7878a96454b
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:44 2015 +0200

      net/dp8393x: use dp8393x_ prefix for all functions

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 84689cbb97d2f8c7bb1ebe069f887eaaaddb0902
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:43 2015 +0200

      net/dp8393x: do not use old_mmio accesses

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit f2f62c4db244f392381c9061c4185ced98f9be57
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:42 2015 +0200

      net/dp8393x: always calculate proper checksums

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit d791d60f1cf944f578aa26ca9f8903ce5dda1c78
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:41 2015 +0200

      dma/rc4030: convert to QOM

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 95c357bc461b00785284403bf56567657d42e915
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:40 2015 +0200

      dma/rc4030: use trace events instead of custom logging

      Remove also unneeded debug logs.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit dc6e3e1e1aef2e6b2ed2ddf80c9559c91f685ecd
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:39 2015 +0200

      dma/rc4030: document register at offset 0x210

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit b421f3f52aed306ecc69221a13fac22d03905956
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:38 2015 +0200

      dma/rc4030: do not use old_mmio accesses

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit dd8205130bab277a27889b6d3c0c6c7651585732
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:37 2015 +0200

      dma/rc4030: use AddressSpace and address_space_rw in users

      Now that rc4030 internally uses an AddressSpace for DMA handling, make 
its root
      memory region public. This is especially usefull for dp8393x netcard, 
which now
      uses well known QEMU types and methods.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit a3d586f704609a45b6037534cb2f34da5dfd8895
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:36 2015 +0200

      dma/rc4030: create custom DMA address space

      Add a new memory region in system address space where DMA address space
      definition (the 'translation table') belongs, so we can update on the fly
      the DMA address space.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 9b1d21c53b73c8f8f79e4aae69c4eb7a5270d6d4
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Wed Jun 3 22:45:35 2015 +0200

      mips jazz: compile only in 64 bit

      Remove now useless device models from other MIPS configurations

      We're now compiling 12 files less than before.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit ce9782f40ac16660ea9437bfaa2c9c34d5ed8110
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Thu Jun 4 17:00:31 2015 +0100

      target-mips: add ERETNC instruction and Config5.LLB bit

      ERETNC is identical to ERET except that an ERETNC will not clear the LLbit
      that is set by execution of an LL instruction, and thus when placed 
between
      an LL and SC sequence, will never cause the SC to fail.

      Presence of ERETNC is denoted by the Config5.LLB.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit adc370a48fd26b92188fa4848dfb088578b1936c
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Jun 1 12:13:24 2015 +0100

      target-mips: Misaligned memory accesses for MSA

      MIPS SIMD Architecture vector loads and stores require misalignment 
support.
      MSA Memory access should work as an atomic operation. Therefore, it has to
      check validity of all addresses for a vector store access if it is 
spanning
      into two pages.

      Separating helper functions for each data format as format is known in
      translation.
      To use mmu_idx from cpu_mmu_index() instead of calculating it from hflag.
      Removing save_cpu_state() call in translation because it is able to use
      cpu_restore_state() on fault as GETRA() is passed.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      [leon.alrae@xxxxxxxxxx: remove unused do_* functions]
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 3b4afc9e75ab1a95f33e41f462921093f8a109c4
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Jun 1 12:13:23 2015 +0100

      softmmu: Add probe_write()

      Probe for whether the specified guest write access is permitted.
      If it is not permitted then an exception will be taken in the same
      way as if this were a real write access (and we will not return).
      Otherwise the function will return, and there will be a valid
      entry in the TLB for this access.

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit be3a8c53b4f18bcc51a462d977cc61a0f46ebb1c
  Author: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
  Date:   Mon Jun 1 12:13:22 2015 +0100

      target-mips: Misaligned memory accesses for R6

      Release 6 requires misaligned memory access support for all ordinary 
memory
      access instructions (for example, LW/SW, LWC1/SWC1).
      However misaligned support is not provided for certain special memory 
accesses
      such as atomics (for example, LL/SC).

      Signed-off-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 71c199c81d290b2077ee7cf5400332a342de3a97
  Author: Paul Burton <paul.burton@xxxxxxxxxx>
  Date:   Mon May 25 14:21:04 2015 +0100

      mips_malta: provide ememsize env variable to kernels

      Commit 94c2b6aff43c (mips_malta: support up to 2GiB RAM) provided
      support for using over 256MB of RAM with the MIPS Malta board, including
      capping the memsize variable that QEMUs pseudo-bootloader provides to
      the kernel at 256MB in order to match YAMON. It didn't however provide
      the ememsize variable which kernels supporting memory outside of the
      unmapped address spaces (ie. EVA or highmem) may use to determine the
      true size of the RAM present in the system.

      Set ememsize to the size of RAM so that such kernels may use all
      available memory without the user having to manually specifying its size
      & location.

      Signed-off-by: Paul Burton <paul.burton@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 7c979afd11b09a16634699dd6344e3ba10c9677e
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 21 16:06:28 2015 +0100

      target-mips: add Config5.FRE support allowing Status.FR=0 emulation

      This relatively small architectural feature adds the following:

      FIR.FREP: Read-only. If FREP=1, then Config5.FRE and Config5.UFE are
                available.

      Config5.FRE: When enabled all single-precision FP arithmetic instructions,
                   LWC1/LWXC1/MTC1, SWC1/SWXC1/MFC1 cause a Reserved 
Instructions
                   exception.

      Config5.UFE: Allows user to write/read Config5.FRE using CTC1/CFC1
                   instructions.

      Enable the feature in MIPS64R6-generic CPU.

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit eab9944c7801525737626fa45cddaf00932dd2c8
  Author: Leon Alrae <leon.alrae@xxxxxxxxxx>
  Date:   Tue Apr 21 16:06:27 2015 +0100

      target-mips: move group of functions above gen_load_fpr32()

      Move the "Tests" group of functions so that gen_load_fpr32() and
      gen_store_fpr32() can use generate_exception().

      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 5a9259a0b5d6f9424f94539cd9c715b1d166d90c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 13 12:21:50 2015 +0100

      spice: ui_info tweaks

      Use the new dpy_ui_info_supported function.
      Clarifies the control flow.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c6e484707f28b3e115e64122a0570f6b3c585489
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jun 9 21:08:47 2015 +0200

      spice-display: fix segfault in qemu_spice_create_update

      Although it is pretty unusual the stride for the guest image and the
      mirror image maintained by spice-display can be different.  So use
      separate variables for them.

      https://bugzilla.redhat.com/show_bug.cgi?id=1163047

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: perrier vincent <clownix@xxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0e12e61ff9a3407d123d0dbc4d945aec98d60fdf
  Merge: 3974c9d 62232bf
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 10 18:13:58 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150610-1' 
into staging

      stdvga: factor out mmio subregion init
      virtio-gpu: add virtio gpu core code, 2d mode

      # gpg: Signature made Wed Jun 10 10:03:11 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20150610-1:
        virtio-gpu/2d: add virtio gpu core code
        virtio: update headers, add virtio-gpu (2d)
        stdvga: factor out mmio subregion init
        stdvga: pass VGACommonState instead of PCIVGAState
        stdvga: fix offset in pci_vga_ioport_read

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 21549a4642e1f1b438ffc31dd9dc35f134b10e5b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:36 2015 +0800

      vhost-scsi: move qdev properties into vhost-scsi.c

      As only one place in vhost-scsi.c uses DEFINE_VHOST_SCSI_PROPERTIES,
      there is no need to expose it. Inline it into vhost-scsi.c to avoid
      wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 83a84878da2e00b4d350bd90d6775c1f6320e7b4
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:35 2015 +0800

      virtio-9p-device: move qdev properties into virtio-9p-device.c

      As only one place in virtio-9p-device.c uses
      DEFINE_VIRTIO_9P_PROPERTIES, there is no need to expose it. Inline it
      into virtio-9p-device.c to avoid wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 448777c411b80df0263eb00b9df2f829cdc7cc9b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:34 2015 +0800

      virtio-serial-bus: move qdev properties into virtio-serial-bus.c

      As only one place in virtio-serial-bus.c uses
      DEFINE_VIRTIO_SERIAL_PROPERTIES, there is no need to expose it. Inline
      it into virtio-serial-bus.c to avoid wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fe704809b974d8dd8e020b4d3f48ede338a886fe
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:33 2015 +0800

      virtio-rng: move qdev properties into virtio-rng.c

      As only one place in virtio-rng.c uses DEFINE_VIRTIO_RNG_PROPERTIES,
      there is no need to expose it. Inline it into virtio-rng.c to avoid
      wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0c63237a90f37fffe8a8016f24f61bb228653e86
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:32 2015 +0800

      virtio-scsi: move qdev properties into virtio-scsi.c

      As only one place in virtio-scsi.c uses DEFINE_VIRTIO_SCSI_PROPERTIES
      and DEFINE_VIRTIO_SCSI_FEATURES, there is no need to expose them. Inline
      them into virtio-scsi.c to avoid wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit db58c063e159f02f0232d1557f0930fd32a6580f
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:31 2015 +0800

      virtio-net.h: Remove unsed DEFINE_VIRTIO_NET_PROPERTIES

      Remove unsed DEFINE_VIRTIO_NET_PROPERTIES in virtio-net.h and delete a
      space typo.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 87108bb26ce04637980c0897caeabee8901e72c9
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Wed Jun 10 23:04:30 2015 +0800

      virtio-net: move qdev properties into virtio-net.c

      As only one place in virtio-net.c uses DEFINE_VIRTIO_NET_FEATURES,
      there is no need to expose it. Inline it into virtio-net.c to avoid
      wrongly use.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 710e2d90da1a16807f7885d37b203ce739fdc53a
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:42 2015 +0200

      virtio-input: emulated devices [pci]

      This patch adds virtio-pci support for the emulated virtio-input
      devices.  Using them is as simple as adding "-device virtio-tablet-pci"
      to your command line.  If you want add multiple devices but don't want
      waste a pci slot for each you can compose a multifunction device this way:

      qemu -device virtio-keyboard-pci,addr=0d.0,multifunction=on \
           -device virtio-tablet-pci,addr=0d.1,multifunction=on

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f958c8aa138718b8126a300d6faece522f7674b8
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:41 2015 +0200

      virtio-input: core code & base class [pci]

      This patch adds the virtio-pci support bits for virtio-input-device.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ffaa05037134d48e3ccd7ebbf2d58db26590b96d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:40 2015 +0200

      pci: add PCI_CLASS_INPUT_*

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b6ce27a593ab39ac28baebc3045901925046bebd
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:39 2015 +0200

      virtio-pci: fill VirtIOPCIRegions early.

      Initialize the modern bar and the VirtIOPCIRegion fields early, in
      realize.  Also add a size field to VirtIOPCIRegion and variables for
      pci bars to VirtIOPCIProxy.

      This allows virtio-pci subclasses to change things before the
      device_plugged callback applies them.  virtio-vga will use that to
      arrange regions in a way that virtio-vga is compatible to both stdvga
      (in vga mode) and virtio-gpu-pci (in pci mode).

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cc52ea90f835aa66d431db712b22f8b15bec2e46
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:38 2015 +0200

      virtio-pci: drop identical virtio_pci_cap

      Now the three struct virtio_pci_caps are identical,
      lets drop two of them ;)

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fc004905c5b4b7568aad50087c156a5f4dfae1a7
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:37 2015 +0200

      virtio-pci: move cap type to VirtIOPCIRegion

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 54790d71e4adcfaae95dac3c7019b10721e609de
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:36 2015 +0200

      virtio-pci: move virtio_pci_add_mem_cap call to 
virtio_pci_modern_region_map

      Also fill offset and length automatically,
      from VirtIOPCIRegion->offset and region size.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a3cc2e81592aba6d818005c078b94b16ba47a02c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:35 2015 +0200

      virtio-pci: add virtio_pci_modern_region_map()

      Add function to map modern virtio regions.
      Add offset to VirtIOPCIRegion.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1141ce2190c85daacfa9b874476651ed0f7dc6df
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:34 2015 +0200

      virtio-pci: add virtio_pci_modern_regions_init()

      Add init function for the modern pci regions,
      move over the init code.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 588255ad5021f06789f438f7b045015c54e30841
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:33 2015 +0200

      virtio-pci: add struct VirtIOPCIRegion for virtio-1 regions

      For now just place the MemoryRegion there,
      following patches will add more.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 40de55affda76392627e68d3b1ba5a6a11c492bc
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:32 2015 +0200

      virtio-balloon: switch to virtio_add_feature

      This was missed during the conversion of feature bit manipulation.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fbdc6892dd8a842a3d86b8315ff56399e0387b74
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:31 2015 +0200

      virtio_balloon: header update

      add modern header

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 975acc0ae6d60260859884a9235ae3c62e2969a2
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:30 2015 +0200

      virtio-pci: correctly set host notifiers for modern bar

      Currently, during host notifier set. We only add eventfd for legacy
      bar, this is not correct since:

      - Non-transitional device does not have legacy bar, so qemu will crash
        since proxy->bar was not initialized.
      - Modern device uses modern bar and notify cap to notify the device,
        we should add eventfd for proxy->notify.

      So this patch fixes the above two issues by adding eventfd based on
      whether legacy or modern device were supported.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4e93a68eb369b2f7adbef7a4f6afd7a30a0ed927
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:29 2015 +0200

      virtio-pci: make modern bar 64bit + prefetchable

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 23c5e3977502a1b57fa2d8cf8cf4b5c9e45f0d1f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:28 2015 +0200

      virtio-pci: change & document virtio pci bar layout.

      This patch adds variables for the pci bars (to get rid of the magic
      numbers in the code) and moves the modern virtio bar to region 4 so
      regions 2+3 are kept free.  virtio-vga wants use them.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8aca0d75869f8ad0aa0032c50d8c85dcad65302f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:27 2015 +0200

      virtio-pci: make QEMU_VIRTIO_PCI_QUEUE_MEM_MULT smaller

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e266d421490e0ae83044bbebb209b2d3650c0ba6
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:26 2015 +0200

      virtio-pci: add flags to enable/disable legacy/modern

      Add VIRTIO_PCI_FLAG_DISABLE_LEGACY and VIRTIO_PCI_FLAG_DISABLE_MODERN
      for VirtIOPCIProxy->flags.  Also add properties for them.  They can be
      used to disable modern (virtio 1.0) or legacy (virtio 0.9) modes.

      By default only legacy is advertized, modern will be turned on by
      default once all remaining spec compilance issues are addressed.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 54c720d49d3f9741b52ac95c65a5cc990254a5d8
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:25 2015 +0200

      virtio-pci: switch to modern accessors for 1.0

      virtio 1.0 config space is in LE format for all
      devices, use modern wrappers when accessed through
      the 1.0 BAR.

      Reported-by: Rusty Russell <rusty@xxxxxxxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit adfb743c90c7aa5e92907ce875e4f35747ee1963
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:24 2015 +0200

      virtio: add modern config accessors

      virtio 1.0 defines config space as LE,
      as opposed to pre-1.0 which was native endian.

      Add API for transports to execute word/dword accesses in
      little endian format - will be useful for mmio
      and pci (byte access is also wrapped, for completeness).

      For simplicity, we still keep config in host native
      endian format, byteswap to LE on guest access.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b8f059081d93f1802480059d1d49fe5c1d32f60c
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:23 2015 +0200

      virtio: generation counter support

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit dfb8e184db758bff275f94f7aa634300886cfe21
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:22 2015 +0200

      virtio-pci: initial virtio 1.0 support

      This is somewhat functional.  With this, and linux driver from my tree,
      I was able to use virtio net as virtio 1.0 device for light browsing.

      At the moment, dataplane and vhost code is
      still missing.

      Based on Cornelia's virtio 1.0 patchset:
          Date: Thu, 11 Dec 2014 14:25:02 +0100
          From: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
          To: virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx, qemu-devel@xxxxxxxxxx
          Cc: rusty@xxxxxxxxxxxxxxx, thuth@xxxxxxxxxxxxxxxxxx, mst@xxxxxxxxxx,
          Cornelia Huck <cornelia.huck@xxxxxxxxxx>
          Subject: [PATCH RFC v6 00/20] qemu: towards virtio-1 host support
          Message-Id: 
<1418304322-7546-1-git-send-email-cornelia.huck@xxxxxxxxxx>

      which is itself still missing some core bits.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c17bef33601737e24a3d53259ddb6db28ac4d6d2
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:21 2015 +0200

      linux-headers: add virtio_pci

      Easier than duplicating code.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9a2ba82302bea7faf3b9579f9168b89c73ae34ad
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:20 2015 +0200

      vhost: 64 bit features

      Make sure that all vhost interfaces use 64 bit features, as the virtio
      core does, and make sure to use ULL everywhere possible to be on the
      safe side.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b1506132001eee6b11cf23b5968cd66ec141a9ed
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:19 2015 +0200

      vhost_net: add version_1 feature

      Add VERSION_1 to list of features that we should
      test at the backend.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit df91055db5c9cee93d70ca8c08d72119a240b987
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:18 2015 +0200

      virtio-net: enable virtio 1.0

      virtio-net (non-vhost) now should have everything in place to support
      virtio 1.0: let's enable the feature bit for it.

      Note that VIRTIO_F_VERSION_1 is technically a transport feature; once
      every device is ready for virtio 1.0, we can move setting this
      feature bit out of the individual devices.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit bb9d17f831fa8e70494eab8421d83a542e3d8508
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:17 2015 +0200

      virtio-net: support longer header

      virtio-1 devices always use num_buffers in the header, even if
      mergeable rx buffers have not been negotiated.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b6a3cddb22d3f0f729e267d45f350ae31bdebbcf
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:16 2015 +0200

      virtio-net: no writeable mac for virtio-1

      Devices operating as virtio 1.0 may not allow writes to the mac
      address in config space.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 0b352fd680e1ca7827ddea47b5e9b603320913b6
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:15 2015 +0200

      virtio: allow to fail setting status

      virtio-1 allow setting of the FEATURES_OK status bit to fail if
      the negotiated feature bits are inconsistent: let's fail
      virtio_set_status() in that case and update virtio-ccw to post an
      error to the guest.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6c0196d702e8482a17638ee79f45ce27cdd1ef5d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:14 2015 +0200

      virtio: disallow late feature changes for virtio-1

      For virtio-1 devices, the driver must not attempt to set feature bits
      after it set FEATURES_OK in the device status. Simply reject it in
      that case.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f5a5628cf0b65b223fa0c9031714578dfac4cf04
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:13 2015 +0200

      dataplane: allow virtio-1 devices

      Handle endianness conversion for virtio-1 virtqueues correctly.

      Note that dataplane now needs to be built per-target.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ab223c9518e8c7eb542ef3133de1a34475b69790
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:12 2015 +0200

      virtio: allow virtio-1 queue layout

      For virtio-1 devices, we allow a more complex queue layout that doesn't
      require descriptor table and rings on a physically-contigous memory area:
      add virtio_queue_set_rings() to allow transports to set this up.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3c185597c86b8cd0a07c46e7a5bd5aac28bb7200
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Jun 4 12:34:11 2015 +0200

      virtio: endianness checks for virtio 1.0 devices

      Add code that checks for the VERSION_1 feature bit in order to make
      decisions about the device's endianness. This allows us to support
      transitional devices.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 3974c9d8ccfccbd81edc9df271fcae7082f3921d
  Merge: eed8a8f 5efed5a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 10 16:52:34 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-fw_cfg-20150610-1' 
into staging

      fw_cfg: drop write support, qemu cmdline support, bugfixes.
      bios-tables-test: fix smbios test.

      # gpg: Signature made Wed Jun 10 07:29:53 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-fw_cfg-20150610-1:
        bios-tables-test: handle false-positive smbios signature matches
        fw_cfg: insert fw_cfg file blobs via qemu cmdline
        fw_cfg: prohibit insertion of duplicate fw_cfg file names
        fw_cfg: prevent selector key conflict
        fw_cfg: remove support for guest-side data writes
        fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc
        fw_cfg: add fw_cfg_modify_i16 (update) method
        QemuOpts: increase number of vm_config_groups

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit eed8a8f572e659c85f8711d79c20da95021e06e2
  Merge: e015fe0 7a8d15d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 10 15:46:39 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150609.0' into staging

      Initial VFIO platform device support, v2 (Eric Auger, et al.)

      # gpg: Signature made Tue Jun  9 15:25:40 2015 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150609.0:
        hw/vfio/platform: calxeda xgmac device
        hw/vfio/platform: add irq assignment
        hw/vfio/platform: vfio-platform skeleton

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e015fe008a3a8901913248cdb50c62dba795c588
  Merge: b041114 9f7c594
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Jun 10 15:10:14 2015 +0100

      Merge remote-tracking branch 
'remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request' into 
staging

      # gpg: Signature made Wed Jun 10 15:04:11 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/CVE-2015-3209-pcnet-tx-buffer-fix-pull-request:
        pcnet: force the buffer access to be in bounds during tx

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9f7c594c006289ad41169b854d70f5da6e400a2a
  Author: Petr Matousek <pmatouse@xxxxxxxxxx>
  Date:   Sun May 24 10:53:44 2015 +0200

      pcnet: force the buffer access to be in bounds during tx

      4096 is the maximum length per TMD and it is also currently the size of
      the relay buffer pcnet driver uses for sending the packet data to QEMU
      for further processing. With packet spanning multiple TMDs it can
      happen that the overall packet size will be bigger than sizeof(buffer),
      which results in memory corruption.

      Fix this by only allowing to queue maximum sizeof(buffer) bytes.

      This is CVE-2015-3209.

      [Fixed 3-space indentation to QEMU's 4-space coding standard.
      --Stefan]

      Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx>
      Reported-by: Matt Tait <matttait@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 24bfa207efb9b9d591552eefc1f414ff33ef0eac
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Jun 4 23:05:58 2015 -0400

      vhost: put log correctly in vhost_dev_start()

      We allocate an dummy log even if the size is zero. So we should put it
      unconditionally too.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 62232bf48456bda4058ceae05851bc58c1032338
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Sep 10 14:12:28 2014 +0200

      virtio-gpu/2d: add virtio gpu core code

      This patch adds the core code for virtio gpu emulation,
      covering 2d support.

      Written by Dave Airlie and Gerd Hoffmann.

      Signed-off-by: Dave Airlie <airlied@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 53476e07d299b7fc33fa480db6bd9a6b1e2e8a97
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri May 22 15:37:33 2015 +0200

      virtio: update headers, add virtio-gpu (2d)

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 220869e12d96bfb0b44d8e47394587c30e9a093f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 09:50:46 2015 +0200

      stdvga: factor out mmio subregion init

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit cf45ec6a52af77ec2cdfe229b6f496a29b8f7886
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 09:09:49 2015 +0200

      stdvga: pass VGACommonState instead of PCIVGAState

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 24cdff7c8278849747035f9554f8c538beabf949
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 09:03:54 2015 +0200

      stdvga: fix offset in pci_vga_ioport_read

      Simliar to pci_vga_ioport_write.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 5efed5a172881f601ac3c57c22ec5c5721f895be
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Mon May 18 08:47:24 2015 -0400

      bios-tables-test: handle false-positive smbios signature matches

      It has been reported that sometimes the .rodata section of SeaBIOS,
      containing the constant string against which the SMBIOS signature
      ends up being compared, also falls within the guest f-segment. In
      that case, the test obviously fails, unless we continue searching
      for the *real* SMBIOS entry point.

      Rather than stopping at the first match for the SMBIOS signature
      ("_SM_") in the f-segment (0xF0000-0xFFFFF), continue scanning
      until either a valid entry point table is found, or the f-segment
      has been exhausted.

      Reported-by: Bruce Rogers <brogers@xxxxxxxx>
      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Tested-by: Bruce Rogers <brogers@xxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 81b2b81062612ebeac4cd5333a3b15c7d79a5a3d
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Wed Apr 29 11:21:53 2015 -0400

      fw_cfg: insert fw_cfg file blobs via qemu cmdline

      Allow user supplied files to be inserted into the fw_cfg
      device before starting the guest. Since fw_cfg_add_file()
      already disallows duplicate fw_cfg file names, qemu will
      exit with an error message if the user supplies multiple
      blobs with the same fw_cfg file name, or if a blob name
      collides with a fw_cfg name programmatically added from
      within the QEMU source code. A warning message will be
      printed if the fw_cfg item name does not begin with the
      prefix "opt/", which is recommended for external, user
      provided blobs.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0eb973f91521c6bcb6399d25327711d083f6eb10
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Wed Apr 29 11:21:52 2015 -0400

      fw_cfg: prohibit insertion of duplicate fw_cfg file names

      Exit with an error (instead of simply logging a trace event)
      whenever the same fw_cfg file name is added multiple times via
      one of the fw_cfg_add_file[_callback]() host-side API calls.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0f9b214139d11ef058fa0f1c11c89e94fa6ef95d
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Wed Apr 29 11:21:51 2015 -0400

      fw_cfg: prevent selector key conflict

      Enforce a single assignment of data for each distinct selector key.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 023e3148567ac898c7258138f8e86c3c2bb40d07
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Wed Apr 29 11:21:50 2015 -0400

      fw_cfg: remove support for guest-side data writes

      From this point forward, any guest-side writes to the fw_cfg
      data register will be treated as no-ops. This patch also removes
      the unused host-side API function fw_cfg_add_callback(), which
      allowed the registration of a callback to be executed each time
      the guest completed a full overwrite of a given fw_cfg data item.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 48779e501810c5046ff8af7b9cf9c99bec2928a1
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Mon Jun 8 14:10:45 2015 -0400

      fw_cfg: fix FW_CFG_BOOT_DEVICE update on ppc and sparc

      On ppc, sparc, and sparc64, the value of the FW_CFG_BOOT_DEVICE 16bit
      fw_cfg entry is repeatedly modified from a series of callbacks, which
      currently results in the previous value's dynamically allocated memory
      being leaked.

      This patch switches updating to the new fw_cfg_modify_i16() call, which
      does not cause memory leaks.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1edd34b638f73d39a175fbc4f9ad5c97800d7470
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Mon Jun 8 14:10:44 2015 -0400

      fw_cfg: add fw_cfg_modify_i16 (update) method

      Allow the ability to modify the value of an existing 16-bit integer
      fw_cfg item.

      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1ceaefbd0d09642fcff05c6b8da49ad8fbc050cb
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri May 29 14:37:54 2015 +0200

      QemuOpts: increase number of vm_config_groups

      Adding the fw_cfg cmd line support patch by
      Gabriel L. Somlo hits the limit.

      Fix this by making the array larger.

      Cc: Gabriel L. Somlo <somlo@xxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b0411142f482df92717f8b4a3b746081a62b724f
  Merge: 44ee94e 36e60ef
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 9 15:29:34 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150609' into 
staging

      Collected TCG patches

      # gpg: Signature made Tue Jun  9 15:06:18 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150609:
        tcg/optimize: rename tcg_constant_folding
        tcg/optimize: fold constant test in tcg_opt_gen_mov
        tcg/optimize: fold temp copies test in tcg_opt_gen_mov
        tcg/optimize: remove opc argument from tcg_opt_gen_mov
        tcg/optimize: remove opc argument from tcg_opt_gen_movi
        tcg: fix dead computation for repeated input arguments
        tcg: fix register allocation with two aliased dead inputs
        tcg: Handle MO_AMASK in tcg_dump_ops
        tcg: Mask TCGMemOp appropriately for indexing

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7a8d15d7702444be715b6ae32574659483c0c158
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 9 09:00:07 2015 +0100

      hw/vfio/platform: calxeda xgmac device

      The platform device class has become abstract. This patch introduces
      a calxeda xgmac device that derives from it.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 36e60ef6ac5d8a262d0fbeedfdb2b588514cb1ea
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:53:27 2015 +0200

      tcg/optimize: rename tcg_constant_folding

      The tcg_constant_folding folding ends up doing all the optimizations
      (which is a good thing to avoid looping on all ops multiple time), so
      make it clear and just rename it tcg_optimize.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447607-31184-6-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 97a79eb70dd35a24fda87d86196afba5e6f21c5d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Fri Jun 5 11:19:18 2015 +0200

      tcg/optimize: fold constant test in tcg_opt_gen_mov

      Most of the calls to tcg_opt_gen_mov are preceeded by a test to check if
      the source temp is a constant. Fold that into the tcg_opt_gen_mov
      function.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433495958-9508-1-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 5365718a9afeeabde3784d82a542f8ad909b18cf
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:53:25 2015 +0200

      tcg/optimize: fold temp copies test in tcg_opt_gen_mov

      Each call to tcg_opt_gen_mov is preceeded by a test to check if the
      source and destination temps are copies. Fold that into the
      tcg_opt_gen_mov function.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447607-31184-4-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8d6a91602ea824ef4435ea38fd475387eecc098c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:53:24 2015 +0200

      tcg/optimize: remove opc argument from tcg_opt_gen_mov

      We can get the opcode using the TCGOp pointer. It needs to be
      dereferenced, but it's anyway done a few lines below to write
      the new value.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447607-31184-3-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ebd27391b00cdafc81e0541a940686137b3b48df
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:53:23 2015 +0200

      tcg/optimize: remove opc argument from tcg_opt_gen_movi

      We can get the opcode using the TCGOp pointer. It needs to be
      dereferenced, but it's anyway done a few lines below to write
      the new value.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447607-31184-2-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c19f47bf5e8fe3dbd10206a52d0e6e348f803933
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:47:08 2015 +0200

      tcg: fix dead computation for repeated input arguments

      When the same temp is used twice or more as an input argument to a TCG
      instruction, the dead computation code doesn't recognize the second use
      as a dead temp. This is because the temp is marked as live in the same
      loop where dead inputs are checked.

      The fix is to split the loop in two parts. This avoid emitting a move
      and using a register for the movcond instruction when used as "move if
      true" on x86-64. This might bring more improvements on RISC TCG targets
      which don't have outputs aliased to inputs.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447228-29425-3-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7e1df267a7e8b39fc0cf1d84d2afc2e88ccbfeac
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Thu Jun 4 21:47:07 2015 +0200

      tcg: fix register allocation with two aliased dead inputs

      For TCG ops with two outputs registers (add2, sub2, div2, div2u), when
      the same input temp is used for the two inputs aliased to the two
      outputs, and when these inputs are both dead, the register allocation
      code wrongly assigned the same register to the same output.

      This happens for example with sub2 t1, t2, t3, t3, t4, t5, when t3 is
      not used anymore after the TCG op.  In that case the same register is
      used for t1, t2 and t3.

      The fix is to look for already allocated aliased input when allocating
      a dead aliased input and check that the register is not already
      used.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Message-Id: <1433447228-29425-2-git-send-email-aurelien@xxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 59c4b7e8dfab0cdc41434fedbf2686222f541e57
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Jun 1 14:38:56 2015 -0700

      tcg: Handle MO_AMASK in tcg_dump_ops

      Reviewed-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Tested-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2b7ec66f025263a5331f37d5ad78a625496fd7bd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri May 29 09:16:51 2015 -0700

      tcg: Mask TCGMemOp appropriately for indexing

      The addition of MO_AMASK means that places that used inverted masks
      need to be changed to use positive masks, and places that failed to
      mask the intended bits need updating.

      Reviewed-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Tested-by: Yongbok Kim <yongbok.kim@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 44ee94e4862603c2b1b21718effc5f17b39f43bc
  Merge: b781a60 6028ef0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 9 11:07:41 2015 +0100

      Merge remote-tracking branch 'remotes/borntraeger/tags/s390x-20150609' 
into staging

      s390x/virtio-ccw: migration and virtio for 2.4

      1. Migration fixups
      2. virtio 9pfs

      # gpg: Signature made Tue Jun  9 09:00:05 2015 BST using RSA key ID 
B5A61C7C
      # gpg: Good signature from "Christian Borntraeger (IBM) 
<borntraeger@xxxxxxxxxx>"

      * remotes/borntraeger/tags/s390x-20150609:
        s390x/migration: add comment about floating point migration
        s390x/kvm: always ignore empty vcpu interrupt state
        virtio-ccw/migration: Migrate config vector for virtio devices
        virtio-ccw: add support for 9pfs

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b781a60b1054e06de6733b75dd1489afff9c3276
  Merge: ee09f84 8190483
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 9 10:05:29 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-error-2015-06-09' 
into staging

      Error reporting patches

      # gpg: Signature made Tue Jun  9 06:42:15 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-error-2015-06-09:
        vhost-user: Improve -netdev/netdev_add/-net/... error reporting
        QemuOpts: Convert qemu_opt_foreach() to Error
        QemuOpts: Drop qemu_opt_foreach() parameter abort_on_failure
        blkdebug: Simplify passing of Error through qemu_opts_foreach()
        QemuOpts: Convert qemu_opts_foreach() to Error
        QemuOpts: Drop qemu_opts_foreach() parameter abort_on_failure
        vl: Fail right after first bad -object
        vl: Print -device help at most once
        vl: Report failure to sandbox at most once

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 08d49df0dbaacc220a099dbfb644e1dc0eda57be
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Jun 8 11:12:15 2015 +0200

      sdl2: fix crash in handle_windowevent() when restoring the screen size

      The Ctrl-Alt-u keyboard shortcut restores the screen to its original
      size. In the SDL2 UI this is done by destroying the window and
      creating a new one. The old window emits SDL_WINDOWEVENT_HIDDEN when
      it's destroyed, but trying to call SDL_GetWindowFromID() from that
      event's window ID returns a null pointer. handle_windowevent() assumes
      that the pointer is never null so it results in a crash.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 6028ef075791913228c36f10cb270f1f52e9f076
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Mon Jun 8 12:21:24 2015 +0200

      s390x/migration: add comment about floating point migration

      commit 46c804def4bd ("s390x: move fpu regs into a subsection
      of the vmstate") moved the fprs into a subsection and bumped
      the version number. This will allow to not transfer fprs in
      the future if necessary. Add a comment to mark the return true
      as intentional.

      CC: Juan Quintela <quintela@xxxxxxxxxx>
      CC: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Message-Id: <1433758884-2997-1-git-send-email-borntraeger@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8190483196148f765c65785876f7b893d64b6cdd
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 14:17:16 2015 +0100

      vhost-user: Improve -netdev/netdev_add/-net/... error reporting

      When -netdev vhost-user fails, it first reports a specific error, then
      one or more generic ones, like this:

          $ qemu-system-x86_64 -netdev vhost-user,id=foo,chardev=xxx
          qemu-system-x86_64: -netdev vhost-user,id=foo,chardev=xxx: chardev 
"xxx" not found
          qemu-system-x86_64: -netdev vhost-user,id=foo,chardev=xxx: No 
suitable chardev found
          qemu-system-x86_64: -netdev vhost-user,id=foo,chardev=xxx: Device 
'vhost-user' could not be initialized

      With the command line, the messages go to stderr.  In HMP, they go to
      the monitor.  In QMP, the last one becomes the error reply, and the
      others go to stderr.

      Convert net_init_vhost_user() and its helpers to Error.  This
      suppresses the unwanted unspecific error messages, and makes the
      specific error the QMP error reply.

      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 71df1d833776647fc12f5bbcd6d6fe4c5e931094
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 12 08:40:25 2015 +0100

      QemuOpts: Convert qemu_opt_foreach() to Error

      Retain the function value for now, to permit selective conversion of
      its callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 1640b200d53e3d981f12a192fe84b7bb7958c065
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 12 07:45:10 2015 +0100

      QemuOpts: Drop qemu_opt_foreach() parameter abort_on_failure

      When the argument is non-zero, qemu_opt_foreach() stops on callback
      returning non-zero, and returns that value.

      When the argument is zero, it doesn't stop, and returns the callback's
      value from the last iteration.

      The two callers that pass zero could just as well pass one:

      * qemu_spice_init()'s callback add_channel() either returns zero or
        exit()s.

      * config_write_opts()'s callback config_write_opt() always returns
        zero.

      Drop the parameter, and always stop.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8809cfc38e4e93884d664bb00108fc71b423f589
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 13:38:42 2015 +0100

      blkdebug: Simplify passing of Error through qemu_opts_foreach()

      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 28d0de7a4fb721b06de72970bd163f5183c2188b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 13:35:14 2015 +0100

      QemuOpts: Convert qemu_opts_foreach() to Error

      Retain the function value for now, to permit selective conversion of
      its callers.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a4c7367f7dd9348f94dc4298571ed515b8160a27
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 11:07:24 2015 +0100

      QemuOpts: Drop qemu_opts_foreach() parameter abort_on_failure

      When the argument is non-zero, qemu_opts_foreach() stops on callback
      returning non-zero, and returns that value.

      When the argument is zero, it doesn't stop, and returns the bit-wise
      inclusive or of all the return values.  Funky :)

      The callers that pass zero could just as well pass one, because their
      callbacks can't return anything but zero:

      * qemu_add_globals()'s callback qdev_add_one_global()

      * qemu_config_write()'s callback config_write_opts()

      * main()'s callbacks default_driver_check(), drive_enable_snapshot(),
        vnc_init_func()

      Drop the parameter, and always stop.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8122928a52248e28513c79d9b9929c6d20c866ea
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 13:08:36 2015 +0100

      vl: Fail right after first bad -object

      Failure to create an object with -object is a fatal error.  However,
      we delay the actual exit until all -object are processed.  On the one
      hand, this permits detection of genuine additional errors.  On the
      other hand, it can muddy the waters with uninteresting additional
      errors, e.g. when a later -object tries to reference a prior one that
      failed.

      We generally stop right on the first bad option, so do that for
      -object as well.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 8416abb3b0f42132fc6346c439ec543635075135
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 13:02:03 2015 +0100

      vl: Print -device help at most once

      We print it once for each -device help.  Not helpful.  Stop after the
      first one.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 092b21aa7edf7962248e731cddaf5350d268e333
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 13 12:59:43 2015 +0100

      vl: Report failure to sandbox at most once

      It's reported once per -sandbox on.  Stop on the first failure, like
      we do for other options.

      Not fixed: "-sandbox on -sandbox off" should leave the sandbox off.
      It doesn't.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 38559979bf0095a586f61bc9e028df36673f21a1
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jun 8 09:25:26 2015 -0600

      hw/vfio/platform: add irq assignment

      This patch adds the code requested to assign interrupts to
      a guest. The interrupts are mediated through user handled
      eventfds only.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 0ea2730bef0b764ce87f5d6859f9b1eac6069250
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Mon Jun 8 09:25:25 2015 -0600

      hw/vfio/platform: vfio-platform skeleton

      Minimal VFIO platform implementation supporting register space
      user mapping but not IRQ assignment.

      Signed-off-by: Kim Phillips <kim.phillips@xxxxxxxxxx>
      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Tested-by: Vikram Sethi <vikrams@xxxxxxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit ee09f84e6bf5383a23c9624115c26b72aa1e076c
  Merge: 2e29dd7 24a3142
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 8 15:57:41 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      * KVM error improvement from Laurent
      * CONFIG_PARALLEL fix from Mirek
      * Atomic/optimized dirty bitmap access from myself and Stefan
      * BUILD_DIR convenience/bugfix from Peter C
      * Memory leak fix from Shannon
      * SMM improvements (though still TCG only) from myself and Gerd, acked by 
mst

      # gpg: Signature made Fri Jun  5 18:45:20 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream: (62 commits)
        update Linux headers from kvm/next
        atomics: add explicit compiler fence in __atomic memory barriers
        ich9: implement SMI_LOCK
        q35: implement TSEG
        q35: add test for SMRAM.D_LCK
        q35: implement SMRAM.D_LCK
        q35: add config space wmask for SMRAM and ESMRAMC
        q35: fix ESMRAMC default
        q35: implement high SMRAM
        hw/i386: remove smram_update
        target-i386: use memory API to implement SMRAM
        hw/i386: add a separate region that tracks the SMRAME bit
        target-i386: create a separate AddressSpace for each CPU
        vl: run "late" notifiers immediately
        qom: add object_property_add_const_link
        vl: allow full-blown QemuOpts syntax for -global
        pflash_cfi01: add secure property
        pflash_cfi01: change to new-style MMIO accessors
        pflash_cfi01: change big-endian property to BIT type
        target-i386: wake up processors that receive an SMI
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2e29dd7c44db30e3d3c108ab2a622cbdac6d16f0
  Merge: 0daba1f 0ba9888
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 8 14:07:32 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri Jun  5 20:59:07 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        macio: remove remainder_len DBDMA_io property
        macio: update comment/constants to reflect the new code
        macio: switch pmac_dma_write() over to new offset/len implementation
        macio: switch pmac_dma_read() over to new offset/len implementation
        fdc-test: Test state for existing cases more thoroughly
        fdc: Fix MSR.RQM flag
        fdc: Disentangle phases in fdctrl_read_data()
        fdc: Code cleanup in fdctrl_write_data()
        fdc: Use phase in fdctrl_write_data()
        fdc: Introduce fdctrl->phase
        fdc: Rename fdctrl_set_fifo() to fdctrl_to_result_phase()
        fdc: Rename fdctrl_reset_fifo() to fdctrl_to_command_phase()

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0daba1f037ab85be7a9ff7ee37ba6b644c5e7977
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Fri Jun 5 11:05:03 2015 +0200

      machine: Drop use of DEFAULT_RAM_SIZE in help text

      As of commit 076b35b5a (machine: add default_ram_size to machine
      class) we no longer have a global default ram size, but instead
      machine specific defaults.  When invoking qemu --help we don't know
      which machine you selected, so we can't tell the user the default RAM
      size in the help text anymore now.

      Thus I don't see an easy way to expose the default ram size to the
      user in the help text.  The easiest option IMHO is to just drop this
      piece of information.

      Reported-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Acked-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Acked-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Message-id: 1433495103-62084-1-git-send-email-agraf@xxxxxxx
      [PMM: rewrapped long commit message lines]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 779cec4d20907cbccb26fbf5f5c19c6cdee33eff
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Jun 8 10:44:30 2015 +0200

      monitor: Fix QMP ABI breakage around "id"

      Commit 65207c5 accidentally dropped a line of code we need along with
      a comment that became wrong then.  This made QMP reject "id":

          {"execute": "system_reset", "id": "1"}
          {"error": {"class": "GenericError", "desc": "QMP input object member 
'id' is unexpected"}}

      Put the lost line right back, so QMP again accepts and returns "id",
      as promised by the ABI:

          {"execute": "system_reset", "id": "1"}
          {"return": {}, "id": "1"}

      Reported-by: Fabio Fantoni <fabio.fantoni@xxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Don Slutz <dslutz@xxxxxxxxxxx>
      Tested-by: Fabio Fantoni <fabio.fantoni@xxxxxxx>
      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Tested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1433753070-12632-2-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 24a314269281a175b5540b3b6a8981ed2e8220e1
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Jun 4 16:38:29 2015 +0200

      update Linux headers from kvm/next

      This is kvm.git commit 05ff30bb56c6b3d3000519d6e02ed35678ddae3b.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3bbf572345c65813f86a8fc434ea1b23beb08e16
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Jun 3 14:21:20 2015 +0200

      atomics: add explicit compiler fence in __atomic memory barriers

      __atomic_thread_fence does not include a compiler barrier; in the
      C++11 memory model, fences take effect in combination with other
      atomic operations.  GCC implements this by making __atomic_load and
      __atomic_store access memory as if the pointer was volatile, and
      leaves no trace whatsoever of acquire and release fences in the
      compiler's intermediate representation.

      In QEMU, we want memory barriers to act on all memory, but at the same
      time we would like to use __atomic_thread_fence for portability reasons.
      Add compiler barriers manually around the __atomic_thread_fence.

      Message-Id: <1433334080-14912-1-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 11e66a15a084cb0820dba13f4ea3b15b0512fd39
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed May 6 10:58:30 2015 +0200

      ich9: implement SMI_LOCK

      Add write mask for the smi enable register, so we can disable write
      access to certain bits.  Open all bits on reset.  Disable write access
      to GBL_SMI_EN when SMI_LOCK (in ich9 lpc pci config space) is set.
      Write access to SMI_LOCK itself is disabled too.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit bafc90bdc594a4d04db846bd8712bdcec59678a8
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Apr 20 10:55:09 2015 +0200

      q35: implement TSEG

      TSEG provides larger amounts of SMRAM than the 128 KB available with
      legacy SMRAM and high SMRAM.

      Route access to tseg into nowhere when enabled, for both cpus and
      busmaster dma, and add tseg window to smram region, so cpus can access
      it in smm mode.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 66e2ec2417e72edea1df5fb340b210100b0571b7
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 14 15:11:36 2015 +0200

      q35: add test for SMRAM.D_LCK

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      [Fix compilation of the newly introduced test. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 68c77acfb18d28933f17b1c2a842bd936ce7223b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 14 14:03:22 2015 +0200

      q35: implement SMRAM.D_LCK

      Once the SMRAM.D_LCK bit has been set by the guest several bits in SMRAM
      and ESMRAMC become readonly until the next machine reset.  Implement
      this by updating the wmask accordingly when the guest sets the lock bit.
      As the lock it itself is locked down too we don't need to worry about
      the guest clearing the lock bit.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b66a67d7519cb7f980885af5391b1103c42e9b6d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 15 16:48:12 2015 +0200

      q35: add config space wmask for SMRAM and ESMRAMC

      Not all bits in SMRAM and ESMRAMC can be changed by the guest.
      Add wmask defines accordingly and set them in mch_reset().

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7744752402d11cebe4c1d4079dcd40d3145eb37b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 15 16:43:24 2015 +0200

      q35: fix ESMRAMC default

      The cache bits in ESMRAMC are hardcoded to 1 (=disabled) according to
      the q35 mch specs.  Add and use a define with this default.

      While being at it also update the SMRAM default to use the name (no code
      change, just makes things a bit more readable).

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 64130fa4a1514ae7a580b8d46290a11784770600
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 17:13:01 2015 +0200

      q35: implement high SMRAM

      When H_SMRAME is 1, low memory at 0xa0000 is left alone by
      SMM, and instead the chipset maps the 0xa0000-0xbffff window at
      0xfeda0000-0xfedbffff.  This affects both the "non-SMM" view controlled
      by D_OPEN and the SMM view controlled by G_SMRAME, so add two new
      MemoryRegions and toggle the enabled/disabled state of all four
      in mch_update_smram.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3de70c0899db2712a5ae321093aa6173d6f76706
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:14:28 2015 +0200

      hw/i386: remove smram_update

      It's easier to inline it now that most of its work is done by the CPU
      (rather than the chipset) through /machine/smram and the memory API.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f809c605122df291bbb9004dc487bde0969134b5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:12:25 2015 +0200

      target-i386: use memory API to implement SMRAM

      Remove cpu_smm_register and cpu_smm_update.  Instead, each CPU
      address space gets an extra region which is an alias of
      /machine/smram.  This extra region is enabled or disabled
      as the CPU enters/exits SMM.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fe6567d5fddfb7501a352c5e080a9eecf7b89177
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:10:22 2015 +0200

      hw/i386: add a separate region that tracks the SMRAME bit

      This region is exported at /machine/smram.  It is "empty" if
      SMRAME=0 and points to SMRAM if SMRAME=1.  The CPU will
      enable/disable it as it enters or exits SMRAM.

      While touching nearby code, the existing memory region setup was
      slightly inconsistent.  The smram_region is *disabled* in order to open
      SMRAM (because the smram_region shows the low VRAM instead of the RAM
      at 0xa0000).  Because SMRAM is closed at startup, the smram_region must
      be enabled when creating the i440fx or q35 devices.

      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2001d0cd6d55e5efa9956fa8ff8b89034d6a4329
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:11:09 2015 +0200

      target-i386: create a separate AddressSpace for each CPU

      Different CPUs can be in SMM or not at the same time, thus they
      will see different things where the chipset places SMRAM.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 71cdd1cb914e24000273bbbfa5fb226cdb8ea265
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 31 14:01:06 2015 +0200

      vl: run "late" notifiers immediately

      If a machine_init_done notifier is added late, as part of a hot-plugged
      device, run it immediately.
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fb9e7e334b54350e8e3b62bd7892b78f63a9d848
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 5 18:29:00 2015 +0200

      qom: add object_property_add_const_link

      Suggested-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3751d7c43f795b45ffdb9429cfb09c6beea55c68
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Apr 9 14:16:19 2015 +0200

      vl: allow full-blown QemuOpts syntax for -global

      -global does not work for drivers that have a dot in their name, such as
      cfi.pflash01.  This is just a parsing limitation, because such globals
      can be declared easily inside a -readconfig file.

      To allow this usage, support the full QemuOpts key/value syntax for 
-global
      too, for example "-global driver=cfi.pflash01,property=secure,value=on".
      The two formats do not conflict, because the key/value syntax does not 
have
      a period before the first equal sign.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f71e42a5c98722d6faa5be84a34fbad90d27dc04
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 14:09:43 2015 +0200

      pflash_cfi01: add secure property

      When this property is set, MMIO accesses are only allowed with the
      MEMTXATTRS_SECURE attribute.  This is used for secure access to UEFI
      variables stored in flash.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5aa113f0a2c245b0a77865e1dd2445bdd24c3ef8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 14:00:53 2015 +0200

      pflash_cfi01: change to new-style MMIO accessors

      This is a required step to implement read_with_attrs and write_with_attrs.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e98094221ec336fcfd0c72c66f280f1cabb16c72
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 13:53:29 2015 +0200

      pflash_cfi01: change big-endian property to BIT type

      Make this consistent with the secure property, added in the next patch.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit a9bad65d2c1f61af74ce2ff43238d4b20bf81c3a
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 19 13:46:47 2015 +0200

      target-i386: wake up processors that receive an SMI

      An SMI should definitely wake up a processor in halted state!
      This lets OVMF boot with SMM on multiprocessor systems, although
      it halts very soon after that with a "CpuIndex != BspIndex"
      assertion failure.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b4854f1384176d897747de236f426d020668fa3c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Apr 30 12:02:46 2015 +0200

      target-i386: set G=1 in SMM big real mode selectors

      Because the limit field's bits 31:20 is 1, G should be 1.
      VMX actually enforces this, let's do it for completeness
      in QEMU as well.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9982f74bad70479939491b69522da047a3be5a0d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 11:40:41 2015 +0200

      target-i386: mask NMIs on entry to SMM

      QEMU is not blocking NMIs on entry to SMM.  Implementing this has to
      cover a few corner cases, because:

      - NMIs can then be enabled by an IRET instruction and there
      is no mechanism to _set_ the "NMIs masked" flag on exit from SMM:
      "A special case can occur if an SMI handler nests inside an NMI handler
      and then another NMI occurs. [...] When the processor enters SMM while
      executing an NMI handler, the processor saves the SMRAM state save map
      but does not save the attribute to keep NMI interrupts disabled.

      - However, there is some hidden state, because "If NMIs were blocked
      before the SMI occurred [and no IRET is executed while in SMM], they
      are blocked after execution of RSM."  This is represented by the new
      HF2_SMM_INSIDE_NMI_MASK bit.  If it is zero, NMIs are _unblocked_
      on exit from RSM.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3f7d84648607cc0fcb3812bb4b88978e2a7aa24f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 14:45:53 2015 +0200

      target-i386: Use correct memory attributes for ioport accesses

      In order to do this, stop using the cpu_in*/out* helpers, and instead
      access address_space_io directly.

      cpu_in* and cpu_out* remain for usage in the monitor, in qtest, and
      in Xen.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b216aa6c0fcbaa8ff4128969c14594896a5485a4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 13:39:37 2015 +0200

      target-i386: Use correct memory attributes for memory accesses

      These include page table walks, SVM accesses and SMM state save accesses.

      The bulk of the patch is obtained with

         sed -i 's/\(\<[a-z_]*_phys\(_notdirty\)\?\>(cs\)->as,/x86_\1,/'

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f794aa4a2fd772a3ec413c4e478cc23857cfee98
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 14:52:04 2015 +0200

      target-i386: introduce cpu_get_mem_attrs

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d7a0f71d9aac33e58d39fdbe4861d440af44fa8b
  Author: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
  Date:   Fri May 29 17:14:06 2015 +0200

      icount: print a warning if there is no more deadline in sleep=no mode

      While qemu is running in sleep=no mode, a warning will be printed
      when no timer deadline is set.
      As this mode is intended for getting deterministic virtual time, if no
      timer is set on the virtual clock this determinism is broken.

      Signed-off-by: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
      Message-Id: <1432912446-9811-4-git-send-email-victor.clement@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f1f4b57e88ff7c9cb20b074ff6106fd8f4397baa
  Author: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
  Date:   Fri May 29 17:14:05 2015 +0200

      icount: add sleep parameter to the icount option to set icount_sleep mode

      The 'sleep' parameter sets the icount_sleep mode, which is enabled by
      default. To disable it, add the 'sleep=no' parameter (or 'nosleep') to the
      qemu -icount option.

      Signed-off-by: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
      Message-Id: <1432912446-9811-3-git-send-email-victor.clement@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5045e9d912588a7421ab899ba510025722666fd1
  Author: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
  Date:   Fri May 29 17:14:04 2015 +0200

      icount: implement a new icount_sleep mode toggleing real-time cpu sleep

      When the icount_sleep mode is disabled, the QEMU_VIRTUAL_CLOCK runs at the
      maximum possible speed by warping the sleep times of the virtual cpu to 
the
      soonest clock deadline. The virtual clock will be updated only according
      the instruction counter.

      Signed-off-by: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
      Message-Id: <1432912446-9811-2-git-send-email-victor.clement@xxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ec05ec26f940564b1e07bf88857035ec27e21dd8
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sun Mar 29 09:31:43 2015 +0200

      memory: use mr->ram_addr in "is this RAM?" assertions

      mr->terminates alone doesn't guarantee that we are looking at a RAM 
region.
      mr->ram_addr also has to be checked, in order to distinguish RAM and I/O
      regions.

      So, do the following:

      1) add a new define RAM_ADDR_INVALID, and test it in the assertions
      instead of mr->terminates

      2) IOMMU regions were not setting mr->ram_addr to a bogus value, 
initialize
      it in the instance_init function so that the new assertions would fire
      for IOMMU regions as well.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5f2cb94688bd0b2c88e0fc1ac3c4582965b7b106
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:19 2014 +0000

      memory: make cpu_physical_memory_sync_dirty_bitmap() fully atomic

      The fast path of cpu_physical_memory_sync_dirty_bitmap() directly
      manipulates the dirty bitmap.  Use atomic_xchg() to make the
      test-and-clear atomic.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-7-git-send-email-stefanha@xxxxxxxxxx>
      [Only do xchg on nonzero words. - Paolo]
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 03eebc9e3246b9b3f5925aa41f7dfd7c1e467875
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:18 2014 +0000

      memory: replace cpu_physical_memory_reset_dirty() with test-and-clear

      The cpu_physical_memory_reset_dirty() function is sometimes used
      together with cpu_physical_memory_get_dirty().  This is not atomic since
      two separate accesses to the dirty memory bitmap are made.

      Turn cpu_physical_memory_reset_dirty() and
      cpu_physical_memory_clear_dirty_range_type() into the atomic
      cpu_physical_memory_test_and_clear_dirty().

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-6-git-send-email-stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 20015f72bda7d2f356c43580a5542a659afedf83
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:17 2014 +0000

      migration: move dirty bitmap sync to ram_addr.h

      The dirty memory bitmap is managed by ram_addr.h and copied to
      migration_bitmap[] periodically during live migration.

      Move the code to sync the bitmap to ram_addr.h where related code lives.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-5-git-send-email-stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d114875b9a1c21162f69a12d72f69a22e7bab376
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:16 2014 +0000

      memory: use atomic ops for setting dirty memory bits

      Use set_bit_atomic() and bitmap_set_atomic() so that multiple threads
      can dirty memory without race conditions.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-4-git-send-email-stefanha@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 36546e5b803f6e363906607307f27c489441fd15
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:15 2014 +0000

      bitmap: add atomic test and clear

      The new bitmap_test_and_clear_atomic() function clears a range and
      returns whether or not the bits were set.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-3-git-send-email-stefanha@xxxxxxxxxx>
      [Test before xchg; then a full barrier is needed at the end just like
       in the previous patch.  The barrier can be avoided if we did at least
       one xchg.  - Paolo]
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9f02cfc84b85929947b32fe1674fbc6a429f332a
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Dec 2 11:23:14 2014 +0000

      bitmap: add atomic set functions

      Use atomic_or() for atomic bitmaps where several threads may set bits at
      the same time.  This avoids the race condition between threads loading
      an element, bitwise ORing, and then storing the element.

      When setting all bits in a word we can avoid atomic ops and instead just
      use an smp_mb() at the end.

      Most bitmap users don't need atomicity so introduce new functions.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-Id: <1417519399-3166-2-git-send-email-stefanha@xxxxxxxxxx>
      [Avoid barrier in the single word case, use full barrier instead of write.
       - Paolo]
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9460dee4b2258e3990906fb34099481c8334c267
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 11:41:32 2015 +0100

      memory: do not touch code dirty bitmap unless TCG is enabled

      cpu_physical_memory_set_dirty_lebitmap unconditionally syncs the
      DIRTY_MEMORY_CODE bitmap.  This however is unused unless TCG is
      enabled.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e87f7778b64d4a6a78e16c288c7fdc6c15317d5f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Mar 25 15:21:39 2015 +0100

      exec: only check relevant bitmaps for cleanliness

      Most of the time, not all bitmaps have to be marked as dirty;
      do not do anything if the interesting ones are already dirty.
      Previously, any clean bitmap would have cause all the bitmaps to be
      marked dirty.

      In fact, unless running TCG most of the time bitmap operations need
      not be done at all, because memory_region_is_logging returns zero.
      In this case, skip the call to cpu_physical_memory_range_includes_clean
      altogether as well.

      With this patch, cpu_physical_memory_set_dirty_range is called
      unconditionally, so there need not be anymore a separate call to
      xen_modified_memory.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 72b47e79cef36ed6ffc718f10e21001d7ec2a66f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 13:48:25 2015 +0200

      exec: invert return value of cpu_physical_memory_get_clean, rename

      While it is obvious that cpu_physical_memory_get_dirty returns true even 
if
      a single page is dirty, the same is not true for 
cpu_physical_memory_get_clean;
      one would expect that it returns true only if all the pages are clean, but
      it actually looks for even one clean page.  (By contrast, the caller of 
that
      function, cpu_physical_memory_range_includes_clean, has a good name).

      To clarify, rename the function to cpu_physical_memory_all_dirty and 
return
      true if _all_ the pages are dirty.  This is the opposite of the previous
      meaning, because "all are 1" is the same as "not (any is 0)", so we have 
to
      modify cpu_physical_memory_range_includes_clean as well.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 58d2707e8713ef17b89b8b4c9ce586c76655a385
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 11:56:01 2015 +0100

      exec: pass client mask to cpu_physical_memory_set_dirty_range

      This cuts in half the cost of bitmap operations (which will become more
      expensive when made atomic) during migration on non-VRAM regions.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fc377bcf617a48233a99a9fe0a26247c38b5cb76
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 14:20:35 2015 +0200

      translate-all: make less of tb_invalidate_phys_page_range depend on 
is_cpu_write_access

      is_cpu_write_access is only set if tb_invalidate_phys_page_range is called
      from tb_invalidate_phys_page_fast, and hence from notdirty_mem_write.
      However:

      - the code bitmap can be built directly in tb_invalidate_phys_page_fast
        (unconditionally, since is_cpu_write_access would always be passed as 
1);

      - the virtual address is not needed to mark the page as "not containing
        code" (dirty code bitmap = 1), so we can also remove that use of
        is_cpu_write_access.  For calls of tb_invalidate_phys_page_range
        that do not come from notdirty_mem_write, the next call to
        notdirty_mem_write will notice that the page does not contain code
        anymore, and will fix up the TLB entry.

      The parameter needs to remain in order to guard accesses to 
cpu->mem_io_pc.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9564f52da7eb061326956ed9a468935e3352512d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 14:24:54 2015 +0200

      cputlb: remove useless arguments to tlb_unprotect_code_phys, rename

      These days modification of the TLB is done in notdirty_mem_write,
      so the virtual address and env pointer as unnecessary.

      The new name of the function, tlb_unprotect_code, is consistent with
      tlb_protect_code.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 358653391b0c0beaa0e3f9e28304e1918cd223b3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 14:20:35 2015 +0200

      translate-all: remove unnecessary argument to tb_invalidate_phys_range

      The is_cpu_write_access argument is always 0, remove it.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1652b974766401743879d78f796f44b8929b0787
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 14:15:48 2015 +0200

      exec: move functions to translate-all.h

      Remove them from the sundry exec-all.h header, since they are only used by
      the TCG runtime in exec.c and user-exec.c.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 845b6214a309fa58a4405050bf8313e19fde5c91
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 11:45:53 2015 +0100

      exec: use memory_region_get_dirty_log_mask to optimize dirty tracking

      The memory API can now return the exact set of bitmaps that have to
      be tracked.  Use it instead of the in_migration variable.

      In the next patches, we will also use it to set only DIRTY_MEMORY_VGA
      or DIRTY_MEMORY_MIGRATION if necessary.  This can make a difference
      for dataplane, especially after the dirty bitmap is changed to use
      more expensive atomic operations.

      Of some interest is the change to stl_phys_notdirty.  When migration
      was introduced, stl_phys_notdirty was changed to effectively behave
      as stl_phys during migration.  In fact, if one looks at the function as it
      was in the beginning (commit 8df1cd0, physical memory access functions,
      2005-01-28), at the time the dirty bitmap was the equivalent of
      DIRTY_MEMORY_CODE nowadays; hence, the function simply should not touch
      the dirty code bits.  This patch changes it to do the intended thing.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 49dfcec40349245ad365964468b67e132c3cedc7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 11:35:19 2015 +0100

      ram_addr: tweaks to xen_modified_memory

      Invoke xen_modified_memory from 
cpu_physical_memory_set_dirty_range_nocode;
      it is akin to DIRTY_MEMORY_MIGRATION, so set it together with that bitmap.
      The remaining call from invalidate_and_set_dirty's "else" branch will go
      away soon.

      Second, fix the second argument to the function in the
      cpu_physical_memory_set_dirty_lebitmap call site.  That function is only 
used
      by KVM, but it is better to be clean anyway.

      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1bfbac4ee16e2ea95d087e0926727d9a113b483e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:57:21 2015 +0100

      kvm: remove special handling of DIRTY_MEMORY_MIGRATION in the dirty log 
mask

      One recent example is commit 4cc856f (kvm-all: Sync dirty-bitmap from
      kvm before kvm destroy the corresponding dirty_bitmap, 2015-04-02).
      Another performance problem is that KVM keeps tracking dirty pages
      after a failed live migration, which causes bad performance due to
      disallowing huge page mapping.

      Thanks to the previous patch, KVM can now stop hooking into
      log_global_start/stop.  This simplifies the KVM code noticeably.

      Reported-by: Wanpeng Li <wanpeng.li@xxxxxxxxxxxxxxx>
      Reported-by: Xiao Guangrong <guangrong.xiao@xxxxxxxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6f6a5ef3e429f92f987678ea8c396aab4dc6aa19
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:57:21 2015 +0100

      memory: include DIRTY_MEMORY_MIGRATION in the dirty log mask

      The separate handling of DIRTY_MEMORY_MIGRATION, which does not
      call log_start/log_stop callbacks when it changes in a region's
      dirty logging mask, has caused several bugs.

      One recent example is commit 4cc856f (kvm-all: Sync dirty-bitmap from
      kvm before kvm destroy the corresponding dirty_bitmap, 2015-04-02).
      Another performance problem is that KVM keeps tracking dirty pages
      after a failed live migration, which causes bad performance due to
      disallowing huge page mapping.

      This patch removes the root cause of the problem by reporting
      DIRTY_MEMORY_MIGRATION changes via log_start and log_stop.
      Note that we now have to rebuild the FlatView when global dirty
      logging is enabled or disabled; this ensures that log_start and
      log_stop callbacks are invoked.

      This will also be used to make the setting of bitmaps conditional.
      In general, this patch lets users of the memory API ignore the
      global state of dirty logging if they handle dirty logging
      generically per region.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit ea8cb1a8d98f5e3822a23a7cecdb4add0f29178b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Apr 27 14:51:31 2015 +0200

      kvm: accept non-mapped memory in kvm_dirty_pages_log_change

      It is okay if memory is not mapped into the guest but has dirty logging
      enabled.  When this happens, KVM will not do anything and only accesses
      from the host will be logged.

      This can be triggered by iofuzz.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 677e7805cf95f3b2bca8baf0888d1ebed7f0c606
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:53:21 2015 +0100

      memory: track DIRTY_MEMORY_CODE in mr->dirty_log_mask

      DIRTY_MEMORY_CODE is only needed for TCG.  By adding it directly to
      mr->dirty_log_mask, we avoid testing for TCG everywhere a region is
      checked for the enabled/disabled state of dirty logging.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 42af3e3a02f6d0c38c46465b7f0311eabf532f77
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 13:30:19 2015 +0200

      ui/console: remove dpy_gfx_update_dirty

      dpy_gfx_update_dirty expects DIRTY_MEMORY_VGA logging to be always on,
      but that will not be the case soon.  Because it computes the memory
      region on the fly for every update (with memory_region_find), it cannot
      enable/disable logging by itself.

      We could always treat updates as invalidations if dirty logging is
      not enabled, assuming that the board will enable logging on the
      RAM region that includes the framebuffer.

      However, the function is unused, so just drop it.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d55d42078bfb507743747b761673507b95a76620
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:46:52 2015 +0100

      framebuffer: check memory_region_is_logging

      framebuffer.c expects DIRTY_MEMORY_VGA logging to be always on, but that
      will not be the case soon.  Because framebuffer.c computes the memory
      region on the fly for every update (with memory_region_find), it cannot
      enable/disable logging by itself.

      Instead, always treat updates as invalidations if dirty logging is
      not enabled, assuming that the board will enable logging on the
      RAM region that includes the framebuffer.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b2dfd71c4843a762f2befe702adb249cf55baf66
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sat Apr 25 14:38:30 2015 +0200

      memory: prepare for multiple bits in the dirty log mask

      When the dirty log mask will also cover other bits than DIRTY_MEMORY_VGA,
      some listeners may be interested in the overall zero/non-zero value of
      the dirty log mask; others may be interested in the value of single bits.

      For this reason, always call log_start/log_stop if bits have respectively
      appeared or disappeared, and pass the old and new values of the dirty log
      mask so that listeners can distinguish the kinds of change.

      For example, KVM checks if dirty logging used to be completely disabled
      (in log_start) or is now completely disabled (in log_stop).  On the
      other hand, Xen has to check manually if DIRTY_MEMORY_VGA changed,
      since that is the only bit it cares about.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2d1a35bef0ed96b3f23535e459c552414ccdbafd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:50:57 2015 +0100

      memory: differentiate memory_region_is_logging and 
memory_region_get_dirty_log_mask

      For now memory regions only track DIRTY_MEMORY_VGA individually, but
      this will change soon.  To support this, split memory_region_is_logging
      in two functions: one that returns a given bit from dirty_log_mask,
      and one that returns the entire mask.  memory_region_is_logging gets an
      extra parameter so that the compiler flags misuse.

      While VGA-specific users (including the Xen listener!) will want to keep
      checking that bit, KVM and vhost check for "any bit except migration"
      (because migration is handled via the global start/stop listener
      callbacks).

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 5299c0f2cf951c23ec681ff87e455d1cf4ec537b
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 13:12:40 2015 +0200

      display: add memory_region_sync_dirty_bitmap calls

      These are strictly speaking only needed for KVM and Xen, but it's still
      nice to be consistent.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 74259ae55b15bff4ef7b26faa6431a3ff16d7c9d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:47:45 2015 +0100

      display: enable DIRTY_MEMORY_VGA tracking explicitly

      This will be required soon by the memory core.

      Tested-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 086f90e890fb25e7f12fbe72fe5a8078792398aa
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 22 12:43:24 2015 +0200

      g364fb: remove pointless call to memory_region_set_coalescing

      Coalescing work on MMIO, not RAM, thus this call has no effect.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dbddac6da01a13c9d5d162994a0a265173acecab
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:31:53 2015 +0100

      memory: the only dirty memory flag for users is DIRTY_MEMORY_VGA

      DIRTY_MEMORY_MIGRATION is triggered by memory_global_dirty_log_start
      and memory_global_dirty_log_stop, so it cannot be used with
      memory_region_set_log.

      Specify this in the documentation and assert it.

      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 6b4ad3b28d4a70ad93f287b50200b04766aeb0de
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Mon May 25 22:38:06 2015 -0700

      Makefile.target: set master BUILD_DIR

      make can be invoked in the individual build dirs to build an individual
      target or just a single file of a target. e.g.

      touch translate-all.c
      make -C microblazeel-softmmu translate-all.o

      There is however a small bug when using the pixman submodule.
      config-host.mak will ref BUILD_DIR for the pixman -I CFLAGS:

      grep BUILD_DIR config-host.mak
      QEMU_CFLAGS=-I$(SRC_PATH)/pixman/pixman -I$(BUILD_DIR)/pixman/pixman ...

      This causes a build failure as -I/pixman/pixman (BUILD_DIR=="") will
      not be found.

      BUILD_DIR is usually set by the top level Makefile. Just lazy-set it in
      Makefile.target to the parent directory.

      Granted, this will not work if the pixman submodule is not prebuilt,
      but it at least means you can do incremental partial builds once you
      have done your initial full build (or attempt) from the top level.

      The next step would be refactor make infrastructure to rebuild pixman
      on a submake like the one above.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Message-Id: 
<1432618686-16077-1-git-send-email-crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit db94604b20278c1dc227a04e4c564d80230e6c3f
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 21 15:12:29 2015 +0200

      exec: optimize phys_page_set_level

      phys_page_set_level is writing zeroes to a struct that has just been
      filled in by phys_map_node_alloc.  Instead, tell phys_map_node_alloc
      whether to fill in the page "as a leaf" or "as a non-leaf".

      memcpy is faster than struct assignment, which copies each bitfield
      individually.  A compiler bug (https://gcc.gnu.org/PR66391), and
      small memcpys like this one are special-cased anyway, and optimized
      to a register move, so just use the memcpy.

      This cuts the cost of phys_page_set_level from 25% to 5% when
      booting qboot.

      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e4afbf4fb4d026510700cb40bb72dea9aef14e3b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue May 19 10:50:59 2015 +0000

      qemu-nbd: Switch to qemu_set_fd_handler

      Achieved by:

      - Remembering the server fd with a global variable, in order to access
        it from nbd_client_closed.

      - Checking nbd_can_accept() and updating server_fd handler whenever
        client connects or disconnects.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1432032670-15124-3-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit dae02ba55a66cb3194a2410c7725734e5bc6166f
  Author: Laurent Vivier <lvivier@xxxxxxxxxx>
  Date:   Mon May 18 21:06:47 2015 +0200

      ppc: add helpful message when KVM fails to start VCPU

      On POWER8 systems, KVM checks if VCPU is running on primary threads,
      and that secondary threads are offline. If this is not the case,
      ioctl() fails with errno set to EBUSY.

      QEMU aborts with a non explicit error message:
      $ ./qemu-system-ppc64 --nographic -machine pseries,accel=kvm
      error: kvm run failed Device or resource busy

      To help user to diagnose the problem, this patch adds an informative
      error message.

      There is no easy way to check if SMT is enabled before starting the VCPU,
      and as this case is the only one setting errno to EBUSY, we just check
      the errno value to display a message.

      Signed-off-by: Laurent Vivier <lvivier@xxxxxxxxxx>
      Message-Id: <1431976007-20503-1-git-send-email-lvivier@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 9157eee1b1c076ff3316361b760e891dda13e9bf
  Author: Miroslav Rezanina <mrezanin@xxxxxxxxxx>
  Date:   Wed May 13 11:39:30 2015 +0200

      Move parallel_hds_isa_init to hw/isa/isa-bus.c

      Disabling CONFIG_PARALLEL cause removing parallel_hds_isa_init defined in
      parallel.c. This function is called during initialization of some boards 
so
      disabling CONFIG_PARALLEL cause build failure.

      This patch moves parallel_hds_isa_init to hw/isa/isa-bus.c so it is 
included
      in case of disabled CONFIG_PARALLEL. Build is successful but qemu will 
abort
      with "Unknown device" error when function is called.

      Signed-off-by: Miroslav Rezanina <mrezanin@xxxxxxxxxx>
      Message-Id: <1431509970-32154-1-git-send-email-mrezanin@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 00967f4e0bab246679d0ddc32fd31a7179345baf
  Merge: d6688ba 9814fed
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Jun 5 12:04:41 2015 +0100

      Merge remote-tracking branch 
'remotes/agraf/tags/signed-s390-for-upstream' into staging

      Patch queue for s390 - 2015-06-05

      This time there are a lot of s390x TCG emulation bug fixes - almost all
      of them from Aurelien, who returned from nirvana :).

      # gpg: Signature made Fri Jun  5 00:39:27 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-s390-for-upstream: (34 commits)
        target-s390x: Only access allocated storage keys
        target-s390x: fix MVC instruction when areas overlap
        target-s390x: use softmmu functions for mvcp/mvcs
        target-s390x: support non current ASC in s390_cpu_handle_mmu_fault
        target-s390x: add a cpu_mmu_idx_to_asc function
        target-s390x: implement high-word facility
        target-s390x: implement load-and-trap facility
        target-s390x: implement miscellaneous-instruction-extensions facility
        target-s390x: implement LPDFR and LNDFR instructions
        target-s390x: implement TRANSLATE EXTENDED instruction
        target-s390x: implement TRANSLATE AND TEST instruction
        target-s390x: implement LOAD FP INTEGER instructions
        target-s390x: move SET DFP ROUNDING MODE to the correct facility
        target-s390x: move STORE CLOCK FAST to the correct facility
        target-s390x: change CHRL and CGHRL format to RIL-b
        target-s390x: fix CLGIT instruction
        target-s390x: fix exception for invalid operation code
        target-s390x: implement LAY and LAEY instructions
        target-s390x: move a few instructions to the correct facility
        target-s390x: detect tininess before rounding for FP operations
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0ba98885a0e965a17df214ab12b819ef630d8a14
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Jun 4 22:59:37 2015 +0100

      macio: remove remainder_len DBDMA_io property

      Since the block alignment code is now effectively independent of the DMA
      implementation, this variable is no longer required and can be removed.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1433455177-21243-5-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit b01d44cd0623dec66e583d6cd2438451443261df
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Jun 4 22:59:36 2015 +0100

      macio: update comment/constants to reflect the new code

      With the offset/len functions taking care of all of the alignment mapping
      in isolation from the DMA tranasaction, many comments are now unnecessary.
      Remove these and tidy up a few constants at the same time.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1433455177-21243-4-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit ac58fe7b2c67a9be142beacd4c6ee51f3264d90f
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Jun 4 22:59:35 2015 +0100

      macio: switch pmac_dma_write() over to new offset/len implementation

      In particular, this fixes a bug whereby chains of overlapping head/tail 
chains
      would incorrectly write over each other's remainder cache. This is the 
access
      pattern used by OS X/Darwin and fixes an issue with a corrupt Darwin
      installation in my local tests.

      While we are here, rename the DBDMA_io struct property remainder to
      head_remainder for clarification.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1433455177-21243-3-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 0389b8f8c7688fe512e16bdc00c5f35d2d8df12c
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Jun 4 22:59:34 2015 +0100

      macio: switch pmac_dma_read() over to new offset/len implementation

      For better handling of unaligned block device accesses.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1433455177-21243-2-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 9814fed0afa73f5c37f04e02ec17c915a5d59303
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Thu Jun 4 00:52:44 2015 +0200

      target-s390x: Only access allocated storage keys

      We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure 
that
      we only access that many. Unfortunately the code can overrun this array by
      one, potentially overwriting unrelated memory.

      Fix it by limiting storage keys to their scope.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>

  commit 068593deea6cc61b06243a33c7fcfadb1650b654
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:56 2015 +0200

      target-s390x: fix MVC instruction when areas overlap

      The MVC instruction and the memmove C funtion do not have the same
      semantic when memory areas overlap:

      MVC: When the operands overlap, the result is obtained as if the
      operands were processed one byte at a time and each result byte were
      stored immediately after fetching the necessary operand byte.

      memmove: Copying takes place as though the bytes in src are first copied
      into a temporary array that does not overlap src or dest, and the bytes
      are then copied from the temporary array to dest.

      The behaviour is therefore the same when the destination is at a lower
      address than the source, but not in the other case. This is actually a
      trick for propagating a value to an area. While the current code detects
      that and call memset in that case, it only does for 1-byte value. This
      trick can and is used for propagating two or more bytes to an area.

      In the softmmu case, the call to mvc_fast_memmove is correct as the
      above tests verify that source and destination are each within a page,
      and both in a different page. The part doing the move 8 bytes by 8 bytes
      is wrong and we need to check that if the source and destination
      overlap, they do with a distance of minimum 8 bytes before copying 8
      bytes at a time.

      In the user code, we should check check that the destination is at a
      lower address than source or than the end of the source is at a lower
      address than the destination before calling memmove. In the opposite
      case we fallback to the same code as the softmmu one. Note that l
      represents (length - 1).

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a3084e8055067b3fe8ed653a609021d2ab368564
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:55 2015 +0200

      target-s390x: use softmmu functions for mvcp/mvcs

      mvcp and mvcs helper get access to the physical memory by a call to
      mmu_translate for the virtual to real conversion and then using ldb_phys
      and stb_phys to physically access the data. In practice this is quite
      slow because it bypasses the QEMU softmmu TLB and because stb_phys calls
      try to invalidate the corresponding memory for each access.

      Instead use cpu_ldb_{primary,secondary} for the loads and
      cpu_stb_{primary,secondary} for the stores. Ideally this should be
      further optimized by a call to memcpy, but that already improves the
      boot time of a guest by a factor 1.8.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c255ac601231e8c53007e10d640722ac58eb77cc
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:54 2015 +0200

      target-s390x: support non current ASC in s390_cpu_handle_mmu_fault

      s390_cpu_handle_mmu_fault currently looks at the current ASC mode
      defined in PSW mask instead of the MMU index. This prevent emulating
      easily instructions using a specific ASC mode. Fix that by using the
      MMU index converted back to ASC using the just added cpu_mmu_idx_to_asc
      function.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4decd76d71d6972a59bf0a16d0dea0c83490d001
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:53 2015 +0200

      target-s390x: add a cpu_mmu_idx_to_asc function

      Use constants to define the MMU indexes, and add a function to do
      the reverse conversion of cpu_mmu_index.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a1f12d855b6ec79a640fa6a74d12884f1646ecfe
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:52 2015 +0200

      target-s390x: implement high-word facility

      Besides RISBHG and RISBLG, all high-word instructions are not
      implemented. Fix that.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 782a8479522f8e4a596f968e4acad5c10b77e061
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:51 2015 +0200

      target-s390x: implement load-and-trap facility

      At the same time move the trap code from op_ct into gen_trap and use it
      for all new functions. The value needs to be stored back to register
      before the exception, but also before the brcond (as we don't use
      temp locals). That's why we can't use wout helper.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 375ee58bedcda359011fe7fa99e0647f66f9ffa0
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:50 2015 +0200

      target-s390x: implement miscellaneous-instruction-extensions facility

      RISBGN is the same as RISBG, but without setting the condition code.
      CLT and CLGT are the same as CLRT and CLGRT, but using memory for the
      second operand.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit df46283ce7be962002a30140a91ffbb56832cc2d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:49 2015 +0200

      target-s390x: implement LPDFR and LNDFR instructions

      This complete the floating point support sign handling facility.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 3f4de6756cd87b508b37c7ffa93f7b827832c4eb
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:48 2015 +0200

      target-s390x: implement TRANSLATE EXTENDED instruction

      It is part of the basic zArchitecture instructions.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 54f007750978ffbb98ce933077e0d1741e0202b0
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:47 2015 +0200

      target-s390x: implement TRANSLATE AND TEST instruction

      It is part of the basic zArchitecture instructions. Allow it to be call
      from EXECUTE.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ed0bcecec105137567f461e5b57834e72c851855
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:46 2015 +0200

      target-s390x: implement LOAD FP INTEGER instructions

      This is needed to pass the gcc.c-torture/execute/ieee/20010114-2.c test
      in the gcc testsuite.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9182886d797a20925d801a3378ca5330c0d91dfb
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:45 2015 +0200

      target-s390x: move SET DFP ROUNDING MODE to the correct facility

      It belongs to the DFP rounding facility.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f7c2114067cc32eb8d8f79b7374a641ec5f4eb72
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:44 2015 +0200

      target-s390x: move STORE CLOCK FAST to the correct facility

      STORE CLOCK FAST should be in the SCF facility.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 74266b4a5837b46477034a39acc2be3a3afba431
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:43 2015 +0200

      target-s390x: change CHRL and CGHRL format to RIL-b

      Change to match the PoP. In practice both format RIL-a and RIL-b have
      the same fields. They differ on the way we decode the fields, and it's
      done correctly in QEMU.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1dedb9b76f061c8da730002f6c21a1fa2b76b106
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:42 2015 +0200

      target-s390x: fix CLGIT instruction

      The COMPARE LOGICAL IMMEDIATE AND TRAP instruction should compare the
      numbers as unsigned, as its name implies.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 111d7f4a69751d333bac32526cd252add6b071d3
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Wed Jun 3 23:09:41 2015 +0200

      target-s390x: fix exception for invalid operation code

      When an operation code is not recognized (ie invalid instruction) an
      operation exception should be generated instead of a specification
      exception. The latter is for valid opcode, with invalid operands or
      modifiers.

      This give a very basic GDB support in the guest, as it uses the invalid
      opcode 0x0001 to generate a trap.

      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a1c7610a68795d66249c25166220324d4d0b9289
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:31 2015 +0200

      target-s390x: implement LAY and LAEY instructions

      This complete the general-instructions-extension facility, enable it.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      [agraf: remove facility bit]
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 92892330e78ffca7bebf03f4f7161c5bbd6602d2
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:30 2015 +0200

      target-s390x: move a few instructions to the correct facility

      LY is part of the long-displacement facility.
      RISBHG and RISBLG are part of the high-word facility.
      STCMH is part of the z/Architecture.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4a33565f9f46145d8cc701ab623b18bf423c469e
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:26 2015 +0200

      target-s390x: detect tininess before rounding for FP operations

      The s390x floating point unit detects tininess before rounding, so set
      the softfloat fp_status up appropriately.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f821135cdd4df09b1362666ddfbdfd162b905b1f
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:25 2015 +0200

      target-s390x: silence NaNs for LOAD LENGTHENED and LOAD ROUNDED

      LOAD LENGTHENED and LOAD ROUNDED are considered as FP operations and
      thus need to convert input sNaN into corresponding qNaN.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2daea9c16ffe61377b6e5426d9c52014bf538df3
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:24 2015 +0200

      target-s390x: define default NaN values

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 1f65958d9c21fd3b461f6b645e7884866313c1f3
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:23 2015 +0200

      target-s390x: fix MMU index computation

      The cpu_mmu_index function wrongly looks at PSW P bit to determine the
      MMU index, while this bit actually only control the use of priviledge
      instructions. The addressing mode is detected by looking at the PSW ASC
      bits instead.

      This used to work more or less correctly up to kernel 3.6 as the kernel
      was running in primary space and userland in secondary space. Since
      kernel 3.7 the default is to run the kernel in home space and userland
      in primary space. While the current QEMU code seems to work it open some
      security issues, like accessing the lowcore memory in R/W mode from a
      userspace process once it has been accessed by the kernel (it is then
      cached by the QEMU TLB).

      At the same time change the MMU_USER_IDX value so that it matches the
      value used in recent kernels.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9bebf9863bd16cc824231ad71959a338dc1819ac
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 25 01:47:22 2015 +0200

      target-s390x: fix PSW value on dynamical exception from helpers

      runtime_exception computes the psw.addr value using the actual exception
      address and the instruction length computed by calling the get_ilen
      function. However as explained above the get_ilen code, it returns the
      actual instruction length, and not the ILC. Therefore there is no need to
      multiply the value by 2.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit aa752a4afc2a4b7ede58a960a9d553b3fd9e6882
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Tue May 26 11:09:44 2015 +0200

      target-s390x: fix LOAD MULTIPLE instruction on page boundary

      When consecutive memory locations are on page boundary a page fault
      might occur when using the LOAD MULTIPLE instruction. In that case real
      hardware doesn't load any register.

      This is an important detail in case the base register is in the list
      of registers to be loaded. If a page fault occurs this register might be
      overwritten and when the instruction is later restarted the wrong
      base register value is useD.

      Fix this by first loading the first and last value from memory, hence
      triggering all possible page faults, and then the remaining registers.

      This fixes random segmentation faults seen in the guest.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit b8ae94bd398ff772f40fb232887ecbcbd244c3d4
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:29 2015 +0200

      target-s390x: implement STPT helper

      Save the timer target value in the SPT helper, so that the STPT helper
      can compute the remaining time.

      This allow the Linux kernel to correctly do time accounting.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit aa9e14e684506e8ddf02bd5cff720520827bf244
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:28 2015 +0200

      target-s390x: implement STCKC helper

      The STCKC instruction just returns the last written clock comparator
      value and KVM already provides the corresponding variable.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d9d55f1108f45c866098731d95fef88409ff1e94
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:27 2015 +0200

      target-s390x: streamline STCK helper

      Now that clock_value is only used in one place, we can inline it in
      the STCK helper.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c941f07485e56e4b2653048e166b720428307acb
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:26 2015 +0200

      target-s390x: simplify SCKC helper

      The clock comparator and the QEMU timer work the same way, triggering
      at a given time, they just differ by the origin and the scale. It is
      therefore possible to go from one to another without using the current
      clock value. This spares two calls to qemu_clock_get_ns, which probably
      return slightly different values, possibly reducing the accuracy.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 9cb32c442e11d16b747fa07e29dd29b5d8227b57
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 23:42:25 2015 +0200

      target-s390x: add a tod2time function

      Add a tod2time function similar to the time2tod one, instead of open
      coding the conversion.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a91a1b20a23424412a3e7bb184422ec30ae64453
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 15:40:00 2015 +0200

      target-s390x: remove unused helpers

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d30107814c8d02f1896bd57249aef1b5aaed38c9
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 15:39:59 2015 +0200

      target-s390x: optimize (negative-) abs computation

      Now that movcond exists, it's easy to write (negative-) absolute value
      using TCG code instead of an helper.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 2aaa1940684a3bf2b381fd2a8ff26c287a05109d
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Mon May 18 15:39:58 2015 +0200

      target-s390x: fix CC computation for LOAD POSITIVE instructions

      LOAD POSITIVE instructions (LPR, LPGR and LPGFR) set the following
      condition code:
        0: Result zero; no overflow
        1: --
        2: Result greater than zero; no overflow
        3: Overflow

      The current code wrongly returns 1 instead of 2 in case of a result
      greater than 0. This patches fixes that. This fixes the marshalling of
      the value '0L' in Python.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ee0d0be16819896cc6c8018cbe171a632b61489c
  Author: Aurelien Jarno <aurelien@xxxxxxxxxxx>
  Date:   Sun May 17 01:28:03 2015 +0200

      target-s390x: fix CC computation for EX instruction

      Commit 7a6c7067f optimized CC computation by only saving cc_op before
      calling helpers as they either don't touch the CC or generate a new
      static value. This however doesn't work for the EX instruction as the
      helper changes or not the CC value depending on the actual executed
      instruction (e.g. MVC vs CLC).

      This patches force a CC computation before calling the helper. This
      fixes random memory corruption occuring in guests.

      Signed-off-by: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      [agraf: remove set_cc_static in op_ex as suggested by rth]
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d6688ba17b934f20f5e8953dbaafc9408d8799c5
  Merge: 3b730f5 309750f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 18:32:44 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc, acpi, virtio, tpm

      This includes pxb support by Marcel, as well as multiple enhancements all 
over
      the place.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Thu Jun  4 11:51:02 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (28 commits)
        vhost: logs sharing
        hw/acpi: piix4_pm_init(): take fw_cfg object no more
        hw/acpi: move "etc/system-states" fw_cfg file from PIIX4 to core
        hw/acpi: acpi_pm1_cnt_init(): take "disable_s3" and "disable_s4"
        pc-dimm: don't assert if pc-dimm alignment != hotpluggable mem range 
size
        docs: Add PXB documentation
        apci: fix PXB behaviour if used with unsupported BIOS
        hw/pxb: add numa_node parameter
        hw/pci: add support for NUMA nodes
        hw/pxb: add map_irq func
        hw/pci: inform bios if the system has extra pci root buses
        hw/pci: introduce PCI Expander Bridge (PXB)
        hw/pci: removed 'rootbus nr is 0' assumption from qmp_pci_query
        hw/acpi: remove from root bus 0 the crs resources used by other buses.
        hw/acpi: add _CRS method for extra root busses
        hw/apci: add _PRT method for extra PCI root busses
        hw/acpi: add support for i440fx 'snooping' root busses
        hw/pci: extend PCI config access to support devices behind PXB
        hw/i386: query only for q35/pc when looking for pci host bridge
        hw/pci: made pci_bus_num a PCIBusClass method
        ...

      Conflicts:
        hw/i386/pc_piix.c

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3b730f570c5872ceea2137848f1d4554d4847441
  Merge: 2700a97 1de29ae
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 14:04:14 2015 +0100

      Merge remote-tracking branch 'remotes/agraf/tags/signed-ppc-for-upstream' 
into staging

      Patch queue for ppc - 2015-06-03

      Highlights this time around:

        - sPAPR: endian fixes, speedups, bug fixes, hotplug basics
        - add default ram size capability for machines (sPAPR defaults to 512MB 
now)

      # gpg: Signature made Wed Jun  3 22:59:09 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-ppc-for-upstream: (40 commits)
        softmmu: support up to 12 MMU modes
        tcg: add TCG_TARGET_TLB_DISPLACEMENT_BITS
        tci: do not use CPUArchState in tcg-target.h
        Add David Gibson for sPAPR in MAINTAINERS file
        pseries: Enable in-kernel H_LOGICAL_CI_{LOAD, STORE} implementations
        spapr: override default ram size to 512MB
        machine: add default_ram_size to machine class
        spapr_pci: emit hotplug add/remove events during hotplug
        spapr_pci: enable basic hotplug operations
        pci: make pci_bar useable outside pci.c
        spapr_pci: create DRConnectors for each PCI slot during PHB realize
        spapr_pci: add dynamic-reconfiguration option for spapr-pci-host-bridge
        spapr_drc: add spapr_drc_populate_dt()
        spapr_events: event-scan RTAS interface
        spapr_events: re-use EPOW event infrastructure for hotplug events
        spapr_rtas: add ibm, configure-connector RTAS interface
        spapr: add rtas_st_buffer_direct() helper
        spapr_rtas: add get-sensor-state RTAS interface
        spapr_rtas: add set-indicator RTAS interface
        spapr_rtas: add get/set-power-level RTAS interfaces
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2700a976dba6b107365aa9af7fd927ffb3dd3b21
  Merge: 6fa6b31 de38528
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 12:49:15 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-06-03' into staging

      trivial patches for 2015-06-03

      # gpg: Signature made Wed Jun  3 14:07:47 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-06-03: (30 commits)
        configure: postfix --extra-cflags to QEMU_CFLAGS
        cadence_gem: Fix Rx buffer size field mask
        slirp: use less predictable directory name in /tmp for smb config 
(CVE-2015-4037)
        translate-all: delete prototype for non-existent function
        Add -incoming help text
        hw/display/tc6393xb.c: Fix misusing qemu_allocate_irqs for single irq
        hw/arm/nseries.c: Fix misusing qemu_allocate_irqs for single irq
        hw/alpha/typhoon.c: Fix misusing qemu_allocate_irqs for single irq
        hw/unicore32/puv3.c: Fix misusing qemu_allocate_irqs for single irq
        hw/lm32/milkymist.c: Fix misusing qemu_allocate_irqs for single irq
        hw/lm32/lm32_boards.c: Fix misusing qemu_allocate_irqs for single irq
        hw/ppc/prep.c: Fix misusing qemu_allocate_irqs for single irq
        hw/sparc/sun4m.c: Fix misusing qemu_allocate_irqs for single irq
        hw/timer/arm_timer.c: Fix misusing qemu_allocate_irqs for single irq
        hw/isa/i82378.c: Fix misusing qemu_allocate_irqs for single irq
        hw/isa/lpc_ich9.c: Fix misusing qemu_allocate_irqs for single irq
        hw/i386/pc: Fix misusing qemu_allocate_irqs for single irq
        hw/intc/exynos4210_gic.c: Fix memory leak by adjusting order
        hw/arm/omap_sx1.c: Fix memory leak spotted by valgrind
        hw/ppc/e500.c: Fix memory leak
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 309750fad51f17d1ec6195c5d8ad7d741596ddb6
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Jun 4 05:28:46 2015 -0400

      vhost: logs sharing

      Currently we allocate one vhost log per vhost device. This is sub
      optimal when:

      - Guest has several device with vhost as backend
      - Guest has multiqueue devices

      In the above cases, we can avoid the memory allocation by sharing a
      single vhost log among all the vhost devices. This is done through:

      - Introducing a new vhost_log structure with refcnt inside.
      - Using a global pointer to vhost_log structure that will be used. And
        introduce helper to get the log with expected log size and helper to
      - drop the refcnt to the old log.
      - Each vhost device still keep track of a pointer to the log that was
        used.

      With above, if no resize happens, all vhost device will share a single
      vhost log. During resize, a new vhost_log structure will be allocated
      and made for the global pointer. And each vhost devices will drop the
      refcnt to the old log.

      Tested by doing scp during migration for a 2 queues virtio-net-pci.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6fa6b312765f698dc81b2c30e7eeb9683804a05b
  Merge: d2ceeb1 1b93c9a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 11:44:32 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue 2015-06-02

      # gpg: Signature made Tue Jun  2 20:21:17 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        arch_init: Drop target-x86_64.conf
        target-i386: Register QOM properties for feature flags
        apic: convert ->busdev.qdev casts to C casts
        target-i386: Fix signedness of MSR_IA32_APICBASE_BASE
        pc: Ensure non-zero CPU ref count after attaching to ICC bus

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6e7d82497dc8da7d420c8fa6632d759e08a18bc3
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Wed Apr 29 15:20:16 2015 +0200

      hw/acpi: piix4_pm_init(): take fw_cfg object no more

      This PIIX4 init function has no more reason to receive a pointer to the
      FwCfg object. Remove the parameter from the prototype, and update callers.

      As a result, the pc_init1() function no longer needs to save the return
      value of pc_memory_init() and xen_load_linux(), which makes it more
      similar to pc_q35_init().

      The return type & value of pc_memory_init() and xen_load_linux() are not
      changed themselves; maybe we'll need their return values sometime later.

      RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1204696
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit e3845e7c47cc3eaf35305c9c0f9d55ca3840b49b
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Wed Apr 29 15:20:15 2015 +0200

      hw/acpi: move "etc/system-states" fw_cfg file from PIIX4 to core

      The acpi_pm1_cnt_init() core function is responsible for setting up the
      register block that will ultimately react to S3 and S4 requests (see
      acpi_pm1_cnt_write()). It makes sense to advertise this configuration to
      the guest firmware via an easy to parse fw_cfg file (ACPI is too complex
      for firmware to parse), and indeed PIIX4 does that. However, since
      acpi_pm1_cnt_init() is not specific to PIIX4, neither should be the fw_cfg
      file.

      This patch makes "etc/system-states" appear on all chipsets modified in
      the previous patch, not just PIIX4 (assuming they have fw_cfg at all).

      RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1204696
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 9a10bbb4e83b184faef6fa744396a6775283c0aa
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Wed Apr 29 15:20:14 2015 +0200

      hw/acpi: acpi_pm1_cnt_init(): take "disable_s3" and "disable_s4"

      This patch only modifies the function prototype and updates all chipset
      code that calls acpi_pm1_cnt_init() to pass in their own disable_s3 and
      disable_s4 settings. vt82c686 is assumed to be fixed "S3 and S4 enabled".

      RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1204696
      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit d2ceeb1d68ed8b005892408fcdb533f578aae081
  Merge: a67bfbb 94edf02
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Jun 4 10:21:52 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150602' into staging

      target-arm queue:
       * more EL2 preparation patches
       * revert a no-longer-necessary workaround for old glib versions
       * add GICv2m support to virt board (MSI support)
       * pl061: fix wrong calculation of GPIOMIS register
       * support MSI via irqfd
       * remove a confusing v8_ prefix from some variable names
       * add dynamic sysbus device support to the virt board

      # gpg: Signature made Tue Jun  2 17:30:38 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150602: (22 commits)
        hw/arm/virt: change indentation in a15memmap
        hw/arm/virt: add dynamic sysbus device support
        hw/arm/boot: arm_load_kernel implemented as a machine init done notifier
        hw/arm/sysbus-fdt: helpers for platform bus nodes addition
        target-arm: Remove v8_ prefix from names of non-v8-specific cpreg arrays
        arm_gicv2m: set kvm_gsi_direct_mapping and kvm_msi_via_irqfd_allowed
        kvm: introduce kvm_arch_msi_data_to_gsi
        pl061: fix wrong calculation of GPIOMIS register
        target-arm: Add the GICv2m to the virt board
        target-arm: Extend the gic node properties
        arm_gicv2m: Add GICv2m widget to support MSIs
        target-arm: Add GIC phandle to VirtBoardInfo
        Revert "target-arm: Avoid g_hash_table_get_keys()"
        target-arm: Add TLBI_VAE2{IS}
        target-arm: Add TLBI_ALLE2
        target-arm: Add TLBI_ALLE1{IS}
        target-arm: Add TTBR0_EL2
        target-arm: Add TPIDR_EL2
        target-arm: Add SCTLR_EL2
        target-arm: Add TCR_EL2
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b5d3b039221f056befb3715471fee1f68214815c
  Author: Igor Mammedov <imammedo@xxxxxxxxxx>
  Date:   Wed Jun 3 17:10:43 2015 +0200

      pc-dimm: don't assert if pc-dimm alignment != hotpluggable mem range size

      Drop superfluous pc-dimm alignment on hot-pluggable mem
      range size assert, since it causes QEMU crash during hotplug
      when hotplugging pc-dimm with alignment bigger than
      an alignment of hot-pluggable mem range size.

      Instead allow pc_dimm_get_free_addr() find free address
      and bail out gracefully later in that function during
      checking if pc-dimm will fit in hot-pluggable mem range.

      Signed-off-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1de29aef17a7d70dbc04a7fe51e18942e3ebe313
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 5 09:18:23 2015 +0200

      softmmu: support up to 12 MMU modes

      At 8k per TLB (for 64-bit host or target), 8 or more modes
      make the TLBs bigger than 64k, and some RISC TCG backends do
      not like that.  On the affected hosts, cut the TLB size in
      half---there is still a measurable speedup on PPC with the
      next patch.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1424436345-37924-3-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 006f8638c62bca2b0caf609485f47fa5e14d8a3c
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 5 09:18:22 2015 +0200

      tcg: add TCG_TARGET_TLB_DISPLACEMENT_BITS

      This will be used to size the TLB when more than 8 MMU modes are
      used by the target.  Limitations come from the limited size of
      the immediate fields (which sometimes, as in the case of Aarch64,
      extend to instructions that shift the immediate).

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1424436345-37924-2-git-send-email-pbonzini@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 5a58e884d1d9905a835de2889c8cd73327fe2a94
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue May 19 09:59:34 2015 +0200

      tci: do not use CPUArchState in tcg-target.h

      tcg-target.h does not use any QEMU-specific symbols, save for tci's usage
      of CPUArchState.  Pull that up to tcg/tcg.h.

      This will make it possible to include tcg-target.h in cpu-defs.h.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 085eb217dfb3ee12e7985c11f71f8a038394735a
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri May 8 10:11:00 2015 +1000

      Add David Gibson for sPAPR in MAINTAINERS file

      At Alex Graf's request I'm now acting as sub-maintainer for the sPAPR
      (-machine pseries) code.  This updates MAINTAINERS accordingly.

      While we're at it, change the label to mention pseries since that's the
      actual name of the machine type, even if most of the C files use the sPAPR
      name.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 026bfd89cb896c8a3460cc551cc4836219bd7ff9
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:59 2015 +1000

      pseries: Enable in-kernel H_LOGICAL_CI_{LOAD, STORE} implementations

      qemu currently implements the hypercalls H_LOGICAL_CI_LOAD and
      H_LOGICAL_CI_STORE as PAPR extensions.  These are used by the SLOF 
firmware
      for IO, because performing cache inhibited MMIO accesses with the MMU off
      (real mode) is very awkward on POWER.

      This approach breaks when SLOF needs to access IO devices implemented
      within KVM instead of in qemu.  The simplest example would be virtio-blk
      using an iothread, because the iothread / dataplane mechanism relies on
      an in-kernel implementation of the virtio queue notification MMIO.

      To fix this, an in-kernel implementation of these hypercalls has been 
made,
      (kernel commit 99342cf "kvmppc: Implement H_LOGICAL_CI_{LOAD,STORE} in 
KVM"
      however, the hypercalls still need to be enabled from qemu.  This performs
      the necessary calls to do so.

      It would be nice to provide some warning if we encounter a problematic
      device with a kernel which doesn't support the new calls.  Unfortunately,
      I can't see a way to detect this case which won't either warn in far too
      many cases that will probably work, or which is horribly invasive.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a34944fe2e2457309bde74c1ffe3a1c60c6da018
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:58 2015 +1000

      spapr: override default ram size to 512MB

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Acked-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 076b35b5a56bca57c4aa41044ed304fe9c45d6c5
  Author: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:57 2015 +1000

      machine: add default_ram_size to machine class

      Machines types can have different requirement for default ram
      size. Introduce a member in the machine class and set the current
      default_ram_size to 128MB.

      For QEMUMachine types override the value during the registration of
      the machine and for MachineClass introduce the generic class init
      setting the default_ram_size.

      Add helpers [K,M,G,T,P,E]_BYTE for better readability and easy usage

      Signed-off-by: Nikunj A Dadhania <nikunj@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c5bc152bc399ae7ec8ac5227762e4320d0fd2d1c
  Author: Tyrel Datwyler <tyreld@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:56 2015 +1000

      spapr_pci: emit hotplug add/remove events during hotplug

      This uses extension of existing EPOW interrupt/event mechanism
      to notify userspace tools like librtas/drmgr to handle
      in-guest configuration/cleanup operations in response to
      device_add/device_del.

      Userspace tools that don't implement this extension will need
      to be run manually in response/advance of device_add/device_del,
      respectively.

      Signed-off-by: Tyrel Datwyler <tyreld@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7454c7af91bdd60216e2b6eead827c012bb4d0d0
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:55 2015 +1000

      spapr_pci: enable basic hotplug operations

      This enables hotplug of PCI devices to a PHB. Upon hotplug we
      generate the OF-nodes required by PAPR specification and
      IEEE 1275-1994 "PCI Bus Binding to Open Firmware" for the
      device.

      We associate the corresponding FDT for these nodes with the DRC
      corresponding to the slot, which will be fetched via
      ibm,configure-connector RTAS calls by the guest as described by PAPR
      specification.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit cf8c704d5a06e7b8327c65d19d0c342dc23fff84
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:54 2015 +1000

      pci: make pci_bar useable outside pci.c

      We need to work with PCI BARs to generate OF properties
      during PCI hotplug for sPAPR guests.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 62083979b0471ac07da6d94944bf12a9b18baa1f
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:53 2015 +1000

      spapr_pci: create DRConnectors for each PCI slot during PHB realize

      These will be used to support hotplug/unplug of PCI devices to the PCI
      bus associated with a particular PHB.

      We also set up device-tree properties in each PHBs initial FDT to
      describe the DRCs associated with them. This advertises to guests that
      each PHB is DR-capable device with physical hotpluggable slots, each
      managed by the corresponding DRC. This is necessary for allowing
      hotplugging of devices to it later via bus rescan or guest rpaphp
      hotplug module.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 7619c7b00c90a39243f1229facde8c53a8fba921
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:52 2015 +1000

      spapr_pci: add dynamic-reconfiguration option for spapr-pci-host-bridge

      This option enables/disables PCI hotplug for a particular PHB.

      Also add machine compatibility code to disable it by default for machine
      types prior to pseries-2.4.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      [agraf: move commas for compat fields]
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit e4b798bb53447ba4608fc7e6ed91927bdb1c3d5d
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:51 2015 +1000

      spapr_drc: add spapr_drc_populate_dt()

      This function handles generation of ibm,drc-* array device tree
      properties to describe DRC topology to guests. This will by used
      by the guest to direct RTAS calls to manage any dynamic resources
      we associate with a particular DR Connector as part of
      hotplug/unplug.

      Since general management of boot-time device trees are handled
      outside of sPAPRDRConnector, we insert these values blindly given
      an FDT and offset. A mask of sPAPRDRConnector types is given to
      instruct us on what types of connectors entries should be generated
      for, since descriptions for different connectors may live in
      different parts of the device tree.

      Based on code originally written by Nathan Fontenot.

      Signed-off-by: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 79853e18d904b0a4bcef62701d48559688007c93
  Author: Tyrel Datwyler <tyreld@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:50 2015 +1000

      spapr_events: event-scan RTAS interface

      We don't actually rely on this interface to surface hotplug events, and
      instead rely on the similar-but-interrupt-driven check-exception RTAS
      interface used for EPOW events. However, the existence of this interface
      is needed to ensure guest kernels initialize the event-reporting
      interfaces which will in turn be used by userspace tools to handle these
      events, so we implement this interface here.

      Since events surfaced by this call are mutually exclusive to those
      surfaced via check-exception, we also update the RTAS event queue code
      to accept a boolean to mark/filter for events accordingly.

      Events of this sort are not currently generated by QEMU, but the interface
      has been tested by surfacing hotplug events via event-scan in place
      of check-exception.

      Signed-off-by: Tyrel Datwyler <tyreld@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 31fe14d15d08d613ff38abb249911e98c7966b86
  Author: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:49 2015 +1000

      spapr_events: re-use EPOW event infrastructure for hotplug events

      This extends the data structures currently used to report EPOW events to
      guests via the check-exception RTAS interfaces to also include event types
      for hotplug/unplug events.

      This is currently undocumented and being finalized for inclusion in PAPR
      specification, but we implement this here as an extension for guest
      userspace tools to implement (existing guest kernels simply log these
      events via a sysfs interface that's read by rtas_errd, and current
      versions of rtas_errd/powerpc-utils already support the use of this
      mechanism for initiating hotplug operations).

      We also add support for queues of pending RTAS events, since in the
      case of hotplug there's chance for multiple events being in-flight
      at any point in time.

      Signed-off-by: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 46503c2bc047bfe8c26440e17298fcbc59d7bbbe
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:48 2015 +1000

      spapr_rtas: add ibm, configure-connector RTAS interface

      This interface is used to fetch an OF device-tree nodes that describes a
      newly-attached device to guest. It is called multiple times to walk the
      device-tree node and fetch individual properties into a 'workarea'/buffer
      provided by the guest.

      The device-tree is generated by QEMU and passed to an sPAPRDRConnector 
during
      the initial hotplug operation, and the state of these RTAS calls is 
tracked by
      the sPAPRDRConnector. When the last of these properties is successfully
      fetched, we report as special return value to the guest and transition
      the device to a 'configured' state on the QEMU/DRC side.

      See docs/specs/ppc-spapr-hotplug.txt for a complete description of
      this interface.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ab316865db8ee97c53cd70c91b1b160c474102f8
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:47 2015 +1000

      spapr: add rtas_st_buffer_direct() helper

      This is similar to the existing rtas_st_buffer(), but for cases
      where the guest is not expecting a length-encoded byte array.
      Namely, for calls where a "work area" buffer is used to pass
      around arbitrary fields/data.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 886445a6ee808ee06533f9ecdf0f169c9ea83fbb
  Author: Mike Day <ncmike@xxxxxxxxxxx>
  Date:   Thu May 7 15:33:46 2015 +1000

      spapr_rtas: add get-sensor-state RTAS interface

      This interface allows a guest to read various platform/device sensors.
      initially, we only implement support necessary to support hotplug:
      reading of the dr-entity-sense sensor, which communicates the state of
      a hotplugged resource/device to the guest (EMPTY/PRESENT/UNUSABLE).

      See docs/specs/ppc-spapr-hotplug.txt for a complete description of
      this interface.

      Signed-off-by: Mike Day <ncmike@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 8c8639df32f19d5ca9bf6a823ac83e298a188fd1
  Author: Mike Day <ncmike@xxxxxxxxxxx>
  Date:   Thu May 7 15:33:45 2015 +1000

      spapr_rtas: add set-indicator RTAS interface

      This interface allows a guest to control various platform/device
      sensors. Initially, we only implement support necessary to control
      sensors that are required for hotplug: DR connector indicators/LEDs,
      resource allocation state, and resource isolation state.

      See docs/specs/ppc-spapr-hotplug.txt for a complete description of
      this interface.

      Signed-off-by: Mike Day <ncmike@xxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 094d20585ecdcd31959b1b88a390b4d2c4cfeab7
  Author: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:44 2015 +1000

      spapr_rtas: add get/set-power-level RTAS interfaces

      These interfaces manage the power domains that guest devices are
      assigned to and are used to power on/off devices. Currently we
      only utilize 1 power domain, the 'live-insertion' domain, which
      automates power management of plugged/unplugged devices, essentially
      making these calls no-ops, but the RTAS interfaces are still required
      by guest hotplug code and PAPR+.

      See docs/specs/ppc-spapr-hotplug.txt for a complete description of
      these interfaces.

      Signed-off-by: Nathan Fontenot <nfont@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit bbf5c878ab76a74f6277f99082c77bbdb1ad4c5b
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:43 2015 +1000

      spapr_drc: initial implementation of sPAPRDRConnector device

      This device emulates a firmware abstraction used by pSeries guests to
      manage hotplug/dynamic-reconfiguration of host-bridges, PCI devices,
      memory, and CPUs. It is conceptually similar to an SHPC device,
      complete with LED indicators to identify individual slots to physical
      physical users and indicate when it is safe to remove a device. In
      some cases it is also used to manage virtualized resources, such a
      memory, CPUs, and physical-host bridges, which in the case of pSeries
      guests are virtualized resources where the physical components are
      managed by the host.

      Guests communicate with these DR Connectors using RTAS calls,
      generally by addressing the unique DRC index associated with a
      particular connector for a particular resource. For introspection
      purposes we expose this state initially as QOM properties, and
      in subsequent patches will introduce the RTAS calls that make use of
      it. This constitutes to the 'guest' interface.

      On the QEMU side we provide an attach/detach interface to associate
      or cleanup a DeviceState with a particular sPAPRDRConnector in
      response to hotplug/unplug, respectively. This constitutes the
      'physical' interface to the DR Connector.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 11eec063f29733395846ba756ecd544876ef6839
  Author: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:42 2015 +1000

      docs: add sPAPR hotplug/dynamic-reconfiguration documentation

      This adds a general overview of hotplug/dynamic-reconfiguration
      for sPAPR/pSeries guest.

      As specified in PAPR+ v2.7.

      Signed-off-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 730fce593bbaa9240a0be860616ac4366113194d
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu May 7 15:33:41 2015 +1000

      hw/ppc/spapr: Use error_report() instead of hw_error()

      hw_error() is designed for printing CPU-related error messages
      (e.g. it also prints a full CPU register dump). For error messages
      that are not directly related to CPU problems, a function like
      error_report() should be used instead.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 68fea5a0d7bac17fd74f0608ceed1d914eb0718e
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu May 7 15:33:40 2015 +1000

      hw/ppc/spapr: Fix error message when firmware could not be loaded

      When specifying a non-existing file with the "-bios" parameter, QEMU
      complained that it "could not find LPAR rtas". That's obviously a
      copy-n-paste bug from the code which loads the spapr-rtas.bin, it
      should complain about a missing firmware file instead.
      Additionally the error message was printed with hw_error() - which
      also dumps the whole CPU state. However, this does not make much
      sense here since the CPU is not running yet and thus the registers
      only contain zeroes. So let's use error_report() here instead.
      And while we're at it, let's also bail out if the firmware file
      had zero length.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit a1a45612433edb0eb65c468f7ed579cd92358818
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 15:33:39 2015 +1000

      pseries: Add pseries-2.4 machine type

      Now that 2.4 development has opened, create a new pseries machine type
      variant.  For now it is identical to the pseries-2.3 machine type, but
      a number of new features are coming that will need to set backwards
      compatibility options.

      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f9ce8e0aa3fb55ae7a8ea34d3169e73e87feb337
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu May 7 15:33:38 2015 +1000

      hw/ppc/spapr_iommu: Fix the check for invalid upper bits in liobn

      The check "liobn & 0xFFFFFFFF00000000ULL" in spapr_tce_find_by_liobn()
      is completely useless since liobn is only declared as an uint32_t
      parameter. Fix this by using target_ulong instead (this is what most
      of the callers of this function are using, too).

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit dea1b3ce756d7242d4212c22b7d6e6a896495154
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:37 2015 +1000

      spapr_iommu: Give unique QOM name to TCE table

      Useful for debugging.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit ccf9ff8527a87ee485fbb6a0a73d28641cab5f60
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:36 2015 +1000

      spapr_pci: Rework device-tree rendering

      This replaces object_child_foreach() and callback with existing
      SPAPR_PCI_LIOBN() and spapr_tce_find_by_liobn() to make the code easier
      to read.

      This is a mechanical patch so no behaviour change is expected.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit fae807a2b182a613798fe619f9069bd0bbe3dc6a
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:35 2015 +1000

      spapr_iommu: Make spapr_tce_find_by_liobn() public

      At the moment spapr_tce_find_by_liobn() is used by H_PUT_TCE/...
      handlers to find an IOMMU by LIOBN.

      We are going to implement Dynamic DMA windows (DDW), new code
      will go to a new file and we will use spapr_tce_find_by_liobn()
      there too so let's make it public.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 46c5874e9cd752ed8ded31af03472edd8fc3efc1
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:34 2015 +1000

      spapr_pci: Make find_phb()/find_dev() public

      This makes find_phb()/find_dev() public and changed its names
      to spapr_pci_find_phb()/spapr_pci_find_dev() as they are going to
      be used from other parts of QEMU such as VFIO DDW (dynamic DMA window)
      or VFIO PCI error injection or VFIO EEH handling - in all these
      cases there are RTAS calls which are addressed to BUID+config_addr
      in IEEE1275 format.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit d9d96a3cc7267880fbccb6bc4018fc31909fc930
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:33 2015 +1000

      spapr_iommu: Add separate trace points for PCI DMA operations

      This is to reduce VIO noise while debugging PCI DMA.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 3e1a01cb554412e8a9c25573126356596dc0c50f
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:32 2015 +1000

      spapr_pci: Define default DMA window size as a macro

      This gets rid of a magic constant describing the default DMA window size
      for an emulated PHB.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 4290ca49eed5e239695ce85c925a770e4a7317a6
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:31 2015 +1000

      spapr_vio: Introduce a liobn number generating macros

      This introduces a macro which makes up a LIOBN from fixed prefix and
      VIO device address (@reg property).

      This is to keep LIOBN macros rendering consistent - the same macro for
      PCI has been added by the previous patch.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit c8545818b331e9a32e5dd47f0aefbcf2b93e41da
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:30 2015 +1000

      spapr_pci: Introduce a liobn number generating macros

      We are going to have multiple DMA windows per PHB and we want them to
      migrate so we need a predictable way of assigning LIOBNs.

      This introduces a macro which makes up a LIOBN from fixed prefix,
      PHB index (unique PHB id) and window number.

      This introduces a SPAPR_PCI_DMA_WINDOW_NUM() to know the window number
      from LIOBN. It is used to distinguish the default 32bit windows from
      dynamic windows and avoid picking default DMA window properties from
      a wrong TCE table.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit f1215ea702e6e6cb3876221cf1f7f60133e08c30
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:29 2015 +1000

      spapr_iommu: Make H_PUT_TCE_INDIRECT endian-safe

      PAPR is defined as big endian so TCEs need an adjustment so
      does this patch.

      This changes code to have ldq_be_phys() in one place.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 12fd28535891572be7aaf862a03019257dafa425
  Author: Alexey Kardashevskiy <aik@xxxxxxxxx>
  Date:   Thu May 7 15:33:28 2015 +1000

      spapr_iommu: Disable in-kernel IOMMU tables for >4GB windows

      The existing KVM_CREATE_SPAPR_TCE ioctl only support 4G windows max as
      the window size parameter to the kernel ioctl() is 32-bit so
      there's no way of expressing a TCE window > 4GB.

      We are going to add huge DMA windows support so this will create small
      window and unexpectedly fail later.

      This disables KVM_CREATE_SPAPR_TCE for windows bigger that 4GB.

      Signed-off-by: Alexey Kardashevskiy <aik@xxxxxxxxx>
      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 421b1b27f6e9135ac8f01db219e0d8c0cefd7e71
  Author: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu Mar 19 15:14:18 2015 +1100

      spapr_pci: Fix unsafe signed/unsigned comparisons

      spapr_pci.c contains a number of expressions of the form (uval == -1) or
      (uval != -1), where 'uval' is an unsigned value.

      This mostly works in practice, because as long as the width of uval is
      greater or equal than that of (int), the -1 will be promoted to the
      unsigned type, which is the expected outcome.

      However, at least for the cases where uval is uint32_t, this would break
      on platforms where sizeof(int) > 4 (and a few such do exist), because then
      the uint32_t value would be promoted to the larger int type, and never be
      equal to -1.

      This patch fixes these errors.  The fixes for the (uint32_t) cases are
      necessary as described above.  I've made similar fixes to (uint64_t) and
      (hwaddr) cases.  Those are strictly theoretical, since I don't know of any
      platforms where sizeof(int) > 8, but hey, it's not that hard so we might
      as well be strictly C standard compliant.

      Reported-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 31ce0adb79655003465070fa90d7d20a5b8c2ff5
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Mon May 18 12:59:49 2015 +0200

      configure: Check for libfdt version 1.4.0

      Some recent patches require a function from libfdt version 1.4.0,
      so we should check for this version during the configure step
      already. Unfortunately, there does not seem to be a proper #define
      for the version number in the libfdt headers. So alternatively,
      we check for the availability of the required function
      fdt_get_property_by_offset() instead instead.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 28f490b24af83a007937daacb9ea8bf7537f9084
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Mon May 18 12:59:48 2015 +0200

      dtc: Update dtc / libfdt submodule to version 1.4.0

      Since some recent patches require libfdt version 1.4.0,
      let's update the dtc submodule to this version.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 62e9cd771cc368a8fd0f152832b78c43557897a9
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Mar 17 08:46:15 2015 +0100

      macio: Convert to realize()

      Convert device models "macio-oldworld" and "macio-newworld".

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Alexander Graf <agraf@xxxxxxx>

  commit 814550d73a94dcf9f2c9f8d2ee280226f1145388
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:12 2015 +0300

      docs: Add PXB documentation

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 0f6dd8e1d514b8c24689499ed72ea89fd0d967f3
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:11 2015 +0300

      apci: fix PXB behaviour if used with unsupported BIOS

      PXB does not work with unsupported bioses, but should
      not interfere with normal OS operation.
      We don't ship them anymore, but it's reasonable
      to keep the work-around until we update the bios in qemu.

      Fix this by not adding PXB mem/IO chunks to _CRS
      if they weren't configured by BIOS.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 0e79e51a7dcbd4fde5738d713b60f0fb0321f1af
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:10 2015 +0300

      hw/pxb: add numa_node parameter

      The pxb can be attach to and existing numa node by specifying
      numa_node option that equals the desired numa nodeid.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 6a3042b23bbb1fa92c00ea9267c830e7f2e99313
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:09 2015 +0300

      hw/pci: add support for NUMA nodes

      PCI root buses can be attached to a specific NUMA node.
      PCI buses are not attached by default to a NUMA node.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 0639b00d055b313930c23c4d6c9ebfb4af61c00c
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:08 2015 +0300

      hw/pxb: add map_irq func

      The bios does not index the pxb slot number when
      it computes the IRQ because it resides on bus 0
      and not on the current bus.
      However Qemu routes the irq through bus 0 and adds
      the pxb slot to the IRQ computation of the PXB device.

      Synchronize between bios and Qemu by canceling
      pxb's effect.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 2118196bb3795a43bf708c37bdcf4b3c33778ccb
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:07 2015 +0300

      hw/pci: inform bios if the system has extra pci root buses

      The bios looks for 'etc/extra-pci-roots' to decide if
      is going to scan further buses after bus 0 tree.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 40d14bef8012087ade60f254487d31db822a1a44
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:06 2015 +0300

      hw/pci: introduce PCI Expander Bridge (PXB)

      PXB is a "light-weight" host bridge whose purpose is to enable
      the main host bridge to support multiple PCI root buses
      for pc machines.

      As oposed to PCI-2-PCI bridge's secondary bus, PXB's bus
      is a primary bus and can be associated with a NUMA node
      (different from the main host bridge) allowing the guest OS
      to recognize the proximity of a pass-through device to
      other resources as RAM and CPUs.

      The PXB is composed from:
       - A primary PCI bus (can be associated with a NUMA node)
         Acts like a normal pci bus and from the functionality point
         of view is an "expansion" of the bus behind the
         main host bridge.
       - A pci-2-pci bridge behind the primary PCI bus where the actual
         devices will be attached.
       - A host-bridge PCI device
         Situated on the bus behind the main host bridge, allows
         the BIOS to configure the bus number and IO/mem resources.
         It does not have its own config/data register for configuration
         cycles, this being handled by the main host bridge.
      -  A host-bridge sysbus to comply with QEMU current design.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit cb2ed8b3c66284f226c523231e2c09e60bbb34bb
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:05 2015 +0300

      hw/pci: removed 'rootbus nr is 0' assumption from qmp_pci_query

      Use the newer pci_bus_num to correctly get the root bus number.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit dcdca29655f774568f30a82b7fe0190b4bd38802
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:04 2015 +0300

      hw/acpi: remove from root bus 0 the crs resources used by other buses.

      If multiple root buses are used, root bus 0 cannot use all the
      pci holes ranges. Remove the IO/mem ranges used by the other
      primary buses.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit a43c6e276231e8040203940cb07be00387686e87
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:03 2015 +0300

      hw/acpi: add _CRS method for extra root busses

      Save the IO/mem/bus numbers ranges assigned to the extra root busses
      to be removed from the root bus 0 range.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 0d8935e3370e07f57651e43d2de9011d75c2a066
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:02 2015 +0300

      hw/apci: add _PRT method for extra PCI root busses

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit a4894206e3672f8a5e5443d72b705495e022b638
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:01 2015 +0300

      hw/acpi: add support for i440fx 'snooping' root busses

      If the machine has extra root busses that are snooping to
      the i440fx host bridge, we need to add them to
      acpi in order to be properly detected by guests.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 09e5b81922179b6c52b42fd27587e64b474036c7
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:23:00 2015 +0300

      hw/pci: extend PCI config access to support devices behind PXB

      PXB buses are assumed to be children of bus 0. Look for them
      while scanning the buses.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit ca6c18556c5e9c4aac12489b960c3e4601e183bf
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:22:59 2015 +0300

      hw/i386: query only for q35/pc when looking for pci host bridge

      Because of the PXB hosts we cannot simply query TYPE_PCI_HOST_BRIDGE 
anymore.
      On i386 arch we only have two pci hosts, so we can look only for them.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 602141d9974d726063907851528c89d617730156
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:22:58 2015 +0300

      hw/pci: made pci_bus_num a PCIBusClass method

      Refactoring it as a method of PCIBusClass will allow
      different implementations for subclasses.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit ce6a28ee057da3e4a587dada369e33a8486b0066
  Author: Marcel Apfelbaum <marcel.a@xxxxxxxxxx>
  Date:   Tue Jun 2 14:22:57 2015 +0300

      hw/pci: made pci_bus_is_root a PCIBusClass method

      Refactoring it as a method of PCIBusClass will allow
      different implementations for subclasses.

      Removed the assumption that the root bus does not
      have a parent device because is specific only
      to the default class implementation.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit 32d9ca15bac63e8a7bad6dc1a4ab624e6d6d3b0f
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Tue Jun 2 14:22:56 2015 +0300

      acpi: add implementation of aml_while() term

      Commit 68e6b0af7 (acpi: add aml_while() term) added
      the definition of aml_while without the actual implementation.
      Implement the term.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Acked-by: Laszlo Ersek <lersek@xxxxxxxxxx>

  commit ca9b46bcecc0f06882eec1b152b71f93a066da79
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Wed May 13 17:21:36 2015 +0800

      acpi: add acpi_send_gpe_event() to rise sci for hotplug

      Add a new API named acpi_send_gpe_event() to send hotplug SCI.
      This API can be used by pci, cpu and memory hotplug.

      This patch is rebased on master.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit d5aaa1b0456033fc9ff723ac881ebe1b61360cca
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Jun 3 14:47:19 2015 +0200

      virtio: 64bit features fixups.

      Commit "019a3ed virtio: make features 64bit wide" missed a few changes,
      as I've noticed while trying to rebase the virtio-1 branch to latest
      master.  This patch adds them.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 977ad992f14b29a7d4f18eaba42a705004545a64
  Author: Juan Quintela <quintela@xxxxxxxxxx>
  Date:   Tue Jun 2 15:47:20 2015 +0200

      TPM: fix build with tpm disabled

      Failure was included on commit

      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6652d0811c9463fbfb2d2d1cb2ec03f388145c5f
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Wed May 27 16:26:07 2015 +0800

      virtio-pci: don't try to mask or unmask vqs without notifiers

      We should validate the vq index against nvqs_with_notifiers. Otherwise we 
may
      try to mask or unmask vector for vqs without notifiers (e.g control vq). 
This
      will lead qemu abort on kvm_irqchip_commit_routes() when trying to boot 
win8.1
      guest.

      Fixes 851c2a75a6e80c8aa5e713864d98cfb512e7229b ("virtio-pci: speedup MSI-X
      masking and unmasking")

      Reported-by: Alex Williamson <alex.williamson@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 557772f26b361ade84acecb366fe6fdd2d55a6d9
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon Jun 1 17:09:12 2015 +0300

      hw/q35: fix floppy controller definition in ich9

      In DSDT FDC0 declares the IO region as IO(Decode16, 0x03F2, 0x03F2, 0x00, 
0x04).
      Use the same in lpc_ich9 initialization code.
      Now the floppy drive is detected correctly on Windows.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cb3d37a93cc59da400d27361fcda024d49210abd
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jun 1 21:03:59 2015 +0200

      acpi: add missing ssdt

      commit 5cb18b3d7bff2a83275ee98af2a14eb9e21c93ab
          TPM2 ACPI table support

      was missing a file, so build with iasl fails
      (build without iasl works since it uses the generated
       hex files).

      Reported-by: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b853d4cbf2062813e84f9bb880feff8daf467e05
  Author: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 2 18:51:00 2015 +0200

      s390x/kvm: always ignore empty vcpu interrupt state

      kvm_s390_vcpu_interrupt_pre_save() and
      kvm_s390_vcpu_interrupt_post_load() are essentially no-ops on hosts
      without KVM_CAP_S390_IRQ_STATE. Move the capability check after the
      check for saved IRQ state in kvm_s390_vcpu_interrupt_post_load() so that
      migration between hosts without KVM_CAP_S390_IRQ_STATE (including save /
      restore on the same host) continues to work.

      Fixes: 3cda44f7bae5 ("s390x/kvm: migrate vcpu interrupt state")
      Signed-off-by: Sascha Silbe <silbe@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit 2a72ea5f66b3b87a975475bdc1cabacbbb402937
  Author: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jun 3 11:04:03 2015 -0400

      virtio-ccw/migration: Migrate config vector for virtio devices

      virtio_ccw_{save|load}_config are missing code to save and restore a 
vdev's
      config_vector value. This causes some virtio devices to become disabled
      following a migration.

      This patch fixes a bug whereby the qmp/hmp balloon command (virsh setmem)
      silently fails to update the guest's available memory because the device 
was not
      properly migrated.

      This will break compatibility, but vmstate_s390_cpu was bumped from
      version 2 to version 4 between v2.3.0 and v2.4.0 without a compat
      handler. Furthermore, there is no production environment yet so
      migration is fenced anyway between any relevant version of 2.3 and 2.4.

      Signed-off-by: Jason J. Herne <jjherne@xxxxxxxxxxxxxxxxxx>
      Message-Id: <1433343843-803-1-git-send-email-jjherne@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit de6a92185e3ac25ba7d37f03e579b1fc72e70162
  Author: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
  Date:   Wed May 27 13:11:59 2015 +0200

      virtio-ccw: add support for 9pfs

      This patch adds 9pfs support for virtio-ccw
      by registering the virtio_ccw_9p_info type
      and adding associated callbacks.

      Signed-off-by: Pierre Morel <pmorel@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>

  commit de3852877f1e452321352fdb7e678f079876a41b
  Author: Alex Bennée <alex.bennee@xxxxxxxxxx>
  Date:   Wed Jun 3 09:56:37 2015 +0100

      configure: postfix --extra-cflags to QEMU_CFLAGS

      It makes sense that extra-cflags should be appended after the normal
      CFLAGS so they don't get overridden by default behaviour. This way if
      you specify something like:

        ./configure --extra-cflags="-O0"

      You will see the requested behaviour.

      Signed-off-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2801339f2fb2534ccf01561d274398328bdd446d
  Author: Sai Pavan Boddu <sai.pavan.boddu@xxxxxxxxxx>
  Date:   Fri May 29 11:52:35 2015 +0530

      cadence_gem: Fix Rx buffer size field mask

      This patch corrects the Rx buffer size field mask to mask bits 23 to 16
      to match Xilinx UG585 documentation.

      Signed-off-by: Sai Pavan Boddu <saipava@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Thu May 28 14:12:26 2015 +0300

      slirp: use less predictable directory name in /tmp for smb config 
(CVE-2015-4037)

      In this version I used mkdtemp(3) which is:

              _BSD_SOURCE
              || /* Since glibc 2.10: */
                  (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)

      (POSIX.1-2008), so should be available on systems we care about.

      While at it, reset the resulting directory name within smb structure
      on error so cleanup function wont try to remove directory which we
      failed to create.

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b6b099541d6cf3c50b0fb5af916fff0db6508805
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Jun 1 09:53:55 2015 +0200

      translate-all: delete prototype for non-existent function

      Missed in commit 3a808cc40

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1597051b84b816c9608e1ee0947f8e6dc9876b56
  Author: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
  Date:   Fri May 29 19:52:52 2015 +0100

      Add -incoming help text

      The help/man text for

      -incoming defer

      didn't make it through the merge of the code that implemented it.

      Signed-off-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 26c8acb3f326166bf9dc60c3e8184f4b862e8451
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:11 2015 +0800

      hw/display/tc6393xb.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 294972ce546107f2215b3b162994b47f08aab7a4
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:10 2015 +0800

      hw/arm/nseries.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5429273615e7b412402a7b22738737c09ab9f488
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:09 2015 +0800

      hw/alpha/typhoon.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2c85fad022a5c23b835d7c78b653763ae1e3f6eb
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:08 2015 +0800

      hw/unicore32/puv3.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a9c8a0d8d4217754648decc5921e4b0fcd00ce7f
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:07 2015 +0800

      hw/lm32/milkymist.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d4ef00af2598fef06affbd42608e570237a7b276
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:06 2015 +0800

      hw/lm32/lm32_boards.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit aaaee0b273082ee2836dcc2f61a878ee291a8d9b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:05 2015 +0800

      hw/ppc/prep.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ca43b97b5f6fa57e79adc7f167b12d3e0545c7e1
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:04 2015 +0800

      hw/sparc/sun4m.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b64127244d669c33a4ffdcc47e076559497785af
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:02 2015 +0800

      hw/timer/arm_timer.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5105505e65ba6bc3e1dc549bcd0d1d33f3546e60
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:01 2015 +0800

      hw/isa/i82378.c: Fix misusing qemu_allocate_irqs for single irq

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit aff0d5e57a71260885d54c07cef5f4a486c8336b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:00 2015 +0800

      hw/isa/lpc_ich9.c: Fix misusing qemu_allocate_irqs for single irq

      Since ich9_lpc_pm_init only requests one irq, so let it just call
      qemu_allocate_irq.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 0b0cc076b78976b30360dd7c6ed994f864424779
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:26:59 2015 +0800

      hw/i386/pc: Fix misusing qemu_allocate_irqs for single irq

      Since pc_allocate_cpu_irq only requests one irq, so let it just call
      qemu_allocate_irq.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9ff7f5bddbe5814bafe5e798d2cf1087b58dc7b6
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:27:03 2015 +0800

      hw/intc/exynos4210_gic.c: Fix memory leak by adjusting order

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9f9b026dc60398224fb035eb27ae0ed083d2d66f
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 13:38:34 2015 +0800

      hw/arm/omap_sx1.c: Fix memory leak spotted by valgrind

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f19377bf234a3359b0a03844822e97de80ad4f30
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 28 20:39:43 2015 +0800

      hw/ppc/e500.c: Fix memory leak

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c18f855697ab6b64a895f37cf47fd7061ce9e798
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 28 20:39:42 2015 +0800

      hw/alpha/dp264.c: Fix memory leak spotted by valgrind

      valgrind complains about:
      ==7055== 58 bytes in 1 blocks are definitely lost in loss record 1,471 of 
2,192
      ==7055==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==7055==    by 0x24410F: malloc_and_trace (vl.c:2556)
      ==7055==    by 0x64C770E: g_malloc (in /usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x64DEFD7: g_strndup (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x650181A: g_vasprintf (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x64DF0CC: g_strdup_vprintf (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x64DF188: g_strdup_printf (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==7055==    by 0x242F81: qemu_find_file (vl.c:2121)
      ==7055==    by 0x217A32: clipper_init (dp264.c:105)
      ==7055==    by 0x2484DA: main (vl.c:4249)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit bd4baf6eebff75c7e0c67a729d1bdb5b0b36fe72
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 25 14:47:25 2015 +0800

      vl: fix memory leak spotted by valgrind

      valgrind complains about:
      ==9276== 13 bytes in 1 blocks are definitely lost in loss record 1,046 of 
3,673
      ==9276==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==9276==    by 0x2EAFBB: malloc_and_trace (vl.c:2556)
      ==9276==    by 0x64C770E: g_malloc (in /usr/lib64/libglib-2.0.so.0.3600.3)
      ==9276==    by 0x4A28BD: addr_to_string (vnc.c:123)
      ==9276==    by 0x4A29AD: vnc_socket_local_addr (vnc.c:139)
      ==9276==    by 0x4A9AFE: vnc_display_local_addr (vnc.c:3240)
      ==9276==    by 0x2EF4FE: main (vl.c:4321)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7df057bac3734ee3c2c052fd0807479602ab5583
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun May 24 13:20:14 2015 -0700

      device-tree: Make a common-obj

      There is no reason for device tree API to be built per-target.
      common-obj it. There is an extraneous inclusion of config.h that
      needs to be removed.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d370dfa9f3703cf0af07d96d50ed567413e8ec65
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 26 09:46:07 2015 +0800

      hw/i386/acpi-build: decref after use

      valgrind complains about:
      ==16447== 48 bytes in 2 blocks are definitely lost in loss record 2,033 
of 3,310
      ==16447==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==16447==    by 0x2E4FD7: malloc_and_trace (vl.c:2546)
      ==16447==    by 0x64C770E: g_malloc (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==16447==    by 0x53EC3F: qint_from_int (qint.c:33)
      ==16447==    by 0x53B426: qmp_output_type_int (qmp-output-visitor.c:162)
      ==16447==    by 0x539257: visit_type_uint32 (qapi-visit-core.c:147)
      ==16447==    by 0x471D07: property_get_uint32_ptr (object.c:1651)
      ==16447==    by 0x47000C: object_property_get (object.c:822)
      ==16447==    by 0x472428: object_property_get_qobject (qom-qobject.c:37)
      ==16447==    by 0x25701A: build_append_pci_bus_devices (acpi-build.c:520)
      ==16447==    by 0x25902E: build_ssdt (acpi-build.c:1004)
      ==16447==    by 0x25A0A8: acpi_build (acpi-build.c:1420)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 6e38a4ba7889083b65729db2144cdbcefbaa303a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 26 09:46:06 2015 +0800

      hw/ide/pci: Fix memory leak

      valgrind complains about:
      ==16447== 16 bytes in 2 blocks are definitely lost in loss record 1,304 
of 3,310
      ==16447==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==16447==    by 0x2E4FD7: malloc_and_trace (vl.c:2546)
      ==16447==    by 0x64C770E: g_malloc (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==16447==    by 0x36FB47: qemu_extend_irqs (irq.c:55)
      ==16447==    by 0x36FBD3: qemu_allocate_irqs (irq.c:64)
      ==16447==    by 0x3B4B44: bmdma_init (pci.c:464)
      ==16447==    by 0x3B547B: pci_piix_init_ports (piix.c:144)
      ==16447==    by 0x3B55D2: pci_piix_ide_realize (piix.c:164)
      ==16447==    by 0x3EAEC6: pci_qdev_realize (pci.c:1790)
      ==16447==    by 0x36C685: device_set_realized (qdev.c:1058)
      ==16447==    by 0x47179E: property_set_bool (object.c:1514)
      ==16447==    by 0x470098: object_property_set (object.c:837)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2ba154cf4eb8636cdd3aa90f392ca9e77206ca39
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue May 26 09:46:05 2015 +0800

      hw/i386/pc_piix: Fix memory leak

      valgrind complains about:
      ==16447== 8 bytes in 1 blocks are definitely lost in loss record 552 of 
3,310
      ==16447==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==16447==    by 0x2E4FD7: malloc_and_trace (vl.c:2546)
      ==16447==    by 0x64C770E: g_malloc (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==16447==    by 0x36FB47: qemu_extend_irqs (irq.c:55)
      ==16447==    by 0x36FBD3: qemu_allocate_irqs (irq.c:64)
      ==16447==    by 0x24E622: pc_init1 (pc_piix.c:287)
      ==16447==    by 0x24E76A: pc_init_pci (pc_piix.c:310)
      ==16447==    by 0x2E9360: main (vl.c:4226)

      ==16447== 128 bytes in 1 blocks are definitely lost in loss record 2,569 
of 3,310
      ==16447==    at 0x4C2845D: malloc (in 
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
      ==16447==    by 0x2E4FD7: malloc_and_trace (vl.c:2546)
      ==16447==    by 0x64C770E: g_malloc (in 
/usr/lib64/libglib-2.0.so.0.3600.3)
      ==16447==    by 0x36FB47: qemu_extend_irqs (irq.c:55)
      ==16447==    by 0x36FBD3: qemu_allocate_irqs (irq.c:64)
      ==16447==    by 0x25BEB2: kvm_i8259_init (i8259.c:133)
      ==16447==    by 0x24E1F1: pc_init1 (pc_piix.c:219)
      ==16447==    by 0x24E76A: pc_init_pci (pc_piix.c:310)
      ==16447==    by 0x2E9360: main (vl.c:4226)

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5708b2b736ebec6e3af04b9b249faadf896791cd
  Author: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
  Date:   Tue May 26 05:25:41 2015 -0400

      docs/writing-qmp-commands: fix a typo

      s/interation/iteration

      Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b8981dc9aae25fa79e5f35609e63f50f078a572d
  Author: Peter Krempa <pkrempa@xxxxxxxxxx>
  Date:   Fri May 15 11:31:43 2015 +0200

      util: socket: Add missing localaddr and localport option for DGRAM socket

      The 'socket_optslist' structure does not contain the 'localaddr' and
      'localport' options that are parsed in case you are creating a
      'connect' type UDP character device.

      I've noticed it happening after commit f43e47dbf6de24db20ec9b588bb6cc762
      made qemu abort() after seeing the invalid option.

      A minimal reproducer for the case is:
      $ qemu-system-x86_64 -chardev 
udp,id=charrng0,host=127.0.0.1,port=1234,localaddr=,localport=1234
      qemu-system-x86_64: -chardev 
udp,id=charrng0,host=127.0.0.1,port=1234,localaddr=,localport=1234: Invalid 
parameter 'localaddr'
      Aborted (core dumped)

      Prior to the commit mentioned above the error would be printed but the
      value for localaddr and localport was simply ignored. I did not go
      through the code to find out when it was broken.

      Add the two fields so that the options can again be parsed correctly and
      qemu doesn't abort().

      Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1220252

      Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a2f533da00f7278788afcf10f325f636805077dc
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu May 14 22:33:39 2015 -0700

      microblaze: cpu: Delete MMAP_SHIFT definition

      Just fallback on the default of 12 like other architectures. This
      allows changing the system-mode-affecting definition of
      TARGET_PAGE_BITS without affecting microblaze linux-user.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 44f192f364b71683379e104157b15b0685d24394
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 13:15:28 2015 +0000

      iscsi: Remove pointless runtime check of macro value

      raw_bsd already has QEMU_BUILD_BUG_ON(BDRV_SECTOR_SIZE != 512), so iscsi
      should relax.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1b93c9a1040b3c12320cf55c6284882a2e6e8ff3
  Author: Ikey Doherty <michael.i.doherty@xxxxxxxxx>
  Date:   Tue May 26 13:54:06 2015 +0100

      arch_init: Drop target-x86_64.conf

      The target-x86_64.conf sysconfig file has been empty and essentially 
ignored
      now for several years. This change removes the unused file to enable 
moving
      towards a stateless configuration.

      Signed-off-by: Ikey Doherty <michael.i.doherty@xxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 38e5c119c2925812bd441450ab9e5e00fc79e662
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Mon Mar 23 17:29:32 2015 -0300

      target-i386: Register QOM properties for feature flags

      This uses the feature name arrays to register QOM properties for feature
      flags. This simply adds properties that can be configured using -global,
      but doesn't change x86_cpu_parse_featurestr() to use them yet.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit be9f8a08727e46c790adb8caa8a4525a1e8e9e73
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Wed May 20 10:40:47 2015 +0800

      apic: convert ->busdev.qdev casts to C casts

      Use C casts to avoid accessing ICCDevice's qdev field
      directly.

      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Acked-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 458cf469f4a1cb520b07092f5537c5a6d2389d23
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 29 16:31:12 2015 -0300

      target-i386: Fix signedness of MSR_IA32_APICBASE_BASE

      Existing definition triggers the following when using clang
      -fsanitize=undefined:

          hw/intc/apic_common.c:314:55: runtime error: left shift of 1048575 by 
12
              places cannot be represented in type 'int'

      Fix it so we won't try to shift a 1 to the sign bit of a signed integer.

      Suggested-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 0e3bd56294230ad0ee20fce587879c29a83a0d8b
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Tue Mar 17 17:46:36 2015 +0100

      pc: Ensure non-zero CPU ref count after attaching to ICC bus

      Setting the parent bus of a device increases its ref count, which we
      ultimately want to level out. However it is only safe to do so after the
      last reference to the device in local code, as qom-set or similar 
operations
      might decrease the ref count.

      Therefore move the object_unref() from pc_new_cpu() into its callers.

      The APIC operations on the last CPU in pc_cpus_init() are still 
potentially
      insecure, but that is beyond the scope of this code movement.

      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>
      Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 4964e18e490f3ecad35c9e4cc9b613316a98755e
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:38 2015 +0200

      fdc-test: Test state for existing cases more thoroughly

      This just adds a few additional checks of the MSR and interrupt pin to
      the already existing test cases.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-9-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 6cc8a11c84ddc18c64fc88d54c8e9dca24ada489
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:37 2015 +0200

      fdc: Fix MSR.RQM flag

      The RQM bit in MSR should be set whenever the guest is supposed to
      access the FIFO, and it should be cleared in all other cases. This is
      important so the guest can't continue writing/reading the FIFO beyond
      the length that it's suppossed to access (see CVE-2015-3456).

      Commit e9077462 fixed the CVE by adding code that avoids the buffer
      overflow; however it doesn't correct the wrong behaviour of the floppy
      controller which should already have cleared RQM.

      Currently, RQM stays set all the time and during all phases while a
      command is being processed. This is error-prone because the command has
      to explicitly clear the flag if it doesn't need data (and indeed, the
      two buggy commands that are the culprits for the CVE just forgot to do
      that).

      This patch clears RQM immediately as soon as all bytes that are expected
      have been received. If the the FIFO is used in the next phase, the flag
      has to be set explicitly there.

      It also clear RQM after receiving all bytes even if the phase transition
      immediately sets it again. While it's technically not necessary at the
      moment because the state between clearing and setting RQM is not
      observable by the guest, this is more explicit and matches how real
      hardware works. It will actually become necessary in qemu once
      asynchronous code paths are introduced.

      This alone should have been enough to fix the CVE, but now we have two
      lines of defense - even better.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-8-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit f6c2d1d8425fd0ca450d515b06821e2224d4b43c
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:36 2015 +0200

      fdc: Disentangle phases in fdctrl_read_data()

      This commit makes similar improvements as have already been made to the
      write function: Instead of relying on a flag in the MSR to distinguish
      controller phases, use the explicit phase that we store now. Assertions
      of the right MSR flags are added.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-7-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit d275b33d76c8ed9d5a3dca22ea0fdec8d5a5c8e6
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:35 2015 +0200

      fdc: Code cleanup in fdctrl_write_data()

      Factor out a few common lines of code, reformat, improve comments.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-6-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 5b0a25e8d2f15f89255c745c71d297b5b24d138c
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:34 2015 +0200

      fdc: Use phase in fdctrl_write_data()

      Instead of relying on a flag in the MSR to distinguish controller phases,
      use the explicit phase that we store now. Assertions of the right MSR
      flags are added.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-5-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 85d291a08c91c07927bbbd29f72a27d3ad7478f3
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:33 2015 +0200

      fdc: Introduce fdctrl->phase

      The floppy controller spec describes three different controller phases,
      which are currently not explicitly modelled in our emulation. Instead,
      each phase is represented by a combination of flags in registers.

      This patch makes explicit in which phase the controller currently is.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Acked-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-4-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 83a260135f13db8b5d7df72090864a5ebcef2845
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:32 2015 +0200

      fdc: Rename fdctrl_set_fifo() to fdctrl_to_result_phase()

      What callers really do with this function is to switch from execution
      phase (including data transfers) to result phase where the guest can
      read out one or more status bytes from the FIFO (the number depends on
      the command).

      Rename the function accordingly.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-3-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 07e415f2398d9cfb21cdd5ef902445032ba54556
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu May 21 15:19:31 2015 +0200

      fdc: Rename fdctrl_reset_fifo() to fdctrl_to_command_phase()

      What all callers of fdctrl_reset_fifo() really want to do is to start
      the command phase, where writes to the data port initiate a new command.

      The function doesn't only clear the FIFO, but also sets up the state so
      that a new command can be received. Rename it to reflect this.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1432214378-31891-2-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit a67bfbb9e41e089caec61384c625e8a61a5f270f
  Merge: 42d58e7 489653b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 2 18:23:28 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-monitor-2015-06-02' into staging

      Monitor patches

      # gpg: Signature made Tue Jun  2 09:16:07 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-monitor-2015-06-02: (21 commits)
        monitor: Change return type of monitor_cur_is_qmp() to bool
        monitor: Rename monitor_ctrl_mode() to monitor_is_qmp()
        monitor: Turn int command_mode into bool in_command_mode
        monitor: Drop do_qmp_capabilities()'s superfluous QMP check
        monitor: Unbox Monitor member mc and rename to qmp
        monitor: Rename monitor_control_read(), monitor_control_event()
        monitor: Rename handle_user_command() to handle_hmp_command()
        monitor: Limit QError use to command handlers
        monitor: Inline monitor_has_error() into its only caller
        monitor: Wean monitor_protocol_emitter() off mon->error
        monitor: Propagate errors through invalid_qmp_mode()
        monitor: Propagate errors through qmp_check_input_obj()
        monitor: Propagate errors through qmp_check_client_args()
        monitor: Drop unused "new" HMP command interface
        monitor: Use trad. command interface for HMP pcie_aer_inject_error
        monitor: Use traditional command interface for HMP device_add
        monitor: Use traditional command interface for HMP drive_del
        monitor: Convert client_migrate_info to QAPI
        monitor: Improve and document client_migrate_info protocol error
        monitor: Clean up after previous commit
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 42d58e7c6760cb9c55627c28ae538e27dcf2f144
  Merge: 3fc827d c25bbf1
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 2 16:47:31 2015 +0100

      Merge remote-tracking branch 'remotes/sstabellini/tags/xen-15-06-02-tag' 
into staging

      XSA 128 129 130 131

      # gpg: Signature made Tue Jun  2 16:46:38 2015 BST using RSA key ID 
70E1AE90
      # gpg: Good signature from "Stefano Stabellini 
<stefano.stabellini@xxxxxxxxxxxxx>"

      * remotes/sstabellini/tags/xen-15-06-02-tag:
        xen/pt: unknown PCI config space fields should be read-only
        xen/pt: add a few PCI config space field descriptions
        xen/pt: mark reserved bits in PCI config space fields
        xen/pt: mark all PCIe capability bits read-only
        xen/pt: split out calculation of throughable mask in PCI config space 
handling
        xen/pt: correctly handle PM status bit
        xen/pt: consolidate PM capability emu_mask
        xen/MSI: don't open-code pass-through of enable bit modifications
        xen/MSI-X: limit error messages
        xen: don't allow guest to control MSI mask register
        xen: properly gate host writes of modified PCI CFG contents

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 94edf02c4c94781fa777c459fe86b52131b83cb6
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 12:29:14 2015 +0100

      hw/arm/virt: change indentation in a15memmap

      Re-indent in a15memmap after VIRT_PLATFORM_BUS introduction

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1433244554-12898-5-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5f7a5a0edc4a2f65293658eb540290ddf9a1988a
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 12:29:13 2015 +0100

      hw/arm/virt: add dynamic sysbus device support

      Allows sysbus devices to be instantiated from command line by
      using -device option. Machvirt creates a platform bus at init.
      The dynamic sysbus devices are attached to this platform bus device.

      The platform bus device registers a machine init done notifier
      whose role will be to bind the dynamic sysbus devices. Indeed
      dynamic sysbus devices are created after machine init.

      machvirt also registers a notifier that will build the device
      tree nodes for the platform bus and its children dynamic sysbus
      devices.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1433244554-12898-4-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ac9d32e39664e060cd1b538ff190980d57ad69e4
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 12:29:12 2015 +0100

      hw/arm/boot: arm_load_kernel implemented as a machine init done notifier

      Device tree nodes for the platform bus and its children dynamic sysbus
      devices are added in a machine init done notifier. To load the dtb once,
      after those latter nodes are built and before ROM freeze, the actual
      arm_load_kernel existing code is moved into a notifier notify function,
      arm_load_kernel_notify. arm_load_kernel now only registers the
      corresponding notifier.

      Machine files that do not support platform bus stay unchanged. Machine
      files willing to support dynamic sysbus devices must call arm_load_kernel
      before sysbus-fdt arm_register_platform_bus_fdt_creator to make sure
      dynamic sysbus device nodes are integrated in the dtb.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1433244554-12898-3-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c25bbf1545a53ac051f9e51d4140e397660c10ae
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: unknown PCI config space fields should be read-only

      ... by default. Add a per-device "permissive" mode similar to pciback's
      to allow restoring previous behavior (and hence break security again,
      i.e. should be used only for trusted guests).

      This is part of XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reviewed-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>)

  commit a88a3f887181605f4487a22bdfb7d87ffafde5d9
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: add a few PCI config space field descriptions

      Since the next patch will turn all not explicitly described fields
      read-only by default, those fields that have guest writable bits need
      to be given explicit descriptors.

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

  commit 0ad3393ad032f76e88b4dbd04d36ad84dff75dd6
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: mark reserved bits in PCI config space fields

      The adjustments are solely to make the subsequent patches work right
      (and hence make the patch set consistent), namely if permissive mode
      (introduced by the last patch) gets used (as both reserved registers
      and reserved fields must be similarly protected from guest access in
      default mode, but the guest should be allowed access to them in
      permissive mode).

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

  commit 45ebe3916ab16f859ed930e92fbd52d84d5dcdaf
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: mark all PCIe capability bits read-only

      xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-
      only to avoid unintended write-back (just a precaution, the field ought
      to be read-only in hardware).

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 0e7ef22136955169a0fd03c4e41af95662352733
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: split out calculation of throughable mask in PCI config space 
handling

      This is just to avoid having to adjust that calculation later in
      multiple places.

      Note that including ->ro_mask in get_throughable_mask()'s calculation
      is only an apparent (i.e. benign) behavioral change: For r/o fields it
      doesn't matter > whether they get passed through - either the same flag
      is also set in emu_mask (then there's no change at all) or the field is
      r/o in hardware (and hence a write won't change it anyway).

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Reviewed-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>

  commit c4ff1e68c621928abc680266cad0a451686c403b
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: correctly handle PM status bit

      xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C
      nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS).

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit d61bb2482dc0c7426f451f23ba7e2748ae2cc06d
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/pt: consolidate PM capability emu_mask

      There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing
      PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local
      emu_mask variable - we can have the same effect by setting the field
      descriptor's emu_mask member suitably right away. Note that
      xen_pt_pmcsr_reg_write() is being retained in order to allow later
      patches to be less intrusive.

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>

  commit d1d35cf4ffb6a60a356193397919e83306d0bb74
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:01 2015 +0000

      xen/MSI: don't open-code pass-through of enable bit modifications

      Without this the actual XSA-131 fix would cause the enable bit to not
      get set anymore (due to the write back getting suppressed there based
      on the OR of emu_mask, ro_mask, and res_mask).

      Note that the fiddling with the enable bit shouldn't really be done by
      qemu, but making this work right (via libxc and the hypervisor) will
      require more extensive changes, which can be postponed until after the
      security issue got addressed.

      This is a preparatory patch for XSA-131.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Acked-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit b38ec5ee7a581776bbce0bdaecb397632c3c4791
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:00 2015 +0000

      xen/MSI-X: limit error messages

      Limit error messages resulting from bad guest behavior to avoid allowing
      the guest to cause the control domain's disk to fill.

      The first message in pci_msix_write() can simply be deleted, as this
      is indeed bad guest behavior, but such out of bounds writes don't
      really need to be logged.

      The second one is more problematic, as there guest behavior may only
      appear to be wrong: For one, the old logic didn't take the mask-all bit
      into account. And then this shouldn't depend on host device state (i.e.
      the host may have masked the entry without the guest having done so).
      Plus these writes shouldn't be dropped even when an entry is unmasked.
      Instead, if they can't be made take effect right away, they should take
      effect on the next unmasking or enabling operation - the specification
      explicitly describes such caching behavior. Until we can validly drop
      the message (implementing such caching/latching behavior), issue the
      message just once per MSI-X table entry.

      Note that the log message in pci_msix_read() similar to the one being
      removed here is not an issue: "addr" being of unsigned type, and the
      maximum size of the MSI-X table being 32k, entry_nr simply can't be
      negative and hence the conditonal guarding issuing of the message will
      never be true.

      This is XSA-130.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 7611dae8a69f0f1775ba1a9a942961c2aa10d88e
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:00 2015 +0000

      xen: don't allow guest to control MSI mask register

      It's being used by the hypervisor. For now simply mimic a device not
      capable of masking, and fully emulate any accesses a guest may issue
      nevertheless as simple reads/writes without side effects.

      This is XSA-129.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 5c83b2f5b4b956e91dd6e5711f14df7ab800aefb
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Jun 2 15:07:00 2015 +0000

      xen: properly gate host writes of modified PCI CFG contents

      The old logic didn't work as intended when an access spanned multiple
      fields (for example a 32-bit access to the location of the MSI Message
      Data field with the high 16 bits not being covered by any known field).
      Remove it and derive which fields not to write to from the accessed
      fields' emulation masks: When they're all ones, there's no point in
      doing any host write.

      This fixes a secondary issue at once: We obviously shouldn't make any
      host write attempt when already the host read failed.

      This is XSA-128.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>

  commit 11d306b9df172faeeb3409deba4083dbe479b23c
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 12:29:11 2015 +0100

      hw/arm/sysbus-fdt: helpers for platform bus nodes addition

      This new C module will be used by ARM machine files to generate
      platform bus node and their dynamic sysbus device tree nodes.

      Dynamic sysbus device node addition is done in a machine init
      done notifier. arm_register_platform_bus_fdt_creator does the
      registration of this latter and is supposed to be called by
      ARM machine files that support platform bus and their dynamic
      sysbus. Addition of dynamic sysbus nodes is done only if the
      user did not provide any dtb.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1433244554-12898-2-git-send-email-eric.auger@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4771cd01daaccb2a8929fa04c88c608e378cf814
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 1 19:18:36 2015 +0100

      target-arm: Remove v8_ prefix from names of non-v8-specific cpreg arrays

      The ARMCPRegInfo arrays v8_el3_no_el2_cp_reginfo and v8_el2_cp_reginfo
      are actually used on non-v8 CPUs as well. Remove the incorrect v8_
      prefix from their names.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1433182716-6400-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 9718e4ae362d2f221ec028cdacefafc593ef1357
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      arm_gicv2m: set kvm_gsi_direct_mapping and kvm_msi_via_irqfd_allowed

      After introduction of kvm_arch_msi_data_to_gsi, kvm_gsi_direct_mapping
      now can be set on ARM. Also kvm_msi_via_irqfd_allowed can be set,
      depending on kernel irqfd support, hence enabling VIRTIO-PCI with
      vhost back-end.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1850b6b7d027bb4b45010a7d1da919267fff2cd4
  Author: Eric Auger <eric.auger@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      kvm: introduce kvm_arch_msi_data_to_gsi

      On ARM the MSI data corresponds to the shared peripheral interrupt (SPI)
      ID. This latter equals to the SPI index + 32. to retrieve the SPI index,
      matching the gsi, an architecture specific function is introduced.

      Signed-off-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Acked-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0b2ff2ceb8a45cbe51ca13a1a32fc5bdeec71815
  Author: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      pl061: fix wrong calculation of GPIOMIS register

      The masked interrupt status register should be the state of the interrupt
      after masking.
      There should be a logical AND instead of a logical OR between the
      interrupt status and the interrupt mask.

      Signed-off-by: Victor CLEMENT <victor.clement@xxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1433154824-6927-1-git-send-email-victor.clement@xxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bd204e63a7ce9d1b5c5903c9033863b179194989
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      target-arm: Add the GICv2m to the virt board

      Add a GICv2m device to the virt board to enable MSIs on the generic PCI
      host controller.  We allocate 64 SPIs in the IRQ space for now (this can
      be increased/decreased later) and map the GICv2m right after the GIC in
      the memory map.

      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1432897270-7780-5-git-send-email-christoffer.dall@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dfd90a87155882d92a3efa6da9afc773fd8c6796
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      target-arm: Extend the gic node properties

      In preparation for adding the GICv2m which requires address specifiers
      and is a subnode of the gic, we extend the gic DT definition to specify
      the #address-cells and #size-cells properties and add an empty ranges
      property properties of the DT node, since this is required to add the
      v2m node as a child of the gic node.

      Note that we must also expand the irq-map to reference the gic with the
      right address-cells as a consequence of this change.

      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1432897270-7780-4-git-send-email-christoffer.dall@xxxxxxxxxx
      Suggested-by: Shanker Donthineni <shankerd@xxxxxxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 770c58f8d10b61e80a211d87df83670711631530
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:23 2015 +0100

      arm_gicv2m: Add GICv2m widget to support MSIs

      The ARM GICv2m widget is a little device that handles MSI interrupt
      writes to a trigger register and ties them to a range of interrupt lines
      wires to the GIC.  It has a few status/id registers and the interrupt 
wires,
      and that's about it.

      A board instantiates the device by setting the base SPI number and
      number SPIs for the frame.  The base-spi parameter is indexed in the SPI
      number space only, so base-spi == 0, means IRQ number 32.  When a device
      (the PCI host controller) writes to the trigger register, the payload is
      the GIC IRQ number, so we have to subtract 32 from that and then index
      into our frame of SPIs.

      When instantiating a GICv2m device, tell PCI that we have instantiated
      something that can deal with MSIs.  We rely on the board actually wiring
      up the GICv2m to the PCI host controller.

      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1432897270-7780-3-git-send-email-christoffer.dall@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 747d009dcac37ce7372b58b21c168f0ad66cf7be
  Author: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      target-arm: Add GIC phandle to VirtBoardInfo

      Instead of passing the GIC phandle around between functions, add it to
      the VirtBoardInfo just like we do for the clock_phandle.  We are about
      to add the v2m phandle as well, and it's easier not having to pass
      around a bunch of phandles, return multiple values from functions, etc.

      Reviewed-by: Eric Auger <eric.auger@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
      Message-id: 1432897270-7780-2-git-send-email-christoffer.dall@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 57b6d95eb480d66c5bfa4e416d1fbcad0f84fdd2
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      Revert "target-arm: Avoid g_hash_table_get_keys()"

      Since we now require GLib 2.22+ (commit f40685c), we don't have to
      work around lack of g_hash_table_get_keys() anymore.

      This reverts commit 82a3a11897308b606120f7235001e87809708f85.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1432749090-4698-1-git-send-email-armbru@xxxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8742d49d6f2278d353a1623dfa8a5e237dbfd906
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      target-arm: Add TLBI_VAE2{IS}

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-11-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 51da90140bba4333eeb9c1d8d8d8afc2ca790628
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      target-arm: Add TLBI_ALLE2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-10-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bdb9e2d66afbe0571dce48a9430c35ae4d6bbd32
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:22 2015 +0100

      target-arm: Add TLBI_ALLE1{IS}

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-9-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a57633c08fa861807a0713505785bd4d441d7df8
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add TTBR0_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-8-git-send-email-edgar.iglesias@xxxxxxxxx
      [PMM: Switch to preferred opc1/crm order for 64-bit AArch32 cpregs;
       drop unneeded use of vmsa_ttbr_writefn]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff05f37babe7874f28dcead6e9e4f1904d35a13a
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add TPIDR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-7-git-send-email-edgar.iglesias@xxxxxxxxx
      [PMM: reordered fields into preferred opc0/opc1/crn/crm/opc2 order]
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b9cb5323bb671a0f2bfecc36168d3a3763e90261
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add SCTLR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-6-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06ec4c8c9f9e21b7671c79296f3a47ab63d50067
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add TCR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-5-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 95f949ac3dc7d4a6ebee512a9d122db18210df64
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Add MAIR_EL2

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a903c449b41f105aadd5f762a7aede531b4950f0
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Tue Jun 2 14:56:21 2015 +0100

      target-arm: Break down TLB_LOCKDOWN

      Break down the overly broad wildcard definition of TLB_LOCKDOWN
      down to v7 level.

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3fc827d591679f3e262b9d1f8b34528eabfca8c0
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Fri May 29 16:43:13 2015 +1000

      target-arm: Correct check for non-EL3

      This fixes a compile warning from clang 3.5 (the assertion
      could never fire).

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1432881807-18164-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      [PMM: added note in commit message that this is fixing a build warning]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 25611aa12b4155937d076dbe7445daed62ee6043
  Merge: ef99b3e e63d114
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 2 11:25:12 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150602-1' 
into staging

      virtio-input: two small fixups

      # gpg: Signature made Tue Jun  2 09:32:51 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150602-1:
        virtio-input: make virtio devices follow usual naming convention
        virtio-input: const_le16 and const_le32 not build time constant

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ef99b3ee065d5c817fa0a50d95293e569bfb47fb
  Merge: b821cbe 9e47226
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Jun 2 10:20:03 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc build fix

      My last pull breaks build on systems with iasl.
      Fix this up.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jun  1 20:41:08 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream:
        acpi: add missing ssdt

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e63d114b8a81e22ff9295674ba64b21255d589ee
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jun 2 10:31:29 2015 +0200

      virtio-input: make virtio devices follow usual naming convention

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 16c9d46d32b39b147774ddd948dd2f9ad9049d02
  Author: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Jun 1 15:51:56 2015 +0200

      virtio-input: const_le16 and const_le32 not build time constant

      As the implementation of const_le16 and const_le32 is not build time 
constant
      on big endian systems this need to be fixed.

        CC    hw/input/virtio-input-hid.o
      hw/input/virtio-input-hid.c:340:13: error: initializer element is not 
constant
      hw/input/virtio-input-hid.c:340:13: error: (near initialization for 
â??virtio_keyboard_config[1].u.ids.bustypeâ??)
      ...

      Signed-off-by: Michael Mueller <mimu@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 489653b5db17679fd61b740dd289c798bb25d7b9
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 20:01:05 2015 +0100

      monitor: Change return type of monitor_cur_is_qmp() to bool

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9f3982f2dcd96753d57d0ac64bd1ae3b37a90eb3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:56:38 2015 +0100

      monitor: Rename monitor_ctrl_mode() to monitor_is_qmp()

      ... and change return type to bool.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit f994b2587f081693b017ebd03b362d162d3108b3
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:51:51 2015 +0100

      monitor: Turn int command_mode into bool in_command_mode

      While there, inline the pointless qmp_cmd_mode() wrapper.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 6a50636f35ba677c747f2f6127b0dba994b039ca
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:49:41 2015 +0100

      monitor: Drop do_qmp_capabilities()'s superfluous QMP check

      Superfluous since commit 30f5041 removed it from HMP.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 74358f2a1647b239d87340ea0024f9d2efa266ca
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:35:59 2015 +0100

      monitor: Unbox Monitor member mc and rename to qmp

      While there, rename its type as well, from MonitorControl to
      MonitorQMP.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit c83fe23b58199a6d4a938305cb0fc45fe7729b61
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:20:51 2015 +0100

      monitor: Rename monitor_control_read(), monitor_control_event()

      ... to monitor_qmp_read(), monitor_qmp_event().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 7ef6cf6341c453021939c909adf2d62d9dc25fd5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:12:36 2015 +0100

      monitor: Rename handle_user_command() to handle_hmp_command()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 710aec915d208246891b68e2ba61b54951edc508
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 11:28:00 2015 +0100

      monitor: Limit QError use to command handlers

      The previous commits narrowed use of QError to handle_qmp_command()
      and its helpers monitor_protocol_emitter(), build_qmp_error_dict().
      Narrow it further to just the command handler call: instead of
      converting Error to QError throughout handle_qmp_command(), convert
      the QError gotten from the command handler to Error, and switch the
      helpers from QError to Error.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 452e0300a3521f13b6c4ba0b99a8cea3a29209f1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 19:11:13 2015 +0100

      monitor: Inline monitor_has_error() into its only caller

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 70ea0c58991ae44b5a1e67d9c189d79029168cb1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri Mar 6 10:47:08 2015 +0100

      monitor: Wean monitor_protocol_emitter() off mon->error

      Move mon->error handling to its caller handle_qmp_command().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 4086182fcd9b106345b5cc535d78bcc6d13a7683
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 29 10:27:16 2015 +0200

      monitor: Propagate errors through invalid_qmp_mode()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit ba0510aad43148e5284cb52fcc7a0103b5e0af4d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Mar 2 18:41:43 2015 +0100

      monitor: Propagate errors through qmp_check_input_obj()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 326283aa5d4d51d576185af4cbbdc29f648cd766
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Mon Mar 2 18:39:09 2015 +0100

      monitor: Propagate errors through qmp_check_client_args()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 8a4f501c09bcb8b5a220699e378aa8fb7ec178e4
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 18:50:05 2015 +0100

      monitor: Drop unused "new" HMP command interface

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 04e00c92ef75629a241ebc50537f75de0867928d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 17:48:49 2015 +0100

      monitor: Use trad. command interface for HMP pcie_aer_inject_error

      All QMP commands use the "new" handler interface (mhandler.cmd_new).
      Most HMP commands still use the traditional interface (mhandler.cmd),
      but a few use the "new" one.  Complicates handle_user_command() for no
      gain, so I'm converting these to the traditional interface.

      pcie_aer_inject_error's implementation is split into the
      hmp_pcie_aer_inject_error() and pcie_aer_inject_error_print().  The
      former is a peculiar crossbreed between HMP and QMP handler.  On
      success, it works like a QMP handler: store QDict through ret_data
      parameter, return 0.  Printing the QDict is left to
      pcie_aer_inject_error_print().  On failure, it works more like an HMP
      handler: print error to monitor, return negative number.

      To convert to the traditional interface, turn
      pcie_aer_inject_error_print() into a command handler wrapping around
      hmp_pcie_aer_inject_error().  By convention, this command handler
      should be called hmp_pcie_aer_inject_error(), so rename the existing
      hmp_pcie_aer_inject_error() to do_pcie_aer_inject_error().

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 318660f84a0a26451750aee68ab7dcf88731637d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 17:24:48 2015 +0100

      monitor: Use traditional command interface for HMP device_add

      All QMP commands use the "new" handler interface (mhandler.cmd_new).
      Most HMP commands still use the traditional interface (mhandler.cmd),
      but a few use the "new" one.  Complicates handle_user_command() for no
      gain, so I'm converting these to the traditional interface.

      For device_add, that's easy: just wrap the obvious hmp_device_add()
      around do_device_add().

      monitor_user_noop() is now unused, drop it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 072ebe6b0351060b33287454fdef625fe79c858f
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 17:00:56 2015 +0100

      monitor: Use traditional command interface for HMP drive_del

      All QMP commands use the "new" handler interface (mhandler.cmd_new).
      Most HMP commands still use the traditional interface (mhandler.cmd),
      but a few use the "new" one.  Complicates handle_user_command() for no
      gain, so I'm converting these to the traditional interface.

      For drive_del, that's easy: hmp_drive_del() sheds its unused last
      parameter, and its return value, which the caller ignored anyway.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit b8a185bc9a8ecbdc74fd64672e4abdd09a558e1c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 17:29:02 2015 +0100

      monitor: Convert client_migrate_info to QAPI

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 13cadefbda71e119db79fe0b7a4efd26a6d005bd
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 19:16:58 2015 +0100

      monitor: Improve and document client_migrate_info protocol error

      Protocol must be spice, vnc isn't implemented.  Fix up documentation.

      Attempts to use vnc or any other unknown protocol yield the misleading
      error message "Invalid parameter 'protocol'".  Improve it to
      "Parameter 'protocol' expects spice".

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by. Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 84add864ebd2e6f3c645948ab595d8454165ebc5
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 16:45:15 2015 +0100

      monitor: Clean up after previous commit

      Inline qmp_call_cmd() along with its helper handler_audit() into its
      only caller handle_qmp_command(), and simplify the result.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 65207c59d99f2260c5f1d3b9c491146616a522aa
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 14:35:26 2015 +0100

      monitor: Drop broken, unused asynchronous command interface

      The asynchronous monitor command interface goes back to commit 940cc30
      (Jan 2010).  Added a third case to command execution.  The hope back
      then according to the commit message was that all commands get
      converted to the asynchronous interface, killing off the other two
      cases.  Didn't happen.

      The initial asynchronous commands balloon and info balloon were
      converted back to synchronous long ago (commit 96637bc and d72f32),
      with commit messages calling the asynchronous interface "not fully
      working" and "deprecated".  The only other user went away in commit
      3b5704b.

      New code generally uses synchronous commands and asynchronous events.

      What exactly is still "not fully working" with asynchronous commands?
      Well, here's a bug that defeats actual asynchronous use pretty
      reliably: the reply's ID is wrong (and has always been wrong) unless
      you use the command synchronously!  To reproduce, we need an
      asynchronous command, so we have to go back before commit 3b5704b.
      Run QEMU with spice:

          $ qemu-system-x86_64 -nodefaults -S -spice 
port=5900,disable-ticketing -qmp stdio
          {"QMP": {"version": {"qemu": {"micro": 94, "minor": 2, "major": 2}, 
"package": ""}, "capabilities": []}}

      Connect a spice client in another terminal:

          $ remote-viewer spice://localhost:5900

      Set up a migration destination dummy in a third terminal:

          $ socat TCP-LISTEN:12345 STDIO

      Now paste the following into the QMP monitor:

          { "execute": "qmp_capabilities", "id": "i0" }
          { "execute": "client_migrate_info", "id": "i1", "arguments": { 
"protocol": "spice", "hostname": "localhost", "port": 12345 } }
          { "execute": "query-kvm", "id": "i2" }

      Produces two replies immediately, one to qmp_capabilities, and one to
      query-kvm:

          {"return": {}, "id": "i0"}
          {"return": {"enabled": false, "present": true}, "id": "i2"}

      Both are correct.  Two lines of debug output from libspice-server not
      shown.

      Now EOF socat's standard input to make it close the connection.  This
      makes the asynchronous client_migrate_info complete.  It replies:

          {"return": {}}

      Bug: "id": "i1" is missing.  Two lines of debug output from
      libspice-server not shown.  Cherry on top: storage for the missing ID
      is leaked.

      Get rid of this stuff before somebody hurts himself with it.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9e472263b07d53cb3401ee49ef1b45ef195ddb84
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Jun 1 21:03:59 2015 +0200

      acpi: add missing ssdt

      commit 5cb18b3d7bff2a83275ee98af2a14eb9e21c93ab
          TPM2 ACPI table support

      was missing a file, so build with iasl fails
      (build without iasl works since it uses the generated
       hex files).

      Reported-by: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b821cbe274c5a5cacf1a7b28360d869ae1e6e0c3
  Merge: 9657caf 830d70d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 1 15:22:46 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc, pci, tpm, virtio, vhost enhancements and fixes

      A bunch of cleanups and fixes all over the place,
      enhancements in TPM, virtio and vhost.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon Jun  1 13:19:48 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (60 commits)
        vhost-user: add multi queue support
        virtio: make features 64bit wide
        qdev: add 64bit properties
        virtio-mmio: ioeventfd support
        hw/acpi/aml-build: Fix memory leak
        acpi: add aml_while() term
        acpi: add aml_increment() term
        acpi: add aml_shiftright() term
        acpi: add aml_shiftleft() term
        acpi: add aml_index() term
        acpi: add aml_lless() term
        acpi: add aml_add() term
        TPM2 ACPI table support
        tpm: Probe for connected TPM 1.2 or TPM 2
        Extend TPM TIS interface to support TPM 2
        Add stream ID to MSI write
        acpi: Simplify printing to dynamic string
        i386: drop FDC in pc-q35-2.4+ if neither it nor floppy drives are wanted
        i386/pc_q35: don't insist on board FDC if there's no default floppy
        i386/pc: '-drive if=floppy' should imply a board-default FDC
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 830d70db692e374b55555f4407f96a1ceefdcc97
  Author: Ouyang Changchun <changchun.ouyang@xxxxxxxxx>
  Date:   Thu May 28 09:23:06 2015 +0800

      vhost-user: add multi queue support

      Based on patch by Nikolay Nikolaev:
      Vhost-user will implement the multi queue support in a similar way
      to what vhost already has - a separate thread for each queue.
      To enable the multi queue functionality - a new command line parameter
      "queues" is introduced for the vhost-user netdev.

      Signed-off-by: Nikolay Nikolaev <n.nikolaev@xxxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Changchun Ouyang <changchun.ouyang@xxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 019a3edbb25f1571e876f8af1ce4c55412939e5d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Jun 1 10:45:40 2015 +0200

      virtio: make features 64bit wide

      Make features 64bit wide everywhere.

      On migration a full 64bit guest_features field is sent if one of the
      high bits is set, in addition to the lower 32bit guest_features field
      which must stay for compatibility reasons.  That way we send the lower
      32 feature bits twice, but the code is simpler because we don't have
      to split and compose the 64bit features into two 32bit fields.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fdba6d967e00864edd21275a6ee1d23a383510e8
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon Jun 1 10:45:39 2015 +0200

      qdev: add 64bit properties

      Needed for virtio features which go from 32bit to 64bit with virtio 1.0

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 434027badb421863b85ffdb4769966533c001cfa
  Author: Ying-Shiuan Pan <yingshiuan.pan@xxxxxxxxx>
  Date:   Tue May 12 11:10:50 2015 +0300

      virtio-mmio: ioeventfd support

      set_host_notifier and set_guest_notifiers supported by virtio-mmio now.
      Most code copied from virtio-pci.

      This makes it possible to use vhost-net with virtio-mmio,
      improving performance by about 30%.

      The kvm-arm does not yet support irqfd, need to fix the hard-coded part 
after
      kvm-arm gets irqfd support.

      Signed-off-by: Ying-Shiuan Pan <yingshiuan.pan@xxxxxxxxx>
      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit afcf905cff7971324c2706600ead35a1f41f417a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 25 15:14:37 2015 +0800

      hw/acpi/aml-build: Fix memory leak

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit 68e6b0af784dda4efd9d4e2e9d3b03a31ca1408c
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:46 2015 +0300

      acpi: add aml_while() term

      Add encoding for ACPI DefWhile Opcode.

      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit af39d5363f373e6c1168a0e84658d6e4ef57fa8c
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:45 2015 +0300

      acpi: add aml_increment() term

      Add encoding for ACPI DefIncrement Opcode.

      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f7bd7b8eb6573ed22bfc51e148455a1c0a1e36d0
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:44 2015 +0300

      acpi: add aml_shiftright() term

      Add encoding for ACPI DefShiftRight Opcode.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>

  commit a57dddddd2f93b87852fac2ed41a31c45e6d192a
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:43 2015 +0300

      acpi: add aml_shiftleft() term

      Add encoding for ACPI DefShiftLeft Opcode.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>

  commit 928b8996576875f9364f77c5a41f12cd55c7b9f7
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:42 2015 +0300

      acpi: add aml_index() term

      Add encoding for ACPI DefIndex Opcode.

      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>

  commit 96396e2858fd8a0b4ee218c9894b5a67d22d97d9
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:41 2015 +0300

      acpi: add aml_lless() term

      Add encoding for ACPI DefLLess Opcode.

      Reviewed-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c08cf0704247aa55e9b0bb14cf34d845629e0e3e
  Author: Marcel Apfelbaum <marcel@xxxxxxxxxx>
  Date:   Mon May 25 18:33:40 2015 +0300

      acpi: add aml_add() term

      Add encoding for ACPI DefAdd Opcode.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Marcel Apfelbaum <marcel@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>

  commit 5cb18b3d7bff2a83275ee98af2a14eb9e21c93ab
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue May 26 16:51:07 2015 -0400

      TPM2 ACPI table support

      Add a TPM2 ACPI table if a TPM 2 is used in the backend.
      Also add an SSDT for the TPM 2.

      Rename tpm_find() to tpm_get_version() and have this function
      return the version of the TPM found, TPMVersion_Unspec if
      no TPM is found. Use the version number to build version
      specific ACPI tables.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 9657cafceb90accedd574a3accb3d344def8e764
  Merge: 97af820 07e1548
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Jun 1 11:29:37 2015 +0100

      Merge remote-tracking branch 
'remotes/bkoppelmann/tags/pull-tricore-20150530' into staging

      TriCore bugfixes

      # gpg: Signature made Sat May 30 15:50:49 2015 BST using RSA key ID 
6B69CA14
      # gpg: Good signature from "Bastian Koppelmann 
<kbastian@xxxxxxxxxxxxxxxxxxxxx>"

      * remotes/bkoppelmann/tags/pull-tricore-20150530:
        target-tricore: fix BOL_ST_H_LONGOFF using ld
        target-tricore: fix msub32_q producing the wrong overflow bit
        target-tricore: fix OPC2_32_RR_DVINIT_HU having write before use on the 
result

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 56a3c24ffc11955ddc7bb21362ca8069a3fc8c55
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue May 26 16:51:06 2015 -0400

      tpm: Probe for connected TPM 1.2 or TPM 2

      In the TPM passthrough backend driver, modify the probing code so
      that we can check whether a TPM 1.2 or TPM 2 is being used
      and adapt the behavior of the TPM TIS accordingly.

      Move the code that tested for a TPM 1.2 into tpm_utils.c
      and extend it with test for probing for TPM 2. Have the
      function return the version of TPM found.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 116694c34aa794a994051fce55bfee418fe1521d
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue May 26 16:51:05 2015 -0400

      Extend TPM TIS interface to support TPM 2

      Following the recent upgrade to version 1.3, extend the TPM TIS
      interface with capabilities introduced for support of a TPM 2.

      TPM TIS for TPM 2 introduced the following extensions beyond the
      TPM TIS 1.3 (used for TPM 1.2):

      - A new 32bit interface Id register was introduced.
      - New flags for the status (STS) register were defined.
      - New flags for the capability flags were defined.

      Support the above if a TPM TIS 1.3 for TPM 2 is used with a TPM 2
      on the backend side. Support the old TPM TIS 1.3 configuration if a
      TPM 1.2 is being used. A subsequent patch will then determine which
      TPM version is being used in the backend.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 38d40ff10f71657ea913a63d1f8477be368b92c1
  Author: Pavel Fedin <p.fedin@xxxxxxxxxxx>
  Date:   Wed May 27 15:59:59 2015 +0300

      Add stream ID to MSI write

      GICv3 ITS distinguishes between devices by using hardwired device IDs 
passed on the bus.
      This patch implements passing these IDs in qemu.
      SMMU is also known to use stream IDs, therefore this addition can also be 
useful for
      implementing platforms with SMMU.

      Signed-off-by: Pavel Fedin <p.fedin@xxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

       Changes from v1:
      - Added bus number to the stream ID
      - Added stream ID not only to MSI-X, but also to plain MSI. Some common 
code was made into
      msi_send_message() function.
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c3bdc56c183f6ca6baa502bd7861583ca98b333b
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed May 27 19:55:55 2015 +0200

      acpi: Simplify printing to dynamic string

      build_append_namestringv() and aml_string() first calculate the
      resulting string's length with vsnprintf(NULL, ...), then allocate,
      then print for real.  Simply use g_strdup_vprintf() or g_vasprintf()
      instead.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit ea96bc629cbd52be98b2967a4b4f72e91dfc3ee4
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu May 28 22:04:11 2015 +0200

      i386: drop FDC in pc-q35-2.4+ if neither it nor floppy drives are wanted

      It is Very annoying to carry forward an outdatEd coNtroller with a mOdern
      Machine type.

      Hence, let us not instantiate the FDC when all of the following apply:
      - the machine type is pc-q35-2.4 or later,
      - "-device isa-fdc" is not passed on the command line (nor in the config
        file),
      - no "-drive if=floppy,..." is requested.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: "Gabriel L. Somlo" <gsomlo@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6cd2234ccbacf2825372142a2658bf318ce2f848
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu May 28 22:04:10 2015 +0200

      i386/pc_q35: don't insist on board FDC if there's no default floppy

      The "no_floppy = 1" machine class setting causes "default_floppy" in
      main() to become zero. Consequently, default_drive() will not call
      drive_add() and drive_new() for IF_FLOPPY, index=0, meaning that no
      default floppy drive will be created for the virtual machine. In that
      case, board code should also not insist on the creation of the
      board-default FDC.

      The board-default FDC will still be created if the user requests a floppy
      drive with "-drive if=floppy".

      Additionally, separate FDCs can be specified manually with "-device
      isa-fdc". They allow the

        -device isa-fdc,driveA=...

      syntax that is more flexible than the one required by the board-default
      FDC:

        -global isa-fdc.driveA=...

      This patch doesn't change the behavior observably, as all Q35 machine
      types have "no_floppy = 0".

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: "Gabriel L. Somlo" <gsomlo@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 936a7c1cf7410a3bab97c98301054921d47a8918
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu May 28 22:04:09 2015 +0200

      i386/pc: '-drive if=floppy' should imply a board-default FDC

      Even if board code decides not to request the creation of the FDC (keyed
      off board-level factors, to be determined later), we should create the FDC
      nevertheless if the user passes '-drive if=floppy' on the command line.

      Otherwise '-drive if=floppy' would break without explicit '-device
      isa-fdc' on such boards.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: "Gabriel L. Somlo" <gsomlo@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fd53c87cf6651b0dfe9f5107cfe77d2f697bd4f6
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Thu May 28 22:04:08 2015 +0200

      i386/pc: pc_basic_device_init(): delegate FDC creation request

      This patch introduces no observable change, but it allows the callers of
      pc_basic_device_init(), ie. pc_init1() and pc_q35_init(), to request (or
      not request) the creation of the FDC explicitly.

      At the moment both callers pass constant create_fdctrl=true (hence no
      observable change).

      Assuming a board passes create_fdctrl=false, "floppy" will be NULL on
      output, and (beyond the FDC not being created) that NULL will be passed on
      to pc_cmos_init(). Luckily, pc_cmos_init() already handles that case.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: John Snow <jsnow@xxxxxxxxxx>
      Cc: "Gabriel L. Somlo" <gsomlo@xxxxxxxxx>
      Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: qemu-block@xxxxxxxxxx
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b829c2a98f1f67308eb02fcddb52d8fa67775f18
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:32 2015 +0800

      virtio: increase the queue limit to 1024

      Increase the queue limit to 1024. But virtio-ccw and s390-virtio won't
      support this, this is done through failing device_plugged() for those
      two transports if the number of virtqueues is greater than 64.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 87b3bd1c858e6cacac4d403da9109ec3a04fe9d0
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:31 2015 +0800

      virtio: rename VIRTIO_PCI_QUEUE_MAX to VIRTIO_QUEUE_MAX

      VIRTIO_PCI_QUEUE_MAX is not only used for pci, so rename it be generic.

      Cc: Amit Shah <amit.shah@xxxxxxxxxx>
      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d820331a0b47cbbdc409b435545aea25e19b57ad
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:30 2015 +0800

      virtio-s390: introduce virtio_s390_device_plugged()

      This patch introduce a virtio-s390 specific device_plugged() function
      and doing the number of virtqueue validation inside.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 74c85296dc880568005b8e7572e08a39d66bcdca
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:29 2015 +0800

      virtio-s390: introduce virito s390 queue limit

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 10ceaa1e8f9f74c917df1fe5db856817a8b26fe7
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:28 2015 +0800

      virtio-ccw: validate the number of queues against bus limitation

      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8dfbaa6ac450c4ec2646b1ca08a4017052a90c1d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:27 2015 +0800

      virtio-ccw: introduce ccw specific queue limit

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 8ad176aaed24535f535e0fdb03c538c23017535d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:26 2015 +0800

      virtio: introduce virtio_get_num_queues()

      This patch introduces virtio_get_num_queues() which iterates the vqs
      array and return the number of virtqueues used by device.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e83980455c8c7eb066405de512be7c4bace3ac4d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:25 2015 +0800

      virtio: device_plugged() can fail

      This patch passes error pointer to transport specific device_plugged()
      callback. Through this way, device_plugged() can do some transport
      specific check and fail. This will be uesd by following patches that
      check the number of virtqueues against the transport limitation.

      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Cc: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit da51a335aa61ec0e45879d80f3c5e2ee4f87cd2f
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Fri May 29 14:15:24 2015 +0800

      virtio-net: adding all queues in .realize()

      Instead of adding queues for multiqueue during feature set. This patch
      did this in .realize(), this will help the following patches that
      count the number of virtqueues used in .device_plugged() callback.

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit cf34f533a161f8ced7322321d70ca00414d47473
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri May 29 11:29:40 2015 +0200

      virtio: move VIRTIO_F_NOTIFY_ON_EMPTY into core

      Nearly all transports have been offering VIRTIO_F_NOTIFY_ON_EMPTY,
      s390-virtio being the exception. There's no reason why it shouldn't
      offer it as well, though (handling is done in core anyway), so let's
      move it to the common virtio features.

      While we're changing it anyway, fix the indentation for the
      DEFINE_VIRTIO_COMMON_FEATURES macro.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 13644819c5bf322ae4c2a415aca77d5dbde95fe8
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri May 29 11:29:39 2015 +0200

      virtio-ccw: Don't advertise VIRTIO_F_BAD_FEATURE

      This was copied from virtio-pci, but it doesn't make much sense for
      ccw, as it doesn't have to handle the broken implementations this bit
      is supposed to deal with. Remove it.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 6b8f1020540c27246277377aa2c3331ad2bfb160
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue May 26 16:34:47 2015 +0200

      virtio: move host_features

      Move host_features from the individual transport proxies into
      the virtio device. Transports may continue to add feature bits
      during device plugging.

      This should it make easier to offer different sets of host features
      for virtio-1/transitional support.

      Tested-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 2332333c9738b442fbbd5b83a1eaa6be656ab9b5
  Author: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
  Date:   Fri May 29 21:57:32 2015 +0200

      pc: acpi: fix pvpanic for buggy guests

      In the old times, we always had pvpanic in ACPI and a _STA method told
      the guest not to use it.  Automatic generation dropped the _STA method
      as the specification says that missing _STA means enabled and working.
      Some guests (Linux) had buggy drivers and this change made them unable
      to utilize pvpanic.

      A Linux patch is posted as well, but I think it's worth to make pvpanic
      useable on old guests at the price of three lines and few bytes of SSDT.

      The old _STA method was
        Method (_STA, 0, NotSerialized) {
            Store (PEST, Local0)
            If (LEqual (Local0, Zero)) {
                Return (Zero) }
            Else {
                Return (0x0F) }}

      Igor pointed out that we don't need to use a method to return a constant
      and that 0xB (don't show in UI) is the common definition now.

      Also, the device used to be PEVT.  (PEVT as in "panic event"?)

      Signed-off-by: Radim KrÄ?máÅ? <rkrcmar@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 99fbeafee8b568e796863980365080abdb8d675e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:19:01 2015 -0300

      pc: Generate init functions with a macro

      All pc-i440fx and pc-q35 init functions simply call the corresponding
      compat function and then call the main init function. Use a macro to
      generate that code.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 211b5b1d0a31f2f7593d6858a0b10487fb7b7fac
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:19:00 2015 -0300

      piix: Eliminate pc_init_pci()

      The function is not needed anymore, we can simply call pc_init1()
      directly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 72d164aa73b7c8d22a63b8ee789f97e4a8d2aa5c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:59 2015 -0300

      piix: Add kvmclock_enabled, pci_enabled globals

      This looks like a step backwards, but it will allow pc-0.1[0123] and
      isapc to follow the same compat+init pattern used by the other
      machine-types, allowing us to generate all init function using the same
      macro later.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d48f4fa69eb3efb03a2efe2e4606a97a17cf222f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:58 2015 -0300

      machine: Remove unused fields from QEMUMachine

      This removes the following fields from QEMUMachine: family, alias,
      reset, hot_add_cpu, units_per_default_bus, no_serial, no_parallel,
      use_virtcon, use_sclp, no_floppy, no_cdrom, default_display,
      compat_props, and hw_version.

      The only users of those fields were already converted to use QOM and
      MachineClass directly, so they are not needed anymore.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d644b11657ae047d50d8ea9ce285ecd6dae04ca2
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:57 2015 -0300

      pc: Remove qemu_register_pc_machine() function

      The helper is not needed anymore, as the PC machine classes are
      registered using QOM directly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 865906f7fdadd2732441ab158787f81f6a212bfe
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:56 2015 -0300

      pc: Don't use QEMUMachine anymore

      Now that we have a DEFINE_PC_MACHINE helper macro that just requires an
      initialization function, it is trivial to convert them to register a QOM
      machine class directly, instead of using QEMUMachine.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 25519b062c70f2afe2d2f0c262f3838a41e8bc7c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:55 2015 -0300

      pc: Move compat_props setting inside *_machine_options() functions

      This will simplify the DEFINE_PC_MACHINE macro, and will help us to
      implement reuse of PC_COMPAT_* macros through class_init function reuse,
      in the future.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fddd179ab962f6f78a8493742e1068d6a620e059
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:54 2015 -0300

      pc: Convert *_MACHINE_OPTIONS macros into functions

      By now the new functions will get QEMUMachine as argument, but they will
      be later converted to initialize a MachineClass struct directly.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 61f219dfb093c0df91926928c780299cdf429619
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:53 2015 -0300

      pc: Define machines using a DEFINE_PC_MACHINE macro

      This will automatically generate the existing QEMUMachine structs based
      on the *_MACHINE_OPTIONS macros, and automatically add registration code
      for them.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit b6b5c8e492ae7b71a16fe702b7409bff0feebfa7
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 15 14:18:52 2015 -0300

      pc: Define MACHINE_OPTIONS macros consistently for all machines

      Define a MACHINE_OPTIONS macro for each PC machine, and move every field
      inside the QEMUMachine structs to the macros, except for name, init, and
      compat_props.

      This also ensures that all MACHINE_OPTIONS inherit the fields from the
      next version, so their definitions carry only the changes that exist
      between one version and the next one.

      Comments about specific cases:

      pc-*-2.1:

        Existing PC_*_2_1_MACHINE_OPTIONS macros were defined as:
            PC_*_MACHINE_OPTIONS,
            .default_machine_opts = "firmware=bios-256k.bin"

        PC_*_2_2_MACHINE_OPTIONS is:
            PC_*_2_3_MACHINE_OPTIONS
        which is expanded to:
            PC_*_MACHINE_OPTIONS,
            .default_machine_opts = "firmware=bios-256k.bin",
            .default_display = "std"

        The only difference between 2_1 and 2_2 is .default_display, that's why
        we didn't reuse PC_*_2_2_MACHINE_OPTIONS. The good news is that having
        multiple initializers for a field is allowed by C99, and the last
        initializer overrides the previous ones.

        So we can reuse the 2_2 macro in 2_1 and define PC_*_2_1_MACHINE_OPTIONS
        as:
            PC_*_2_2_MACHINE_OPTIONS,
            .default_display = NULL

      pc-*-1.7:

        PC_*_1_7_MACHINE_OPTIONS was defined as:
            PC_*_MACHINE_OPTIONS

        PC_*_2_0_MACHINE_OPTIONS is defined as:
            PC_*_2_1_MACHINE_OPTIONS
        which is expanded to:
            PC_*_2_2_MACHINE_OPTIONS,
            .default_display = NULL
        which is expanded to:
            PC_*_2_3_MACHINE_OPTIONS,
            .default_display = NULL
        which is expanded to:
            PC_*_MACHINE_OPTIONS,
            .default_machine_opts = "firmware=bios-256k.bin",
            .default_display = "std",
            .default_display = NULL  /* overrides the previous line */

        So, the only difference between PC_*_1_7_MACHINE_OPTIONS and
        PC_*_2_0_MACHINE_OPTIONS is .default_machine_opts (as .default_display
        is not explicitly set by PC_*_MACHINE_OPTIONS so it is NULL).

        So we can keep the macro reuse pattern and define
        PC_*_2_0_MACHINE_OPTIONS as:
            PC_*_2_0_MACHINE_OPTIONS,
            .default_machine_opts = NULL

      pc-*-2.4 (alias and is_default fields):

        Set alias and is_default fields inside the 2.4 MACHINE_OPTIONS macro,
        and clear it in the 2.3 macro (that reuses the 2.4 macro).

      hw_machine:

        As all the machines older than v1.0 set hw_version explicitly, we can
        safely move the field to the MACHINE_OPTIONS macros without affecting
        the other versions that reuse them.

      init function:

        Some machines had the init function set inside the MACHINE_OPTIONS
        macro. Move it to the QEMUMachine declaration, to keep it consistent
        with the other machines.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f6d5a0bad276ea97fac4e0efb0f41f54a3f1ac84
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:10 2015 -0300

      piix: Define PC_COMPAT_0_10

      Move compat_props from pc-0.10 to the macro, to make it consistent with
      the other machines.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit faf7e4254fa33a13805a34a1ffeeb9dcc0a36a5e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:09 2015 -0300

      piix: Move pc-0.1[23] rombar compat props to PC_COMPAT_0_13

      The VGA and vmware-svga rombar compat properties were added by commit
      281a26b15b4adcecb8604216738975abd754bea8, but only to pc-0.13 and
      pc-0.12. This breaks the PC_COMPAT_* nesting pattern we currently
      follow.

      The new variables will now be inherited by pc-0.11 and older, but
      pc-0.11 and pc-0.10 already have PCI.rombar=0 on compat_props, so they
      shouldn't be affected at all.

      Cc: Stefan Weil <sw@xxxxxxxxxxx>
      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d765519bef48bd95f2139314a5354144387523eb
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:08 2015 -0300

      piix: Move pc-0.13 virtio-9p-pci compat to PC_COMPAT_0_13

      The compat property was added by commit
      9dbcca5aa13cb9ab40788ac4c56bc227d94ca920, and the pc-0.12 and older
      machine-types were not changed because virtio-9p-pci was introduced on 
QEMU
      0.13 (commit 9f10751365b26b13b8a9b67e0e90536ae3d282df). The only problem 
is
      that this breaks the PC_COMPAT_* nesting pattern we currently use.

      So, move the property to PC_COMPAT_0_13. This make pc-0.12 and older 
inherit
      it, but that shouldn't be an issue as QEMU 0.12 didn't have virtio-9p-pci.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Cc: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d5303df71073da70e0ad29a6dfb304ec7b747f5c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:07 2015 -0300

      piix: Move pc-0.11 drive version compat props to PC_COMPAT_0_11

      The current code setting ide-drive.ver and scsi-disk.ver on pc-0.11
      breaks the PC_COMPAT_* nesting pattern we currently use.

      As those variables are overwritten in pc-0.10 too, they can be inherited
      by pc-0.10 with no side-effects at all.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit bb08d8829b5bec6af619e4532a397ef12727516c
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:06 2015 -0300

      piix: Move pc-0.14 qxl compat properties to PC_COMPAT_0_14

      Those properties were introduced by commit
      3827cdb1c3aa17a792d1658161195b9d7173c26b. They were not duplicated into
      pc-0.13 and older because 0.14 was the first QEMU version supporting
      qxl. The only problem is that this breaks the PC_COMPAT_* nesting
      pattern we currently use.

      So, move the properties to PC_COMPAT_0_14. This makes pc-0.13 and older
      inherit them, but that shouldn't be an issue as QEMU 0.13 didn't support
      qxl.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 38ff32c6e6fd966c5adb9cde4d393a8cca9ef093
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:05 2015 -0300

      spapr: define SPAPR_COMPAT_2_3

      Don't add the pseries-2.3 machine yet, but define the corresponding
      SPAPR_COMPAT macro to make sure both pseries-2.2 and pseries-2.1 will
      inherit HW_COMPAT_2_3.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4dfd8eaa19c90087f19b56da5d04d9c468109a65
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:04 2015 -0300

      spapr: Use HW_COMPAT_* inside SPAPR_COMPAT_* macros

      SPAPR_COMPAT_2_1 will need to include both HW_COMPAT_2_2 and
      HW_COMPAT_2_1, so include HW_COMPAT_2_1 inside SPAPR_COMPAT_2_1 and
      HW_COMPAT_2_2 inside SPAPR_COMPAT_2_2.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 42134ac9d74799cf2f70257798b72a2988b75d31
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:03 2015 -0300

      pc: Define PC_COMPAT_2_[123] macros

      Once we start adding compat code for pc-2.3, the usage of HW_COMPAT_2_1
      in pc-*-2.2 won't be enough, as it also has to include PC_COMPAT_2_3
      inside it. To ensure that, define PC_COMPAT_2_3, PC_COMPAT_2_2, and
      PC_COMPAT_2_1 macros.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 1edbde82b809f80b973978886d8232fbf280cb03
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:02 2015 -0300

      hw: Define empty HW_COMPAT_2_[23] macros

      Now we can make everything consistent and define the macros even if they
      are still empty.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit dd754baf46b6479a02521f671a0b58ffc799810e
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:01 2015 -0300

      spapr: Move commas inside SPAPR_COMPAT_* macros

      Changing the convention to include commas inside the macros will allow
      macros containing empty lists to be defined and used without compilation
      errors.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a7cde24dc2f104c8e5861df0e2938e79264e9d58
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:53:00 2015 -0300

      pc: Move commas inside PC_COMPAT_* macros

      Changing the convention to include commas inside the macros will allow
      macros containing empty lists to be defined and used without compilation
      errors.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f27086a731bbd0141646702c95f6dc5fce3e8575
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:52:59 2015 -0300

      hw: Move commas inside HW_COMPAT_2_1 macro

      Changing the convention to include commas inside the macros will allow
      macros containing empty lists to be defined and used without compilation
      errors.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4974920ab8fc8cf05687f1f764650dbc7c821004
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu May 14 15:52:58 2015 -0300

      pc: Replace tab with spaces

      Coding style change only.

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit ecfa60e37439c870d08a90a845b061a53aa26f74
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 11 17:34:07 2015 +0800

      hw/s390x/virtio-ccw: use alias property for virtio-balloon-ccw

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 39b87c7b9f8bf3618e0357699d29615e521264d8
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 11 17:34:06 2015 +0800

      hw/virtio/virtio-pci: use alias property for virtio-balloon-pci

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 1190044ea5a1c9a871664c4e2013072e51e56d5a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Mon May 11 17:34:05 2015 +0800

      hw/virtio/virtio-balloon: move adding property to 
virtio_balloon_instance_init

      This is in preparation for using alias property in virtio-balloon-pci
      and virtio-balloon-ccw.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 07e15486faf353260431f10e85185372c5036baa
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri May 22 12:15:58 2015 +0200

      target-tricore: fix BOL_ST_H_LONGOFF using ld

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Message-Id: 
<1432289758-6250-4-git-send-email-kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 9bbd4843c052a0a467c7a3363046b0c95c0e5fc0
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri May 22 12:15:57 2015 +0200

      target-tricore: fix msub32_q producing the wrong overflow bit

      The inversion of the overflow bit as a special case, which was needed for 
the
      madd32_q instructions, does not apply for msub32_q instructions. So 
remove it.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Message-Id: 
<1432289758-6250-3-git-send-email-kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 05b6ca9bbcaede74120050aa8e6684300c09257c
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri May 22 12:15:56 2015 +0200

      target-tricore: fix OPC2_32_RR_DVINIT_HU having write before use on the 
result

      If the argument r1 was the same as the extended result register r3+1, we 
would
      overwrite r1 and then use it.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Message-Id: 
<1432289758-6250-2-git-send-email-kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 97af820f539efe80b87615a04f9de11ea585f725
  Merge: 2cc3bdb 3960c33
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 17:10:57 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150529' into staging

      target-arm:
       * Support ACPI for ARMv8 systems using the 'virt' board
         (and a UEFI boot image, typically)
       * avoid buffer overrun in some UNPREDICTABLE ldrd/strd cases
       * further work preparing for 64-bit EL2/EL3 support

      # gpg: Signature made Fri May 29 12:14:06 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150529: (39 commits)
        target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd
        hw/arm/virt: Enable dynamic generation of ACPI v5.1 tables
        ACPI: split CONFIG_ACPI into 4 pieces
        hw/arm/virt-acpi-build: Add PCIe controller in ACPI DSDT table
        hw/acpi/aml-build: Add Unicode macro
        hw/acpi/aml-build: Add aml_dword_io() term
        hw/acpi/aml-build: Add aml_create_dword_field() term
        hw/acpi/aml-build: Add aml_else() term
        hw/acpi/aml-build: Add aml_lnot() term
        hw/acpi/aml-build: Add aml_or() term
        hw/acpi/aml-build: Add ToUUID macro
        hw/acpi/aml-build: Make aml_buffer() definition consistent with the spec
        hw/arm/virt-acpi-build: Generate MCFG table
        hw/arm/virt-acpi-build: Generate RSDP table
        hw/arm/virt-acpi-build: Generate RSDT table
        hw/arm/virt-acpi-build: Generate GTDT table
        hw/arm/virt-acpi-build: Generate MADT table
        hw/arm/virt-acpi-build: Generate FADT table and update ACPI headers
        hw/arm/virt-acpi-build: Generation of DSDT table for virt devices
        hw/acpi/aml-build: Add aml_interrupt() term
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2cc3bdbe2d3908f7a813d1c2d774cc2bf07746cd
  Merge: 2a90c45 9abe3bd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 15:32:15 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-block-2015-05-29' 
into staging

      Block QAPI, monitor, command line patches

      # gpg: Signature made Fri May 29 12:02:32 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-block-2015-05-29:
        qapi: add dirty bitmap status

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2a90c454a1b90ace56ed908cd064f2fd483d1231
  Merge: 9441aa2 63c67b6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 14:24:35 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150529-1' 
into staging

      gtk: add opengl rendering support.
      small bugfixes for gtk and opengl ui code.

      # gpg: Signature made Fri May 29 10:44:54 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150529-1:
        gtk: Replace gdk_cursor_new()
        gtk: add opengl support, using egl
        ui: add egl-helpers
        ui: shader.h protect against double inclusion
        ui: use libexpoxy

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9abe3bdc45ced367fe034c0fdd7c686212389767
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue May 12 15:53:01 2015 -0400

      qapi: add dirty bitmap status

      Bitmaps can be in a handful of different states with potentially
      more to come as we tool around with migration and persistence patches.

      Management applications may need to know why certain bitmaps are
      unavailable for various commands, e.g. busy in another operation,
      busy being migrated, etc.

      Right now, all we offer is BlockDirtyInfo's boolean member 'frozen'.
      Instead of adding more booleans, replace it by an enumeration member
      'status' with values 'active' and 'frozen'.  Then add new value
      'disabled'.

      Incompatible change.  Fine because the changed part hasn't been
      released so far.

      Suggested-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      [Commit message tweaked]
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3960c336ad96c2183549c8bf32bbff93ecda7ea4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:29:00 2015 +0100

      target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd

      A LDRD or STRD where rd is not an even number is UNPREDICTABLE.
      We were letting this fall through, which is OK unless rd is 15,
      in which case we would attempt to do a load_reg or store_reg
      to a nonexistent r16 for the second half of the double-word.
      Catch the odd-numbered-rd cases and UNDEF them instead.

      To do this we rearrange the structure of the code a little
      so we can put the UNDEF catches at the top before we've
      allocated TCG temporaries.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431348973-21315-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit d7c2e2db28eb7e8f2ed7467fa2f2c59026b206d1
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:59 2015 +0100

      hw/arm/virt: Enable dynamic generation of ACPI v5.1 tables

      Initialize VirtGuestInfoState and register a machine_init_done notify to
      call virt_acpi_build().

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1432522520-8068-25-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 135a67a692bedb952ea720351026247104da8645
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:59 2015 +0100

      ACPI: split CONFIG_ACPI into 4 pieces

      As core.c, piix4.c, ich9.c and pcihp.c are for x86, add CONFIG_ACPI_X86
      to make it only for x86. ARM doesn't support cpu and memory hotplug, add
      CONFIG_ACPI_CPU_HOTPLUG and CONFIG_ACPI_MEMORY_HOTPLUG to exclude them
      for target-arm.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-24-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d4e5de1ae02f6b47eb088531d3d4d047b4db6cfa
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:59 2015 +0100

      hw/arm/virt-acpi-build: Add PCIe controller in ACPI DSDT table

      Add PCIe controller in ACPI DSDT table, so the guest can detect
      the PCIe.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1432522520-8068-23-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e1f776c434f8f18079b82d8121c166fb53a63451
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:59 2015 +0100

      hw/acpi/aml-build: Add Unicode macro

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-22-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 616ef329adbb671be783a1dba96d881b9218ff80
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_dword_io() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-21-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ed8176a37a8f227e61daddbcf92dc5d1cad45818
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_create_dword_field() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-20-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 467b07dfae6087381d0993ab910253a6c1850457
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_else() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-19-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ea7df04a0217fe6314a1520dde1883c45fefcaaa
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_lnot() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-18-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 922cc8823e484733021a7be5b0e876eba2218623
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:58 2015 +0100

      hw/acpi/aml-build: Add aml_or() term

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-17-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b930fb9db4aa07abb8f3871eb7379242edbdf2a5
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:57 2015 +0100

      hw/acpi/aml-build: Add ToUUID macro

      Add ToUUID macro, this is useful for generating PCIe ACPI table.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-16-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ed8b5847e46c24d6e9c286892a00a34bee9b0835
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:57 2015 +0100

      hw/acpi/aml-build: Make aml_buffer() definition consistent with the spec

      According to ACPI spec, DefBuffer can take two parameters: BufferSize
      and ByteList. Make it consistent with the spec. Uninitialized buffer
      could be requested by passing ByteList as NULL to reserve space.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-15-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8434488400971c6793893b8c9547bc6b97e076ce
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:57 2015 +0100

      hw/arm/virt-acpi-build: Generate MCFG table

      Generate MCFG table for PCIe controller.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-14-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d4bec5d876b694f7f13ad3fcfe510ff46e9748d0
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:56 2015 +0100

      hw/arm/virt-acpi-build: Generate RSDP table

      RSDP points to RSDT which in turn points to other tables.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-13-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 243bdb79fb0b2eda176cdef37700f29068a71d43
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:56 2015 +0100

      hw/arm/virt-acpi-build: Generate RSDT table

      RSDT points to other tables FADT, MADT, GTDT. This code is shared with 
x86.

      Here we still use RSDT as UEFI puts ACPI tables below 4G address space,
      and UEFI ignore the RSDT or XSDT.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-12-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ee246400c1ceef2014e120b718388d5f4aea8a2a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:56 2015 +0100

      hw/arm/virt-acpi-build: Generate GTDT table

      ACPI v5.1 defines GTDT for ARM devices as a place to describe timer
      related information in the system. The Arch Timer interrupts must
      be provided for GTDT.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-11-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 982d06c561a62cf7d2a8d31e8a8c107fb3477419
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:56 2015 +0100

      hw/arm/virt-acpi-build: Generate MADT table

      MADT describes GIC enabled ARM platforms. The GICC and GICD
      subtables are used to define the GIC regions.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-10-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c2f7c0c306dcd56725b506d3743eed421e6d0994
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:55 2015 +0100

      hw/arm/virt-acpi-build: Generate FADT table and update ACPI headers

      In the case of mach virt, it is used to set the Hardware Reduced bit
      and enable PSCI SMP booting through HVC. So ignore FACS and FADT
      points to DSDT.

      Update the header definitions for FADT taking into account the new
      additions of ACPI v5.1 in `include/hw/acpi/acpi-defs.h`

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1432522520-8068-9-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dfccd8cfd7c5d1b6740463821d84106bbaced44c
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:55 2015 +0100

      hw/arm/virt-acpi-build: Generation of DSDT table for virt devices

      DSDT consists of the usual common table header plus a definition
      block in AML encoding which describes all devices in the platform.

      After initializing DSDT with header information the namespace is
      created which is followed by the device encodings. The devices are
      described using the Resource Template for the 32-Bit Fixed Memory
      Range and the Extended Interrupt Descriptors.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-8-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 205d1d1c04033b1be4c925e687b6865d1fc1b26b
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:55 2015 +0100

      hw/acpi/aml-build: Add aml_interrupt() term

      Add aml_interrupt() for describing device interrupt in resource template.
      These can be used to generating DSDT table for ACPI on ARM.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1432522520-8068-7-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dc17ab1de53d37ddcca81b16dfeae839322fbe5a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:55 2015 +0100

      hw/acpi/aml-build: Add aml_memory32_fixed() term

      Add aml_memory32_fixed() for describing device mmio region in resource
      template. These can be used to generating DSDT table for ACPI on ARM.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1432522520-8068-6-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f5d8c8cd792b3712f85a1f9a3a9a719015691975
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:54 2015 +0100

      hw/arm/virt-acpi-build: Basic framework for building ACPI tables on ARM

      Introduce a preliminary framework in virt-acpi-build.c with the main
      ACPI build functions. It exposes the generated ACPI contents to
      guest over fw_cfg.

      The required ACPI v5.1 tables for ARM are:
      - RSDP: Initial table that points to XSDT
      - RSDT: Points to FADT GTDT MADT tables
      - FADT: Generic information about the machine
      - GTDT: Generic timer description table
      - MADT: Multiple APIC description table
      - DSDT: Holds all information about system devices/peripherals, pointed 
by FADT

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1432522520-8068-5-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6a1f001be3ea7478cac803d03149cfcfc1fa2094
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:54 2015 +0100

      hw/arm/virt: Record PCIe ranges in MemMapEntry array

      To generate ACPI table for PCIe controller, we need the base and size of
      the PCIe ranges. Record these ranges in MemMapEntry array, then we could
      share and use them for generating ACPI table.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Message-id: 1432522520-8068-4-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit afe0b3803f1a5fffe618af5a483d4c9567b5c5b7
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:54 2015 +0100

      hw/arm/virt: Move common definitions to virt.h

      Move some common definitions to virt.h. These will be used by
      generating ACPI tables.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1432522520-8068-3-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff80dc7fa8045e2b2531888d965424d2b0e1d1b6
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri May 29 11:28:54 2015 +0100

      hw/acpi/aml-build: Make enum values to be upper case to match coding style

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Message-id: 1432522520-8068-2-git-send-email-zhaoshenglong@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b1eced713d9913a5c58ba9daa795f10e4c856c49
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:53 2015 +0100

      target-arm: Add WFx instruction trap support

      Add support for trapping WFI and WFE instructions to the proper EL when
      SCTLR/SCR/HCR settings apply.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      [PMM: removed unnecessary tweaking of syn_wfx() prototype;
       use raise_exception();
       don't trap on WFE (and add comment explaining why not);
       remove unnecessary ARM_FEATURE checks;
       trap to EL3, not EL1, if in S-EL0 and SCTLR check fires]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 84549b6dcf9147559ec08b066de673587be6b763
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:53 2015 +0100

      target-arm: Don't halt on WFI unless we don't have any work

      Just NOP the WFI instruction if we have work to do.
      This doesn't make much difference currently (though it does avoid
      jumping out to the top level loop and immediately restarting),
      but the distinction between "halt" and "don't halt" will become
      more important when the decision to halt requires us to trap
      to a higher exception level instead.

      Suggested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 647f767ba3b37fb229275086187e96242248a4ac
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:53 2015 +0100

      target-arm: Move TB flags down to fill gap

      Deleting the now-unused ARM_TBFLAG_CPACR_FPEN left a gap in the
      bit usage; move the following ARM_TBFLAG_XSCALE_CPAR and
      ARM_TBFLAG_NS_SHIFT down 3 bits to fill the gap.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 9dbbc748d671c70599101836cd1c2719d92f3017
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:53 2015 +0100

      target-arm: Extend FP checks to use an EL

      Extend the ARM disassemble context to take a target exception EL instead 
of a
      boolean enable. This change reverses the polarity of the check making a 
value
      of 0 indicate floating point enabled (no exception).

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      [PMM: Use a common TB flag field for AArch32 and AArch64;
       CPTR_EL2 exists in v7; CPTR_EL2 should trap for EL2 accesses;
       CPTR_EL2 should not trap for secure accesses; CPTR_EL3
       should trap for EL3 accesses; CPACR traps for secure
       accesses should trap to EL3 if EL3 is AArch32]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 3cf6a0fcedd429693d439556543400d5f0e31e1d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:52 2015 +0100

      target-arm: Make singlestate TB flags common between AArch32/64

      Currently we keep the TB flags PSTATE_SS and SS_ACTIVE in different
      bit positions for AArch64 and AArch32. Replace these separate
      definitions with a single common flag in the upper part of the
      flags word.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit c6f191642a4027909813b4e6e288411f8371e951
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:52 2015 +0100

      target-arm: Add AArch64 CPTR registers

      Adds CPTR_EL2/3 system registers definitions and access function.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      [PMM: merge CPTR_EL2 and HCPTR definitions into a single
       def using STATE_BOTH;
       don't use readfn/writefn to implement RAZ/WI registers;
       don't use accessfn for the no-EL2 CPTR_EL2;
       fix cpacr_access logic to catch EL2 accesses to CPACR being
       trapped to EL3;
       use new CP_ACCESS_TRAP_EL[23] rather than setting
       exception.target_el directly]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 38836a2cd47c20daaaa84873e3d6020f19e4bfca
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:52 2015 +0100

      target-arm: Allow cp access functions to indicate traps to EL2 or EL3

      Some coprocessor access functions will need to indicate that the
      instruction should trap to EL2 or EL3 rather than the default
      target exception level; add corresponding CPAccessResult enum
      entries and handling code.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 012a906b19e99b126403ff4a257617dab9b34163
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:51 2015 +0100

      target-arm: Update interrupt handling to use target EL

      Updated the interrupt handling to utilize and report through the target EL
      exception field.  This includes consolidating and cleaning up code where
      needed. Target EL is now calculated once in arm_cpu_exec_interrupt() and
      do_interrupt was updated to use the target_el exception field.  The
      necessary code from arm_excp_target_el() was merged in where needed and 
the
      function removed.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-4-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c63285991b371c031147ad620dd7671662a90303
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:51 2015 +0100

      target-arm: Make raise_exception() take syndrome and target EL

      Rather than making every caller of raise_exception set the
      syndrome and target EL by hand, make these arguments to
      raise_exception() and have that do the job.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 863b6589d738d0b4c8b283297b0ff228f3d3fb14
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:51 2015 +0100

      target-arm: Set exception target EL in tlb_fill

      Set the exception target EL for MMU faults in tlb_fill.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 8c6084bf10fe721929ca94cf16acd6687e61d3ec
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:51 2015 +0100

      target-arm: Move setting of exception info into tlb_fill

      Move the code which sets exception information out of
      arm_cpu_handle_mmu_fault and into tlb_fill. tlb_fill
      is the only caller which wants to raise_exception()
      so it makes more sense for it to handle the whole of
      the exception setup.

      As part of this cleanup, move the user-mode-only
      implementation function for the handle_mmu_fault CPU
      method into cpu.c so we don't need to make it globally
      visible, and rename the softmmu-only utility function
      arm_cpu_handle_mmu_fault to arm_tlb_fill so it's clear
      that it's not the same thing.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit f2932df777dace044719dc2f394f5a5a8aa1b1cd
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:28:50 2015 +0100

      target-arm: Set correct syndrome for faults on MSR DAIF*, imm

      If the SCTLR.UMA trap bit is set then attempts by EL0 to update
      the PSTATE DAIF bits via "MSR DAIFSet, imm" and "MSR DAIFClr, imm"
      instructions will raise an exception. We were failing to set
      the syndrome information for this exception, which meant that
      it would be reported as a repeat of whatever the previous
      exception was. Set the correct syndrome information.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit e3b1d480995f6e2e86ef062038e618c1234dbcf1
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:50 2015 +0100

      target-arm: Extend helpers to route exceptions

      Updated the various helper routines to set the target EL as needed using a
      dedicated function.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-3-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: Also set target_el in fault cases in access_check_cp_reg()]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 737103619869600668cc7e8700e4f6eab3943896
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Fri May 29 11:28:50 2015 +0100

      target-arm: Add exception target el infrastructure

      Add a CPU state exception target EL field that will be used for 
communicating
      the EL to which an exception should be routed.

      Add a disassembly context field for tracking the EL3 architecture needed 
for
      determining the target exception EL.

      Add a target EL argument to the generic exception helper for callers to 
specify
      the EL to which the exception should be routed.  Extended the helper to 
set
      the newly added CPU state exception target el.

      Added a function for setting the target exception EL and updated calls to 
helpers
      to call it.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-2-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9441aa282bc3213ef0530cab86f318b877bac25c
  Merge: ba7c388 55a1d80
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 11:23:07 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-input-20150529-1' 
into staging

      kbd: add support for brazilian keyboard (two extra keys).
      input: add virtio-input devices.

      # gpg: Signature made Fri May 29 10:09:02 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-input-20150529-1:
        virtio-input: emulated devices [device]
        virtio-input: core code & base class [device]
        virtio-input: add linux/input.h
        kbd: add brazil kbd keys to x11 evdev map
        kbd: add brazil kbd keys to qemu

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 63c67b6d4462b6589b371d55e3740e9f0dba3281
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Wed May 20 15:35:31 2015 +0200

      gtk: Replace gdk_cursor_new()

      gdk_cursor_new() has been deprecated in GTK 3.16, it is recommended to
      use gdk_cursor_new_for_display() instead, so do that.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Cole Robinson <crobinso@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 97edf3bd5eab8952d475de66ede77307c12b8c48
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jan 20 12:43:28 2015 +0100

      gtk: add opengl support, using egl

      This adds opengl rendering support to the gtk ui, using egl.
      It's off by default for now, use 'qemu -display gtk,gl=on'
      to play with this.

      Note that gtk got native opengl support with release 3.16.
      There most likely will be a separate implementation for 3.16+,
      using the native gtk opengl support.  This patch covers older
      versions (and for the time being 3.16 too, hopefully without
      rendering quirks).

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit ba7c388963e099c0d2cedb7f048e30747ffff25d
  Merge: ce0274f f7a8beb
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 29 10:17:48 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150529-1' 
into staging

      spice: misc fixes.

      # gpg: Signature made Fri May 29 09:16:29 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150529-1:
        spice: fix spice_chr_add_watch() pre-condition
        spice: don't update mm_time when spice-server is stopped.
        spice-char: notify the server when chardev is writable
        virtio-console: notify chardev when writable

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7ced9e9f6da2257224591b91727cfeee4f3977fb
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jan 6 15:40:00 2015 +0100

      ui: add egl-helpers

      Add helper functions to initialize OpenGL using egl.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 896e1a050a0d333b1f0ec0768cc64e26c5d0d104
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon May 11 12:25:23 2015 +0200

      ui: shader.h protect against double inclusion

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit dcf30025c3e3d43140a687240433de1920adf8b0
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Mon May 11 12:24:43 2015 +0200

      ui: use libexpoxy

      libepoxy does the opengl extension handling for us.

      It also is helpful for trouble-shooting as it prints nice error messages
      instead of silently failing or segfaulting in case we do something
      wrong, like using gl commands not supported by the current context.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 55a1d80a41032d6133adec041c0096820beaa1b7
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 1 10:06:29 2014 +0200

      virtio-input: emulated devices [device]

      This patch adds the virtio-input-hid base class and
      virtio-{keyboard,mouse,tablet} subclasses building on the base class.
      They are hooked up to the qemu input core and deliver input events
      to the guest like all other hid devices (ps/2 kbd, usb tablet, ...).

      Using them is as simple as adding "-device virtio-tablet-device" to
      your command line, for use all transports except pci.  virtio-pci
      support comes as separate patch, once virtio-pci got virtio 1.0
      support.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f73ddbad397f98c1d476ffbf93d65af1cfa796e6
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 14 14:39:20 2014 +0100

      virtio-input: core code & base class [device]

      This patch adds virtio-input support to qemu.  It brings a abstract
      base class providing core support, other classes can build on it to
      actually implement input devices.

      virtio-input basically sends linux input layer events (evdev) over
      virtio.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2fe7c31832a345cdc34314cdcd5478d06b884842
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Mar 19 11:55:24 2015 +0100

      virtio-input: add linux/input.h

      Linux input layer (evdev) header file.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 33aa30cafcce053b833f9fe09fbb88e2f54b93aa
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue May 26 13:12:54 2015 +0200

      kbd: add brazil kbd keys to x11 evdev map

      This patch adds the two extra brazilian keys to the evdev keymap for
      X11.  This patch gets the two keys going with the vnc, gtk and sdl1
      UIs.

      The SDL2 library complains it doesn't know these keys, so the SDL2
      library must be fixed before we can update ui/sdl2-keymap.h

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b771f470f3e2f99f585eaae68147f0c849fd1f8d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue May 26 10:39:10 2015 +0200

      kbd: add brazil kbd keys to qemu

      The brazilian computer keyboard layout has two extra keys (compared to
      the usual 105-key intl ps/2 keyboard).  This patch makes these two keys
      known to qemu.

      For historic reasons qemu has two ways to specify a key:  A QKeyCode
      (name-based) or a number (ps/2 scancode based).  Therefore we have to
      update multiple places to make new keys known to qemu:

        (1) The QKeyCode definition in qapi-schema.json
        (2) The QKeyCode <-> number mapping table in ui/input-keymap.c

      This patch does just that.  With this patch applied you can send those
      two keys to the guest using the send-key monitor command.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f7a8beb5e6a13dc924895244777d9ef08b23b367
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Thu May 28 15:04:58 2015 +0200

      spice: fix spice_chr_add_watch() pre-condition

      Since e02bc6de30c44fd668dc0d6e1cd1804f2eed3ed3, add_watch() is called
      with G_IO_HUP. Even if spice-qemu-char ignores this flag, the
      precondition must be changed.

      https://bugzilla.redhat.com/show_bug.cgi?id=1128992

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 641381c1fcd66ea8de07ecfcd733089da26cbba9
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue May 12 11:54:34 2015 +0200

      spice: don't update mm_time when spice-server is stopped.

      Skip mm_time updates (in qxl device memory) in case the guest is stopped.
      Guest isn't able to look anyway, and it causes problems with migration.

      Also make sure the initial state for spice server is stopped.

      Reported-by: Dr. David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e95e203c085b7731746e39c9b9f8bd2f6eaa0cd6
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue May 5 16:58:56 2015 +0200

      spice-char: notify the server when chardev is writable

      The spice server is polling on write, unless
      SPICE_CHAR_DEVICE_NOTIFY_WRITABLE flag is set. In this case, qemu must
      call spice_server_char_device_wakeup() when the frontend is writable.

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 246ca55faff625f4c15e21f3424781e215a254ea
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue May 5 16:58:55 2015 +0200

      virtio-console: notify chardev when writable

      When the virtio serial is writable, notify the chardev backend
      with qemu_chr_accept_input().

      Signed-off-by: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit ce0274f730eacbd24c706523ddbbabb6b95d0659
  Author: Fabien Chouteau <chouteau@xxxxxxxxxxx>
  Date:   Sat Feb 7 09:38:45 2015 +0100

      Revert "gdbstub: Do not kill target in system emulation mode"

      The requirements described in this patch are implemented by "Add GDB
      qAttached support".

      This reverts commit 00e94dbc7fd0110b0555d59592b004333adfb4b8.

      Signed-off-by: Fabien Chouteau <chouteau@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a3919386eab91b56e40fb4faead980f57a664b2e
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sat Feb 7 09:38:44 2015 +0100

      Add GDB qAttached support

      With this patch QEMU handles qAttached request from gdb. When QEMU
      replies 1, GDB sends a "detach" command at the end of a debugging
      session otherwise GDB sends "kill".

      The default value for qAttached is 1 on system emulation and 0 on user
      emulation.

      Based on original version by Fabien Chouteau.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4dabe747af0a6bd66a86c2c7879f1882bec43c33
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sat Feb 7 09:38:43 2015 +0100

      gdbstub: Introduce an is is_query_packet helper

      This helper supports parsing of query packets with optional extensions.
      The separator can be specified so that we can use it already for both
      qqemu.sstep[=] and qSupported[:feature].

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 070949f39ee96bd16654e6623ab4ff627d918ba6
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sat Feb 7 09:38:42 2015 +0100

      gdbstub: Fix qOffsets packet detection

      qOffsets has no additional optional parameters. So match the complete
      string to avoid stumbling over possible future commands with identical
      prefix.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a84904737277c2f07c8fbcb69db27451d844f12b
  Merge: bc3004f 46ca6b3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu May 28 14:57:34 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150528' into 
staging

      A set of patches add support for vector registers on s390x.
      Notable: Floating point registers and vector registers overlap,
      so extra care is needed so that we end up with a consistent state
      in all cases.

      # gpg: Signature made Thu May 28 09:37:27 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150528:
        s390x: Enable vector processing capability
        s390x: Migrate vector registers
        s390x: Add vector registers to ELF dump
        linux/elf.h update
        s390x: Add vector registers to HMP output
        s390x: gdb updates for vector registers
        gdb-xml: Include XML for s390 vector registers
        s390x: Store Additional Status SIGP order
        s390x: Vector Register IOCTLs
        s390x: Common access to floating point registers

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bc3004f0bb28d36b97eea5ff48922d16b4df7a1f
  Merge: 0915aed 2bc22a5
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu May 28 11:03:02 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Wed May 27 11:02:55 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        net/net: Record usage status of mac address
        tap: Improve -netdev/netdev_add/-net/... tap error reporting
        tap: Finish conversion of tap_open() to Error
        tap-solaris: Convert tap_open() to Error
        tap-bsd: Convert tap_open() to Error
        tap-linux: Convert tap_open() to Error
        tap: Permit incremental conversion of tap_open() to Error
        tap: Convert launch_script() to Error
        tap: Convert net_init_tap_one() to Error
        tap: Convert tap_set_sndbuf() to Error
        tap: Improve -netdev/netdev_add/-net/... bridge error reporting
        tap: net_tap_fd_init() can't fail, drop dead error handling
        net/dump: Improve -net/host_net_add dump error reporting
        net: Improve -net nic error reporting
        net: Permit incremental conversion of init functions to Error
        net: Improve error message for -net hubport a bit
        net: Change help text to list -netdev instead of -net by default

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 46ca6b3bc99ebf9205e28ed14c023ebf84d39bb7
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Oct 30 09:23:06 2014 -0400

      s390x: Enable vector processing capability

      Everything is finally in place, inform the kernel that user space
      supports vector registers.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit b2ac0ff5d9478907cfd5b204c9179f77d0cb943f
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 10:52:16 2015 -0400

      s390x: Migrate vector registers

      When migrating a guest, be sure to include the vector registers.
      The vector registers are defined in a subsection, similar to the
      existing subsection for floating point registers.  Since the
      floating point registers are always present (and thus migrated),
      we can skip them when performing the migration of the vector
      registers which may or may not be present.

      Suggested-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 3ceeb2930faf1116ee4bb22c8a7794bb2337e8a9
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 29 14:54:26 2014 -0400

      s390x: Add vector registers to ELF dump

      Create ELF notes for the vector registers where applicable, so that
      their contents can be examined by utilities such as crash or readelf.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit eeef559ab4a80753b7bf31728780692a3a4e3ec1
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Nov 12 14:22:55 2014 -0500

      linux/elf.h update

      Sync with kernel elf.h updates to get s390x vector register definitions.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 56c42271495fc5f6c5bd70c4309a74b425c5cbda
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 29 13:50:37 2014 -0400

      s390x: Add vector registers to HMP output

      There are mechanisms to dump registers via the qemu HMP interface,
      such as the "info registers" command.  Expand this output to dump
      the new vector registers.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit ca343c7a84fbe457dd442d26d5a01f31e8a8d308
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Jun 3 08:42:18 2014 -0400

      s390x: gdb updates for vector registers

      gdb allows registers to be displayed/modified, and is being updated
      to account for the new vector registers.  Mirror these changes in
      the gdb stub in qemu so that this can be performed when gdb is
      attached to the qemu gdbserver.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 773d4ebc9a31a5e0efbaf83f76715ab40c355384
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Nov 18 17:03:02 2014 -0500

      gdb-xml: Include XML for s390 vector registers

      Include the vector registers XML file that is provided by gdb,
      and can be used by the qemu gdbserver interface.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit abec53565dce5ed56bff4968d3bed88f6cf68c3c
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Jan 14 09:57:16 2015 -0500

      s390x: Store Additional Status SIGP order

      Add handling for the Store Additional Status at Address order
      that exists for the Signal Processor (SIGP) instruction.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fcb79802e07fe06fe24ba97a027d8a1c3a714fa7
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Aug 18 15:33:39 2014 -0400

      s390x: Vector Register IOCTLs

      Handle the actual syncing of the vector registers with kernel space,
      via the get/put register IOCTLs.

      The vector registers that were introduced with the z13 overlay
      the existing floating point registers.  FP registers 0-15 are
      the high-halves of vector registers 0-15.  Thus, remove the
      freg fields and replace them with the equivalent vector field
      to avoid errors in duplication.  Moreover, synchronize either the
      vector registers via kvm_sync_regs, or floating point registers
      via the GET/SET FPU IOCTLs.

      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit c498d8e36e2998fb67de21a34ece633d356a4834
  Author: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 14:35:44 2015 -0400

      s390x: Common access to floating point registers

      Provide a routine to access the correct floating point register,
      to simplify future expansion.

      Suggested-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 2bc22a58e16f0650e56dccfac9495e5aef58e2ef
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Thu May 21 17:44:48 2015 +0800

      net/net: Record usage status of mac address

      Currently QEMU dynamically generates mac address for the NIC which
      doesn't specify the mac address. But when we hotplug a NIC without
      specifying mac address, the mac address will increase for the same NIC
      along with hotplug and hot-unplug, and at last it will overflow. And if
      we codeplug one NIC with mac address e.g. "52:54:00:12:34:56", then
      hotplug one NIC without specifying mac address and the mac address of
      the hotplugged NIC is duplicate of "52:54:00:12:34:56".

      This patch add a mac_table to record the usage status and free the mac
      address when the NIC is unrealized.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a308817743be5cc051d3379477f54027deb0befb
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:59:03 2015 +0200

      tap: Improve -netdev/netdev_add/-net/... tap error reporting

      When -netdev tap fails, it first reports a specific error, then a
      generic one, like this:

          $ qemu-system-x86_64 -netdev tap,id=foo
          qemu-system-x86_64: -netdev tap,id=foo: could not configure 
/dev/net/tun: Operation not permitted
          qemu-system-x86_64: -netdev tap,id=foo: Device 'tap' could not be 
initialized

      With the command line, the messages go to stderr.  In HMP, they go to
      the monitor.  In QMP, the second one becomes the error reply, and the
      first one goes to stderr.

      Convert net_init_tap() to Error.  This suppresses the unwanted second
      message, and makes the specific error the QMP error reply.

      [Dropped duplicate "and" from error message as suggested by Eric Blake:
      "ifname=, script=, downscript=, and vnet_hdr=, "
      "queues=, and vhostfds= are invalid with helper="
      --Stefan]

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-16-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 95c35a74fea51e307f6a3967e465a22776056b7e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:59:02 2015 +0200

      tap: Finish conversion of tap_open() to Error

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-15-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 576c6eb6700d241c9d4a6883d25720c7bbaaeccd
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:59:01 2015 +0200

      tap-solaris: Convert tap_open() to Error

      Fixes inappropriate use of syslog().

      Not fixed: leaks on error paths, suspicious non-fatal errors.  FIXMEs
      added instead.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-14-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4bce487e14bf8949a91883a3213c2b7fa9d668bc
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:59:00 2015 +0200

      tap-bsd: Convert tap_open() to Error

      Fixes inappropriate use of stderr in monitor command handler.

      While there, improve some of the messages a bit.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-13-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 47896e2fd3dd80685434b320cb0e10164995e31c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:59 2015 +0200

      tap-linux: Convert tap_open() to Error

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-12-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 468dd82408e950d48def28f87e4cffabfd592ace
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:58 2015 +0200

      tap: Permit incremental conversion of tap_open() to Error

      Convert the trivial ones immediately: tap-aix and tap-haiku.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-11-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ac4fcf5639f44f7d863a35eaa2ad07ff31aabc01
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:57 2015 +0200

      tap: Convert launch_script() to Error

      Fixes inappropriate use of stderr in monitor command handler.

      While there, improve the messages some.

      [Fixed Error **err -> Error *err local variable that broke the build.
      --Stefan]

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-10-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 445f116cabe0c4435590244741ac3d0b8f08d91d
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:56 2015 +0200

      tap: Convert net_init_tap_one() to Error

      [Dropped %s from "tap: open vhost char device failed: %s" since
      error_setg_errno() already prints a human-readable error string and
      there is no format string argument.
      --Stefan]

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-9-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 80b832c300c2fc39c68e0ab095d408cb9199cfa0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:55 2015 +0200

      tap: Convert tap_set_sndbuf() to Error

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-8-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a8a21be9855e0bb0947a7325d0d1741a8814f21e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:54 2015 +0200

      tap: Improve -netdev/netdev_add/-net/... bridge error reporting

      When -netdev bridge fails, it first reports a specific error, then a
      generic one, like this:

          $ qemu-system-x86_64 -netdev bridge,id=foo
          failed to launch bridge helper
          qemu-system-x86_64: -netdev bridge,id=foo: Device 'bridge' could not 
be initialized

      The first message goes to stderr.  Wrong for HMP, because errors need
      to go to the monitor there.

      The second message goes to stderr for -netdev, to the monitor for HMP
      netdev_add, and becomes the error reply for QMP netdev_add.

      Convert net_bridge_run_helper() to Error, and propagate its errors
      through net_init_bridge().  This ensures the error gets reported where
      the user is, and suppresses the unwanted second message.

      While there, improve the error messages a bit.

      The above example becomes:

          $ qemu-system-x86_64 -netdev bridge,id=foo
          qemu-system-x86_64: -netdev bridge,id=foo: bridge helper failed

      net_init_tap() also uses net_bridge_run_helper().  Propagate its
      errors there as well.  Improves reporting these errors with -netdev
      tap & friends.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-7-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit da4a4eac26381c7fce3f147f3c8a7e7bb483be1e
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:53 2015 +0200

      tap: net_tap_fd_init() can't fail, drop dead error handling

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-6-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 3791f83ca999edc2d11eb2006ccc1091cd712c15
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:52 2015 +0200

      net/dump: Improve -net/host_net_add dump error reporting

      When -net dump fails, it first reports a specific error, then a
      generic one, like this:

          $ qemu-system-x86_64 -net dump,id=foo,file=/eperm
          qemu-system-x86_64: -net dump,id=foo,file=/eperm: -net dump: can't 
open /eperm
          qemu-system-x86_64: -net dump,id=foo,file=/eperm: Device 'dump' could 
not be initialized

      Convert net_init_tap() to Error.  This suppresses the unwanted second
      message.

      Improve the error messages to include strerror(errno) where
      appropriate.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-5-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6630886863d4a9b3b7bcb3b0e2895d83eb269c75
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:51 2015 +0200

      net: Improve -net nic error reporting

      When -net nic fails, it first reports a specific error, then a generic
      one, like this:

          $ qemu-system-x86_64 -net nic,netdev=nonexistent
          qemu-system-x86_64: -net nic,netdev=nonexistent: netdev 'nonexistent' 
not found
          qemu-system-x86_64: -net nic,netdev=nonexistent: Device 'nic' could 
not be initialized

      Convert net_init_nic() to Error to get rid of the unwanted second
      error message.

      While there, tidy up an Overcapitalized Error Message.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-4-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a30ecde6e795682d1473c45acae66a60a76fca2f
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:50 2015 +0200

      net: Permit incremental conversion of init functions to Error

      Error reporting for netdev_add is broken: the net_client_init_fun[]
      report the actual errors with (at best) error_report(), and their
      caller net_client_init1() makes up a generic error on top.

      For command line and HMP, this produces an mildly ugly error cascade.

      In QMP, the actual errors go to stderr, and the generic error becomes
      the command's error reply.

      To fix this, we need to convert the net_client_init_fun[] to Error.

      To permit fixing them one by one, add an Error ** parameter to the
      net_client_init_fun[].  If the call fails without returning an Error,
      make up the same generic Error as before.  But if it returns one, use
      that instead.  Since none of them does so far, no functional change.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-3-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ca7eb1848bb06d9b75784d7760b83c7b0beb1102
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Fri May 15 13:58:49 2015 +0200

      net: Improve error message for -net hubport a bit

      Type "hubport" is valid only with -netdev.  Unfortunately, that's
      detected late and the error message doesn't explain why:

          $ qemu-system-i386 -net hubport,id=foo,hubid=0
          qemu-system-i386: -net hubport,id=foo,hubid=0: Device 'hubport' could 
not be initialized

      Improve the error message to "Parameter 'type' expects a net type".

      Not fixed: -net hubport without the parameters required by -netdev
      hubport still asks for those parameters:

          $ qemu-system-i386 -net hubport
          qemu-system-i386: -net hubport: Parameter 'hubid' is missing

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1431691143-1015-2-git-send-email-armbru@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6a8b4a5be21ad4941c8a6a5db1d355a522aea2fb
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Fri May 15 16:58:24 2015 +0200

      net: Change help text to list -netdev instead of -net by default

      Looking at the output of "qemu-system-xxx -help", you easily get
      the impression that "-net" is the preferred way instead of "-netdev"
      to specify host network interface, since the "-net" option is
      omnipresent but the "-netdev" option is only listed as a one-liner
      at the end. This is ugly since "-net" is considered as legacy and
      even might be removed one day. Thus, this patch switches the output
      to explain the host network interfaces with the "-netdev" option
      instead, moving the old "-net" option into some few lines at
      the end.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-id: 1431701904-12230-1-git-send-email-thuth@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0915aed5842bd4dbe396b92d4f3b846ae29ad663
  Merge: 0d2ed60 cd6cb73
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 26 11:31:03 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Fri May 22 20:58:44 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        ahci: do not remap clb/fis unconditionally
        macio: move unaligned DMA write code into separate pmac_dma_write() 
function
        macio: move unaligned DMA read code into separate pmac_dma_read() 
function
        qtest: pre-buffer hex nibs
        libqos/ahci: Swap memread/write with bufread/write
        qtest: add memset to qtest protocol
        qtest: Add base64 encoded read/write
        qtest: allow arbitrarily long sends
        qtest/ahci: add migrate halted dma test
        qtest/ahci: add halted dma test
        qtest/ahci: add flush migrate test
        qtest/ahci: add migrate dma test
        qtest/ahci: Add migration test
        ich9/ahci: Enable Migration
        libqos: Add migration helpers
        libqos/ahci: Fix sector set method
        libqos/ahci: Add halted command helpers
        glib: remove stale compat functions
        configure: require glib 2.22

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cd6cb73beb63e5fa62ca8ed540b9d54063b15c44
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      ahci: do not remap clb/fis unconditionally

      This continues the IOMMU fix from 2.3, where we should not attempt
      to remap the CLB or FIS RX buffers if the AHCI device is currently
      running.

      The same applies to migration: keep our mitts off these registers
      unless the device is supposed to be on.

      Does not impact backwards compatibility for the AHCI device.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1431470173-30847-2-git-send-email-jsnow@xxxxxxxxxx

  commit bd4214fc92090694aefa17882815c6109f0fd70c
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      macio: move unaligned DMA write code into separate pmac_dma_write() 
function

      Similarly switch the macio IDE routines over to use the new function and
      tidy-up the remaining code as required.

      [Maintainer edit: printf format codes adjusted for 32/64bit. --js]

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Acked-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1425939893-14404-3-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 4827ac1e8f8306b24e61b44ea1f2082ea08099bb
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      macio: move unaligned DMA read code into separate pmac_dma_read() function

      This considerably helps simplify the complexity of the macio read 
routines and
      by switching macio CDROM accesses to use the new code, fixes the issue 
with
      the CDROM device being detected intermittently by Darwin/OS X.

      [Maintainer edit: printf format codes adjusted for 32/64bit. --js]

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxxx>
      Acked-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 
1425939893-14404-2-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 5560b85a31e6f15a8841b66620d9497943094ee4
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      qtest: pre-buffer hex nibs

      Instead of converting each byte one-at-a-time and then sending each byte
      over the wire, use sprintf() to pre-compute all of the hex nibs into a
      single buffer, then send the entire buffer all at once.

      This gives a moderate speed boost to memread() and memwrite() functions.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1431021095-7558-2-git-send-email-jsnow@xxxxxxxxxx

  commit 91d0374a7ffbd6a9cd0ba159c9160d9f26220cf5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      libqos/ahci: Swap memread/write with bufread/write

      Where it makes sense, use the new faster primitives.
      For generally small reads/writes such as for the PRDT
      and FIS packets, stick with the more wasteful but
      easier to debug memread/memwrite.

      For ahci-test (before migration tests):
      With this patch:
      real    0m3.675s
      user    0m2.582s
      sys     0m1.718s

      Without any qtest protocol improvements:
      real    0m14.171s
      user    0m12.072s
      sys     0m12.527s

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1430864578-22072-6-git-send-email-jsnow@xxxxxxxxxx

  commit 4d00796364ec4edab86b08abc38fd644d5e3c0ad
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      qtest: add memset to qtest protocol

      Previously, memset was just a frontend to write() and only
      stupidly sent the pattern many times across the wire.

      Let's not discuss who stupidly wrote it like that in the first place.
      (Hint: It was me.)

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1430864578-22072-4-git-send-email-jsnow@xxxxxxxxxx

  commit 7a6a740d8dcc02f5693315d7935b5de9b963bb96
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:44 2015 -0400

      qtest: Add base64 encoded read/write

      For larger pieces of data that won't need to be debugged and
      viewing the hex nibbles is unlikely to be useful, we can encode
      data using base64 instead of encoding each byte as %02x, which
      leads to some space savings and faster reads/writes.

      For now, the default is left as hex nibbles in memwrite() and memread().
      For the purposes of making qtest io easier to read and debug, some
      callers may want to specify using the old encoding format for small
      patches of data where the savings from base64 wouldn't be that profound.

      memwrite/memread use a data encoding that takes 2x the size of the 
original
      buffer, but base64 uses "only" (4/3)x, so for larger buffers we can save a
      decent amount of time and space.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1430864578-22072-3-git-send-email-jsnow@xxxxxxxxxx

  commit 332cc7e9b39ddb2feacb4c71dcd18c3e5b0c3147
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest: allow arbitrarily long sends

      qtest currently has a static buffer of size 1024 that if we
      overflow, ignores the additional data silently which leads
      to hangs or stream failures.

      Use glib's string facilities to allow arbitrarily long data,
      but split this off into a new function, qtest_sendf.

      Static data can still be sent using qtest_send, which avoids
      the malloc/copy overhead.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1430864578-22072-2-git-send-email-jsnow@xxxxxxxxxx

  commit 5d1cf0917b4f1282ac81bb72697713d14c98a876
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: add migrate halted dma test

      Test migrating a halted DMA transaction.
      Resume, then test data integrity.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-10-git-send-email-jsnow@xxxxxxxxxx

  commit 189d1b6126625212fbb50ed3a30a3e9e7ba7ca37
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: add halted dma test

      If we're going to test the migration of halted DMA jobs,
      we should probably check to make sure we can resume them
      locally as a first step.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-9-git-send-email-jsnow@xxxxxxxxxx

  commit a606ce50c29561b567995ab663cbb40067623e82
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: add flush migrate test

      Use blkdebug to inject an error on first flush, then attempt to flush
      on the first guest. When the error halts the VM, migrate to the
      second VM, and attempt to resume the command.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-8-git-send-email-jsnow@xxxxxxxxxx

  commit 88e21f9485f0a41603f0af3483ff3f11c95979ab
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: add migrate dma test

      Write to one guest, migrate, and then read from the other.
      adjust ahci_io to clear any buffers it creates, so that we
      can use ahci_io safely on both guests knowing we are using
      empty buffers and not accidentally re-using data.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-7-git-send-email-jsnow@xxxxxxxxxx

  commit 278128ab06c36341edb2c8b0bfcfd92760f4db52
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      qtest/ahci: Add migration test

      Notes:

       * The migration is performed on QOSState objects.

       * The migration is performed in such a way that it does not assume
         consistency between the allocators attached to each. That is to say,
         you can use each QOSState object completely independently and then at
         an arbitrary point decide to migrate, and the destination object will
         now be consistent with the memory within the source guest. The source
         object that was migrated from will have a completely blank allocator.

      ahci-test.c:
       - verify_state is added
       - ahci_migrate is added as a frontend to migrate
       - test_migrate_sanity test case is added.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-6-git-send-email-jsnow@xxxxxxxxxx

  commit 04329029a8c539eb5f75dcb6d8b016f0c53a031a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      ich9/ahci: Enable Migration

      Lift the flag preventing the migration of the ICH9/AHCI devices.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-5-git-send-email-jsnow@xxxxxxxxxx

  commit 085248ae87704f1c1e4e1f929f58beca3ba294a2
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:43 2015 -0400

      libqos: Add migration helpers

      libqos.c:
          -set_context for addressing which commands go where
          -migrate performs the actual migration

      malloc.c:
          - Structure of the allocator is adjusted slightly with
            a second-tier malloc to make swapping around the allocators
            easy when we "migrate" the lists from the source to the destination.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-4-git-send-email-jsnow@xxxxxxxxxx

  commit 455e861cc625891baacf74e66c31a914883b80ca
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:42 2015 -0400

      libqos/ahci: Fix sector set method

      || probably does not mean the same thing as |.

      Additionally, allow users to submit a prd_size of 0
      to indicate that they'd like to continue using the default.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-3-git-send-email-jsnow@xxxxxxxxxx

  commit 008b6e123ff2ee421112768e838b0b44bc7f6c45
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:42 2015 -0400

      libqos/ahci: Add halted command helpers

      Sometimes we want a command to halt the VM instead
      of complete successfully, so it'd be nice to let the
      libqos/ahci functions cope with such scenarios.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1430417242-11859-2-git-send-email-jsnow@xxxxxxxxxx

  commit 62754b157156c2cd26a00ce534aeec9e74619d95
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:42 2015 -0400

      glib: remove stale compat functions

      Since we're bumping the version to 2.22+,
      remove the now-stale compat functions.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1431469140-22208-2-git-send-email-jsnow@xxxxxxxxxx

  commit f40685c62b802c8c3f5c914e8d357dd5c4d4f9cc
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri May 22 14:13:42 2015 -0400

      configure: require glib 2.22

      This provides g_ptr_array_new_with_free_func, as well as a few
      other functions that we've been hacking around in glib-compat.h.
      Cleaning up the compatibility headers will come later.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1431469140-22208-2-git-send-email-jsnow@xxxxxxxxxx

  commit 0d2ed6039cf86fe3a78671e32b5e3eb17d725762
  Merge: bb2fa17 4120201
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 17:20:09 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block layer core and image format patches

      # gpg: Signature made Fri May 22 16:21:03 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (22 commits)
        MAINTAINERS: Split "Block QAPI, monitor, command line" off core
        MAINTAINERS: Add header files to Block Layer Core section
        tests: add test case for encrypted qcow2 read/write
        qemu-io: prompt for encryption keys when required
        util: allow \n to terminate password input
        util: move read_password method out of qemu-img into osdep/oslib
        qcow2/qcow: protect against uninitialized encryption key
        qemu-iotests: Make debugging python tests easier
        qemu-iotests: qemu-img info on afl VMDK image with a huge capacity
        block: Detect multiplication overflow in bdrv_getlength
        qemu-io: Use getopt() correctly
        qcow2: style fixes in qcow2-cache.c
        qcow2: make qcow2_cache_put() a void function
        qcow2: use a hash to look for entries in the L2 cache
        qcow2: remove qcow2_cache_find_entry_to_replace()
        qcow2: use an LRU algorithm to replace entries from the L2 cache
        qcow2: simplify qcow2_cache_put() and qcow2_cache_entry_mark_dirty()
        qcow2: use one single memory block for the L2/refcount cache tables
        vmdk: Fix overflow if l1_size is 0x20000000
        vmdk: Fix next_cluster_sector for compressed write
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bb2fa17f182ee0b45b53474f76679944fc891f04
  Merge: 8b6db32 9371557
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 16:22:42 2015 +0100

      Merge remote-tracking branch 
'remotes/bkoppelmann/tags/pull-tricore-20150522' into staging

      TriCore v1.6.1 ISA and missing v1.6 instructions

      # gpg: Signature made Fri May 22 16:02:45 2015 BST using RSA key ID 
6B69CA14
      # gpg: Good signature from "Bastian Koppelmann 
<kbastian@xxxxxxxxxxxxxxxxxxxxx>"

      * remotes/bkoppelmann/tags/pull-tricore-20150522:
        target-tricore: add RR_DIV and RR_DIV_U instructions of the v1.6 ISA
        target-tricore: add FRET instructions of the v1.6 ISA
        target-tricore: add FCALL instructions of the v1.6 ISA
        target-tricore: add SYS_RESTORE instruction of the v1.6 ISA
        target-tricore: add RR_CRC32 instruction of the v1.6.1 ISA
        target-tricore: add SWAPMSK instructions of the v1.6.1 ISA
        target-tricore: add CMPSWP instructions of the v1.6.1 ISA
        target-tricore: Add SRC_MOV_E instruction of the v1.6 ISA
        target-tricore: introduce ISA v1.6.1 feature
        target-tricore: Add ISA v1.3.1 cpu and fix tc1796 to using v1.3

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4120201d2fcfc24404fe6eb6b761b66bc35bca16
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed May 20 13:23:46 2015 +0200

      MAINTAINERS: Split "Block QAPI, monitor, command line" off core

      Kevin and Stefan asked me to take care of this part.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4c346e0bb9300afe3036560c21baa7fdfb253d9b
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed May 20 12:03:17 2015 +0200

      MAINTAINERS: Add header files to Block Layer Core section

      Suggested-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f7ac119cfac735b24412db8d53b9be13e5ff23b0
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:22 2015 +0100

      tests: add test case for encrypted qcow2 read/write

      Add a simple test case for qemu-iotests that covers read/write
      with encrypted qcow2 files.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8caf02127e92939fff39b63a7ff1a5834d320191
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:21 2015 +0100

      qemu-io: prompt for encryption keys when required

      The qemu-io tool does not check if the image is encrypted so
      historically would silently corrupt the sectors by writing
      plain text data into them instead of cipher text. The earlier
      commit turns this mistake into a fatal abort, so check for
      encryption and prompt for key when required.

      This enables us to add unit tests to ensure we don't break
      the ability of qemu-img to convert existing encrypted qcow2
      files into a non-encrypted format.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 6a11d5183fb7564a3d32007b46846312fd61a1c5
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:20 2015 +0100

      util: allow \n to terminate password input

      The qemu_read_password() method looks for \r to terminate the
      reading of the a password. This is what will be seen when
      reading the password from a TTY. When scripting though, it is
      useful to be able to send the password via a pipe, in which
      case we must look for \n to terminate password input.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d57e4e482e3997b1382625c84149ad0b69155fc0
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:19 2015 +0100

      util: move read_password method out of qemu-img into osdep/oslib

      The qemu-img.c file has a read_password() method impl that is
      used to prompt for passwords on the console, with impls for
      POSIX and Windows. This will be needed by qemu-io.c too, so
      move it into the QEMU osdep/oslib files where it can be shared
      without code duplication

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8336aafae1451d54c81dd2b187b45f7c45d2428e
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Tue May 12 17:09:18 2015 +0100

      qcow2/qcow: protect against uninitialized encryption key

      When a qcow[2] file is opened, if the header reports an
      encryption method, this is used to set the 'crypt_method_header'
      field on the BDRVQcow[2]State struct, and the 'encrypted' flag
      in the BDRVState struct.

      When doing I/O operations, the 'crypt_method' field on the
      BDRVQcow[2]State struct is checked to determine if encryption
      needs to be applied.

      The crypt_method_header value is copied into crypt_method when
      the bdrv_set_key() method is called.

      The QEMU code which opens a block device is expected to always
      do a check

         if (bdrv_is_encrypted(bs)) {
             bdrv_set_key(bs, ....key...);
         }

      If code forgets to do this, then 'crypt_method' is never set
      and so when I/O is performed, QEMU writes plain text data
      into a sector which is expected to contain cipher text, or
      when reading, will return cipher text instead of plain
      text.

      Change the qcow[2] code to consult bs->encrypted when deciding
      whether encryption is required, and assert(s->crypt_method)
      to protect against cases where the caller forgets to set the
      encryption key.

      Also put an assert in the set_key methods to protect against
      the case where the caller sets an encryption key on a block
      device that does not have encryption

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit aa4f592a1dd9aea5f5c36f6ff4b22b5bd208162a
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon May 18 09:39:12 2015 +0800

      qemu-iotests: Make debugging python tests easier

      Adding "-d" option. The output goes to "tee" so it appears in your
      console. Also, raise the verbosity of unnitest runner.

      When testing a topic branch, it's possible that a bug introduced by a
      code change makes the python test case hang, with debug output, it is
      much easier to locate the problem.

      This can also be helpful if you want to watch the progress of a python
      test, it offers you a way to sense the speed of each test case method
      you're writing.

      Note: because there is no easy way to get *both* the verbose output and
      the output expected by ./check comparison, the case would always fail
      with an "output mismatch". The sole purpose of using this option is
      giving developers a quick way to debug when things go wrong.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b93bbf4ee9035ae077679482305d5beb38df4d7d
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 15 16:36:06 2015 +0800

      qemu-iotests: qemu-img info on afl VMDK image with a huge capacity

      The image is contributed by Richard W.M. Jones.

      Cc: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4a9c9ea0d318bec2f67848c5ceaf4ad5bcb91d09
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri May 15 16:36:05 2015 +0800

      block: Detect multiplication overflow in bdrv_getlength

      Bogus image may have a large total_sectors that will overflow the
      multiplication. For cleanness, fix the return code so the error message
      will be meaningful.

      Reported-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b062ad86dcd33ab39be5060b0655d8e13834b167
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Tue May 12 09:10:56 2015 -0600

      qemu-io: Use getopt() correctly

      POSIX says getopt() returns -1 on completion.  While Linux happens
      to define EOF as -1, this definition is not required by POSIX, and
      there may be platforms where checking for EOF instead of -1 would
      lead to an infinite loop.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d1b4efe5c4088fd2289e39b95bbdf73b3dcb7432
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:59 2015 +0300

      qcow2: style fixes in qcow2-cache.c

      Fix pointer declaration to make it consistent with the rest of the
      code.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a3f1afb43a09e4577571c044c48f2ba9e6e4ad06
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:58 2015 +0300

      qcow2: make qcow2_cache_put() a void function

      This function never receives an invalid table pointer, so we can make
      it void and remove all the error checking code.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 812e4082cae73e12fd425cace4fd3a715a7c1d32
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:57 2015 +0300

      qcow2: use a hash to look for entries in the L2 cache

      The current cache algorithm traverses the array starting always from
      the beginning, so the average number of comparisons needed to perform
      a lookup is proportional to the size of the array.

      By using a hash of the offset as the starting point, lookups are
      faster and independent from the array size.

      The hash is computed using the cluster number of the table, multiplied
      by 4 to make it perform better when there are collisions.

      In my tests, using a cache with 2048 entries, this reduces the average
      number of comparisons per lookup from 430 to 2.5.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit fdfbca82a0874916007ca76323cd35f2af8a2ef3
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:56 2015 +0300

      qcow2: remove qcow2_cache_find_entry_to_replace()

      A cache miss means that the whole array was traversed and the entry
      we were looking for was not found, so there's no need to traverse it
      again in order to select an entry to replace.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 2693310eccccf8351678ddd6f3b050163e51dba0
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:55 2015 +0300

      qcow2: use an LRU algorithm to replace entries from the L2 cache

      The current algorithm to evict entries from the cache gives always
      preference to those in the lowest positions. As the size of the cache
      increases, the chances of the later elements of being removed decrease
      exponentially.

      In a scenario with random I/O and lots of cache misses, entries in
      positions 8 and higher are rarely (if ever) evicted. This can be seen
      even with the default cache size, but with larger caches the problem
      becomes more obvious.

      Using an LRU algorithm makes the chances of being removed from the
      cache independent from the position.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit baf07d60f5c5d5d0f0c9e844cde75691f1ceb3d1
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:54 2015 +0300

      qcow2: simplify qcow2_cache_put() and qcow2_cache_entry_mark_dirty()

      Since all tables are now stored together, it is possible to obtain
      the position of a particular table directly from its address, so the
      operation becomes O(1).

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 72e80b89015bab196f0f0e83b12b0eee75fa0574
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon May 11 15:54:53 2015 +0300

      qcow2: use one single memory block for the L2/refcount cache tables

      The qcow2 L2/refcount cache contains one separate table for each cache
      entry. Doing one allocation per table adds unnecessary overhead and it
      also requires us to store the address of each table separately.

      Since the size of the cache is constant during its lifetime, it's
      better to have an array that contains all the tables using one single
      allocation.

      In my tests measuring freshly created caches with sizes 128MB (L2) and
      32MB (refcount) this uses around 10MB of RAM less.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 13c4941cdd8685d28c7e3a09e393a5579b58db46
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Tue May 5 17:28:13 2015 +0800

      vmdk: Fix overflow if l1_size is 0x20000000

      Richard Jones caught this bug with afl fuzzer.

      In fact, that's the only possible value to overflow (extent->l1_size =
      0x20000000) l1_size:

      l1_size = extent->l1_size * sizeof(long) => 0x80000000;

      g_try_malloc returns NULL because l1_size is interpreted as negative
      during type casting from 'int' to 'gsize', which yields a enormous
      value. Hence, by coincidence, we get a "not too bad" behavior:

      qemu-img: Could not open '/tmp/afl6.img': Could not open
      '/tmp/afl6.img': Cannot allocate memory

      Values larger than 0x20000000 will be refused by the validation in
      vmdk_add_extent.

      Values smaller than 0x20000000 will not overflow l1_size.

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Tested-by: Richard W.M. Jones <rjones@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5e82a31eb967db135fc4e688b134fb0972d62de3
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 6 20:23:46 2015 +0800

      vmdk: Fix next_cluster_sector for compressed write

      This fixes the bug introduced by commit c6ac36e (vmdk: Optimize cluster
      allocation).

      Sometimes, write_len could be larger than cluster size, because it
      contains both data and marker.  We must advance next_cluster_sector in
      this case, otherwise the image gets corrupted.

      Cc: qemu-stable@xxxxxxxxxx
      Reported-by: Antoni Villalonga <qemu-list@xxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit aacd5650c68ef2e9e19079ba60cb0df51e15880c
  Author: Christoph Hellwig <hch@xxxxxx>
  Date:   Thu Apr 30 11:44:17 2015 +0200

      nvme: support NVME_VOLATILE_WRITE_CACHE feature

      The SCSI emulation in the Linux NVMe driver really wants to know
      if a device has a volatile write cache.  Given that qemu has moved
      away from a model where we report the backing store WCE bit to
      one where the WCE bit is supposed to be part of the migratable
      guest-visible state we always return 1 here.

      Signed-off-by: Christoph Hellwig <hch@xxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ecbda7a22576591a84f44de1be0150faf6001f1c
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Wed May 6 13:21:51 2015 +0200

      qcow2: Flush pending discards before allocating cluster

      Before a freed cluster can be reused, pending discards for this cluster
      must be processed.

      The original assumption was that this was not a problem because discards
      are only cached during discard/write zeroes operations, which are
      synchronous so that no concurrent write requests can cause cluster
      allocations.

      However, the discard/write zeroes operation itself can allocate a new L2
      table (and it has to in order to put zero flags there), so make sure we
      can cope with the situation.

      This fixes https://bugs.launchpad.net/bugs/1349972.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 9371557115a734412974f8d4096cbe8a62ca2731
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Mon May 11 14:59:55 2015 +0200

      target-tricore: add RR_DIV and RR_DIV_U instructions of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 0e045f43c45f675711c3f6836118dc7eabcc2411
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 22:46:50 2015 +0200

      target-tricore: add FRET instructions of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9e14a7b24f4cff93da664fdcfecad41fbd229e2b
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 22:38:16 2015 +0200

      target-tricore: add FCALL instructions of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit bc3551c43308dd77bc1cc9a4e39962b2afd4dffc
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 21:25:42 2015 +0200

      target-tricore: add SYS_RESTORE instruction of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit e5c96c82bc529674b61eacd221734abc2674e264
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Thu May 7 19:55:37 2015 +0200

      target-tricore: add RR_CRC32 instruction of the v1.6.1 ISA

      This instruction was introduced by the new Aurix platform.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ddd8cebe3106bdfb2681d8d283296199fd6c7417
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed May 6 20:57:10 2015 +0200

      target-tricore: add SWAPMSK instructions of the v1.6.1 ISA

      Those instruction were introduced in the new Aurix platform.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 62872ebc38d700ea30b0cd861e40703dccdcae2a
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed May 6 20:47:39 2015 +0200

      target-tricore: add CMPSWP instructions of the v1.6.1 ISA

      Those instruction were introduced in the new Aurix platform.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fcecf12684e1169653df72ed307ec2a82ca69b18
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed May 6 20:22:45 2015 +0200

      target-tricore: Add SRC_MOV_E instruction of the v1.6 ISA

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 6d2afc8a5edc042e4e7c2ceb49f7cabe02aae793
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Wed May 6 20:18:41 2015 +0200

      target-tricore: introduce ISA v1.6.1 feature

      The aurix platform contains of several different cpu models and uses
      the 1.6.1 ISA. This patch changes the generic aurix model to the more
      specific tc27x cpu model and sets specific features.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit fd5ecf31d4c48651de97c1aaf8771762753de9a7
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Sun Mar 22 12:49:12 2015 +0000

      target-tricore: Add ISA v1.3.1 cpu and fix tc1796 to using v1.3

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8b6db32a4ec47d1171ccfa21d557096b99f4eef0
  Merge: f5790c3 a53f1a9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 13:25:40 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Fri May 22 10:00:53 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request: (38 commits)
        block: get_block_status: use "else" when testing the opposite condition
        qemu-iotests: Test unaligned sub-block zero write
        block: Fix NULL deference for unaligned write if qiov is NULL
        Revert "block: Fix unaligned zero write"
        block: align bounce buffers to page
        block: minimal bounce buffer alignment
        block: return EPERM on writes or discards to read-only devices
        configure: Add workaround for ccache and clang
        configure: silence glib unknown attribute __alloc_size__
        configure: factor out supported flag check
        configure: handle clang -nopie argument warning
        block/parallels: improve image writing performance further
        block/parallels: optimize linear image expansion
        block/parallels: add prealloc-mode and prealloc-size open paramemets
        block/parallels: delay writing to BAT till bdrv_co_flush_to_os
        block/parallels: create bat_entry_off helper
        block/parallels: improve image reading performance
        iotests, parallels: check for incorrectly closed image in tests
        block/parallels: implement incorrect close detection
        block/parallels: implement parallels_check method of block driver
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f5790c3bc81702c98c7ddadedb274758cff8cbe7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 12:30:13 2015 +0100

      Revert "target-alpha: Add vector implementation for CMPBGE"

      This reverts commit 32ad48abd74a997220b841e4e913edeb267aa362.

      Unfortunately the SSE2 code here fails to compile on some versions
      of gcc:
       target-alpha/int_helper.c:77:24: error: invalid operands to binary >=
       (have '__vector(16) unsigned char' and '__vector(16) unsigned char')

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 27e1259a69c49ee2dd53385f4ca4ca14b822191d
  Merge: 9e549d3 32ad48a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 22 10:06:33 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-axp-20150521' into 
staging

      Rewrite fp exceptions

      # gpg: Signature made Thu May 21 18:35:52 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-axp-20150521:
        target-alpha: Add vector implementation for CMPBGE
        target-alpha: Rewrite helper_zapnot
        target-alpha: Raise IOV from CVTQL
        target-alpha: Suppress underflow from CVTTQ if DNZ
        target-alpha: Raise EXC_M_INV properly for fp inputs
        target-alpha: Disallow literal operand to 1C.30 to 1C.37
        target-alpha: Implement WH64EN
        target-alpha: Fix integer overflow checking insns
        target-alpha: Fix cvttq vs inf
        target-alpha: Fix cvttq vs large integers
        target-alpha: Raise IOV from CVTTQ
        target-alpha: Set EXC_M_SWC for exceptions from /S insns
        target-alpha: Set fpcr_exc_status even for disabled exceptions
        target-alpha: Tidy FPCR representation
        target-alpha: Set PC correctly for floating-point exceptions
        target-alpha: Forget installed round mode after MT_FPCR
        target-alpha: Rename floating-point subroutines
        target-alpha: Move VAX helpers to a new file

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a53f1a95f9605f300fbafbc8b60b8a8c67e9c4b4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 14 12:35:02 2015 +0200

      block: get_block_status: use "else" when testing the opposite condition

      A bit of Boolean algebra (and common sense) tells us that the
      second "if" here is looking for blocks that are not allocated.
      This is the opposite of the "if" that sets BDRV_BLOCK_ALLOCATED,
      and thus it can use an "else".

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1431599702-10431-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ab53c44718305d3fde3d9d2251889f1cab694be2
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 13:12:01 2015 +0000

      qemu-iotests: Test unaligned sub-block zero write

      Test zero write in byte range 512~1024 for 4k alignment.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1431522721-3266-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9eeb6dd1b27bd57eb4e3869290e87feac8e8b226
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 13:12:00 2015 +0000

      block: Fix NULL deference for unaligned write if qiov is NULL

      For zero write, callers pass in NULL qiov (qemu-io "write -z" or
      scsi-disk "write same").

      Commit fc3959e466 fixed bdrv_co_write_zeroes which is the common case
      for this bug, but it still exists in bdrv_aio_write_zeroes. A simpler
      fix would be in bdrv_co_do_pwritev which is the NULL dereference point
      and covers both cases.

      So don't access it in bdrv_co_do_pwritev in this case, use three aligned
      writes.

      [Initialize ret to 0 in bdrv_co_do_zero_pwritev() to avoid uninitialized
      variable warning with gcc 4.9.2.
      --Stefan]

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1431522721-3266-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d01c07f2221ca39ab2dd9e55932d99db98103b30
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed May 13 13:11:59 2015 +0000

      Revert "block: Fix unaligned zero write"

      This reverts commit fc3959e4669a1c2149b91ccb05101cfc7ae1fc05.

      The core write code already handles the case, so remove this
      duplication.

      Because commit 61007b316 moved the touched code from block.c to
      block/io.c, the change is manually reverted.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1431522721-3266-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 459b4e66129d091a11e9886ecc15a8bf9f7f3d92
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue May 12 17:30:56 2015 +0300

      block: align bounce buffers to page

      The following sequence
          int fd = open(argv[1], O_RDWR | O_CREAT | O_DIRECT, 0644);
          for (i = 0; i < 100000; i++)
                  write(fd, buf, 4096);
      performs 5% better if buf is aligned to 4096 bytes.

      The difference is quite reliable.

      On the other hand we do not want at the moment to enforce bounce
      buffering if guest request is aligned to 512 bytes.

      The patch changes default bounce buffer optimal alignment to
      MAX(page size, 4k). 4k is chosen as maximal known sector size on real
      HDD.

      The justification of the performance improve is quite interesting.
      From the kernel point of view each request to the disk was split
      by two. This could be seen by blktrace like this:
        9,0   11  1     0.000000000 11151  Q  WS 312737792 + 1023 [qemu-img]
        9,0   11  2     0.000007938 11151  Q  WS 312738815 + 8 [qemu-img]
        9,0   11  3     0.000030735 11151  Q  WS 312738823 + 1016 [qemu-img]
        9,0   11  4     0.000032482 11151  Q  WS 312739839 + 8 [qemu-img]
        9,0   11  5     0.000041379 11151  Q  WS 312739847 + 1016 [qemu-img]
        9,0   11  6     0.000042818 11151  Q  WS 312740863 + 8 [qemu-img]
        9,0   11  7     0.000051236 11151  Q  WS 312740871 + 1017 [qemu-img]
        9,0    5  1     0.169071519 11151  Q  WS 312741888 + 1023 [qemu-img]
      After the patch the pattern becomes normal:
        9,0    6  1     0.000000000 12422  Q  WS 314834944 + 1024 [qemu-img]
        9,0    6  2     0.000038527 12422  Q  WS 314835968 + 1024 [qemu-img]
        9,0    6  3     0.000072849 12422  Q  WS 314836992 + 1024 [qemu-img]
        9,0    6  4     0.000106276 12422  Q  WS 314838016 + 1024 [qemu-img]
      and the amount of requests sent to disk (could be calculated counting
      number of lines in the output of blktrace) is reduced about 2 times.

      Both qemu-img and qemu-io are affected while qemu-kvm is not. The guest
      does his job well and real requests comes properly aligned (to page).

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1431441056-26198-3-git-send-email-den@xxxxxxxxxx
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 4196d2f0308cb1ae13ed450424ab7dfe154acda9
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue May 12 17:30:55 2015 +0300

      block: minimal bounce buffer alignment

      The patch introduces new concept: minimal memory alignment for bounce
      buffers. Original so called "optimal" value is actually minimal required
      value for aligment. It should be used for validation that the IOVec
      is properly aligned and bounce buffer is not required.

      Though, from the performance point of view, it would be better if
      bounce buffer or IOVec allocated by QEMU will be aligned stricter.

      The patch does not change any alignment value yet.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Message-id: 1431441056-26198-2-git-send-email-den@xxxxxxxxxx
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit eaf5fe2dd4ec001d645ff3b343f466457badaa64
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 7 17:45:48 2015 +0200

      block: return EPERM on writes or discards to read-only devices

      This is the behavior in the operating system, for example Linux's
      blkdev_write_iter has the following:

              if (bdev_read_only(I_BDEV(bd_inode)))
                      return -EPERM;

      This does not apply to opening a device for read/write, when the
      device only supports read-only operation.  In this case any of
      EACCES, EPERM or EROFS is acceptable depending on why writing is
      not possible.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1431013548-22492-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit fd0e60530f10078f488fa3e9591cc7db5732989c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Mar 25 18:57:39 2015 -0400

      configure: Add workaround for ccache and clang

      Test if ccache is interfering with semantic analysis of macros,
      disable its habit of trying to compile already pre-processed
      versions of code if so. ccache attempts to save time by compiling
      pre-processed versions of code, but this disturbs clang's static
      analysis enough to produce false positives.

      ccache allows us to disable this feature, opting instead to
      compile the original version instead of its preprocessed version.
      This makes ccache much slower for cache misses, but at least it
      becomes usable with QEMU/clang.

      This workaround only activates for users using ccache AND clang,
      and only if their configuration is observed to be producing warnings.
      You may need to clear your ccache for builds started without -Werror,
      as those may continue to produce warnings from the cache.

      Thanks to Peter Eisentraut for his writeup on the issue:
      http://peter.eisentraut.org/blog/2014/12/01/ccache-and-clang-part-3/

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427324259-1481-5-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit bbbf2e04e5ea347d877c7fa8ee02e4bb647a48fc
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Mar 25 18:57:38 2015 -0400

      configure: silence glib unknown attribute __alloc_size__

      The glib headers use GCC attributes.  Unfortunately the __GNUC__ and
      __GNUC_MINOR__ version macros are also defined by clang, but clang
      doesn't support the same attributes as GCC.

      clang 3.5.0 does not support the __alloc_size__ attribute:

        
https://github.com/llvm-mirror/clang/commit/c047507a9a79e89fc8339e074fa72822a7e7ea73

      The following warning is produced:

        gstrfuncs.h:257:44: warning: unknown attribute '__alloc_size__' ignored 
[-Wunknown-attributes]
              G_GNUC_MALLOC G_GNUC_ALLOC_SIZE(2);
                gmacros.h:67:45: note: expanded from macro 'G_GNUC_ALLOC_SIZE'
                      #define G_GNUC_ALLOC_SIZE(x) 
__attribute__((__alloc_size__(x)))

      This patch checks whether glib headers cause warnings and disables
      -Wunknown-attributes if it is able to.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427324259-1481-4-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 93b25869228a3c0c632a6aa66624cc4e549ba14a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Mar 25 18:57:37 2015 -0400

      configure: factor out supported flag check

      Factor out the function that checks if a compiler
      flag is supported or not.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427324259-1481-3-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e4a7b344df40b1f4b2e732ddb0d68079ce658d89
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Mar 25 18:57:36 2015 -0400

      configure: handle clang -nopie argument warning

      gcc 4.9.2 treats -nopie as an error:

        cc: error: unrecognized command line option â??-nopieâ??

      clang 3.5.0 treats -nopie as a warning:

        clang: warning: argument unused during compilation: '-nopie'

      The causes ./configure to fail with clang:

        ERROR: configure test passed without -Werror but failed with -Werror.

      Make the -nopie test use -Werror so that compile_prog works for both gcc
      and clang.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427324259-1481-2-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ddd2ef2ce8d693b6e2635a0c20f65744641ff8df
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:47:00 2015 +0300

      block/parallels: improve image writing performance further

      Try to perform IO for the biggest continuous block possible.
      All blocks abscent in the image are accounted in the same type
      and preallocation is made for all of them at once.

      The performance for sequential write is increased from 200 Mb/sec to
      235 Mb/sec on my SSD HDD.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-28-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 19f5dc15912dfb6af06c97e4975023e545e85c72
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:59 2015 +0300

      block/parallels: optimize linear image expansion

      Plain image expansion spends a lot of time to update image file size.
      This seriously affects the performance. The following simple test
        qemu_img create -f parallels -o cluster_size=64k ./1.hds 64G
        qemu_io -n -c "write -P 0x11 0 1024M" ./1.hds
      could be improved if the format driver will pre-allocate some space
      in the image file with a reasonable chunk.

      This patch preallocates 128 Mb using bdrv_write_zeroes, which should
      normally use fallocate() call inside. Fallback to older truncate()
      could be used as a fallback using image open options thanks to the
      previous patch.

      The benefit is around 15%.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Karan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-27-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d61790112fa861fbbbb02b53f9c3beb9ca7f8419
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:58 2015 +0300

      block/parallels: add prealloc-mode and prealloc-size open paramemets

      This is preparational commit for tweaks in Parallels image expansion.
      The idea is that enlarge via truncate by one data block is slow. It
      would be much better to use fallocate via bdrv_write_zeroes and
      expand by some significant amount at once.

      Original idea with sequential file writing to the end of the file without
      fallocate/truncate would be slower than this approach if the image is
      expanded with several operations:
      - each image expanding means file metadata update, i.e. filesystem
        journal write. Truncate/write to newly truncated space update file
        metadata twice thus truncate removal helps. With fallocate call
        inside bdrv_write_zeroes file metadata is updated only once and
        this should happen infrequently thus this approach is the best one
        for the image expansion
      - tail writes are ordered, i.e. the guest IO queue could not be sent
        immediately to the host introducing additional IO delays

      This patch just adds proper parameters into BDRVParallelsState and
      performs options parsing in parallels_open.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-26-git-send-email-den@xxxxxxxxxx
      CC: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0d31c7c200b3dca2aeeaa6f74ff3fd539aad803a
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:57 2015 +0300

      block/parallels: delay writing to BAT till bdrv_co_flush_to_os

      The idea is that we do not need to immediately sync BAT to the image as
      from the guest point of view there is a possibility that IO is lost
      even in the physical controller until flush command was finished.
      bdrv_co_flush_to_os is exactly the right place for this purpose.

      Technically the patch uses loaded BAT data as a cache and performs
      actual on-disk metadata updates in parallels_co_flush_to_os callback.

      This patch speed ups
        qemu-img create -f parallels -o cluster_size=64k ./1.hds 64G
        qemu-io -f parallels -c "write -P 0x11 0 1024k" 1.hds
      writing from 50-60 Mb/sec to 80-90 Mb/sec on rotational media and
      from 160 Mb/sec to 190 Mb/sec on SSD disk.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-25-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2d68e22e94e8bc5a0d32a38b53c592c320db8261
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:56 2015 +0300

      block/parallels: create bat_entry_off helper

      calculate offset of the BAT entry in the image file.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-24-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6953d920784466dfaea77f7cfd23df2ad8b772a0
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:55 2015 +0300

      block/parallels: improve image reading performance

      Try to perform IO for the biggest continuous block possible.
      The performance for sequential read is increased from 220 Mb/sec to
      360 Mb/sec for continous image on my SSD HDD.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-23-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit a6be831e99f89d72a8c4a114347d5512c326af29
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:54 2015 +0300

      iotests, parallels: check for incorrectly closed image in tests

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-22-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 6dd6b9f1440c37811ad963b49a48bf80a8bde377
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:53 2015 +0300

      block/parallels: implement incorrect close detection

      The software driver must set inuse field in Parallels header to
      0x746F6E59 when the image is opened in read-write mode. The presence of
      this magic in the header on open forces image consistency check.

      There is an unfortunate trick here. We can not check for inuse in
      parallels_check as this will happen too late. It is possible to do
      that for simple check, but during the fix this would always report
      an error as the image was opened in BDRV_O_RDWR mode. Thus we save
      the flag in BDRVParallelsState for this.

      On the other hand, nothing should be done to clear inuse in
      parallels_check. Generic close will do the job right.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-21-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 49ad6467313d17486af9029413debb709dc971a8
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:52 2015 +0300

      block/parallels: implement parallels_check method of block driver

      The check is very simple at the moment. It calculates necessary stats
      and fix only the following errors:
      - space leak at the end of the image. This would happens due to
        preallocation
      - clusters outside the image are zeroed. Nothing else could be done here

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-20-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 23d6bd3bd1225e8c8ade6ed829eabcf90ddfa6f7
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:51 2015 +0300

      block/parallels: move parallels_open/probe to the very end of the file

      This will help to avoid forward declarations for upcoming parallels_check

      Some very obvious formatting fixes were made to the moved code to make
      checkpatch happy.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-19-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9eae9cca95e76afc2f2288a665e08a64953f2820
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:50 2015 +0300

      block/parallels: read parallels image header and BAT into single buffer

      This metadata cache would allow to properly batch BAT updates to disk
      in next patches. These updates will be properly aligned to avoid
      read-modify-write transactions on block level.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-18-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dd97cdc064f24484a2ebc141a4ec6bba35f56007
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:49 2015 +0300

      block/parallels: keep BAT bitmap data in little endian in memory

      This will allow to use this data as buffer to BAT update directly
      without any intermediate buffers.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-17-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 555cc9d9fc5c71be6bd3f288eaf1e5628732088f
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:48 2015 +0300

      block/parallels: create bat2sect helper

      deduplicate copy/paste arithmetcs

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-16-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 369f7de9d57e4dd2f312255fc12271d5749c0a4e
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:47 2015 +0300

      block/parallels: rename catalog_ names to bat_

      BAT means 'block allocation table'. Thus this name is clean and shorter
      on writing.

      Some obvious formatting fixes in the old code were made to make checkpatch
      happy.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-15-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit cc5690f20fcc075940a213380b362ae2054c03ba
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:46 2015 +0300

      parallels: change copyright information in the image header

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-14-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit ca9c4e0675f9cb98138e1069605114f45746d985
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:45 2015 +0300

      iotests, parallels: test for newly created parallels image via qemu-img

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-13-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 74cf6c5026fef6e327f09786445f626df02cbdf0
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:44 2015 +0300

      block/parallels: support parallels image creation

      Do not even care to create WithoutFreeSpace image, it is obsolete.
      Always create WithouFreSpacExt one.

      The code also does not spend a lot of efforts to fill cylinders and
      heads fields, they are not used actually in a real life neither in
      QEMU nor in Parallels products.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-12-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 50ffd8fd3cfceede87cec1f7f9a04cd7b9147271
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:43 2015 +0300

      iotests, parallels: test for write into Parallels image

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-11-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5a41e1fa95f379e236883f38dacda292f6c48e6f
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:42 2015 +0300

      block/parallels: _co_writev callback for Parallels format

      Support write on Parallels images. The code is almost the same as one
      in the previous patch implemented scatter-gather IO for read.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-10-git-send-email-den@xxxxxxxxxx
      CC: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d0e61ce56d1520cade573eb344fdb136993d2279
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:41 2015 +0300

      block/parallels: mark parallels format driver as zero inited

      From the guest point of view unallocated blocks are zeroed.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-9-git-send-email-den@xxxxxxxxxx
      CC: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 912f31281a683a24b552a8cc6c293ab389b62013
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:40 2015 +0300

      block/parallels: replace magic constants 4, 64 with proper sizeofs

      simple purification..

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-8-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 481fb9cf18925eab19e4af8a44bd86b82eb897ad
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:39 2015 +0300

      block/parallels: provide _co_readv routine for parallels format driver

      Main approach is taken from qcow2_co_readv.

      The patch drops coroutine lock for the duration of IO operation and
      peforms normal scatter-gather IO using standard QEMU backend.

      The patch also adds comment about locking considerations in the driver.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Message-id: 1430207220-24458-7-git-send-email-den@xxxxxxxxxx
      CC: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dd3bed16ff229496b30cc77224b0c0ae645c4dae
  Author: Roman Kagan <rkagan@xxxxxxxxxxxxx>
  Date:   Tue Apr 28 10:46:38 2015 +0300

      block/parallels: add get_block_status

      Implement VFS method for get_block_status to Parallels format driver.

      qemu_co_mutex_lock is not necessary yet (the driver is read-only) but
      will be necessary very soon when write will be supported.

      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1430207220-24458-6-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 9de9da17d8304576e8402697bcee72c88ce499b8
  Author: Roman Kagan <rkagan@xxxxxxxxxxxxx>
  Date:   Tue Apr 28 10:46:37 2015 +0300

      block/parallels: read up to cluster end in one go

      Teach parallels_read() to do reads in coarser granularity than just a
      single sector: if requested, read up to the cluster end in one go.

      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1430207220-24458-5-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 2944256997dd8b080f8b0cc062e4b663cb2ec09c
  Author: Roman Kagan <rkagan@xxxxxxxxxxxxx>
  Date:   Tue Apr 28 10:46:36 2015 +0300

      block/parallels: switch to bdrv_read

      Switch the .bdrv_read method implementation from using bdrv_pread() to
      bdrv_read() on the underlying file, since the latter is subject to i/o
      throttling while the former is not.

      Besides, since bdrv_read() operates in sectors rather than bytes, adjust
      the helper functions to do so too.

      Signed-off-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Denis V. Lunev <den@xxxxxxxxxx>
      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Message-id: 1430207220-24458-4-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      CC: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 0789890467d30e2ab10d84b5398bdc903db8cb91
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:35 2015 +0300

      block/parallels: rename parallels_header to ParallelsHeader

      this follows QEMU coding convention

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1430207220-24458-3-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit d134cf73b10e9d0283e1d2531299c8f9ab13b5eb
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 28 10:46:34 2015 +0300

      iotests, parallels: quote TEST_IMG in 076 test to be path-safe

      suggested by Jeff Cody

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      Reviewed-by: Roman Kagan <rkagan@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1430207220-24458-2-git-send-email-den@xxxxxxxxxx
      CC: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 32ad48abd74a997220b841e4e913edeb267aa362
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Aug 18 10:19:06 2014 -0700

      target-alpha: Add vector implementation for CMPBGE

      While conditionalized on SSE2, it's a "portable" gcc generic vector
      implementation, which could be enabled on other hosts.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 8d8d324e3424bf891d41e9c7758dcc09cf3c38b9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Jul 15 12:07:05 2014 -0700

      target-alpha: Rewrite helper_zapnot

      This form produces significantly smaller code on x86_64.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9e549d36e989b14423279fb991b71728a2a4ae7c
  Merge: eba05e9 0ef705a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu May 21 09:07:19 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vnc-20150520-1' 
into staging

      vnc: misc fixes.

      # gpg: Signature made Wed May 20 09:32:45 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vnc-20150520-1:
        qemu-sockets: Report explicit error if unlink fails
        vnc: Tweak error when init fails
        vnc: Don't assert if opening unix socket fails
        ui: remove check for failure of qemu_acl_init()
        Strip brackets from vnc host

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0ef705a2653f09c15e44a644a98b6febc761431e
  Author: Cole Robinson <crobinso@xxxxxxxxxx>
  Date:   Tue May 5 11:07:19 2015 -0400

      qemu-sockets: Report explicit error if unlink fails

      Consider this case:

      $ ls -ld ~/root-owned/
      drwx--x--x. 2 root root 4096 Apr 29 12:55 /home/crobinso/root-owned/
      $ ls -l ~/root-owned/foo.sock
      -rwxrwxrwx. 1 crobinso crobinso 0 Apr 29 12:55 
/home/crobinso/root-owned/foo.sock

      $ qemu-system-x86_64 -vnc unix:~/root-owned/foo.sock
      qemu-system-x86_64: -vnc unix:/home/crobinso/root-owned/foo.sock: Failed 
to start VNC server: Failed to bind socket to 
/home/crobinso/root-owned/foo.sock: Address already in use

      ...which is techinically true, but the real error is that we failed to
      unlink. So report it.

      This may seem pathological but it's a real possibility via libvirt.

      Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit bc119048d7377ec8335ecde5946df629a1b72b46
  Author: Cole Robinson <crobinso@xxxxxxxxxx>
  Date:   Tue May 5 11:07:18 2015 -0400

      vnc: Tweak error when init fails

      Before:
      qemu-system-x86_64: -display vnc=unix:/root/foo.sock: Failed to start VNC 
server on `(null)': Failed to bind socket to /root/foo.sock: Permission denied

      After:
      qemu-system-x86_64: -display vnc=unix:/root/foo.sock: Failed to start VNC 
server: Failed to bind socket to /root/foo.sock: Permission denied

      Rather than tweak the string possibly show unix: value as well,
      just drop the explicit display reporting. We already get the cli
      string in the error message, that should be sufficient.

      Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 3d00ac1a2ee0294fc3d460e6013a5cdd9c73ea6c
  Author: Cole Robinson <crobinso@xxxxxxxxxx>
  Date:   Tue May 5 11:07:17 2015 -0400

      vnc: Don't assert if opening unix socket fails

      Reproducer:

      $ qemu-system-x86_64 -display vnc=unix:/root/i-cant-access-you.sock
      qemu-system-x86_64: iohandler.c:60: qemu_set_fd_handler2: Assertion `fd 
>= 0' failed.
      Aborted (core dumped)

      Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2b2c1a38eeaba5d8bfe92281e9e680361e09ee3b
  Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
  Date:   Fri May 1 11:44:46 2015 +0100

      ui: remove check for failure of qemu_acl_init()

      The qemu_acl_init() function has long since stopped being able
      to return NULL, since g_malloc will abort on OOM. As such the
      checks for NULL were unreachable code.

      Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 274c3b52e10466a4771d591f6298ef61e8354ce0
  Author: Ján Tomko <jtomko@xxxxxxxxxx>
  Date:   Mon Apr 27 17:03:14 2015 +0200

      Strip brackets from vnc host

      Commit v2.2.0-1530-ge556032 vnc: switch to inet_listen_opts
      bypassed the use of inet_parse in inet_listen, making literal
      IPv6 addresses enclosed in brackets fail:

      qemu-kvm: -vnc [::1]:0: Failed to start VNC server on `(null)': address
      resolution failed for [::1]:5900: Name or service not known

      Strip the brackets to make it work again.

      Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit eba05e922e8e7f307bc5d4104a78797e55124e97
  Merge: fdbe454 a48da7b
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 14:10:33 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-serial-20150519-1' 
into staging

      serial: fix multi-pci card error cleanup.

      # gpg: Signature made Tue May 19 11:47:29 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-serial-20150519-1:
        serial: fix multi-pci card error cleanup.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a48da7b5bc1f0c98e7a124337140efd47049066c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed May 6 12:58:19 2015 +0200

      serial: fix multi-pci card error cleanup.

      Put the number of serial ports into a local variable in
      multi_serial_pci_realize, then increment the port count
      (pci->ports) as we initialize the serial port cores.

      Now pci->ports always holds the number of successfully
      initialized ports and we can use multi_serial_pci_exit
      to properly cleanup the already initialized bits in case
      of a init failure.

      https://bugzilla.redhat.com/show_bug.cgi?id=970551

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit fdbe454a242105fcfe48b9c44b5499b80ff84160
  Merge: faa261a 176c324
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 11:47:03 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-vga-20150519-1' 
into staging

      hw/display: qomify vga cards

      # gpg: Signature made Tue May 19 11:23:09 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-vga-20150519-1:
        vga-pci: QOMify
        qxl: QOMify
        cirrus_vga: QOMify

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 176c324febd76d6f164347583f5af35b3cb4e5fb
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue May 12 17:27:08 2015 +0800

      vga-pci: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c69f6c7dcf6164ee0ee3b00bec27dfdec4e8b661
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue May 12 17:27:10 2015 +0800

      qxl: QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d338bae33a76d02678ea706622dfcc26b8b8325c
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue May 12 17:27:09 2015 +0800

      cirrus_vga: QOMify

      QOMify pci-cirrus-vga like isa-cirrus-vga device.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit faa261a7fb254866bdd5b6a25ad94677945f21b4
  Merge: 62bf3df b4c6a11
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 10:25:59 2015 +0100

      Merge remote-tracking branch 'remotes/pmaydell/tags/pull-cocoa-20150519' 
into staging

      cocoa queue:
       * fix various issues with full screen in the OSX UI
       * set an icon for our binary file
       * add entries to the View menu for QEMU consoles
       * fix various warnings that are produced when building on 10.10
         (largely deprecated interfaces)

      # gpg: Signature made Tue May 19 09:17:23 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-cocoa-20150519:
        ui/cocoa: Add console items to the View menu
        ui/cocoa: Avoid deprecated NSOKButton/NSCancelButton constants
        ui/cocoa: Don't use NSWindow useOptimizedDrawing on OSX 10.10 and up
        ui/cocoa: Declare that QemuCocoaAppController implements 
NSApplicationDelegate
        ui/cocoa: openPanelDidEnd returnCode should be NSInteger, not int
        ui/cocoa: Remove compatibility ifdefs for OSX 10.4
        ui/cocoa: Drop tests for CGImageCreateWithImageInRect support
        Makefile.target: set icon for binary file on Mac OS X
        ui/cocoa: Make -full-screen option work on Mac OS X
        ui/cocoa: Fix several full screen issues on Mac OS X

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b4c6a112dcfa1d24b905e6cccc763e02000937f1
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: Add console items to the View menu

      Add any console that is available to the current emulator as a
      menu item under the View menu.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      [PMM: Adjusted to apply after zoom-to-fit menu item was added;
       create the View menu at the same time as all the others, and only
       add the dynamically-determined items to it later]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8617989eae7398e9e782a73857fc53a548692b31
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: Avoid deprecated NSOKButton/NSCancelButton constants

      In OSX 10.10, the NSOKButton and NSCancelButton constants are deprecated
      and provoke compiler warnings. Avoid them by using the
      NSFileHandlingPanelCancelButton and NSFileHandlingPanelOKButton constants
      instead. These are the documented correct constants for the 10.6-and-up
      beginSheetModalForWindow API we use. We also use the same method for
      the pre-10.6 compatibility code path, but conveniently the constant
      values are the same and the constant names have been present since 10.0.
      Preferring the constant names that match the non-legacy API makes more
      sense anyway.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-7-git-send-email-peter.maydell@xxxxxxxxxx

  commit 81801ae21333d81a8e7887bc6b11c601b6ecbee6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: Don't use NSWindow useOptimizedDrawing on OSX 10.10 and up

      Starting in OSX 10.10, NSWindow useOptimizedDrawing is deprecated, so
      don't use it there.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit 2a4c8c53dabf564142d5329b9ff8a82468324fd6
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: Declare that QemuCocoaAppController implements 
NSApplicationDelegate

      Our class QemuCocoaAppController implements the NSApplicationDelegate
      interface, and we pass an object of this class to [NSApp setDelegate].
      However, we weren't declaring in the class definition that we implemented
      this interface; in OSX 10.10 this provokes the following (slighly
      misleading) warning:
      ui/cocoa.m:1031:24: warning: sending 'QemuCocoaAppController *' to 
parameter of
            incompatible type 'id<NSFileManagerDelegate>'
          [NSApp setDelegate:appController];
                             ^~~~~~~~~~~~~
      
/System/Library/Frameworks/Foundation.framework/Headers/NSFileManager.h:109:47:
      note: passing argument to parameter 'delegate' here
      @property (assign) id <NSFileManagerDelegate> delegate NS_AVAILABLE(10_5,
      2_0);
                                                    ^

      Annoyingly, this interface wasn't formally defined until OSX 10.6, so we
      have to surround the relevant part of the @interface line with an ifdef.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-5-git-send-email-peter.maydell@xxxxxxxxxx

  commit de1aadee289722478c19f211f0fa3a38e7e66b6f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:18 2015 +0100

      ui/cocoa: openPanelDidEnd returnCode should be NSInteger, not int

      The type for openPanelDidEnd's returnCode argument should be NSInteger,
      not int. This only matters for the OSX 10.5 code path where we pass
      the method directly to an OSX function to call.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 89424ff32f5c106f90627c7abe019c81c716fd13
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      ui/cocoa: Remove compatibility ifdefs for OSX 10.4

      Remove compatibility ifdefs that work around OSX 10.4 not providing
      various typedefs and functions.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-3-git-send-email-peter.maydell@xxxxxxxxxx

  commit b63901d84cc22a06f82900620fdbe01ff16511ec
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      ui/cocoa: Drop tests for CGImageCreateWithImageInRect support

      The code that tries to test at both compiletime and runtime
      for whether CGImageCreateWithImageInRect is supported provokes
      a compile warning on OSX 10.3:

      ui/cocoa.m:378:13: warning: comparison of function 
'CGImageCreateWithImageInRect'
            equal to a null pointer is always 
false[-Wtautological-pointer-compare]
              if (CGImageCreateWithImageInRect == NULL) { // test if 
"CGImageCreateWithImageInRect" is
      supported on host at runtime
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~    ~~~~

      The simplest way to deal with this is just to drop this code,
      since we don't in practice support OSX 10.4 anyway. (10.5 was
      released in 2007 and is the last PPC version, so is the earliest
      we really need to continue to support at all.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1431296361-16981-2-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4e34017c21485e5606beda7e6218c36d3568b363
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      Makefile.target: set icon for binary file on Mac OS X

      Implements setting the icon for the binary file in Mac OS X.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      [PMM: tweaked makefile to use $@ and quiet-command]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 43227af88a36faed50cedb0c7cef71a49c0be9d2
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      ui/cocoa: Make -full-screen option work on Mac OS X

      This patch makes the -full-screen option actually instruct QEMU to
      enter fullscreen at startup, on Mac OS X.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5d1b2eef58632974494b4b94f8970846aa0bffb9
  Author: Programmingkid <programmingkidx@xxxxxxxxx>
  Date:   Tue May 19 09:11:17 2015 +0100

      ui/cocoa: Fix several full screen issues on Mac OS X

      This patch makes several changes:
      - Minimizes distorted full screen display by respecting aspect
      ratios.
      - Makes full screen mode available on Mac OS 10.7 and higher.
      - Allows user to decide if video should be stretched to fill the
      screen, using a menu item called "Zoom To Fit".
      - Hides the normalWindow so it won't show up in full screen mode.
      - Allows user to exit full screen mode.

      Signed-off-by: John Arbuckle <programmingkidx@xxxxxxxxx>
      [PMM: minor whitespace tweaks, remove incorrectly duplicated
       use of 'f' menu accelerator key]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 57a808b6d7f52a62111f6070933dfca6cd88a0fd
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Jul 8 10:42:55 2014 -0700

      target-alpha: Raise IOV from CVTQL

      Even if an exception isn't taken, the status flags need updating
      and the result should be written to the destination.  Move the body
      of cvtql out of line, since we now always need a call.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4ed069ab5334a495b49d0704795524fa34e8dbfc
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Jul 8 10:14:09 2014 -0700

      target-alpha: Suppress underflow from CVTTQ if DNZ

      I.e. respect flush_inputs_to_zero.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit b99e80694cc635aa6ed5a3716e89645a8afa261c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue Jul 8 10:11:06 2014 -0700

      target-alpha: Raise EXC_M_INV properly for fp inputs

      Ignore DNZ if software completion isn't used.  Raise INV for
      denormals in system mode so the OS completion handler sees them.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ed0851380c8ed181ddd6ed3542b14fcb0bca6700
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Jul 7 06:18:20 2014 -0700

      target-alpha: Disallow literal operand to 1C.30 to 1C.37

      Before 64f45e49 we used to have literal checks for 4 of these 8 opcodes.
      Confirmed that real hardware doesn't allow them.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 2517def6f82bec9eba9333a37f85a6f368ba52ee
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 3 21:04:26 2014 -0700

      target-alpha: Implement WH64EN

      Backward compatible cache insn introduced for EV7.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4d1628e832dfc6ec02b0d196f6cc250aaa7bf3b3
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 3 13:18:26 2014 -0700

      target-alpha: Fix integer overflow checking insns

      We need to write the result to the destination register before
      raising any exception.  Thus inline the code for each insn, and
      check for any exception after we're done.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7b4dde839e86ca6c254d4e3cd28260e9d668afb5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 3 12:37:59 2014 -0700

      target-alpha: Fix cvttq vs inf

      We should raise INV for infinities as well, not OVR+INE.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 7f2e40020cfc827f7e59670f8c400b0b9a704481
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Thu Jul 3 12:36:34 2014 -0700

      target-alpha: Fix cvttq vs large integers

      The range +- 2**63 - 2**64 was returning the wrong truncated
      result.  We also incorrectly signaled overflow for -2**63.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c24a8a0b6dad5a33d84f5fb846edb28c43312c71
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Jun 28 12:57:03 2014 -0700

      target-alpha: Raise IOV from CVTTQ

      Floating-point overflow is a different bit from integer overflow.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f6b6b7b8a775f97edab43eb672d5991f534c2e61
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Mon Jun 30 09:53:46 2014 -0700

      target-alpha: Set EXC_M_SWC for exceptions from /S insns

      Previously forgotten, the kernel needs the software completion bit to
      know that it needs to emulate software completion qualified insns.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 471d4930470aee38dffe6fc4890ede3d8eaf23c4
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Jun 28 11:08:28 2014 -0700

      target-alpha: Set fpcr_exc_status even for disabled exceptions

      The qualifiers can suppress the raising of exceptions, but real
      hardware still records that the exceptions occurred.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit f3d3aad4a920a4436a9f5397d7a2963aefe141a9
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 8 12:17:07 2014 -1000

      target-alpha: Tidy FPCR representation

      Store the fpcr as the hardware represents it.  Convert the softfpu
      representation of exceptions into the fpcr representation.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit ba9c5de5f2d33d468a07a8794121472ea031a0b5
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Jun 28 13:06:19 2014 -0700

      target-alpha: Set PC correctly for floating-point exceptions

      PC should be one past the faulting insn.  Add better commentary
      for the machine-check exception path.

      Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9d5a626b2c3fa98761b35b5e2ac86f7adb231002
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Sat Jun 28 10:25:36 2014 -0700

      target-alpha: Forget installed round mode after MT_FPCR

      When we use QUAL_RM_D, we copy fpcr_dyn_round to float_status.
      When we install a new FPCR value, we update fpcr_dyn_round.
      Reset the status of the cache so that we re-copy for the next
      fp insn that requires dynamic rounding.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 3da653fa05579579b0ba55a02ffa2aa3d466f01b
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 8 10:54:35 2014 -1000

      target-alpha: Rename floating-point subroutines

      ... to match the instructions, which have no leading "f".

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 9354452c39fef1ab2491da5989e6944d8bb2e16a
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Fri Aug 8 10:42:45 2014 -1000

      target-alpha: Move VAX helpers to a new file

      Keep the IEEE and VAX floating point emulation separate.

      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 62bf3df432d93fa6eb0f355c460d6d784b7cbc1a
  Merge: 385057c 18084b2
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 18 20:23:16 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150518-3' into staging

      target-arm:
       * New board model: xlnx-ep108
       * Some more preparation for AArch64 EL2/EL3
       * Fix bugs in access checking for generic counter registers
       * Remove a stray '+' sign

      # gpg: Signature made Mon May 18 20:13:05 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150518-3: (21 commits)
        target-arm: Remove unneeded '+'
        target-arm: Correct accessfn for CNTV_TVAL_EL0
        target-arm: Correct accessfn for CNTP_{CT}VAL_EL0
        target-arm: Add WFx syndrome function
        target-arm: Add EL3 and EL2 TCR checking
        target-arm: Add TTBR regime function and use
        linux-user/arm: Correct TARGET_NR_timerfd to TARGET_NR_timerfd_create
        arm: xlnx-ep108: Add bootloading
        arm: xlnx-ep108: Add external RAM
        arm: Add xlnx-ep108 machine
        arm: xlnx-zynqmp: Add UART support
        char: cadence_uart: Split state struct and type into header
        char: cadence_uart: Clean up variable names
        arm: xlnx-zynqmp: Add GEM support
        net: cadence_gem: Split state struct and type into header
        net: cadence_gem: Clean up variable names
        arm: xlnx-zynqmp: Connect CPU Timers to GIC
        arm: xlnx-zynqmp: Add GIC
        arm: Introduce Xilinx ZynqMP SoC
        target-arm: cpu64: Add support for Cortex-A53
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 18084b2f71b22b3ec3bf4828b8cb83d1d39e8502
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Wed May 13 16:52:28 2015 +1000

      target-arm: Remove unneeded '+'

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Message-id: 1431499963-1019-4-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b65c08ee1a05760c1c5a786a6cedf240f924c53e
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Wed May 13 16:52:27 2015 +1000

      target-arm: Correct accessfn for CNTV_TVAL_EL0

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1431499963-1019-3-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 12cde08aaf571de65d3fbbdf93c83f0a4321267f
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Wed May 13 16:52:26 2015 +1000

      target-arm: Correct accessfn for CNTP_{CT}VAL_EL0

      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1431499963-1019-2-git-send-email-edgar.iglesias@xxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 06fbb2fdf7a7ac468d62c66cfe4537d3c71f7bb9
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Wed Apr 22 12:09:20 2015 -0500

      target-arm: Add WFx syndrome function

      Adds a utility function for creating a WFx exception syndrome

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-9-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 88e8add8b6656c349a96b447b074688d02dc5415
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Wed Apr 22 12:09:19 2015 -0500

      target-arm: Add EL3 and EL2 TCR checking

      Updated get_phys_addr_lpae to check the appropriate TTBCR/TCR depending 
on the
      current EL. Support includes using the different TCR format as well as 
checks to
      insure TTBR1 is not used when in EL2 or EL3.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-8-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit aef878be4e7ab1bdb30b408007320400b0a29c83
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Wed Apr 22 12:09:18 2015 -0500

      target-arm: Add TTBR regime function and use

      Add a utility function for choosing the correct TTBR system register 
based on
      the specified MMU index. Add use of function on physical address lookup.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1429722561-12651-7-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: fixed regime_ttbr() return type to be uint64_t]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d82322e175d58c0c8951cbc905da1ca9ee2e008c
  Author: Timothy Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
  Date:   Wed Apr 8 21:40:52 2015 +0100

      linux-user/arm: Correct TARGET_NR_timerfd to TARGET_NR_timerfd_create

      Misspelled system call name in macro was causing timerfd_create not
      to be supported for the ARM target.

      Signed-off-by: Timothy Edward Baldwin <T.E.Baldwin99@xxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 082587b741efc5329380b4a156d86f2bdbfa2d70
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:30 2015 -0700

      arm: xlnx-ep108: Add bootloading

      Add bootloader support using standard ARM bootloader.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
b829abaf2b70d02b28e79301553cbd74afc416a1.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b79b9d28f6b8f7879c50b6c053b4e3796de5b7d0
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:27 2015 -0700

      arm: xlnx-ep108: Add external RAM

      Zynq MPSoC supports external DDR RAM. Add a RAM at 0 to the model.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
2c25e2a4198402a6477aef2975d5df7c415dd341.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 859a0c5b5fb8be0c1ed78d96695a162c9210e1e6
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:24 2015 -0700

      arm: Add xlnx-ep108 machine

      Add a machine model for the Xilinx ZynqMP SoC EP108 board.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
3896b34c862f370dc0679e4428bf3848d1f9f83c.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3bade2a9e6336e0eb7cc5ad7425994f1143c5cfa
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:21 2015 -0700

      arm: xlnx-zynqmp: Add UART support

      There are 2x Cadence UARTs in Zynq MP. Add them.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
e30795536f77599fabc1052278d846ccd52322e2.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8ae57b2fa35dae9aa4b50db5e632156eded9bec0
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:18 2015 -0700

      char: cadence_uart: Split state struct and type into header

      Create a new header for Cadence UART to allow using the device with
      modern SoC programming conventions. The state struct needs to be
      visible to embed the device in SoC containers.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
46a0fbd45b6b205f54c4a8c778deb75c77f8abdf.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e86da3cb40d6f70ce99d8e64952c49df8ad78848
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:15 2015 -0700

      char: cadence_uart: Clean up variable names

      Clean up some variable names in preparation for migrating the state struct
      and type cast macro to a public header. The acronym "UART" on it's own is
      not specific enough to be used in a more global namespace so preface with
      "cadence". Fix the capitalisation of "uart" in the state type while 
touching
      the typename. Preface macros used by the state struct itself with 
CADENCE_UART
      so they don't conflict in namespace either.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
3812b7426c338beae9e082557f3524a99310ddc6.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 14ca2e462ee137974d81729b1d88d9d39cf2f22c
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:12 2015 -0700

      arm: xlnx-zynqmp: Add GEM support

      There are 4x Cadence GEMs in ZynqMP. Add them.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
7d3e68e5495d145255f0ee567046415e3a26d67e.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f49856d4e65703e347ee3e2277a87282ce601bcd
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:09 2015 -0700

      net: cadence_gem: Split state struct and type into header

      Create a new header for Cadence GEM to allow using the device with
      modern SoC programming conventions. The state struct needs to be
      visible to embed the device in SoC containers.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a98b5df6440c5bff8f813a26bb53ce1cfefb4c4c.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 448f19e23155021e42878e7effc3da895921ad4e
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:07 2015 -0700

      net: cadence_gem: Clean up variable names

      Cleanup some variable names in preparation for migrating the state
      struct and type cast macro to a public header. The acronym "GEM" on
      its own is not specific enough to be used in a more global namespace
      so preface with "cadence". Fix the capitalisation of "gem" in the
      state type while touching the typename. Also preface the GEM_MAXREG
      macro as this will need to migrate to public header.

      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
8e2b0687b3a7b7a3fde5ba2f3bee6f3b911e84ef.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bf4cb10966a7685bba3aeaf14434902889ef535d
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:04 2015 -0700

      arm: xlnx-zynqmp: Connect CPU Timers to GIC

      Connect the GPIO outputs from the individual CPUs for the timers to the
      GIC.

      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a7866a4f0c903c91fa3034210b4d2879aa4bfcb9.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7729e1f4b3c670eca38cc0ee0d96c1177efbc1e3
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:23:01 2015 -0700

      arm: xlnx-zynqmp: Add GIC

      Add the GIC and connect IRQ outputs to the CPUs. The GIC regions are
      under-decoded through a 64k address region so implement aliases
      accordingly.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
5853189965728d676106d9e94e76b9bb87981cb5.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f0a902f76452211cadbdf1d25ef9b94732b096e8
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:22:58 2015 -0700

      arm: Introduce Xilinx ZynqMP SoC

      With quad Cortex-A53 CPUs.

      Use SMC PSCI, with the standard policy of secondaries starting in
      power-off.

      Tested-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
a16202a6c7b79e446e5289d38cb18d2ee4b897a0.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e35310260ec57d20301c65a5714ca55369e971cc
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:22:55 2015 -0700

      target-arm: cpu64: Add support for Cortex-A53

      Add the ARM Cortex-A53 processor definition. Similar to A57, but with
      different L1 I cache policy, phys addr size and different cache
      geometries. The cache sizes is implementation configurable, but use
      these values (from Xilinx Zynq MPSoC) as a default until cache size
      configurability is added.

      Acked-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
db439ff834cf0431bc192b05272a3b28fe2045d0.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ee804264ddc4d3cd36a5183a09847e391da0fc66
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Thu May 14 19:22:52 2015 -0700

      target-arm: cpu64: generalise name of A57 regs

      Rename some A57 CP register variables in preparation for support for
      Cortex A53. Use "a57_a53" to describe the shareable features. Some of
      the CP15 registers (such as ACTLR) are specific to implementation, but
      we currently just RAZ them so continue with that as the policy for both
      A57 and A53 processors under a shared definition.

      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 
5a5f957994677d91435190b3be1cefa6f657e274.1431381507.git.peter.crosthwaite@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 385057cbec9b4a0eb6150330c572e875ed714965
  Merge: 99e7627 4180978
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 15 17:51:20 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qapi-2015-05-15' 
into staging

      qapi: Fix qapi mangling of downstream names, and more

      # gpg: Signature made Fri May 15 17:41:31 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qapi-2015-05-15: (26 commits)
        qapi: Inline gen_command_decl_prologue(), gen_command_def_prologue()
        qapi: Drop pointless flush() before close()
        qapi: Factor open_output(), close_output() out of generators
        qapi: Turn generators' mandatory option -i into an argument
        qapi: Fix generators to report command line errors decently
        qapi: Factor parse_command_line() out of the generators
        qapi: qapi-commands.py option --type is unused, drop it
        qapi: qapi-event.py option -b does nothing, drop it
        tests: Add missing dependencies on $(qapi-py)
        qapi: Support downstream events and commands
        qapi: Support downstream alternates
        qapi: Support downstream flat unions
        qapi: Support downstream simple unions
        qapi: Support downstream structs
        qapi: Support downstream enums
        qapi: Make c_type() consistently convert qapi names
        qapi: Tidy c_type() logic
        qapi: Move camel_to_upper(), c_enum_const() to closely related code
        qapi: Use c_enum_const() in generate_alternate_qtypes()
        qapi: Simplify c_enum_const()
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 99e7627a70d1a23e30a514e5a4798005cf4eb3aa
  Merge: 1eeace9 dfb3630
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri May 15 16:02:08 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/pull-tcg-20150514' into 
staging

      Per-memop alignment

      # gpg: Signature made Thu May 14 20:17:27 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/pull-tcg-20150514:
        tcg: Add MO_ALIGN, MO_UNALN
        tcg: Push merged memop+mmu_idx parameter to softmmu routines
        tcg: Merge memop and mmu_idx parameters to qemu_ld/st

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dfb36305626636e2e07e0c5acd3a002a5419399e
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed May 13 11:25:20 2015 -0700

      tcg: Add MO_ALIGN, MO_UNALN

      These modifiers control, on a per-memory-op basis, whether
      unaligned memory accesses are allowed.  The default setting
      reflects the target's definition of ALIGNED_ONLY.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 3972ef6f830d65e9bacbd31257abedc055fd6dc8
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Wed May 13 09:10:33 2015 -0700

      tcg: Push merged memop+mmu_idx parameter to softmmu routines

      The extra information is not yet used but it is now available.
      This requires minor changes through all of the tcg backends.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 59227d5d45bb3c31dc2118011691c35b3c00879c
  Author: Richard Henderson <rth@xxxxxxxxxxx>
  Date:   Tue May 12 11:51:44 2015 -0700

      tcg: Merge memop and mmu_idx parameters to qemu_ld/st

      At the tcg opcode level, not at the tcg-op.h generator level.
      This requires minor changes through all of the tcg backends,
      but none of the cpu translators.

      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 4180978c9205c50acd2d6c385def9b3e81911696
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 14:52:55 2015 +0200

      qapi: Inline gen_command_decl_prologue(), gen_command_def_prologue()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 09896d3f48078a93e3d2dbd8ef86436b85ebda7c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 14:49:29 2015 +0200

      qapi: Drop pointless flush() before close()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 12f8e1b9ff57e99dafbb13f89cd5a99ad5c28527
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 14:46:39 2015 +0200

      qapi: Factor open_output(), close_output() out of generators

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 16d80f61814745bd3f5bb9f47ae3b00edf9e1e45
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 13:32:16 2015 +0200

      qapi: Turn generators' mandatory option -i into an argument

      Mandatory option is silly, and the error handling is missing: the
      programs crash when -i isn't supplied.  Make it an argument, and check
      it properly.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit b45409683e829770000a4560ed21e704f87df74c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 13:17:34 2015 +0200

      qapi: Fix generators to report command line errors decently

      Report to stderr, prefix with the program name.  Also reject
      extra arguments.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 2114f5a98d0d80774306279e1694de074ca86aa0
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 13:12:21 2015 +0200

      qapi: Factor parse_command_line() out of the generators

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 72aaa73a4acef06bfaed750064c40a597f0cf745
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 11:41:22 2015 +0200

      qapi: qapi-commands.py option --type is unused, drop it

      Anything but --type sync (which is the default) suppresses output
      entirely, which makes no sense.

      Dates back to the initial commit c17d990.  Commit message says
      "Currently only generators for synchronous qapi/qmp functions are
      supported", so maybe output other than "synchronous qapi/qmp" was
      planned at the time, to be selected with --type.

      Should other kinds of output ever materialize, we can put the option
      back.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c70cef5bd48c7be603f75a7b5346db032a31b470
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 11:40:21 2015 +0200

      qapi: qapi-event.py option -b does nothing, drop it

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit df3e21a0e0edd30ea2e7c9b09b05feaaa297c718
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Apr 2 13:38:48 2015 +0200

      tests: Add missing dependencies on $(qapi-py)

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e3c4c3d796c1147d32f66fa1413d5d7c49d5aa37
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:51:01 2015 -0600

      qapi: Support downstream events and commands

      Enhance the testsuite to cover downstream events and commands.
      Events worked without more tweaks, but commands needed a few final
      updates in the generator to mangle names in the appropriate places.
      In making those tweaks, it was easier to drop type_visitor() and
      inline its actions instead.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d1f07c86c05706facf950b0b0dba370f71fd5ef6
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:51:00 2015 -0600

      qapi: Support downstream alternates

      Enhance the testsuite to cover downstream alternates, including
      whether the branch name or type is downstream.  Update the
      generator to mangle alternate names in the appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 857af5f06c3fb097d1bb6bc8a23b9992aac99e75
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:59 2015 -0600

      qapi: Support downstream flat unions

      Enhance the testsuite to cover downstream flat unions, including
      the base type, discriminator name and type, and branch name and
      type.  Update the generator to mangle the union names in the
      appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit bb33729043ceda56b4068db13bdc17786ebd0ed0
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:58 2015 -0600

      qapi: Support downstream simple unions

      Enhance the testsuite to cover downstream simple unions, including
      when a union branch is a downstream name.  Update the generator to
      mangle the union names in the appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 83a02706bb1fd31c93eab755de543dfe228682d4
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:57 2015 -0600

      qapi: Support downstream structs

      Enhance the testsuite to cover downstream structs, including struct
      members and base structs.  Update the generator to mangle the
      struct names in the appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fce384b8e5193e02421f6b2c2880f3684abcbdc0
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:56 2015 -0600

      qapi: Support downstream enums

      Enhance the testsuite to cover a downstream enum type and enum
      string.  Update the generator to mangle the enum name in the
      appropriate places.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit c6405b54b7b09a876f2f2fba2aa6f8ac87189cb9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:55 2015 -0600

      qapi: Make c_type() consistently convert qapi names

      Continuing the string of cleanups for supporting downstream names
      containing '.', this patch focuses on ensuring c_type() can
      handle a downstream name.  This patch alone does not fix the
      places where generator output should be calling this function
      but was open-coding things instead, but it gets us a step closer.

      In particular, the changes to c_list_type() and type_name() mean
      that type_name(FOO) now handles the case when FOO contains '.',
      '-', or is a ticklish identifier other than a builtin (builtins
      are exempted because ['int'] must remain mapped to 'intList' and
      not 'q_intList').  Meanwhile, ['unix'] now maps to 'q_unixList'
      rather than 'unixList', to match the fact that 'unix' is ticklish;
      however, our naming conventions state that complex types should
      start with a capital, so no type name following conventions will
      ever have the 'q_' prepended.

      Likewise, changes to c_type() mean that c_type(FOO) properly
      handles an enum or complex type FOO with '.' or '-' in the
      name, or is a ticklish identifier (again, a ticklish identifier
      as a type name violates conventions).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d557344628e32771f07e5b6a2a818ee3d8e7a65f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:54 2015 -0600

      qapi: Tidy c_type() logic

      c_type() is designed to be called on both string names and on
      array designations, so 'name' is a bit misleading because it
      operates on more than strings.  Also, no caller ever passes
      an empty string.  Finally, + notation is a bit nicer to read
      than '%s' % value for string concatenation.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 849bc5382e42b3b9590c6a50ba30c2fd2450308c
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:53 2015 -0600

      qapi: Move camel_to_upper(), c_enum_const() to closely related code

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit b42e91484df9772bb0c26aa0f05390a92d564d6f
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:52 2015 -0600

      qapi: Use c_enum_const() in generate_alternate_qtypes()

      Missed in commit b0b5819.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 02e20c7e593363c564aae96e3c5bdc58630ce584
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:51 2015 -0600

      qapi: Simplify c_enum_const()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 7c81c61f9c2274f66ba947eafd9618d60da838a6
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:50 2015 -0600

      qapi: Rename generate_enum_full_value() to c_enum_const()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit fa6068a1e8ef3c878ac9ee2399bb01eeaf61c366
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:49 2015 -0600

      qapi: Rename _generate_enum_string() to camel_to_upper()

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>

  commit 18df515ebbefa9f13474b128b8050d5fa346ea1e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Thu May 14 06:50:48 2015 -0600

      qapi: Rename identical c_fun()/c_var() into c_name()

      Now that the two functions are identical, we only need one of them,
      and we might as well give it a more descriptive name.  Basically,
      the function serves as the translation from a QAPI name into a
      (portion of a) C identifier, without regards to whether it is a
      variable or function name.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 47299262de424af0cb69965d082e5e70b2314183
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu May 14 06:50:47 2015 -0600

      qapi: Fix C identifiers generated for names containing '.'

      c_fun() maps '.' to '_', c_var() doesn't.  Nothing prevents '.' in
      QAPI names that get passed to c_var().

      Which QAPI names get passed to c_fun(), to c_var(), or to both is not
      obvious.  Names of command parameters and struct type members get
      passed to c_var().

      c_var() strips a leading '*', but this cannot happen.  c_fun()
      doesn't.

      Fix c_var() to work exactly like c_fun().

      Perhaps they should be replaced by a single mapping function.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      [add 'import string']
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>

  commit 777abdfe7bb47e582c8eb87dd6cecdf3fd9f86fc
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon May 11 17:17:49 2015 +0200

      doc: fix qmp event type

      Event name for hot unplug errors was wrong.
      Make doc match code.

      Cc: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reported-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 58f88d4b7e9e5578b8dd2c5acfe555b85b35af88
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri May 8 16:04:22 2015 -0300

      qmp: Add qom_path field to query-cpus command

      This will allow clients to query additional information directly using
      qom-get on the CPU objects.

      Reviewed-by: David Gibson <david@xxxxxxxxxxxxxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 1eeace9c237a729d11c7acd7c0338ab4562af637
  Merge: 4d2d2d8 57af728
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed May 13 16:06:07 2015 +0100

      Merge remote-tracking branch 
'remotes/agraf/tags/signed-s390-for-upstream' into staging

      Patch queue for s390 - 2015-05-13

      A few TCG fixes for the s390x target. Nothing special, but with these
      applied I can run most of the SLE12 binaries in Linux-user emulation.

      # gpg: Signature made Wed May 13 13:49:25 2015 BST using RSA key ID 
03FEDC60
      # gpg: Good signature from "Alexander Graf <agraf@xxxxxxx>"
      # gpg:                 aka "Alexander Graf <alex@xxxxxxxxx>"

      * remotes/agraf/tags/signed-s390-for-upstream:
        s390x: Add interlocked access facility 1 instructions
        s390x: Add some documentation in opcode list
        s390x: Fix stoc direction

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4d2d2d8b21779d7becbdffd7cd7983a7ccb55b54
  Merge: 968bb75 e907746
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed May 13 13:57:44 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-cve-pull-request' 
into staging

      # gpg: Signature made Wed May 13 12:52:19 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-cve-pull-request:
        fdc: force the fifo access to be in bounds of the allocated buffer

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 57af7289f276ce70b65f2fbb4981833f04264aac
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Fri May 8 03:07:53 2015 +0200

      s390x: Add interlocked access facility 1 instructions

      We're currently missing all instructions defined by the 
"interlocked-access
      facility 1" which is part of zEC12. This patch implements all of them 
except
      for LPD and LPDG.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 13f67dd5825a7dfd7a4904a5fb0cf0a3f95d2d45
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Fri May 8 03:06:41 2015 +0200

      s390x: Add some documentation in opcode list

      I find it really hard to grasp what each field in the opcode list means.
      Slowly walking through its semantics myself, I figured I'd write a small
      summary at the top of the file to make life easier for me and whoever
      looks at the file next.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit c095ed731ce4fecf166e4ac02ddc606b408f5e1f
  Author: Alexander Graf <agraf@xxxxxxx>
  Date:   Wed Apr 15 03:45:41 2015 +0200

      s390x: Fix stoc direction

      The store conditional instruction wants to store when the condition
      is fulfilled, so we should branch out when it's not true.

      The code today branches out when the condition is true, clearly
      reversing the logic. Fix it up by negating the condition.

      Signed-off-by: Alexander Graf <agraf@xxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit e907746266721f305d67bc0718795fedee2e824c
  Author: Petr Matousek <pmatouse@xxxxxxxxxx>
  Date:   Wed May 6 09:48:59 2015 +0200

      fdc: force the fifo access to be in bounds of the allocated buffer

      During processing of certain commands such as FD_CMD_READ_ID and
      FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
      get out of bounds leading to memory corruption with values coming
      from the guest.

      Fix this by making sure that the index is always bounded by the
      allocated memory.

      This is CVE-2015-3456.

      Signed-off-by: Petr Matousek <pmatouse@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 968bb75c348a401b85e08d5eb1887a3e6c3185f5
  Merge: 19fbe50 5ae79fe
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 12:11:32 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150512' into staging

      target-arm queue:
       * Support TZ and grouping in the GIC
       * hw/sd: sd_reset cleanup
       * armv7m_nvic: fix bug in systick device

      # gpg: Signature made Tue May 12 12:02:26 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150512:
        hw/arm/highbank.c: Wire FIQ between CPU <> GIC
        hw/arm/vexpress.c: Wire FIQ between CPU <> GIC
        hw/arm/virt.c: Wire FIQ between CPU <> GIC
        hw/intc/arm_gic: Add grouping support to gic_update()
        hw/intc/arm_gic: Change behavior of IAR writes
        hw/intc/arm_gic: Change behavior of EOIR writes
        hw/intc/arm_gic: Handle grouping for GICC_HPPIR
        hw/intc/arm_gic: Restrict priority view
        hw/intc/arm_gic: Implement Non-secure view of RPR
        hw/intc/arm_gic: Make ICCICR/GICC_CTLR banked
        hw/intc/arm_gic: Make ICCBPR/GICC_BPR banked
        hw/intc/arm_gic: Make ICDDCR/GICD_CTLR banked
        hw/intc/arm_gic_kvm.c: Save and restore GICD_IGROUPRn state
        hw/intc/arm_gic: Add Interrupt Group Registers
        hw/intc/arm_gic: Switch to read/write callbacks with tx attributes
        hw/intc/arm_gic: Add Security Extensions property
        hw/intc/arm_gic: Create outbound FIQ lines
        hw/sd: Don't pass BlockBackend to sd_reset()
        armv7m_nvic: systick: Reload the RELOAD value and count down only if 
ENABLE bit is set

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5ae79fe825bedc89db8b6bde9d0ed0bb5d59558c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:19 2015 +0100

      hw/arm/highbank.c: Wire FIQ between CPU <> GIC

      Connect FIQ output of the GIC CPU interfaces to the CPUs.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-18-git-send-email-peter.maydell@xxxxxxxxxx

  commit 27192e390d064489dcb23d5fcceb21cabf86d789
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/arm/vexpress.c: Wire FIQ between CPU <> GIC

      Connect FIQ output of the GIC CPU interfaces to the CPUs.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-17-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-3-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: minor format tweak]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8e7b4ca08b968c9e195bcae9c6cb827c8564871a
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/arm/virt.c: Wire FIQ between CPU <> GIC

      Connect FIQ output of the GIC CPU interfaces to the CPUs.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-16-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-4-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: minor format tweak]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit dadbb58f5955053c5f5dc2252a4b183f90d7bfce
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/intc/arm_gic: Add grouping support to gic_update()

      Add support to gic_update() for determining the current IRQ
      and FIQ status when interrupt grouping is supported. This
      simply requires that instead of always raising IRQ we
      check the group of the highest priority pending interrupt
      and the GICC_CTLR.FIQEn bit to see whether we should raise
      IRQ or FIQ.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1430502643-25909-15-git-send-email-peter.maydell@xxxxxxxxxx

  commit c5619bf9e8935aeb972c0bd935549e9ee0a739f2
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/intc/arm_gic: Change behavior of IAR writes

      Grouping (GICv2) and Security Extensions change the behavior of IAR
      reads. Acknowledging Group0 interrupts is only allowed from Secure
      state and acknowledging Group1 interrupts from Secure state is only
      allowed if AckCtl bit is set.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-14-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-14-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: simplify significantly by reusing the existing
       gic_get_current_pending_irq() rather than reimplementing the
       same logic here]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit f9c6a7f1395c6d88a3bb1a0cb48811994709966e
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/intc/arm_gic: Change behavior of EOIR writes

      Grouping (GICv2) and Security Extensions change the behavior of EOIR
      writes. Completing Group0 interrupts is only allowed from Secure state.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-13-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-13-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: Rather than go to great lengths to ignore the UNPREDICTABLE case
       of a Secure EOI of a Group1 (NS) irq with AckCtl == 0, we just let
       it fall through; add a comment about it.]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7c0fa108d918ab818e49c4588ab290004d6b532e
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:18 2015 +0100

      hw/intc/arm_gic: Handle grouping for GICC_HPPIR

      Grouping (GICv2) and Security Extensions change the behaviour of reads
      of the highest priority pending interrupt register (ICCHPIR/GICC_HPPIR).

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-12-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-12-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: make utility fn static; coding style fixes; AckCtl has an effect
       for GICv2 without security extensions as well; removed checks on enable
       bits because these are done when we set current_pending[cpu]]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 8150847061f8d2606101bfff77cc6ec86b081ab0
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Restrict priority view

      GICs with Security Extensions restrict the non-secure view of the
      interrupt priority and priority mask registers.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-11-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-15-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: minor code tweaks; fixed missing masking in gic_set_priority_mask
      and gic_set_priority]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 08efa9f2d1bb27d64fbedcc2879ca45ae6832c20
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Implement Non-secure view of RPR

      For GICs with Security Extensions Non-secure reads have a restricted
      view on the current running priority.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-10-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-11-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: make function static, minor comment tweak]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 32951860834f09d1c1a0b81d8d7d5529e2d0e074
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Make ICCICR/GICC_CTLR banked

      ICCICR/GICC_CTLR is banked in GICv1 implementations with Security
      Extensions or in GICv2 in independent from Security Extensions.
      This makes it possible to enable forwarding of interrupts from
      the CPU interfaces to the connected processors for Group0 and Group1.

      We also allow to set additional bits like AckCtl and FIQEn by changing
      the type from bool to uint32. Since the field does not only store the
      enable bit anymore and since we are touching the vmstate, we use the
      opportunity to rename the field to cpu_ctlr.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-9-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-9-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: rewrote to store state in a single uint32_t rather than
       keeping the NS and S banked variants separate; this considerably
       simplifies the get/set functions]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 822e9cc310484f77e0b1c16fbef763a5d0eec80a
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Make ICCBPR/GICC_BPR banked

      This register is banked in GICs with Security Extensions. Storing the
      non-secure copy of BPR in the abpr, which is an alias to the non-secure
      copy for secure access. ABPR itself is only accessible from secure state
      if the GIC implements Security Extensions.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-8-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-10-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: rewrote to fix style issues and correct handling of GICv2
       without security extensions]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 679aa175e84f5f80b32b307fce5a6b92729e0e61
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Make ICDDCR/GICD_CTLR banked

      ICDDCR/GICD_CTLR is banked if the GIC has the security extensions,
      and the S (or only) copy has separate enable bits for Group0 and
      Group1 enable if the GIC implements interrupt groups.

      EnableGroup0 (Bit [1]) in GICv1 is architecturally IMPDEF. Since this
      bit (Enable Non-secure) is present in the integrated GIC of the Cortex-A9
      MPCore, we support this bit in our GICv1 implementation too.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-7-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-8-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: rewritten to store the state in a single s->ctlr uint32,
       with the NS register handled as an alias of bit 1 in that value;
       added vmstate version bump]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit eb8b9530b0c618d4f2e728eae10d89239d35b0c0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic_kvm.c: Save and restore GICD_IGROUPRn state

      Now that the GIC base class has state fields for the GICD_IGROUPRn
      registers, make kvm_arm_gic_get() and kvm_arm_gic_put() write and
      read them. This allows us to remove the check that made us
      fail migration if the guest had set any of the group register bits.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-6-git-send-email-peter.maydell@xxxxxxxxxx

  commit c27a5ba94874cb3a29e21b3ad4bd5e504aea93b2
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:17 2015 +0100

      hw/intc/arm_gic: Add Interrupt Group Registers

      The Interrupt Group Registers allow the guest to configure interrupts
      into one of two groups, where Group0 are higher priority and may
      be routed to IRQ or FIQ, and Group1 are lower priority and always
      routed to IRQ. (In a GIC with the security extensions Group0 is
      Secure interrupts and Group 1 is NonSecure.)
      The GICv2 always supports interrupt grouping; the GICv1 does only
      if it implements the security extensions.

      This patch implements the ability to read and write the registers;
      the actual functionality the bits control will be added in a
      subsequent patch.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-5-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-7-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: bring GIC_*_GROUP macros into line with the others, ie a
       simple SET/CLEAR/TEST rather than GROUP0/GROUP1;
       utility gic_has_groups() function;
       minor style fixes;
       bump vmstate version]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a9d853533cc1a27dc09b10c7ab89677f9c5dd8f4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      hw/intc/arm_gic: Switch to read/write callbacks with tx attributes

      Switch the GIC's MMIO callback functions to the read_with_attrs
      and write_with_attrs functions which provide MemTxAttrs. This will
      allow the GIC to correctly handle secure and nonsecure register
      accesses.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Message-id: 1430502643-25909-4-git-send-email-peter.maydell@xxxxxxxxxx

  commit 5543d1abb6e218a9d3b8887b777fd3947c86c4cf
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      hw/intc/arm_gic: Add Security Extensions property

      Add a QOM property which allows the GIC Security Extensions to be
      enabled. These are an optional part of the GICv1 and GICv2 architecture.
      This commit just adds the property and some sanity checks that it
      is only enabled on GIC revisions that support it.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-3-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-5-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: changed property name, added checks that it isn't set for
       older GIC revisions or if using the KVM VGIC; reworded commit message]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 44f552964714a41ccd41b5e8ac4cbd2478249db1
  Author: Fabian Aggeler <aggelerf@xxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      hw/intc/arm_gic: Create outbound FIQ lines

      Create the outbound FIQ lines from the GIC to the CPUs; these are
      used if the GIC has security extensions or grouping support.

      Signed-off-by: Fabian Aggeler <aggelerf@xxxxxxx>
      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1430502643-25909-2-git-send-email-peter.maydell@xxxxxxxxxx
      Message-id: 1429113742-8371-2-git-send-email-greg.bellows@xxxxxxxxxx
      [PMM: added FIQ lines to kvm-arm-gic so its interface is the same;
      tweaked commit message]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 16b781aaef69c90d5f4f5456615f0c26a4f45740
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      hw/sd: Don't pass BlockBackend to sd_reset()

      The only valid BlockBackend to pass to sd_reset() is the one for
      the SD card, which is sd->blk. Drop the second argument from this
      function in favour of having it just use sd->blk.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Message-id: 1430683444-9797-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 165cdaf857dc850f676fff0b5b873a51865baa9c
  Author: Adrian Huang <adrianhuang0701@xxxxxxxxx>
  Date:   Tue May 12 11:57:16 2015 +0100

      armv7m_nvic: systick: Reload the RELOAD value and count down only if 
ENABLE bit is set

      Consider the following pseudo code to configure SYSTICK (The
      recommended programming sequence from "the definitive guide to the
      arm cortex-m3"):
          SYSTICK Reload Value Register = 0xffff
          SYSTICK Current Value Register = 0
          SYSTICK Control and Status Register = 0x7

      The pseudo code "SYSTICK Current Value Register = 0" leads to invoking
      systick_reload(). As a consequence, the systick.tick member is updated
      and the systick timer starts to count down when the ENABLE bit of
      SYSTICK Control and Status Register is cleared.

      The worst case is that: during the system initialization, the reset
      value of the SYSTICK Control and Status Register is 0x00000000.
      When the code "SYSTICK Current Value Register = 0" is executed, the
      systick.tick member is accumulated with "(s->systick.reload + 1) *
      systick_scale(s)". The systick_scale() gets the external_ref_clock
      scale because the CLKSOURCE bit of the SYSTICK Control and Status
      Register is cleared. This is the incorrect behavior because of the
      code "SYSTICK Control and Status Register = 0x7". Actually, we want
      the processor clock instead of the external reference clock.

      This incorrect behavior defers the generation of the first interrupt.

      The patch fixes the above-mentioned issue by setting the systick.tick
      member and modifying the systick timer only if the ENABLE bit of
      the SYSTICK Control and Status Register is set.

      In addition, the Cortex-M3 Devices Generic User Guide mentioned that
      "When ENABLE is set to 1, the counter loads the RELOAD value from the
      SYST RVR register and then counts down". This patch adheres to the
      statement of the user guide.

      Signed-off-by: Adrian Huang <adrianhuang0701@xxxxxxxxx>
      Reviewed-by: Jim Huang <jserv.tw@xxxxxxxxx>
      [PMM: minor tweak to comment text]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 19fbe5084c1da6af95177c86e4cab64241d479a8
  Merge: 704eb1c 7db161f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 10:40:31 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/net-pull-request' 
into staging

      # gpg: Signature made Mon May 11 16:25:58 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/net-pull-request:
        rocker: timestamp on the debug logs helps correlate with events in the 
VM
        MAINTAINERS: add rocker
        rocker: add tests
        rocker: add new rocker switch device
        pci: add network device class 'other' for network switches
        pci: add rocker device ID
        rocker: add register programming guide
        virtio-net: use qemu_mac_strdup_printf
        net: add MAC address string printer

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 704eb1c09963149db4a3407d5ba173ba2a9244bb
  Merge: 0403b0f 1ceca07
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 12 09:01:51 2015 +0100

      Merge remote-tracking branch 'remotes/qmp-unstable/tags/for-upstream' 
into staging

      QMP pull request

      # gpg: Signature made Mon May 11 14:15:19 2015 BST using RSA key ID 
E24ED5A7
      # gpg: Good signature from "Luiz Capitulino <lcapitulino@xxxxxxxxx>"

      * remotes/qmp-unstable/tags/for-upstream:
        scripts: qmp-shell: Add verbose flag
        scripts: qmp-shell: add transaction subshell
        scripts: qmp-shell: Expand support for QMP expressions
        scripts: qmp-shell: refactor helpers
        MAINTAINERS: New maintainer for QMP and QAPI
        json-parser: Accept 'null' in QMP
        qobject: Add a special null QObject
        qobject: Clean up around qtype_code
        QJSON: Use OBJECT_CHECK

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0403b0f539f40a21da60409b825b4653b273ab39
  Merge: 266745c bc1f7c4
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 16:21:50 2015 +0100

      Merge remote-tracking branch 'remotes/mst/tags/for_upstream' into staging

      pc, virtio enhancements

      Memory hot-unplug support for pc, MSI-X
      mapping update speedup for virtio-pci,
      misc refactorings and bugfixes.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      # gpg: Signature made Mon May 11 08:23:43 2015 BST using RSA key ID 
D28D5469
      # gpg: Good signature from "Michael S. Tsirkin <mst@xxxxxxxxxx>"
      # gpg:                 aka "Michael S. Tsirkin <mst@xxxxxxxxxx>"

      * remotes/mst/tags/for_upstream: (28 commits)
        acpi: update expected files for memory unplug
        virtio-scsi: Move DEFINE_VIRTIO_SCSI_FEATURES to virtio-scsi
        virtio-net: Move DEFINE_VIRTIO_NET_FEATURES to virtio-net
        pci: Merge pci_nic_init() into pci_nic_init_nofail()
        acpi: add a missing backslash to the \_SB scope.
        qmp-event: add event notification for memory hot unplug error
        acpi: add hardware implementation for memory hot unplug
        acpi: fix "Memory device control fields" register
        acpi: extend aml_field() to support UpdateRule
        acpi, mem-hotplug: add unplug cb for memory device
        acpi, mem-hotplug: add unplug request cb for memory device
        acpi, mem-hotplug: add acpi_memory_slot_status() to get MemStatus
        docs: update documentation for memory hot unplug
        virtio: coding style tweak
        pci: remove hard-coded bar size in msix_init_exclusive_bar()
        virtio-pci: speedup MSI-X masking and unmasking
        virtio: introduce vector to virtqueues mapping
        virtio-ccw: using VIRTIO_NO_VECTOR instead of 0 for invalid virtqueue
        monitor: check return value of qemu_find_net_clients_except()
        monitor: replace the magic number 255 with MAX_QUEUE_NUM
        ...

      Conflicts:
        hw/s390x/s390-virtio-bus.c

      [PMM: fixed conflict in s390_virtio_scsi_properties and
      s390_virtio_net_properties arrays; since the result of the
      two conflicting patches is to empty the property arrays
      completely, the conflict resolution is to remove them entirely.]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 266745cacb848d7cd0ae8889ae262e8718ace4d4
  Merge: 9ad2c8c 3446a11
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 15:07:12 2015 +0100

      Merge remote-tracking branch 
'remotes/bkoppelmann/tags/pull-tricore-20150511' into staging

      TriCore bugfixes

      # gpg: Signature made Mon May 11 13:26:40 2015 BST using RSA key ID 
6B69CA14
      # gpg: Good signature from "Bastian Koppelmann 
<kbastian@xxxxxxxxxxxxxxxxxxxxx>"

      * remotes/bkoppelmann/tags/pull-tricore-20150511:
        target-tricore: fix rfe not restoring the PC
        target-tricore: fix rslcx restoring the upper context instead of the 
lower
        target-tricore: fix BO_OFF10_SEXT calculating the wrong offset
        target-tricore: fix SLR_LD_W and SLR_LD_W_POSTINC insn being a 2 byte 
memory access insted of 4
        target-tricore: Fix LOOP using wrong register for compare

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7db161f6dd144760b2912026d992837ef80ca7e7
  Author: David Ahern <dsahern@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:33 2015 -0700

      rocker: timestamp on the debug logs helps correlate with events in the VM

      Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-10-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit de24d3f1013dbee65b42f34cb825f056647861a5
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:32 2015 -0700

      MAINTAINERS: add rocker

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-9-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 63d2ada2f55a85c3143ecf69a5aeecf6b3f3ffc9
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:31 2015 -0700

      rocker: add tests

      Add some basic test for rocker to test L2/L3/L4 functionality.  Requires 
an
      external test environment, simp, located here:

      https://github.com/scottfeldman/simp

      To run tests, simp environment must be installed and a suitable VM image 
built
      and installed with a Linux 3.18 (or greater) kernel with rocker driver 
support
      enabled.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Message-id: 1426306173-24884-8-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dc488f888060afdc129e0cc8812cf50c4c083423
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:30 2015 -0700

      rocker: add new rocker switch device

      Rocker is a simulated ethernet switch device.  The device supports up to 
62
      front-panel ports and supports L2 switching and L3 routing functions, as 
well
      as L2/L3/L4 ACLs.  The device presents a single PCI device for each 
switch,
      with a memory-mapped register space for device driver access.

      Rocker device is invoked with -device, for example a 4-port switch:

        -device rocker,name=sw1,len-ports=4,ports[0]=dev0,ports[1]=dev1, \
               ports[2]=dev2,ports[3]=dev3

      Each port is a netdev and can be paired with using -netdev id=<port name>.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Acked-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Acked-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
      Message-id: 1426306173-24884-7-git-send-email-sfeldma@xxxxxxxxx

      rocker: fix clang compiler errors

      Consolidate all forward typedef declarations to rocker.h.

      Signed-off-by: David Ahern <dsahern@xxxxxxxxx>
      Acked-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Acked-by: Jiri Pirko <jiri@xxxxxxxxxxx>

      rocker: add support for flow modification

      We had support for flow add/del.  This adds support for flow mod.  I 
needed
      this for L3 support where an existing route is modified using 
NLM_F_REPLACE.
      For example:

        ip route add 12.0.0.0/30 nexthop via 11.0.0.1 dev swp1
        ip route change 12.0.0.0/30 nexthop via 11.0.0.9 dev swp2

      The first cmd adds the route.  The second cmd changes the existing route 
by
      changing its nexthop info.

      In the device, a mod operation results in the matching flow enty being 
modified
      with the new settings.  This is atomic to the device.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit dc407ae8a75d03cf48e114d3812d077fa29a8bd9
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:29 2015 -0700

      pci: add network device class 'other' for network switches

      Rocker is an ethernet switch device, so add 'other' network device class 
as
      defined by PCI to cover these types of devices.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-6-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5dcc26371dcc72976777c51f0251127716a59ed8
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:28 2015 -0700

      pci: add rocker device ID

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-5-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit bbc53c7e2580264fe2b6ea84bd8f3480bcc7c845
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:27 2015 -0700

      rocker: add register programming guide

      This is the register programming guide for the Rocker device.  It's 
intended
      for driver writers and device writers.  It covers the device's PCI space,
      the register set, DMA interface, and interrupts.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Signed-off-by: Jiri Pirko <jiri@xxxxxxxxxxx>
      Message-id: 1426306173-24884-4-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit b0575ba4a52c9259357af29d842950e978306fa4
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:26 2015 -0700

      virtio-net: use qemu_mac_strdup_printf

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1426306173-24884-3-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 890ee6abb385d6508bba7f5273c74a8e43bea6af
  Author: Scott Feldman <sfeldma@xxxxxxxxx>
  Date:   Fri Mar 13 21:09:25 2015 -0700

      net: add MAC address string printer

      We can use this in virtio-net code as well as new Rocker driver code, so
      up-level this.

      Signed-off-by: Scott Feldman <sfeldma@xxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1426306173-24884-2-git-send-email-sfeldma@xxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 1ceca07e48ead0dd2e41576c81d40e6a91cafefd
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Apr 29 15:14:04 2015 -0400

      scripts: qmp-shell: Add verbose flag

      Add a verbose flag that shows the QMP command that was
      constructed, to allow for later copy/pasting, reference,
      debugging, etc.

      The QMP is converted from a Python literal to JSON first,
      to ensure that it is viable input to the actual QMP parser.

      As a side-effect, this JSON output will helpfully show all
      the necessary conversions that were performed on the input,
      illustrating that "True" was transformed back into "true",
      literal values are now escaped with "" instead of '', and so on.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 30bd6815efbaf5bae70885feac9a35e149e2f1ad
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Apr 29 15:14:03 2015 -0400

      scripts: qmp-shell: add transaction subshell

      Add a special processing mode to craft transactions.

      By entering "transaction(" the shell will enter a special
      mode where each subsequent command will be saved as a transaction
      instead of executed as an individual command.

      The transaction can be submitted by entering ")" on a line by itself.

      Examples:

      Separate lines:

      (QEMU) transaction(
      TRANS> block-dirty-bitmap-add node=drive0 name=bitmap1
      TRANS> block-dirty-bitmap-clear node=drive0 name=bitmap0
      TRANS> )

      With a transaction action included on the first line:

      (QEMU) transaction( block-dirty-bitmap-add node=drive0 name=bitmap2
      TRANS> block-dirty-bitmap-add node=drive0 name=bitmap3
      TRANS> )

      As a one-liner, with just one transaction action:

      (QEMU) transaction( block-dirty-bitmap-add node=drive0 name=bitmap0 )

      As a side-effect of this patch, blank lines are now parsed as no-ops,
      regardless of which shell mode you are in.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 6092c3ecc4bdafee5bf07061be78a4a2cc5a5088
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Apr 29 15:14:02 2015 -0400

      scripts: qmp-shell: Expand support for QMP expressions

      This includes support for [] expressions, single-quotes in
      QMP expressions (which is not strictly a part of JSON), and
      the ability to use "True", "False" and "None" literals instead
      of JSON's equivalent true, false, and null literals.

      qmp-shell currently allows you to describe values as
      JSON expressions:
      key={"key":{"key2":"val"}}

      But it does not currently support arrays, which are needed
      for serializing and deserializing transactions:
      key=[{"type":"drive-backup","data":{...}}]

      qmp-shell also only currently accepts doubly quoted strings
      as-per JSON spec, but QMP allows single quotes.

      Lastly, python allows you to utilize "True" or "False" as
      boolean literals, but JSON expects "true" or "false". Expand
      qmp-shell to allow the user to type either, converting to the
      correct type.

      As a consequence of the above, the key=val parsing is also improved
      to give better error messages if a key=val token is not provided.

      CAVEAT: The parser is still extremely rudimentary and does not
      expect to find spaces in {} nor [] expressions. This patch does
      not improve this functionality.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit a7430a0badc59bd6295936e06c1869e8fe32649d
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Wed Apr 29 15:14:01 2015 -0400

      scripts: qmp-shell: refactor helpers

      Refactor the qmp-shell command line processing function
      into two components. This will be used to allow sub-expressions,
      which will assist us in adding transactional support to qmp-shell.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9740618cd2a0ed85b9c1648f05f3066f525f4b2e
  Author: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
  Date:   Tue May 5 10:39:15 2015 -0400

      MAINTAINERS: New maintainer for QMP and QAPI

      Markus is taking over maintership of QMP and the QAPI from
      me. Markus has always been a great reviewer and contributor
      to those subsystems. In the last few months he's also doing
      pull requests that are a lot more relevant than the ones I
      was able to do. So, this is a natural move.

      I'm still the maintainer of HMP and QObjects, but I'm
      looking for someone to take over those too.

      PS: This commit also fixes the file listing for the QMP
          entry.

      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Reviewed-by: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e549e7161f37416ff66971d77d021d30057045ca
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Apr 29 15:35:06 2015 -0600

      json-parser: Accept 'null' in QMP

      We document that in QMP, the client may send any json-value
      for the optional "id" key, and then return that same value
      on reply (both success and failures, insofar as the failure
      happened after parsing the id).  [Note that the output may
      not be identical to the input, as whitespace may change and
      since we may reorder keys within a json-object, but that this
      still constitutes the same json-value].  However, we were not
      handling the JSON literal null, which counts as a json-value
      per RFC 7159.

      Also, down the road, given the QAPI schema of {'*foo':'str'} or
      {'*foo':'ComplexType'}, we could decide to allow the QMP client
      to pass { "foo":null } instead of the current representation of
      { } where omitting the key is the only way to get at the default
      NULL value.  Such a change might be useful for argument
      introspection (if a type in older qemu lacks 'foo' altogether,
      then an explicit "foo":null probe will force an easily
      distinguished error message for whether the optional "foo" key
      is even understood in newer qemu).  And if we add default values
      to optional arguments, allowing an explicit null would be
      required for getting a NULL value associated with an optional
      string that has a non-null default.  But all that can come at a
      later day.

      The 'check-unit' testsuite is enhanced to test that parsing
      produces the same object as explicitly requesting a reference
      to the special qnull object.  In addition, I tested with:

      $ ./x86_64-softmmu/qemu-system-x86_64 -qmp stdio -nodefaults
      {"QMP": {"version": {"qemu": {"micro": 91, "minor": 2, "major": 2}, 
"package": ""}, "capabilities": []}}
      {"execute":"qmp_capabilities","id":null}
      {"return": {}, "id": null}
      {"id":{"a":null,"b":[1,null]},"execute":"quit"}
      {"return": {}, "id": {"a": null, "b": [1, null]}}
      {"timestamp": {"seconds": 1427742379, "microseconds": 423128}, "event": 
"SHUTDOWN"}

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 481b002cc81ed7fc7b06e32e9d4d495d81739d14
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Apr 29 15:35:05 2015 -0600

      qobject: Add a special null QObject

      I'm going to fix the JSON parser to recognize null.  The obvious
      representation of JSON null as (QObject *)NULL doesn't work, because
      the parser already uses it as an error value.  Perhaps we should
      change it to free NULL for null, but that's more than I can do right
      now.  Create a special null QObject instead.

      The existing QDict, QList, and QString all represent something that
      is a pointer in C and could therefore be associated with NULL.  But
      right now, all three of these sub-types are always non-null once
      created, so the new null sentinel object is intentionally unrelated
      to them.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit a7c31816288a8f20fc387d69d441413e7a8c9ff1
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Wed Apr 29 15:35:04 2015 -0600

      qobject: Clean up around qtype_code

      QTYPE_NONE is a sentinel value.  No QObject has this type code.
      Document it properly.

      Fix dump_qobject() to abort() on QTYPE_NONE, just like for any other
      invalid type code.

      Fix to_json() to abort() on all invalid type codes, not just
      QTYPE_MAX.

      Clean up Property member qtype's type: it's a qtype_code.

      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 4cf2d837340589155acfda993c51e66eb5800416
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Sat Apr 25 12:28:06 2015 -0300

      QJSON: Use OBJECT_CHECK

      The QJSON code used casts to (QJSON*) directly, instead of OBJECT_CHECK.
      There were even some functions using object_dynamic_cast() calls
      followed by assert(), which is exactly what OBJECT_CHECK does (by
      calling object_dynamic_cast_assert()).

      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 9ad2c8cd41a086020e21aa6d616b73bd5e2a800b
  Merge: b951cda 0caef8f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 13:54:00 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-05-09' into staging

      trivial patches for 2015-05-09

      # gpg: Signature made Fri May  8 22:58:42 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-05-09:
        docs: update BLOCK_IMAGE_CORRUPTED documentation
        glib-compat.h: change assert to g_assert
        Remove various unused functions
        sheepdog: fix resource leak with sd_snapshot_create
        xhci: remove unused code

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3446a11181c6e8263dbd9c13c28986df4317099e
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue May 5 19:41:10 2015 +0200

      target-tricore: fix rfe not restoring the PC

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit bc72f8aaf23fa11833e0e04c10b5c0e1036c2609
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue May 5 19:39:18 2015 +0200

      target-tricore: fix rslcx restoring the upper context instead of the lower

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 4959d6b3662d94a5add5811ba1ff5243116b8987
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue May 5 19:36:55 2015 +0200

      target-tricore: fix BO_OFF10_SEXT calculating the wrong offset

      The lower part of the combined offset was sign extended and could lead to
      wrong results.

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 7bd0eaec311d188412123a034abb44595deb7dae
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Fri Apr 3 14:29:22 2015 +0200

      target-tricore: fix SLR_LD_W and SLR_LD_W_POSTINC insn being a 2 byte 
memory access insted of 4

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit 250ef8c76861c756354ed1c67f0a4524e5339369
  Author: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
  Date:   Tue Dec 9 16:04:46 2014 +0000

      target-tricore: Fix LOOP using wrong register for compare

      Signed-off-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>

  commit b951cda21d6b232f138ccf008e12bce8ddc95465
  Merge: ec62ad1 ca44148
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 12:01:09 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      - build bugfix from Fam and new configure check from Emilio
      - two improvements to "info mtere" from Gerd
      - KVM support for memory transaction attributes
      - one more small step towards unlocked MMIO dispatch
      - one piece of the qemu-nbd errno fixes
      - trivial-ish patches from Denis and Thomas

      # gpg: Signature made Fri May  8 13:47:29 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream:
        qemu-nbd: only send a limited number of errno codes on the wire
        rules.mak: Force CFLAGS for all objects in DSO
        configure: require __thread support
        exec: move rcu_read_lock/unlock to address_space_translate callers
        kvm: add support for memory transaction attributes
        mtree: also print disabled regions
        mtree: tag & indent a bit better
        apic_common: improve readability of apic_reset_common
        kvm: Silence warning from valgrind

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ec62ad1e27ffd1f7ff2172a916d161cc385e73bd
  Merge: 4ae740c 1271f7f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 10:43:08 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150508-1' 
into staging

      gtk: add ui_info support, cleanups + fixes.

      # gpg: Signature made Fri May  8 12:47:04 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150508-1:
        gtk: update mouse position in mouse_set()
        gtk: create gtk.h
        gtk: add ui_info support
        console: add dpy_ui_info_supported
        console: delayed ui_info guest notification

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4ae740cc0e4a123047b40c373e699e28031d420e
  Merge: fc85cf4 ca5a21c
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon May 11 09:42:20 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-usb-20150508-1' 
into staging

      usb: qomify, bugfixes for xhci & uhci.

      # gpg: Signature made Fri May  8 12:39:28 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-usb-20150508-1:
        uhci: controller is halted after reset
        usb: usb-serial QOMify
        usb: usb-redir QOMify
        usb: usb-wacom-tablet QOMify
        usb: usb-uas QOMify
        usb: usb-storage QOMify
        usb: usb-ccid QOMify
        usb: usb-net QOMify
        usb-mtp: fix segmentation fault
        usb: usb-mtp QOMify
        usb: usb-hub QOMify
        usb: usb-hid QOMify
        usb: usb-bt QOMify
        usb: usb-audio QOMify
        uhci: QOMify
        xhci: fix events for setup trb.
        Revert "xhci: generate a Transfer Event for each Transfer TRB with the 
IOC bit set"
        xhci: set timer to retry xfers
        usb: fix usb-net segfault

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit bc1f7c4c915a7c727741c4d27a2795e1039eacd3
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon May 11 09:21:37 2015 +0200

      acpi: update expected files for memory unplug

      commit c06b2ffb02bfcc642c67300d2c4dffd5aa54932b
          acpi: add hardware implementation for memory hot unplug

      Changed both the DSDT and the SSDT. Update the expected files
      accordingly.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit fc85cf4a8199a657fdfd5fb902f1835973406454
  Merge: f8340b3 3cda44f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun May 10 21:40:54 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150508' into 
staging

      Assorted s390x patches:
      - updates for virtio-ccw and s390-virtio, making them more similar
        to virtio-pci
      - improvements regarding per-vcpu interrupts and migration

      # gpg: Signature made Fri May  8 09:45:09 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150508:
        s390x/kvm: migrate vcpu interrupt state
        s390x: move fpu regs into a subsection of the vmstate
        s390x/kvm: use ioctl KVM_S390_IRQ for vcpu interrupts
        virtio-ccw: implement ->device_plugged
        virtio-ccw: change realization sequence
        s390-virtio: clear {used,avail}_event_idx on reset as well
        s390-virtio: use common features
        s390-virtio: Accommodate guests using virtqueues too early

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ca4414804114fd0095b317785bc0b51862e62ebb
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu May 7 17:25:10 2015 +0200

      qemu-nbd: only send a limited number of errno codes on the wire

      Right now, NBD includes potentially platform-specific error values in
      the wire protocol.

      Luckily, most common error values are more or less universal: in
      particular, of all errno values <= 34 (up to ERANGE), they are all the
      same on supported platforms except for 11 (which is EAGAIN on Windows and
      Linux, but EDEADLK on Darwin and the *BSDs).  So, in order to guarantee
      some portability, only keep a handful of possible error codes and squash
      everything else to EINVAL.

      This patch defines a limited set of errno values that are valid for the
      NBD protocol, and specifies recommendations for what error to return
      in specific corner cases.  The set of errno values is roughly based on
      the errors listed in the read(2) and write(2) man pages, with some
      exceptions:

      - ENOMEM is added for servers that implement copy-on-write or other
        formats that require dynamic allocation.

      - EDQUOT is not part of the universal set of errors; it can be changed
        to ENOSPC on the wire format.

      - EFBIG is part of the universal set of errors, but it is also changed
        to ENOSPC because it is pretty similar to ENOSPC or EDQUOT.

      Incoming values will in general match system errno values, but not
      on the Hurd which has different errno values (they have a "subsystem
      code" equal to 0x10 in bits 24-31).  The Hurd is probably not something
      to which QEMU has been ported, but still do the right thing and
      reverse-map the NBD errno values to the system errno values.

      The corresponding patch to the NBD protocol description can be found at
      http://article.gmane.org/gmane.linux.drivers.nbd.general/3154.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit d24697e1824467f3921c84a94f011f43d6466403
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu May 7 14:55:15 2015 +0800

      rules.mak: Force CFLAGS for all objects in DSO

      Because of the trick of process-archive-undefs, all .mo objects, even
      with --enable-modules, are dependencies of executables.

      This breaks CFLAGS propogation because the compiling of module object
      will happen too early before building for DSO.

      With GCC 5, the linking would fail because .o doesn't have -fPIC. Also,
      BUILD_DSO will be missed. (module-common.o will have it, so the stamp
      symbol was still liked in .so).

      Fix the problem by forcing the CFLAGS on individual .o-cflags during
      unnest-vars.

      Reported-by: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx # 2.3
      Message-Id: <1430981715-31465-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0caef8f6df4a9426bd6333ab843ce51ce005d7d0
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Thu May 7 17:58:26 2015 +0300

      docs: update BLOCK_IMAGE_CORRUPTED documentation

      Label the "size" and "offset" fields in BLOCK_IMAGE_CORRUPTED as
      optional, and clarify that the latter refers to the host's offset into
      the image.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f20f2a1f339b99f5b840367236ddce9d9736247c
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Thu May 7 13:38:02 2015 +0300

      glib-compat.h: change assert to g_assert

      include/glib-compat.h defines a bunch of functions based on glib 
primitives,
      and uses assert() without including assert.h.  Replace assert() with
      g_assert() to make the file more self-contained, and to fix compilation
      breakage after 28507a415a9b1e.

      Reported-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Tested-by: Laurent Desnogues <laurent.desnogues@xxxxxxxxx>

  commit ac9541579eb95b0b8c93ca58d0a074e1f22cd55a
  Author: Thomas Huth <huth@xxxxxxxxxxxxx>
  Date:   Sun May 3 10:47:22 2015 +0200

      Remove various unused functions

      The functions tpm_backend_thread_tpm_reset() and iothread_find()
      are completely unused, let's remove them.

      Signed-off-by: Thomas Huth <huth@xxxxxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 973a8529c54f9e4410a0e4a18ca1dcb2b085ca7e
  Author: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
  Date:   Tue May 5 09:48:03 2015 +0800

      sheepdog: fix resource leak with sd_snapshot_create

      Signed-off-by: zhanghailiang <zhang.zhanghailiang@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit e5a88b0cf3c902d6e9b342a90f0a4a4d5d954f7a
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Apr 28 17:11:03 2015 +0800

      xhci: remove unused code

      Value from xfer->packet.ep is assigned to ep here, but that
      stored value is not used before it is overwritten. Remove it.

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ca5a21c40d95d7a4e26ea0a304fd2cd8ad4e6ae1
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu May 7 09:24:00 2015 +0200

      uhci: controller is halted after reset

      ... and the status register should say so.

      Fixes "usbus0: controller did not stop" error printed by freebsd.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit cdf0d7694d877f19936d7404fd10b580f6e9a9b1
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:36 2015 +0800

      usb: usb-serial QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d371cbc778e1868b18faa8d6764602b1f4806100
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:35 2015 +0800

      usb: usb-redir QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 924e567e1e6641f4af7e927f9c420cc7b4464073
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:34 2015 +0800

      usb: usb-wacom-tablet QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0b06d099b0ab9b055414508ca55133b200d675f8
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:33 2015 +0800

      usb: usb-uas QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 79e2590cbf9887a99a65d2aa62da78c6dfd9cdb8
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:32 2015 +0800

      usb: usb-storage QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 61b4887b41b270bc837ead57bc502d904af023bb
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:31 2015 +0800

      usb: usb-ccid QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit fe47db72210dc17b794954f978ef1d1236cbeb72
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:30 2015 +0800

      usb: usb-net QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e60baebd409d547292c778d599111ea1623dd4b5
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:29 2015 +0800

      usb-mtp: fix segmentation fault

      When x-root property not be configured, will cause segfault
      because of null pointer accessing. Add a check for s->root
      property avoid segfault.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 7c03a899e6e4030a88bd42c4d494e3a7521806ea
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:28 2015 +0800

      usb: usb-mtp QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit e81b13ad94803bf13491bb71c8a76a5d7db9ddf1
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:27 2015 +0800

      usb: usb-hub QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f56691295e38429bbfe476d57676c53bcb1fd437
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:26 2015 +0800

      usb: usb-hid QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit a293e82bbef666f66be733993e276998319568e1
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:25 2015 +0800

      usb: usb-bt QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0389a0b10967b639ac7444453274b910a4b6f2ed
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:24 2015 +0800

      usb: usb-audio QOMify

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 49184b6253a50385c5e934cc4eb813b79cc956f2
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Wed May 6 20:55:23 2015 +0800

      uhci: QOMify

      Cc: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit df0f1692db9236a469496cc09fc7bd5faf31efad
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 28 09:31:44 2015 +0200

      xhci: fix events for setup trb.

      When we find a IOC bit set on a setup trb and therefore queue an event,
      that should not stop events being generated for following data trbs.
      So clear the 'reported' flag.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 88dbed3f5946b74cf02c1bb0082b8c50037720ea
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 28 09:19:35 2015 +0200

      Revert "xhci: generate a Transfer Event for each Transfer TRB with the 
IOC bit set"

      This makes xhci generate multiple short packet events in case of
      multi-trb transfers.  Which is wrong.  We need to fix this in a
      different way.

      This reverts commit aa6857891df614c620e6e9fc4bc4af6e0e49cafd.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 4e8cfbe1143d8384387595b500212d7a7f11aeae
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 28 09:19:14 2015 +0200

      xhci: set timer to retry xfers

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 278412d0e710e2e848c6e510f8308e5b1ed4d03e
  Author: Michal Kazior <michal.kazior@xxxxxxxxx>
  Date:   Wed Apr 29 11:34:59 2015 +0000

      usb: fix usb-net segfault

      The dev->config pointer isn't set until guest
      system initializes usb devices (via
      usb_desc_set_config). However qemu networking can
      go through some motions prior to that, e.g.:

       #0  is_rndis (s=0x555557261970) at hw/usb/dev-network.c:653
       #1  0x000055555585f723 in usbnet_can_receive (nc=0x55555641e820) at 
hw/usb/dev-network.c:1315
       #2  0x000055555587635e in qemu_can_send_packet (sender=0x5555572660a0) 
at net/net.c:470
       #3  0x0000555555878e34 in net_hub_port_can_receive (nc=0x5555562d7800) 
at net/hub.c:101
       #4  0x000055555587635e in qemu_can_send_packet (sender=0x5555562d7980) 
at net/net.c:470
       #5  0x000055555587dbca in tap_can_send (opaque=0x5555562d7980) at 
net/tap.c:172

      The command to reproduce most reliably was:

       qemu-system-i386 -usb -device usb-net,vlan=0 -net tap,vlan=0

      This wasn't strictly a problem with tap. Other
      networking endpoints (vde, user) could trigger
      this problem as well.

      Fixes: https://bugs.launchpad.net/qemu/+bug/1050823
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Michal Kazior <michal.kazior@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 768b7855c86c4f46b605183ae9451e9af64ca288
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Wed Apr 29 13:09:02 2015 +0200

      configure: require __thread support

      The codebase doesn't build without __thread support.
      Formalise this requirement by adding a check for it in the
      configure script.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3cda44f7bae5c9feddc11630ba6eecb2e3bed425
  Author: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Mar 2 17:44:24 2015 +0100

      s390x/kvm: migrate vcpu interrupt state

      This patch adds support to migrate vcpu interrupts.
      We use ioctl KVM_S390_GET_IRQ_STATE and _SET_IRQ_STATE
      to get/set the complete interrupt state for a vcpu.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 46c804def4bda2491c546e8e33b86fe4981e4b68
  Author: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
  Date:   Mon Mar 30 13:22:47 2015 +0200

      s390x: move fpu regs into a subsection of the vmstate

      Let's move the floating point registers into a seperate subsection and
      bump up the version id. This cleans up the current vmstate and will
      allow for a future extension with vector registers in a compatible way.

      This patch is based on a patch from Eric Farman.

      Reviewed-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 1191c94963f36b3f9631fcd1ec2e9296631b407e
  Author: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Dec 18 17:38:05 2014 +0100

      s390x/kvm: use ioctl KVM_S390_IRQ for vcpu interrupts

      KVM_S390_INT uses only two parameter fields. This is not
      enough to pass all required information for certain interrupts.

      A new ioctl KVM_S390_IRQ is available which allows us to
      inject all local interrupts as defined in the Principles of
      Operation. It takes a struct kvm_s390_irq as a parameter
      which can store interrupt payload data for all interrupts.

      Let's use the new ioctl for injecting vcpu interrupts.

      Tested-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit fb846a094fdee7bb6a88b48aeed0d97a8080a20d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Apr 21 16:36:56 2015 +0200

      virtio-ccw: implement ->device_plugged

      Let's move operations that are only valid after the backend has been
      realized to a ->device_plugged callback, just as virtio-pci does.
      Also reorder setting up the host feature bits to the sequence used
      by virtio-pci.

      While we're at it, also add a ->device_unplugged callback to stop
      ioeventfd, just to be on the safe side.

      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Message-Id: <1429627016-30656-3-git-send-email-cornelia.huck@xxxxxxxxxx>

  commit 1fa755234e24697cc76f326782edbb09bd0a3a53
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Apr 21 16:36:55 2015 +0200

      virtio-ccw: change realization sequence

      virtio-ccw has an odd sequence of realizing devices: first the
      device-specific relization (net, block, ...), then the generic
      realization. It feels less odd to have the generic realization
      callback trigger the device-specific realization instead (and this
      also matches what virtio-pci does).

      One thing to note: We need to defer initializing the cu model in the
      sense id data until after the device-specific realization has been
      performed, as we need to refer to the virtio device's device_id.

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Message-Id: <1429627016-30656-2-git-send-email-cornelia.huck@xxxxxxxxxx>

  commit 77ae0b2a6e731ab7b97e9fae401c579397edb31c
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Mon May 4 15:27:25 2015 +0200

      s390-virtio: clear {used,avail}_event_idx on reset as well

      The old s390-virtio transport clears the vring used/avail indices in
      the shared area on reset. When we enabled event_idx for virtio-blk, we
      noticed that this is not enough: We also need to clear the published
      used/avail event indices, or reboot will fail.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f50616a81b7f88a9adac16f3ea0236311a748eca
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Wed Apr 29 15:30:58 2015 +0200

      s390-virtio: use common features

      We used to avoid enabling event_idx for virtio-blk devices via
      s390-virtio, but we now have a workaround in place for guests trying
      to use the device before setting DRIVER_OK. Therefore, let's add
      DEFINE_VIRTIO_COMMON_FEATURES to the base device so all devices get
      those common features - and make s390-virtio use the same mechanism
      as the other transports do.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit cb927b8aee7c3993a43cb829f7341071f873857b
  Author: Christian Borntraeger <borntraeger@xxxxxxxxxx>
  Date:   Thu Apr 30 17:53:13 2015 +0200

      s390-virtio: Accommodate guests using virtqueues too early

      Feature updates are not a synchronuous operation for the legacy
      s390-virtio transport. This transport syncs the guest feature bits
      (those from finalize) on the set_status hypercall. Before that qemu
      thinks that features are zero, which means QEMU will misbehave, e.g.
      it will not write the event index, even if the guest asks for it.

      Let's detect the case where a kick happens before the driver is ready
      and force sync the features.
      With this workaround, it is now safe to switch to the common feature
      bit handling code as used by all other transports.

      Signed-off-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f8340b360b9bc29d48716ba8aca79df2b9544979
  Author: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
  Date:   Wed Sep 10 18:33:58 2014 +1000

      hw/ptimer: Do not artificially limit timers when using icount

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 838686357b1a175e9a32569700a153b207a9e10f
  Merge: 38003ae 362ba4e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu May 7 18:22:03 2015 +0100

      Merge remote-tracking branch 
'remotes/juanquintela/tags/migration/20150507-1' into staging

      migration/next for 20150507

      # gpg: Signature made Thu May  7 17:42:19 2015 BST using RSA key ID 
5872D723
      # gpg: Good signature from "Juan Quintela <quintela@xxxxxxxxxx>"
      # gpg:                 aka "Juan Quintela <quintela@xxxxxxxxxx>"

      * remotes/juanquintela/tags/migration/20150507-1:
        migration: Fix migration state update issue
        migration: avoid divide by zero in xbzrle cache miss rate
        migration: Add hmp interface to set and query parameters
        migration: Add qmp commands to set and query parameters
        migration: Use an array instead of 3 parameters
        migration: Add interface to control compression
        migration: Add the core code for decompression
        migration: Make compression co-work with xbzrle
        migration: Add the core code of multi-thread compression
        migration: Split save_zero_page from ram_save_page
        arch_init: Add and free data struct for decompression
        arch_init: Alloc and free data struct for compression
        qemu-file: Add compression functions to QEMUFile
        migration: Add the framework of multi-thread decompression
        migration: Add the framework of multi-thread compression
        docs: Add a doc about multiple thread compression

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 362ba4e3ee801e8f5e28d72d0009547384222927
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Fri May 8 02:31:22 2015 +0800

      migration: Fix migration state update issue

      If live migration is very fast and can be completed in 1 second,
      the dirty_sync_count of MigrationState will not be updated.
      Then you will see "dirty sync count: 0" in qemu monitor even if
      the actual dirty sync count is not 0.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 27ff42e29a1d12e9d9dbc473bbca36a50baf278b
  Author: Michael Chapman <mike@xxxxxxxxxxxxxxxxx>
  Date:   Wed Apr 15 13:59:14 2015 +1000

      migration: avoid divide by zero in xbzrle cache miss rate

      This bug manifested itself as a VM that could not be resumed by libvirt
      following a migration:

        # virsh resume example
        error: Failed to resume domain example
        error: internal error: cannot parse json {"return":
          {"xbzrle-cache":
            {..., "cache-miss-rate": -nan, ...},
            ...
          }
        }: lexical error: malformed number, a digit is required after the minus 
sign.

      This patch also ensures xbzrle_cache_miss_prev and iterations_prev are
      cleared at the start of the migration.

      Signed-off-by: Michael Chapman <mike@xxxxxxxxxxxxxxxxx>
      Reviewed-by: Amit Shah <amit.shah@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 50e9a629c6c92e73260cd3d7c2e3f5bfd84e47e2
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:29 2015 +0800

      migration: Add hmp interface to set and query parameters

      Add the hmp interface to tune and query the parameters used in
      live migration.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 85de83231ecde075c6b25897f2e74cd1767880e3
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:28 2015 +0800

      migration: Add qmp commands to set and query parameters

      Add the qmp commands to tune and query the parameters used in live
      migration.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 43c60a81ba15ea040709be5809a279a4ca59b26b
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:27 2015 +0800

      migration: Use an array instead of 3 parameters

      Put the three parameters related to multiple thread (de)compression
      into an int array, and use an enum type to index the parameter.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit dde4e694ae576462990b2ce711e62565e085c261
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:26 2015 +0800

      migration: Add interface to control compression

      The multiple compression threads can be turned on/off through
      qmp and hmp interface before doing live migration.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 68ae113646dc84637359472e89669e5547dc5ee3
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:25 2015 +0800

      migration: Add the core code for decompression

      Implement the core logic of multiple thread decompression,
      the decompression can work now.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 98f1138902195bd9ab8a753d0ee2cf2a0a88b6e8
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:24 2015 +0800

      migration: Make compression co-work with xbzrle

      Now, multiple thread compression can co-work with xbzrle. when
      xbzrle is on, multiple thread compression will only work at the
      first round of RAM data sync.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 20eb617eacf7a0ce76d9dd10ff246d6ae7f0b4e1
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:23 2015 +0800

      migration: Add the core code of multi-thread compression

      Implement the core logic of the multiple thread compression. At this
      point, multiple thread compression can't co-work with xbzrle yet.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit e2102428c09901788a5e585f32f9e805137f5967
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:22 2015 +0800

      migration: Split save_zero_page from ram_save_page

      Split the function save_zero_page from ram_save_page so that we can
      reuse it later.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 3caf633dbde8a347cff49e960691c7fa6a82afa1
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:21 2015 +0800

      arch_init: Add and free data struct for decompression

      Define the data structure and variables used to do multiple thread
      decompression, and add the code to initialize and free them.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 474ddaf6e3aebc470f4665ef4f7ce6578448c6d1
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:20 2015 +0800

      arch_init: Alloc and free data struct for compression

      Define the data structure and variables used to do multiple thread
      compression, and add the code to initialize and free them.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 44f0eadc338f55d3bffe4fccefb1d4241defa418
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:19 2015 +0800

      qemu-file: Add compression functions to QEMUFile

      qemu_put_compression_data() compress the data and put it to QEMUFile.
      qemu_put_qemu_file() put the data in the buffer of source QEMUFile to
      destination QEMUFile.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 3fcb38c223510cf88c6101f5d218ce0840d1354c
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:18 2015 +0800

      migration: Add the framework of multi-thread decompression

      Add the code to create and destroy the multiple threads those will be
      used to do data decompression. Left some functions empty just to keep
      clearness, and the code will be added later.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 8706d2d566cbf4bad2c5597bb57358e3d5f5caf0
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:17 2015 +0800

      migration: Add the framework of multi-thread compression

      Add the code to create and destroy the multiple threads those will
      be used to do data compression. Left some functions empty to keep
      clearness, and the code will be added later.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 263170e679dfb456f8812a0100073990586cecb5
  Author: Liang Li <liang.z.li@xxxxxxxxx>
  Date:   Mon Mar 23 16:32:16 2015 +0800

      docs: Add a doc about multiple thread compression

      Give some details about the multiple thread (de)compression and
      how to use it in live migration.

      Signed-off-by: Liang Li <liang.z.li@xxxxxxxxx>
      Signed-off-by: Yang Zhang <yang.z.zhang@xxxxxxxxx>
      Reviewed-by: Dr.David Alan Gilbert <dgilbert@xxxxxxxxxx>
      Reviewed-by: Juan Quintela <quintela@xxxxxxxxxx>
      Signed-off-by: Juan Quintela <quintela@xxxxxxxxxx>

  commit 38003aee196a96edccd4d64471beb1b67e9b2b17
  Merge: 233353e 00c8fa9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed May 6 11:16:35 2015 +0100

      Merge remote-tracking branch 'remotes/rth/tags/tcg-next-20150505' into 
staging

      size reduction merge

      # gpg: Signature made Wed May  6 00:21:43 2015 BST using RSA key ID 
4DD0279B
      # gpg: Good signature from "Richard Henderson <rth7680@xxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxx>"
      # gpg:                 aka "Richard Henderson <rth@xxxxxxxxxxx>"

      * remotes/rth/tags/tcg-next-20150505:
        tcg: optimise memory layout of TCGTemp

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 1271f7f7c60e0b0a3cc031921008a69dfd53bd34
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Jul 1 19:12:45 2014 +0200

      gtk: update mouse position in mouse_set()

      Without that the next mouse motion event uses the old position
      as base for relative move calculation, giving wrong results and
      making your mouse pointer jump around.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit dc7ff344187db6a94294a87d63cf8332e8ed0e6f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Mar 4 15:37:27 2015 +0100

      gtk: create gtk.h

      Move various gtk bits (includes, data structures) to a header file.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1301e515eff267d4b8684e74a5b2c1b5cf03f103
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 13 12:47:00 2015 +0100

      gtk: add ui_info support

      Pass new display size to the guest after window resizes.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b7fb49f0c709a406f79372be397367ff2550373b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Mar 13 12:21:14 2015 +0100

      console: add dpy_ui_info_supported

      Allow ui code to check whenever the emulated
      display supports display change notifications.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit cf1ecc82ab84dbfb4b6eea02c329bf9c2aa856ec
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu Mar 12 12:51:13 2015 +0100

      console: delayed ui_info guest notification

      So we don't flood the guest with display change notifications
      while the user resizes the window.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 233353ec93e4541fa7ab1c53a922a6d5c2bfce7a
  Merge: 874e9ae ff55d72
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 5 18:22:12 2015 +0100

      Merge remote-tracking branch 'remotes/armbru/tags/pull-qmp-2015-05-05' 
into staging

      drop qapi nested structs

      # gpg: Signature made Tue May  5 17:40:40 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-qmp-2015-05-05: (40 commits)
        qapi: Check for member name conflicts with a base class
        qapi: Support (subset of) \u escapes in strings
        qapi: Tweak doc references to QMP when QGA is also meant
        qapi: Drop dead visitor code related to nested structs
        qapi: Drop support for inline nested types
        qapi: Drop inline nested structs in query-pci
        qapi: Drop inline nested struct in query-version
        qapi: Drop tests for inline nested structs
        qapi: Merge UserDefTwo and UserDefNested in tests
        qapi: Forbid 'type' in schema
        qapi: Use 'struct' instead of 'type' in schema
        qapi: Document 'struct' metatype
        qapi: Prefer 'struct' over 'type' in generator
        qapi: More rigorous checking for type safety bypass
        qapi: Whitelist commands that don't return dictionary
        qapi: Require valid names
        qapi: More rigourous checking of types
        qapi: Add some type check tests
        qapi: Unify type bypass and add tests
        qapi: Allow true, false and null in schema json
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ff55d72eaf9628e7d58e7b067b361cdbf789c9f4
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:37 2015 -0600

      qapi: Check for member name conflicts with a base class

      Our type inheritance for both 'struct' and for flat 'union' merges
      key/value pairs from the base class with those from the type in
      question.  Although the C code currently boxes things so that there
      is a distinction between which member is referred to, the QMP wire
      format does not allow passing a key more than once in a single
      object.  Besides, if we ever change the generated C code to not be
      quite so boxy, we'd want to avoid duplicate member names there,
      too.

      Fix a testsuite entry added in an earlier patch, as well as adding
      a couple more tests to ensure we have appropriate coverage.  Ensure
      that collisions are detected, regardless of whether there is a
      difference in opinion on whether the member name is optional.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit a7f5966b297330f6492020019544ae87c45d699b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:36 2015 -0600

      qapi: Support (subset of) \u escapes in strings

      The handling of \ inside QAPI strings was less than ideal, and
      really only worked JSON's \/, \\, \", and our extension of \'
      (an obvious extension, when you realize we use '' instead of ""
      for strings).  For other things, like '\n', it resulted in a
      literal 'n' instead of a newline.

      Of course, at the moment, we really have no use for escaped
      characters, as QAPI has to map to C identifiers, and we currently
      support ASCII only for that.  But down the road, we may add
      support for default values for string parameters to a command
      or struct; if that happens, it would be nice to correctly support
      all JSON escape sequences, such as \n or \uXXXX.  This gets us
      closer, by supporting Unicode escapes in the ASCII range.

      Since JSON does not require \OCTAL or \xXX escapes, and our QMP
      implementation does not understand them either, I intentionally
      reject it here, but it would be an easy addition if we desired it.
      Likewise, intentionally refusing the NUL byte means we don't have
      to worry about C strings being shorter than the qapi input.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 363b4262a10a52f6d7ac1073bab5e6648da4051b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:35 2015 -0600

      qapi: Tweak doc references to QMP when QGA is also meant

      We have more than one qapi schema in use by more than one protocol.
      Add a new term 'Client JSON Protocol' for use throughout the
      document, to avoid confusion on whether something refers only to
      QMP and not QGA.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit a82b982e2bddf7cd7cb490f83643e952e17d4523
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:34 2015 -0600

      qapi: Drop dead visitor code related to nested structs

      Now that we no longer have nested structs to visit, the use of
      prefix strings is no longer required.  Remove the code that is
      no longer reachable.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6b5abc7df7ef9aadb3ff0eba6ccf4f1f0181e2e1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:33 2015 -0600

      qapi: Drop support for inline nested types

      A future patch will be using a 'name':{dictionary} entry in the
      QAPI schema to specify a default value for an optional argument
      (see previous commit messages for more details why); but existing
      use of inline nested structs conflicts with that goal. Now that
      all commands have been changed to avoid inline nested structs,
      nuke support for them, and turn it into a hard error. Update the
      testsuite to reflect tighter parsing rules.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9fa02cd194a131aca75ab646ece975b6835400e1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:32 2015 -0600

      qapi: Drop inline nested structs in query-pci

      A future patch will be using a 'name':{dictionary} entry in the
      QAPI schema to specify a default value for an optional argument
      (see previous commit message for more details why); but existing
      use of inline nested structs conflicts with that goal. This patch
      fixes one of only two commands relying on nested types, by
      breaking the nesting into an explicit type; it means that the
      type is now boxed instead of unboxed in C code, but the QMP wire
      format is unaffected by this change.

      Prefer the safer g_new0() while making the conversion, and reduce
      some long lines.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 4752cdbbf330ac7c593a6f337b97a79648f3f878
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:31 2015 -0600

      qapi: Drop inline nested struct in query-version

      A future patch will be using a 'name':{dictionary} entry in the
      QAPI schema to specify a default value for an optional argument
      (see previous commit message for more details why); but existing
      use of inline nested structs conflicts with that goal. This patch
      fixes one of only two commands relying on nested types, by
      breaking the nesting into an explicit type; it means that the
      type is now boxed instead of unboxed in C code, but the QMP wire
      format is unaffected by this change.

      Prefer the safer g_new0() while making the conversion.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6446a592760155bb3e2e248d56bab97a34af0336
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:30 2015 -0600

      qapi: Drop tests for inline nested structs

      A future patch will be using a 'name':{dictionary} entry in the
      QAPI schema to specify a default value for an optional argument;
      but existing use of inline nested structs conflicts with that goal.

      More precisely, a definition in the QAPI schema associates a name
      with a set of properties:

      Example 1: { 'struct': 'Foo', 'data': { MEMBERS... } }
      associates the global name 'Foo' with properties (meta-type struct)
      and MEMBERS...

      Example 2: 'mumble': TYPE
      within MEMBERS... above associates 'mumble' with properties (type
      TYPE) and (optional false) within type Foo

      The syntax of example 1 is extensible; if we need another property,
      we add another name/value pair to the dictionary (such as
      'base':TYPE).  The syntax of example 2 is not extensible, because
      the right hand side can only be a type.

      We have used name encoding to add a property: "'*mumble': 'int'"
      associates 'mumble' with (type int) and (optional true).  Nice,
      but doesn't scale.  So the solution is to change our existing uses
      to be syntactic sugar to an extensible form:

         NAME: TYPE   --> NAME:  { 'type': TYPE, 'optional': false }
         *ONAME: TYPE --> ONAME: { 'type': TYPE, 'optional': true }

      This patch fixes the testsuite to avoid inline nested types, by
      breaking the nesting into explicit types; it means that the type
      is now boxed instead of unboxed in C code, but makes no difference
      on the wire (and if desired, a later patch could change the
      generator to not do so much boxing in C).  When touching code to
      add new allocations, also convert existing allocations to
      consistently prefer typesafe g_new0 over g_malloc0 when a type
      name is involved.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b6fcf32d9b851a83dedcb609091236b97cc4a985
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:29 2015 -0600

      qapi: Merge UserDefTwo and UserDefNested in tests

      In the testsuite, UserDefTwo and UserDefNested were identical
      structs other than the member names.  Reduce code duplication by
      having just one type, and choose names that also favor reuse.
      This will also make it easier for a later patch to get rid of
      inline nested types in QAPI.  When touching code related to
      allocations, convert g_malloc0(sizeof(Type)) to the more typesafe
      g_new0(Type, 1).

      Ensure that 'make check-qapi-schema check-unit' still passes.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3e391d355644b2bff7c9f187759aadb46c6e051f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:28 2015 -0600

      qapi: Forbid 'type' in schema

      Referring to "type" as both a meta-type (built-in, enum, union,
      alternate, or struct) and a specific type (the name that the
      schema uses for declaring structs) is confusing.  Finish up the
      conversion to using "struct" in qapi schema by removing the hack
      in the generator that allowed 'type'.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 895a2a80e0e054f0d5d3715aa93d10d15e49f9f7
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:27 2015 -0600

      qapi: Use 'struct' instead of 'type' in schema

      Referring to "type" as both a meta-type (built-in, enum, union,
      alternate, or struct) and a specific type (the name that the
      schema uses for declaring structs) is confusing.  Do the bulk of
      the conversion to "struct" in qapi schema, with a fairly
      mechanical:

      for f in `find -name '*.json'; do sed -i "s/'type'/'struct'/"; done

      followed by manually filtering out the places where we have a
      'type' embedded in 'data'.  Then tweak a couple of tests whose
      output changes slightly due to longer lines.

      I also verified that the generated files for QMP and QGA (such
      as qmp-commands.h) are the same before and after, as assurance
      that I didn't leave in any accidental member name changes.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3b2a8b85322f3677525a65c0b35deadf45fb704b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:26 2015 -0600

      qapi: Document 'struct' metatype

      Referring to "type" as both a meta-type (built-in, enum, union,
      alternate, or struct) and a specific type (the name that the
      schema uses for declaring structs) is confusing.  Now that the
      generator accepts 'struct' as a synonym for 'type', update all
      documentation to use saner wording.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fd41dd4eae5f7ea92f10c04cb3f217727fcee91f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:25 2015 -0600

      qapi: Prefer 'struct' over 'type' in generator

      Referring to "type" as both a meta-type (built-in, enum, union,
      alternate, or struct) and a specific type (the name that the
      schema uses for declaring structs) is confusing.  The confusion
      is only made worse by the fact that the generator mostly already
      refers to struct even when dealing with expr['type'].  This
      commit changes the generator to consistently refer to it as
      struct everywhere, plus a single back-compat tweak that allows
      accepting the existing .json files as-is, so that the meat of
      this change is separate from the mindless churn of that change.

      Fix the testsuite fallout for error messages that change, and
      in some cases, become more legible.  Improve comments to better
      match our intentions where a struct (rather than any complex
      type) is required.  Note that in some cases, an error message
      now refers to 'struct' while the schema still refers to 'type';
      that will be cleaned up in the later commit to the schema.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 2cbf09925ad45401673a79ab77f67de2f04a826c
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:24 2015 -0600

      qapi: More rigorous checking for type safety bypass

      Now that we have a way to validate every type, we can also be
      stricter about enforcing that callers that want to bypass
      type safety in generated code.  Prior to this patch, it didn't
      matter what value was associated with the key 'gen', but it
      looked odd that 'gen':'yes' could result in bypassing the
      generated code.  These changes also enforce the changes made
      earlier in the series for documentation and consolidation of
      using '**' as the wildcard type, as well as 'gen':false as the
      canonical spelling for requesting type bypass.

      Note that 'gen':false is a one-way switch away from the default;
      we do not support 'gen':true (similar for 'success-response').
      In practice, this doesn't matter.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 10d4d997f86cf2a4ce89145df5658952d5722e56
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:23 2015 -0600

      qapi: Whitelist commands that don't return dictionary

      ...or an array of dictionaries.  Although we have to cater to
      existing commands, returning a non-dictionary means the command
      is not extensible (no new name/value pairs can be added if more
      information must be returned in parallel).  By making the
      whitelist explicit, any new command that falls foul of this
      practice will have to be self-documenting, which will encourage
      developers to either justify the action or rework the design to
      use a dictionary after all.

      It's a little bit sloppy that we share a single whitelist among
      three clients (it's too permissive for each).  If this is a
      problem, a future patch could tighten things by having the
      generator take the whitelist as an argument (as in
      scripts/qapi-commands.py --legacy-returns=...), or by having
      the generator output C code that requires explicit use of the
      whitelist (as in:
       #ifndef FROBNICATE_LEGACY_RETURN_OK
       # error Command 'frobnicate' should return a dictionary
       #endif
      then having the callers define appropriate macros).  But until
      we need such fine-grained separation (if ever), this patch does
      the job just fine.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit c9e0a798691d8c45747b082206e789c8f50523c9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:22 2015 -0600

      qapi: Require valid names

      Previous commits demonstrated that the generator overlooked various
      bad naming situations:
      - types, commands, and events need a valid name
      - enum members must be valid names, when combined with prefix
      - union and alternate branches cannot be marked optional

      Valid upstream names match [a-zA-Z][a-zA-Z0-9_-]*; valid downstream
      names match __[a-zA-Z][a-zA-Z0-9._-]*.  Enumerations match the
      weaker [a-zA-Z0-9._-]+ (in part thanks to QKeyCode picking an enum
      that starts with a digit, which we can't change now due to
      backwards compatibility).  Rather than call out three separate
      regex, this patch just uses a broader combination that allows both
      upstream and downstream names, as well as a small hack that
      realizes that any enum name is merely a suffix to an already valid
      name prefix (that is, any enum name is valid if prepending _ fits
      the normal rules).

      We could reject new enumeration names beginning with a digit by
      whitelisting existing exceptions.  We could also be stricter
      about the distinction between upstream names (no leading
      underscore, no use of dot) and downstream (mandatory leading
      double underscore), but it is probably not worth the bother.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit dd883c6f0547f02ae805d02852ff3691f6d08f85
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:21 2015 -0600

      qapi: More rigourous checking of types

      Now that we know every expression is valid with regards to
      its keys, we can add further tests that those keys refer to
      valid types.  With this patch, all uses of a type (the 'data':
      of command, type, union, alternate, and event; the 'returns':
      of command; the 'base': of type and union) must resolve to an
      appropriate subset of metatypes  declared by the current qapi
      parse; this includes recursing into each member of a data
      dictionary.  Dealing with '**' and nested anonymous structs
      will be done in later patches.

      Update the testsuite to match improved output.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 0d8b9fb5f296a96723d98a45a6a00bfd4e45e1b9
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:20 2015 -0600

      qapi: Add some type check tests

      Demonstrate that the qapi generator silently parses confusing
      types, which may cause other errors later on. Later patches
      will update the expected results as the generator is made stricter.

      Most of the new tests focus on blatant errors.  But
      returns-whitelist is a case where we have historically allowed
      returning something other than a JSON object from particular
      commands; we have to keep that behavior to avoid breaking clients,
      but it would be nicer to avoid adding such commands in the future,
      because any return that is not an (array of) object cannot be
      easily extended if future qemu wants to return additional
      information.  The QMP protocol already documents that clients
      should ignore unknown dictionary keys, but does not require
      clients to have to handle more than one type of JSON object.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d708cdbe8792a55f53e90c1c787e871d527e8d4b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:19 2015 -0600

      qapi: Unify type bypass and add tests

      For a few QMP commands, we are forced to pass an arbitrary type
      without tracking it properly in QAPI.  Among the existing clients,
      this unnamed type was spelled 'dict', 'visitor', and '**'; this
      patch standardizes on '**', matching the documentation changes
      earlier in the series.

      Meanwhile, for the 'gen' key, we have been ignoring the value,
      although the schema consistently used "'no'" ('success-response'
      was hard-coded to checking for 'no').  But now that we can support
      a literal "false" in the schema, we might as well use that rather
      than ignoring the value or special-casing a random string.  Note
      that these are one-way switches (use of 'gen':true is not the same
      as omitting 'gen'). Also, the use of '**' requires 'gen':false,
      but the use of 'gen':false does not mandate the use of '**'.

      There is no difference to the generated code.  Add some tests on
      what we'd like to guarantee, although it will take later patches
      to clean up test results and actually enforce the use of a bool
      parameter.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e53188ada516c814a729551be2448684d6d8ce08
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon May 4 09:05:18 2015 -0600

      qapi: Allow true, false and null in schema json

      In the near term, we will use it for a sensible-looking
      'gen':false inside command declarations, instead of the
      current ugly 'gen':'no'.

      In the long term, it will allow conversion from shorthand
      with defaults mentioned only in side-band documentation:
       'data':{'*flag':'bool', '*string':'str'}
      into an explicit default value documentation, as in:
       'data':{'flag':{'type':'bool', 'optional':true, 'default':true},
               'string':{'type':'str', 'optional':true, 'default':null}}

      We still don't parse integer values (also necessary before
      we can allow explicit defaults), but that can come in a later
      series.

      Update the testsuite to match an improved error message.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 4dc2e6906e1084fdd37bf67385c5dcd2c72ae22b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:17 2015 -0600

      qapi: Better error messages for duplicated expressions

      The previous commit demonstrated that the generator overlooked
      duplicate expressions:
      - a complex type or command reusing a built-in type name
      - redeclaration of a type name, whether by the same or different
      metatype
      - redeclaration of a command or event
      - collision of a type with implicit 'Kind' enum for a union
      - collision with an implicit MAX enum constant

      Since the c_type() function in the generator treats all names
      as being in the same namespace, this patch adds a global array
      to track all known names and their source, to prevent collisions
      before it can cause further problems.  While valid .json files
      won't trigger any of these cases, we might as well be nicer to
      developers that make a typo while trying to add new QAPI code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cfdd5bcad515a8371af59dba9625e31a6f6f733e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:16 2015 -0600

      qapi: Add tests of redefined expressions

      Demonstrate that the qapi generator doesn't deal very well with
      redefined expressions.  At the parse level, they are silently
      accepted; and while the testsuite just stops at parsing, I've
      further tested that many of them cause generator crashes or
      invalid C code if they were appended to qapi-schema-test.json.
      A later patch will tighten things up and adjust the testsuite
      to match.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 0545f6b8874c28d97369f2c83e5077e0461d4f12
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:15 2015 -0600

      qapi: Better error messages for bad expressions

      The previous commit demonstrated that the generator overlooked some
      fairly basic broken expressions:
      - missing metataype
      - metatype key has a non-string value
      - unknown key in relation to the metatype
      - conflicting metatype (this patch treats the second metatype as an
      unknown key of the first key visited, which is not necessarily the
      first key the user typed)

      Add check_keys to cover these situations, and update testcases to
      match.  A couple other tests (enum-missing-data, indented-expr) had
      to change since the validation added here occurs so early.
      Conversely, changes to ident-with-escape results show that we still
      have problems where our handling of escape sequences differs from
      true JSON, which will matter down the road if we allow arbitrary
      default string values for optional parameters (but for now is not
      too bad, as we currently can avoid unicode escaping as we don't
      need to represent anything beyond C identifier material).

      While valid .json files won't trigger any of these cases, we might
      as well be nicer to developers that make a typo while trying to add
      new QAPI code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 9050c65b71ac1d197330e6db221f63189e21bad5
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:14 2015 -0600

      qapi: Add some expr tests

      Demonstrate that the qapi generator doesn't deal well with
      expressions that aren't up to par. Later patches will improve
      the expected results as the generator is made stricter.  Only
      a few of the the added tests actually behave sanely at
      rejecting obvious problems or demonstrating success.

      Note that in some cases, we reject bad QAPI merely because our
      pseudo-JSON parser does not yet know how to parse numbers.  This
      series does not address that, but when a later series adds support
      for numeric defaults of integer fields, the testsuite will ensure
      that we don't lose the error (and hopefully that the error
      message quality is improved).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ab916faddd16f0165e9cc2551f90699be8efde53
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:13 2015 -0600

      qapi: Use 'alternate' to replace anonymous union

      Previous patches have led up to the point where I create the
      new meta-type "'alternate':'Foo'".  See the previous patches
      for documentation; I intentionally split as much work into
      earlier patches to minimize the size of this patch, but a lot
      of it is churn due to testsuite fallout after updating to the
      new type.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 7b1b98c420355ccea98d8bd55c9193ee6b7cef97
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:12 2015 -0600

      qapi: Document new 'alternate' meta-type

      The next patch will quit special-casing "'union':'Foo',
      'discriminator':{}" and instead use "'alternate':'Foo'".

      Separating docs from implementation makes it easier to focus
      on wording without holding up code.  In particular, making
      alternate a separate type makes for a nice type hierarchy:

                /-------- meta-type ------\
               /              |            \
          simple types    alternate     complex types
          |         |                   |           |
       built-in   enum             type(struct)   union
       |       \    /                            /    \
      numeric  string                         simple  flat

      A later patch will then clean up 'type' vs. 'struct'
      confusion.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ab045267447d52e63a79c0e18f89ae4411f5420b
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:11 2015 -0600

      qapi: Rename anonymous union type in test

      Reduce churn in the future patch that replaces anonymous unions
      with a new metatype 'alternate' by changing 'AnonUnion' to
      'Alternate'.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 811d04fd0cff1229480d3f5b2e349f646ab6e3c1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:10 2015 -0600

      qapi: Segregate anonymous unions into alternates in generator

      Special-casing 'discriminator == {}' for handling anonymous unions
      is getting awkward; since this particular type is not always a
      dictionary on the wire, it is easier to treat it as a completely
      different class of type, "alternate", so that if a type is listed
      in the union_types array, we know it is not an anonymous union.

      This patch just further segregates union handling, to make sure that
      anonymous unions are not stored in union_types, and splitting up
      check_union() into separate functions.  A future patch will change
      the qapi grammar, and having the segregation already in place will
      make it easier to deal with the distinct meta-type.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 268a1c5eb10832c2e4476d3fe199ea547dabecb7
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:09 2015 -0600

      qapi: Prepare for catching more semantic parse errors

      This patch widens the scope of a try block (with the attending
      reindentation required by Python) in preparation for a future
      patch adding more instances of QAPIExprError inside the block.
      It's easier to separate indentation from semantic changes, so
      this patch has no real behavior change.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 44bd1276a7dea747c41f250cb71ab65965343a7f
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:08 2015 -0600

      qapi: Tighten checking of unions

      Previous commits demonstrated that the generator had several
      flaws with less-than-perfect unions:
      - a simple union that listed the same branch twice (or two variant
      names that map to the same C enumerator, including the implicit
      MAX sentinel) ended up generating invalid C code
      - an anonymous union that listed two branches with the same qtype
      ended up generating invalid C code
      - the generator crashed on anonymous union attempts to use an
      array type
      - the generator was silently ignoring a base type for anonymous
      unions
      - the generator allowed unknown types or nested anonymous unions
      as a branch in an anonymous union

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit a8d4a2e4d7e1a0207699de47142c9bdbf2cc8675
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:07 2015 -0600

      qapi: Forbid base without discriminator in unions

      None of the existing QMP or QGA interfaces uses a union with a
      base type but no discriminator; it is easier to avoid this in the
      generator to save room for other future extensions more likely to
      be useful.  An earlier commit added a union-base-no-discriminator
      test to ensure that we eventually give a decent error message;
      likewise, removing UserDefUnion outright is okay, because we moved
      all the tests we wish to keep into the tests of the simple union
      UserDefNativeListUnion in the previous commit.  Now is the time to
      actually forbid simple union with base, and remove the last
      vestiges from the testsuite.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 805017b7791200f1b72deef17dc98fd272b941eb
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:06 2015 -0600

      qapi: Clean up test coverage of simple unions

      The tests of UserDefNativeListUnion serve to validate code
      generation of simple unions without a base type, except that it
      did not have full coverage in the strict test.  The next commits
      will remove tests and support for simple unions with a base type,
      so there is no real loss at repurposing that test here as
      opposed to churn of adding a new test then deleting the old one.

      Fix some indentation and long lines while at it.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 3d0c48292633260269cb21551d9bab006b2f2781
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:05 2015 -0600

      qapi: Add some union tests

      Demonstrate that the qapi generator doesn't deal well with unions
      that aren't up to par. Later patches will update the expected
      reseults as the generator is made stricter.  A few tests work
      as planned, but most show poor or missing error messages.

      Of particular note, qapi-code-gen.txt documents 'base' only for
      flat unions, but the tests here demonstrate that we currently allow
      a 'base' to a simple union, although it is exercised only in the
      testsuite.  Later patches will remove this undocumented feature, to
      give us more flexibility in adding other future extensions to union
      types.  For example, one possible extension is the idea of a
      type-safe simple enum, where added fields tie the discriminator to
      a user-defined enum type rather than creating an implicit enum from
      the names in 'data'.  But adding such safety on top of a simple
      enum with a base type could look ambiguous with a flat enum;
      besides, the documentation also mentions how any simple union can
      be represented by an equivalent flat union.  So it will be simpler
      to just outlaw support for something we aren't using.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cf3935907b5df16f667d54ad6761c7e937dcf425
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:04 2015 -0600

      qapi: Better error messages for bad enums

      The previous commit demonstrated that the generator had several
      flaws with less-than-perfect enums:
      - an enum that listed the same string twice (or two variant
      strings that map to the same C enumerator) ended up generating
      an invalid C enum
      - because the generator adds a _MAX terminator to each enum,
      the use of an enum member 'max' can also cause this clash
      - if an enum omits 'data', the generator left a python stack
      trace rather than a graceful message
      - an enum that used a non-array 'data' was silently accepted by
      the parser
      - an enum that used non-string members in the 'data' member
      was silently accepted by the parser

      Add check_enum to cover these situations, and update testcases
      to match.  While valid .json files won't trigger any of these
      cases, we might as well be nicer to developers that make a typo
      while trying to add new QAPI code.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit ad11dbb93752ffd4bd1d5f31da7e2d9c40a68e8a
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:03 2015 -0600

      qapi: Add some enum tests

      Demonstrate that the qapi generator doesn't deal well with enums
      that aren't up to par. Later patches will update the expected
      results as the generator is made stricter.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit fe2a9303c9e511462f662a415c2e9d2defe9b7ca
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:02 2015 -0600

      qapi: Require ASCII in schema

      Python 2 and Python 3 have a wild history of whether strings
      default to ascii or unicode, where Python 3 requires checking
      isinstance(foo, basestr) to cover all strings, but where that
      code is not portable to Python 2.  It's simpler to just state
      that we don't care about Unicode strings, and to just always
      use the simpler isinstance(foo, str) everywhere.

      I'm no python expert, so I'm basing it on this conversation:
      https://lists.gnu.org/archive/html/qemu-devel/2014-09/msg05278.html

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit cb17f79eef0d161e81ac457e4c1f124405be2a18
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:01 2015 -0600

      qapi: Fix generation of 'size' builtin type

      We were missing the 'size' builtin type (which means that QAPI using
      [ 'size' ] would fail to compile).

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit b52c4b9cf0bbafdf8cede4ea1f62770d86815718
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:05:00 2015 -0600

      qapi: Simplify builtin type handling

      There was some redundancy between builtin_types[] and
      builtin_type_qtypes{}.  Merge them into one.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit e790e666518e68134ca0570b6b4a707169ea3cb1
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:04:59 2015 -0600

      qapi: Document type-safety considerations

      Go into more details about the various types of valid expressions
      in a qapi schema, including tweaks to document fixes being done
      later in the current patch series.  Also fix some stale and missing
      documentation in the QMP specification.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 6fb55451728e6dc74ae4e67e4f5ab557468f084e
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Mon May 4 09:04:58 2015 -0600

      qapi: Add copyright declaration on docs

      While our top-level COPYING with its GPLv2+ license applies to
      any documentation file that omits explicit instructions, these
      days it's better to be a good example of calling out our
      intentions.  Correct use of GPL requires the use of a copyright
      statement, so I'm adding notice to two QAPI documents, by
      attributing these files to the initial authors and major
      contributors.  I used:

      $ git blame --line-porcelain $file \
        | sed -n 's/^author //p' | sort | uniq -c | sort -rn

      to determine authorship of these two files.  qmp-spec.txt blames
      entirely to Red Hat (easy, since my contribution falls in that
      category); while qapi-code-gen.txt has multiple contributors
      representing multiple entities.  But since it was originally
      supplied by Michael Roth, the notice I added there copies the
      notice he has used in other files.  As there is no intended
      change in license from the implicit one previously present from
      the top level, I have not bothered to CC other contributors;
      if we want to weaken things to something looser (such as LGPL)
      so that there is no question that someone re-implementing the
      spec is not forced to use GPL, that would be a different commit.

      CC: Michael Roth <mdroth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 00c8fa9ffeee7458e5ed62c962faf638156c18da
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Thu Apr 2 20:07:53 2015 -0400

      tcg: optimise memory layout of TCGTemp

      This brings down the size of the struct from 56 to 32 bytes on 64-bit,
      and to 20 bytes on 32-bit. This leads to memory savings:

      Before:
      $ find . -name 'tcg.o' | xargs size
         text    data     bss     dec     hex filename
        41131   29800      88   71019   1156b ./aarch64-softmmu/tcg/tcg.o
        37969   29416      96   67481   10799 ./x86_64-linux-user/tcg/tcg.o
        39354   28816      96   68266   10aaa ./arm-linux-user/tcg/tcg.o
        40802   29096      88   69986   11162 ./arm-softmmu/tcg/tcg.o
        39417   29672      88   69177   10e39 ./x86_64-softmmu/tcg/tcg.o

      After:
      $ find . -name 'tcg.o' | xargs size
         text    data     bss     dec     hex filename
        40883   29800      88   70771   11473 ./aarch64-softmmu/tcg/tcg.o
        37473   29416      96   66985   105a9 ./x86_64-linux-user/tcg/tcg.o
        38858   28816      96   67770   108ba ./arm-linux-user/tcg/tcg.o
        40554   29096      88   69738   1106a ./arm-softmmu/tcg/tcg.o
        39169   29672      88   68929   10d41 ./x86_64-softmmu/tcg/tcg.o

      Note that using an entire byte for some enums that need less than
      that wastes a few bits (noticeable in 32 bits, where we use
      20 bytes instead of 16) but avoids extraction code, which overall
      is a win--I've tested several variations of the patch, and the appended
      is the best performer for OpenSSL's bntest by a very small margin:

      Before:
      $ taskset -c 0 perf stat -r 15 -- x86_64-linux-user/qemu-x86_64 
img/bntest-x86_64 >/dev/null
      [...]
       Performance counter stats for 'x86_64-linux-user/qemu-x86_64 
img/bntest-x86_64' (15 runs):

            10538.479833 task-clock (msec)  # 0.999 CPUs utilized  ( +-  0.38% )
                     772 context-switches   # 0.073 K/sec          ( +-  2.03% )
                       0 cpu-migrations     # 0.000 K/sec          ( +-100.00% )
                   2,207 page-faults        # 0.209 K/sec          ( +-  0.08% )
            10.552871687 seconds time elapsed                      ( +-  0.39% )

      After:
      $ taskset -c 0 perf stat -r 15 -- x86_64-linux-user/qemu-x86_64 
img/bntest-x86_64 >/dev/null
       Performance counter stats for 'x86_64-linux-user/qemu-x86_64 
img/bntest-x86_64' (15 runs):

            10459.968847 task-clock (msec)  # 0.999 CPUs utilized  ( +-  0.30% )
                     739 context-switches   # 0.071 K/sec          ( +-  1.71% )
                       0 cpu-migrations     # 0.000 K/sec          ( +- 68.14% )
                   2,204 page-faults        # 0.211 K/sec          ( +-  0.10% )
            10.473900411 seconds time elapsed                      ( +-  0.30% )

      Suggested-by: Stefan Weil <sw@xxxxxxxxxxx>
      Suggested-by: Richard Henderson <rth@xxxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Richard Henderson <rth@xxxxxxxxxxx>

  commit 874e9aeeeb74c5459639a93439a502d262847e68
  Merge: b4c5df7 e444ea3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 5 14:06:12 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-sdl-20150505-1' 
into staging

      sdl2: add opengl support

      # gpg: Signature made Tue May  5 10:36:25 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-sdl-20150505-1:
        sdl2: Fix RGB555
        sdl2: add support for display rendering using opengl.
        sdl2: move SDL_* includes to sdl2.h
        console-gl: add opengl rendering helper functions
        opengl: add shader helper functions.
        opengl: add shader build infrastructure

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b4c5df7a15dad2417bc05d08a470b82ab89d56ea
  Merge: 5bccbb0 2e1c92d
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue May 5 10:23:22 2015 +0100

      Merge remote-tracking branch 
'remotes/armbru/tags/pull-cov-model-2015-05-05' into staging

      coverity: fix address_space_rw model

      # gpg: Signature made Tue May  5 09:44:26 2015 BST using RSA key ID 
EB918653
      # gpg: Good signature from "Markus Armbruster <armbru@xxxxxxxxxx>"
      # gpg:                 aka "Markus Armbruster <armbru@xxxxxxxxxxxx>"

      * remotes/armbru/tags/pull-cov-model-2015-05-05:
        coverity: fix address_space_rw model

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e444ea34f8ec27acfa9ead7eaa9904238c831e69
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Tue Mar 3 12:25:27 2015 -0500

      sdl2: Fix RGB555

      Reproducable with:

      $ x86_64-softmmu/qemu-system-x86_64 \
          -kernel $vmlinuz_of_your_choice \
          -append vga=0x313 -sdl

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 0b71a5d5caa4f709d37fa1d7786dffc2c94f8414
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Nov 11 16:54:45 2014 +0100

      sdl2: add support for display rendering using opengl.

      Add new sdl2-gl.c file, with display
      rendering functions using opengl.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 19dadfccd0124804e2790e7cb075c9df7cd3154f
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Nov 19 14:19:49 2014 +0100

      sdl2: move SDL_* includes to sdl2.h

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit cd2bc889e5b30c69926fc1511b6522e7cb4c705d
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jan 9 11:40:23 2015 +0100

      console-gl: add opengl rendering helper functions

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 985e1c9b008e5e8b6eac41546266d3abcfa6282a
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Apr 24 07:48:45 2015 +0200

      opengl: add shader helper functions.

      Helper functions to compile, link and run opengl shader programs.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 2e1c92daff752c056ae10087e6b1702b0460af88
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon May 4 14:18:09 2015 +0200

      coverity: fix address_space_rw model

      If the is_write argument is true, address_space_rw writes to memory
      and thus reads from the buffer.  The opposite holds if is_write is
      false.  Fix the model.

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit d98bc0b654b97d130338e76e0928296f84e6d6fd
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Jan 16 13:59:17 2015 +0100

      opengl: add shader build infrastructure

      perl script to transform shader programs into c include files with
      static string constands containing the shader programs, so we can
      easily embed them into qemu.  Also some Makefile logic for them.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 5bccbb04a4abba7af4398de992bf06d585fd1333
  Merge: f90f5b9 4a4d614
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 20:34:54 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block patches

      # gpg: Signature made Thu Apr 30 19:51:16 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream:
        Enable NVMe start controller for Windows guest.
        MAINTAINERS: Add qemu-block list where missing
        MAINTAINERS: make block layer core Kevin Wolf's responsibility
        MAINTAINERS: make image fuzzer Stefan Hajnoczi's responsibility
        MAINTAINERS: make block I/O path Stefan Hajnoczi's responsibility
        MAINTAINERS: split out image formats
        MAINTAINERS: make virtio-blk Stefan Hajnoczi's responsibility

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 41063e1e7afcb2f13e103720fe96221657f5dbbc
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Mar 18 14:21:43 2015 +0100

      exec: move rcu_read_lock/unlock to address_space_translate callers

      Once address_space_translate will be called outside the BQL, the returned
      MemoryRegion might disappear as soon as the RCU read-side critical section
      ends.  Avoid this by moving the critical section to the callers.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1426684909-95030-3-git-send-email-pbonzini@xxxxxxxxxx>

  commit 4c6637525290dc863a00be7f58fc11d07b780bd4
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 8 13:30:58 2015 +0200

      kvm: add support for memory transaction attributes

      Let kvm_arch_post_run convert fields in the kvm_run struct to MemTxAttrs.
      These are then passed to address_space_rw.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f8a9f720dd2fa5c1560838c26c6dad396a0cef5b
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 12:57:11 2015 +0200

      mtree: also print disabled regions

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e48816aac6eef50c851e3833add886f0403b6f11
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Wed Apr 8 12:53:47 2015 +0200

      mtree: tag & indent a bit better

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 813297541196698f60525d611dd09007fa60b45b
  Author: Denis V. Lunev <den@xxxxxxxxxx>
  Date:   Tue Apr 7 16:53:52 2015 +0300

      apic_common: improve readability of apic_reset_common

      Replace call of cpu_is_bsp(s->cpu) which really returns
          !!(s->apicbase & MSR_IA32_APICBASE_BSP)
      with directly collected value. Due to this the tracepoint
        trace_cpu_get_apic_base((uint64_t)s->apicbase);
      will not be hit anymore in apic_reset_common.

      Signed-off-by: Denis V. Lunev <den@xxxxxxxxxx>
      CC: Andreas F�¤rber <afaerber@xxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1428414832-3104-1-git-send-email-den@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 03a96b83b539498510e22aab585e41015ba18247
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Mon Apr 27 18:59:04 2015 +0200

      kvm: Silence warning from valgrind

      valgrind complains here about uninitialized bytes with the following 
message:

      ==17814== Syscall param ioctl(generic) points to uninitialised byte(s)
      ==17814==    at 0x466A780: ioctl (in /usr/lib64/power8/libc-2.17.so)
      ==17814==    by 0x100735B7: kvm_vm_ioctl (kvm-all.c:1920)
      ==17814==    by 0x10074583: kvm_set_ioeventfd_mmio (kvm-all.c:574)

      Let's fix it by using a proper struct initializer in 
kvm_set_ioeventfd_mmio().

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Message-Id: <1430153944-24368-1-git-send-email-thuth@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit f90f5b9a9aa41e5ea47dc7a0f3e1f99196f485c3
  Merge: 4981475 5530293
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 15:18:30 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-04-30' into staging

      trivial patches for 2015-04-30

      # gpg: Signature made Thu Apr 30 14:07:50 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-04-30: (42 commits)
        openrisc: cpu: Remove unused cpu_get_pc
        microblaze: fix memory leak
        tcg: Delete unused cpu_pc_from_tb()
        kvm: Silence warning from valgrind
        vhost-user: remove superfluous '\n' around error_report()
        target-mips: fix memory leak
        qmp-commands: Fix typo
        linux-user/elfload: use QTAILQ_FOREACH instead of open-coding it
        coroutine: remove unnecessary parentheses in qemu_co_queue_empty
        qemu-char: remove unused list node from FDCharDriver
        input: remove unused mouse_handlers list
        cpus: use first_cpu macro instead of QTAILQ_FIRST(&cpus)
        microblaze: cpu: delete unused cpu_interrupts_enabled
        microblaze: cpu: Renumber EXCP_* constants to close gap
        microblaze: cpu: Delete EXCP_NMI
        microblaze: cpu: Remove unused CC_OP enum
        microblaze: cpu: Remote unused cpu_get_pc
        microblaze: mmu: Delete flip_um fn prototype
        defconfigs: Piggyback microblazeel on microblaze
        libcacard: do not use full paths for include files in the same dir
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 4a4d614ff56b4cf15e83629946afe51dc116053f
  Author: Daniel Stekloff <dan@xxxxxxxxxx>
  Date:   Fri Apr 24 11:55:42 2015 -0700

      Enable NVMe start controller for Windows guest.

      Windows seems to send two separate calls to NVMe controller 
configuration. The
      first sends configuration info and the second the enable bit. I couldn't
      enable the Windows 8.1 in-box NVMe driver with base Qemu. I made the
      following change to store the configuration data and then handle enable 
and
      NVMe driver works on Windows 8.1.

      I am not a Windows expert and I'm not entirely sure this is the correct
      approach. I'm offering it for anyone who wishes to use NVMe on Windows 8.1
      using Qemu.

      I have tested this change with Linux and Windows guests with NVMe devices.

      Signed-off-by: Daniel Stekloff <dan@xxxxxxxxxx>
      Acked-by: Keith Busch <keith.busch@xxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 498147529d1f8e902e6528a0115143b53475791e
  Merge: 06feaac 2c80e99
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 14:15:56 2015 +0100

      Merge remote-tracking branch 'remotes/cohuck/tags/s390x-20150430' into 
staging

      First pile of s390x patches for 2.4, including:
      - some cleanup patches
      - sort most of the s390x devices into categories
      - support for the new STSI post handler, used to insert vm name and
        friends
      - support for the new MEM_OP ioctl (including access register mode)
        for accessing guest memory

      # gpg: Signature made Thu Apr 30 12:56:58 2015 BST using RSA key ID 
C6F02FAF
      # gpg: Good signature from "Cornelia Huck <huckc@xxxxxxxxxxxxxxxxxx>"
      # gpg:                 aka "Cornelia Huck <cornelia.huck@xxxxxxxxxx>"

      * remotes/cohuck/tags/s390x-20150430:
        kvm: better advice for failed s390x startup
        s390x/kvm: Support access register mode for KVM_S390_MEM_OP ioctl
        s390x/mmu: Use ioctl for reading and writing from/to guest memory
        s390x/kvm: Put vm name, extended name and UUID into STSI322 SYSIB
        linux-headers: update
        s390x/mmu: Use access type definitions instead of magic values
        s390x/ipl: sort into categories
        sclp: sort into categories
        s390-virtio: sort into categories
        virtio-ccw: sort into categories

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c95e4c0e53c774dd82a78ae751ea24f537e38778
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Apr 30 15:15:13 2015 +0200

      MAINTAINERS: Add qemu-block list where missing

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 17f1e8f5acf0016bf0b14ef9ec591d3f5081fc60
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:29 2015 +0100

      MAINTAINERS: make block layer core Kevin Wolf's responsibility

      Kevin is now sole maintainer of the core block layer, including
      BlockDriverState graphs and monitor commands.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit abfe4e9408a9e82bec9e9834eabc65f53907f281
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:28 2015 +0100

      MAINTAINERS: make image fuzzer Stefan Hajnoczi's responsibility

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d55053b16e22d46db0d98819814a31ae5c33e2c7
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:27 2015 +0100

      MAINTAINERS: make block I/O path Stefan Hajnoczi's responsibility

      The block I/O path includes the asynchronous I/O machinery and
      read/write/flush/discard processing.  It somewhat arbitrarily also
      includes block migration, which I've found myself reviewing patches for
      over the years.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e7c6e631b191c99eecb4a06fe19302e863f033c6
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:26 2015 +0100

      MAINTAINERS: split out image formats

      Block driver submaintainers has proven to be a good model.  Kevin and
      Stefan are splitting up the unclaimed block drivers so each has a
      dedicated maintainer.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b457a5f54cd857815401dc4708a4c778481ec562
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 29 15:13:25 2015 +0100

      MAINTAINERS: make virtio-blk Stefan Hajnoczi's responsibility

      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 553029351bac9f5b4f9ea72793e55f02e7677ec2
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Thu Apr 30 00:38:52 2015 -0700

      openrisc: cpu: Remove unused cpu_get_pc

      This function is not used by anything. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4d850406a859d3a5dcfca74eb9caa76ccc064ab3
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Thu Mar 5 11:05:20 2015 +0800

      microblaze: fix memory leak

      When not assign a -dtb argument, the variable dtb_filename
      storage returned from qemu_find_file(), which should be freed
      after use. Alternatively we define a local variable filename,
      with 'char *' type, free after use.

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit fee068e4f190a36ef3bda9aa7c802f90434ef8e5
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Wed Apr 29 00:52:21 2015 -0700

      tcg: Delete unused cpu_pc_from_tb()

      No code uses the cpu_pc_from_tb() function. Delete from tricore and
      arm which each provide an unused implementation. Update the comment
      in tcg.h to reflect that this is obsoleted by synchronize_from_tb.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2ed0c3dad769ab747e1f5448b70eeaf134c76982
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Mon Apr 27 18:59:04 2015 +0200

      kvm: Silence warning from valgrind

      valgrind complains here about uninitialized bytes with the following 
message:

      ==17814== Syscall param ioctl(generic) points to uninitialised byte(s)
      ==17814==    at 0x466A780: ioctl (in /usr/lib64/power8/libc-2.17.so)
      ==17814==    by 0x100735B7: kvm_vm_ioctl (kvm-all.c:1920)
      ==17814==    by 0x10074583: kvm_set_ioeventfd_mmio (kvm-all.c:574)

      Let's fix it by using a proper struct initializer in 
kvm_set_ioeventfd_mmio().

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ab7c5aaf31213f5fc96018514e3d258e951d520f
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Apr 28 17:11:04 2015 +0800

      vhost-user: remove superfluous '\n' around error_report()

      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3ad9fd5a257794d516db515c217c78a5806112fe
  Author: Gonglei <arei.gonglei@xxxxxxxxxx>
  Date:   Tue Apr 28 17:11:02 2015 +0800

      target-mips: fix memory leak

      Coveristy reports that variable prom_buf/params_buf going
      out of scope leaks the storage it points to.

      Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
      Cc: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Reviewed-by: Leon Alrae <leon.alrae@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5403432f39fc09ce1973cc8c1a62e16502358bf7
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:20:41 2015 -0400

      qmp-commands: Fix typo

      Just a trivial patch to correct a QMP example in qmp-commands.hx.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 52a53afebd2604af957d50fd4f3ce2012350a40d
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:33 2015 -0400

      linux-user/elfload: use QTAILQ_FOREACH instead of open-coding it

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b1201addc7ceb8f1fcdc378071ec6f5ab5b3f7ab
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:32 2015 -0400

      coroutine: remove unnecessary parentheses in qemu_co_queue_empty

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 63d229c32b72767461262ade78a5cb98dbe0f1b4
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:30 2015 -0400

      qemu-char: remove unused list node from FDCharDriver

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit dfbf272b77cfb6b74131746a67c82271ab009f2f
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:29 2015 -0400

      input: remove unused mouse_handlers list

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c28e399cadbeaa996e2a3d334368edd4cd6b6889
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Mon Apr 27 12:45:28 2015 -0400

      cpus: use first_cpu macro instead of QTAILQ_FIRST(&cpus)

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 93100f67c723f5812d0fa9a026208cf320ef46e6
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:24 2015 -0700

      microblaze: cpu: delete unused cpu_interrupts_enabled

      This function is unused. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2161be35ce57ed5b0da0b98f902d003bfebac2c9
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Wed Apr 29 08:34:29 2015 +0300

      microblaze: cpu: Renumber EXCP_* constants to close gap

      After removal of EXCP_NMI there's a gap in EXCP_*
      numbering. Let's remove it.

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 059ec9aa34fd3c5bfe65141741c671b3e80ac6e7
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:23 2015 -0700

      microblaze: cpu: Delete EXCP_NMI

      This define is unused. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 004f979fbb83397349c9158946ec5d4f0036632b
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:22 2015 -0700

      microblaze: cpu: Remove unused CC_OP enum

      This enum is not used by anything. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit b133b09a9d8ae280bba279a1aba9af73a805e198
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:21 2015 -0700

      microblaze: cpu: Remote unused cpu_get_pc

      This function is not used by anything. Remove.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 19191a6bc537b2290e18430e1877de9c2db20510
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:20 2015 -0700

      microblaze: mmu: Delete flip_um fn prototype

      This is not implemented or used.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit a0970d91c94241c74b2b8027268d2a7e8fe19ae3
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 12:10:19 2015 -0700

      defconfigs: Piggyback microblazeel on microblaze

      Theres no difference in defconfig. Going forward microblazeel should
      superset microblaze so use an include.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f66759d3aec208651a7ad0cd37f4fec8d86fa7c1
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Mon Apr 27 16:29:58 2015 +0300

      libcacard: do not use full paths for include files in the same dir

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 28507a415a9b1e897aa8cdab658c6cdc00eff6cd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Apr 27 12:34:18 2015 +0200

      libcacard: stop including qemu-common.h

      This is a small step towards making libcacard standalone.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit d3e4abdddfcf70b2e678de1c6b9b1c6cd3ce541e
  Author: Laszlo Ersek <lersek@xxxxxxxxxx>
  Date:   Mon Apr 27 13:32:35 2015 +0200

      docs/atomics.txt: fix two typos

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 5ecaa4ed882aa6040d2ddbfc6f487d8b4bcd3b83
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 19:14:26 2015 -0700

      configure: alphabetize tricore in target list

      tricore was out of alphabetical order in the target list. Fix.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Acked-by: Bastian Koppelmann <kbastian@xxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ef1d27f4b17c4238ed3395724026910973026d2b
  Author: Peter Crosthwaite <crosthwaitepeter@xxxxxxxxx>
  Date:   Sun Apr 26 18:38:18 2015 -0700

      arm: cpu.h: Remove unused typdefs

      These CP accessor function prototypes are unused. Remove them.

      Signed-off-by: Peter Crosthwaite <crosthwaite.peter@xxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 3bf2af7b40281f73d0e33ecca4095078feed07b1
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:33 2015 +0100

      util: Remove unused functions

      Delete the unused functions qemu_signalfd_available(),
      qemu_send_full() and qemu_recv_full().

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ec29ea1b2b5ffed569d52393ad8e8d3f4215b9b3
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:32 2015 +0100

      usb: Remove unused functions

      Delete set_usb_string(), usb_ep_get_ifnum(), usb_ep_get_max_packet_size()
      usb_ep_get_max_streams() and usb_ep_set_pipeline() since they are
      not used anymore.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 26b93109c0dff55aab67da66ebbace2cc39becfc
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:31 2015 +0100

      monitor: Remove unused functions

      The functions ringbuf_read_completion() and monitor_get_rs()
      are not used anywhere anymore, so let's remove them.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Cc: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 04768b985e8da35cba67b60dab02865a4d8ecdca
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:30 2015 +0100

      pci: Remove unused function ich9_d2pbr_init()

      The function ich9_d2pbr_init() is completely unused and
      thus can be deleted.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9dcfda1298662223af1b99f7aef1bcf94df134a8
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Sat Mar 14 07:19:29 2015 +0100

      vmxnet: Remove unused function vmxnet_rx_pkt_get_num_frags()

      The function is not used anymore and thus can be deleted.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Cc: Dmitry Fleytman <dmitry@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 825976153ee4c787326e0beb31144906f0a3c210
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Mon Apr 27 11:12:49 2015 +0300

      qemu-options: trivial spelling fix (messsage)

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit c2cb2b041b56e113e43da78528c9dfd8257e0206
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Fri Apr 24 19:41:26 2015 +0200

      hostmem: Fix mem-path property name in error report

      The subtle difference between "property not found" and "property not
      set" is already confusing enough.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 29b558d87710a962203a45d9dd57bf7eab19dca0
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Wed Apr 15 10:18:55 2015 -0400

      tpm: fix coding style

      Fix coding style in one instance.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 1897b212b780a02a5605ad934a6dd16c76571fe3
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Apr 13 17:28:27 2015 +0200

      qemu-config: remove stray inclusions of hw/ files

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit f2fbb40ea32445b281696a1b3f16de670951de2e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Apr 13 17:28:26 2015 +0200

      range: remove useless inclusions

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 631b22ea206300f09b9d1bb9249169e0f0092639
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Thu Apr 9 20:32:39 2015 +0200

      misc: Fix new collection of typos

      All of them were reported by codespell.
      Most typos are in comments, one is in an error message.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit c9f88ce330c3d9107adfabdde33bdf10dcc05934
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:14 2015 +0800

      hw/display : remove 'struct' from 'typedef QXL struct'

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9425c004fe287bfe95e2bf64634d6a618c2b596c
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:13 2015 +0800

      ui/console : remove 'struct' from 'typedef struct' type

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4769a881cbe1130e7ba4650471ef37e2cf998a9c
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:12 2015 +0800

      ui/vnc : remove 'struct' of 'typedef struct'

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 494cb81741f867319f11ecfa0949168baf9f01d7
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:11 2015 +0800

      ui/vnc : fix coding style

          reported by checkpatch.pl

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4188e39055bfaf6d76b7d98294b0aeb8e4f3082d
  Author: Chih-Min Chao <cmchao@xxxxxxxxx>
  Date:   Thu Apr 9 02:04:10 2015 +0800

      bitops : fix coding style

          don't mix tab and space. The rule is 4 spaces

      Signed-off-by: Chih-Min Chao <cmchao@xxxxxxxxx>
      Reviewed-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 4d1ba9c4f8a4d68b9d053946d551ffa8f1006b77
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Mar 31 14:49:10 2015 -0400

      tpm: Modify DPRINTF to enable -Wformat checking

      Modify DPRINTF to always enable -Wformat checking.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 070c7607f62f9623be9ff14623a43b0ca195c572
  Author: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Mar 31 14:49:09 2015 -0400

      tpm: Cast 64bit variables to int when used in DPRINTF

      Cast 64bit variables to int when used in DPRINTF. They only contain
      32bit of data.

      Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 2c80e996e427ae31982f3405a762859578a6261d
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Thu Apr 23 17:03:46 2015 +0200

      kvm: better advice for failed s390x startup

      If KVM_CREATE failed on s390x, we print a hint to enable the switch_amode
      kernel parameter. This only applies to old kernels, and only if the
      error was -EINVAL. Moreover, with new kernels, the most likely reason
      for -EINVAL is that pgstes were not enabled.

      Let's update the error message to give a better hint on where things
      may need fixing.

      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 6cb1e49de58cab8f243b05a971a9a1f80ab3223d
  Author: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Mar 5 12:36:48 2015 +0300

      s390x/kvm: Support access register mode for KVM_S390_MEM_OP ioctl

      Access register mode is one of the modes that control dynamic address
      translation. In this mode the address space is specified by values of
      the access registers. The effective address-space-control element is
      obtained from the result of the access register translation. See
      the "Access-Register Introduction" section of the chapter 5 "Program
      Execution" in "Principles of Operations" for more details.

      When the CPU is in AR mode, the s390_cpu_virt_mem_rw() function must
      know which access register number to use for address translation.
      This patch does several things:
      - add new parameter 'uint8_t ar' to that function
      - decode ar number from intercepted instructions
      - pass the ar number to s390_cpu_virt_mem_rw(), which in turn passes it
      to the KVM_S390_MEM_OP ioctl.

      Signed-off-by: Alexander Yarygin <yarygin@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit a9bcd1b8719dea2e91512238d810e2a0037e174d
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Fri Feb 6 15:54:58 2015 +0100

      s390x/mmu: Use ioctl for reading and writing from/to guest memory

      Add code to make use of the new ioctl for reading from / writing to
      virtual guest memory. By using the ioctl, the memory accesses are now
      protected with the so-called ipte-lock in the kernel.

      [CH: moved error message into kvm_s390_mem_op()]
      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit f07177a5599fb204e42a007db4820ceda1bc85ba
  Author: Ekaterina Tumanova <tumanova@xxxxxxxxxxxxxxxxxx>
  Date:   Tue Mar 3 18:35:27 2015 +0100

      s390x/kvm: Put vm name, extended name and UUID into STSI322 SYSIB

      KVM prefills the SYSIB, returned by STSI 3.2.2. This patch allows
      userspace to intercept execution, and fill in the values, that are
      known to qemu: machine name (8 chars), extended machine name (256
      chars), extended machine name encoding (equals 2 for UTF-8) and UUID.

      STSI322 qemu handler also finds a highest virtualization level in
      level-3 virtualization stack that doesn't support Extended Names
      (Ext Name delimiter) and propagates zero Ext Name to all levels below,
      because this level is not capable of managing Extended Names of lower
      levels.

      Signed-off-by: Ekaterina Tumanova <tumanova@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Reviewed-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 7a52ce8a160739c5d37469b0e344d3239eb86462
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Mar 31 16:07:08 2015 +0200

      linux-headers: update

      This updates linux-headers against master 4.1-rc1 (commit
      b787f68c36d49bb1d9236f403813641efa74a031).

      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 217a4acb211d603f33199cf94ada9fce3ac419b5
  Author: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Mar 19 15:04:50 2015 +0100

      s390x/mmu: Use access type definitions instead of magic values

      Since there are now proper definitions for the MMU access type,
      let's use them in the s390x MMU code, too, instead of the
      hard-to-understand magic values.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxxxxxxxxxx>
      Reviewed-by: Jens Freimann <jfrei@xxxxxxxxxxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit b4ab4572b319f2c26435b2ed18cfd3fb602c7439
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Fri Mar 20 10:17:08 2015 +0100

      s390x/ipl: sort into categories

      The s390 ipl device has no real home (it's not really a storage device),
      so let's sort it into the misc category.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 183f6b8d7e7adf6b892523644e38b534c5954be1
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Mar 17 13:44:39 2015 +0100

      sclp: sort into categories

      Sort the sclp consoles into the input category, just as virtio-serial.
      Various other sclp devices don't have an obvious category, sort them
      into misc.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 4d1866de9422c4b359f61819ee01efc9b988187b
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Mar 17 13:43:26 2015 +0100

      s390-virtio: sort into categories

      Sort the various s390-virtio devices into the same categories as their
      virtio-pci counterparts.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit cd20d61634092a9fa19c8c6f0a749526e9958374
  Author: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
  Date:   Tue Mar 17 13:42:03 2015 +0100

      virtio-ccw: sort into categories

      Sort the various virtio-ccw devices into the same categories as their
      virtio-pci counterparts.

      Reviewed-by: David Hildenbrand <dahi@xxxxxxxxxxxxxxxxxx>
      Acked-by: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Signed-off-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>

  commit 06feaacfb4cfef10cc0c93d97df7bfc8a71dbc7e
  Merge: a1fe58f d064d9f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 12:04:11 2015 +0100

      Merge remote-tracking branch 'remotes/bonzini/tags/for-upstream' into 
staging

      - miscellaneous cleanups for TCG (Emilio) and NBD (Bogdan)
      - next part in the thread-safe address_space_* saga: atomic access
        to the bounce buffer and the map_clients list, from Fam
      - optional support for linking with tcmalloc, also from Fam
      - reapplying Peter Crosthwaite's "Respect as_translate_internal
        length clamp" after fixing the SPARC fallout.
      - build system fix from Wei Liu
      - small acpi-build and ioport cleanup by myself

      # gpg: Signature made Wed Apr 29 09:34:00 2015 BST using RSA key ID 
78C7AE83
      # gpg: Good signature from "Paolo Bonzini <bonzini@xxxxxxx>"
      # gpg:                 aka "Paolo Bonzini <pbonzini@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 
69B1
      #      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 
AE83

      * remotes/bonzini/tags/for-upstream: (22 commits)
        nbd/trivial: fix type cast for ioctl
        translate-all: use bitmap helpers for PageDesc's bitmap
        target-i386: disable LINT0 after reset
        Makefile.target: prepend $libs_softmmu to $LIBS
        milkymist: do not modify libs-softmmu
        configure: Add support for tcmalloc
        exec: Respect as_translate_internal length clamp
        ioport: reserve the whole range of an I/O port in the AddressSpace
        ioport: loosen assertions on emulation of 16-bit ports
        ioport: remove wrong comment
        ide: there is only one data port
        gus: clean up MemoryRegionPortio
        sb16: remove useless mixer_write_indexw
        sun4m: fix slavio sysctrl and led register sizes
        acpi-build: remove dependency from ram_addr.h
        memory: add memory_region_ram_resize
        dma-helpers: Fix race condition of continue_after_map_failure and 
dma_aio_cancel
        exec: Notify cpu_register_map_client caller if the bounce buffer is 
available
        exec: Protect map_client_list with mutex
        linux-user, bsd-user: Remove two calls to cpu_exec_init_all
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a1fe58f6ad2282399da256b8579b49b43527e486
  Merge: 52b7aba c836867
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 30 10:10:31 2015 +0100

      Merge remote-tracking branch 'remotes/jnsnow/tags/ide-pull-request' into 
staging

      # gpg: Signature made Wed Apr 29 00:03:44 2015 BST using RSA key ID 
AAFC390E
      # gpg: Good signature from "John Snow (John Huston) <jsnow@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: FAEB 9711 A12C F475 812F  18F2 88A9 064D 1835 
61EB
      #      Subkey fingerprint: F9B7 ABDB BCAC DF95 BE76  CBD0 7DEF 8106 AAFC 
390E

      * remotes/jnsnow/tags/ide-pull-request:
        qtest: Add assertion that required environment variable is set
        qtest/ahci: add flush retry test
        libqos: add blkdebug_prepare_script
        libqtest: add qmp_async
        libqtest: add qmp_eventwait
        qtest/ahci: Allow override of default CLI options
        qtest/ahci: Add simple flush test
        qtest/ahci: test different disk sectors
        qtest/ahci: add qcow2 support to ahci-test
        fdc: remove sparc sun4m mutations

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit d064d9f381b00538e41f14104b88a1ae85d78865
  Author: Bogdan Purcareata <bogdan.purcareata@xxxxxxxxxxxxx>
  Date:   Fri Apr 3 11:01:54 2015 +0000

      nbd/trivial: fix type cast for ioctl

      This fixes ioctl behavior on powerpc e6500 platforms with 64bit kernel 
and 32bit
      userspace. The current type cast has no effect there and the value passed 
to the
      kernel is still 0. Probably an issue related to the compiler, since I'm 
assuming
      the same configuration works on a similar setup on x86.

      Also ensure consistency with previous type cast in TRACE message.

      Signed-off-by: Bogdan Purcareata <bogdan.purcareata@xxxxxxxxxxxxx>
      Message-Id: 
<1428058914-32050-1-git-send-email-bogdan.purcareata@xxxxxxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      [Fix parens as noticed by Michael. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 510a647fa27a12b66be40da4c2c098430003225c
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Wed Apr 22 17:50:52 2015 -0400

      translate-all: use bitmap helpers for PageDesc's bitmap

      Here we have an open-coded byte-based bitmap implementation.
      Get rid of it since there's a ulong-based implementation to be
      used by all code.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit b8eb5512fd8a115f164edbbe897cdf8884920ccb
  Author: Nadav Amit <namit@xxxxxxxxxxxxxxxxx>
  Date:   Mon Apr 13 02:32:08 2015 +0300

      target-i386: disable LINT0 after reset

      Due to old Seabios bug, QEMU reenable LINT0 after reset. This bug is long 
gone
      and therefore this hack is no longer needed.  Since it violates the
      specifications, it is removed.

      Signed-off-by: Nadav Amit <namit@xxxxxxxxxxxxxxxxx>
      Message-Id: <1428881529-29459-2-git-send-email-namit@xxxxxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 7398dfc7799a50097803db4796c7edb6cd7d47a1
  Author: Wei Liu <wei.liu2@xxxxxxxxxx>
  Date:   Mon Mar 9 14:54:33 2015 +0000

      Makefile.target: prepend $libs_softmmu to $LIBS

      I discovered a problem when trying to build QEMU statically with gcc.
      libm is an element of LIBS while libpixman-1 is an element in
      libs_softmmu. Libpixman references functions in libm, so the original
      ordering makes linking fail.

      This fix is to reorder $libs_softmmu and $LIBS to make -lm appear after
      -lpixman-1. However I'm not quite sure if this is the right fix, hence
      the RFC tag.

      Normally QEMU is built with c++ compiler which happens to link in libm
      (at least this is the case with g++), so building QEMU statically
      normally just works and nobody notices this issue.

      Signed-off-by: Wei Liu <wei.liu2@xxxxxxxxxx>
      Message-Id: <1425912873-21215-1-git-send-email-wei.liu2@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 738e4171de478da2516180c7a139f1b762443618
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Mar 10 11:17:48 2015 +0100

      milkymist: do not modify libs-softmmu

      This is better and prepares for the next patch.  When we copy
      libs_softmmu's value into LIBS with a := assignment, we cannot
      anymore modify libs_softmmu in the Makefiles.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 2847b46958ab0bd604e1b3fcafba0f5ba4375833
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Thu Mar 26 11:03:12 2015 +0800

      configure: Add support for tcmalloc

      This adds "--enable-tcmalloc" and "--disable-tcmalloc" to allow linking
      to libtcmalloc from gperftools.

      tcmalloc is a malloc implementation that works well with threads and is
      fast, so it is good for performance.

      It is disabled by default, because the MALLOC_PERTURB_ flag we use in
      tests doesn't work with tcmalloc. However we can enable tcmalloc
      specific heap checker and profilers later.

      An IOPS gain can be observed with virtio-blk-dataplane, other parts of
      QEMU will directly benefit from it as well:

      ==========================================================
                             glibc malloc
      ----------------------------------------------------------
      rw         bs         iodepth    bw     iops       latency
      read       4k         1          150    38511      24
      ----------------------------------------------------------

      ==========================================================
                               tcmalloc
      ----------------------------------------------------------
      rw         bs         iodepth    bw     iops       latency
      read       4k         1          156    39969      23
      ----------------------------------------------------------

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1427338992-27057-1-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c8368674980b299604e3cfe9215c4105acefa516
  Author: Ed Maste <emaste@xxxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest: Add assertion that required environment variable is set

      Signed-off-by: Ed Maste <emaste@xxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1427911244-22565-1-git-send-email-emaste@xxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit cf5aa89e9d32ae39bd9df27c9b2aec03c0d240b2
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: add flush retry test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-7-git-send-email-jsnow@xxxxxxxxxx

  commit 72c85e949fd162b039614d588d94393ff3e2dae3
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      libqos: add blkdebug_prepare_script

      Pull this helper out of ide-test and into libqos,
      to be shared with ahci-test.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-6-git-send-email-jsnow@xxxxxxxxxx

  commit ba4ed39346c1bdbfefd1d781b39009f90822b956
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      libqtest: add qmp_async

      Add qmp_async, which lets us send QMP commands asynchronously.
      This is useful when we want to send commands that will trigger
      event responses, but we don't know in what order to expect them.

      Sometimes the event responses may arrive even before the command
      confirmation will show up, so it is convenient to leave the responses
      in the stream.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-5-git-send-email-jsnow@xxxxxxxxxx

  commit 8fe941f749b2db3735abade1c298552de4eab496
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      libqtest: add qmp_eventwait

      Allow the user to poll until a desired interrupt occurs.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-4-git-send-email-jsnow@xxxxxxxxxx

  commit debaaa114a8877a939533ba846e64168fb287b7b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: Allow override of default CLI options

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-3-git-send-email-jsnow@xxxxxxxxxx

  commit 4e217074ca3f704d9a1c3bd1ebb03eb7621ab882
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: Add simple flush test

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Message-id: 1426018503-821-2-git-send-email-jsnow@xxxxxxxxxx

  commit 727be1a7550b5caad0b94098a41de8033ad43f85
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: test different disk sectors

      Test sector offset 0, 1, and the last sector(s)
      in LBA28 and LBA48 modes.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Acked-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1426274523-22661-3-git-send-email-jsnow@xxxxxxxxxx

  commit 122fdf2d8822699482723e6f50f34c9c3933360b
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      qtest/ahci: add qcow2 support to ahci-test

      This will enable the testing of high offsets without
      wasting a lot of disk space, and does not impact the
      previous tests.

      mkimg and mkqcow2 are added to libqos for other tests.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Acked-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1426274523-22661-2-git-send-email-jsnow@xxxxxxxxxx

  commit 24a5c62cfe3cbe3fb4722f79661b9900a2579316
  Author: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
  Date:   Tue Apr 28 15:27:51 2015 -0400

      fdc: remove sparc sun4m mutations

      They were introduced in 6f7e9aec5eb5bdfa57a9e458e391b785c283a007 and
      82407d1a4035e5bfefb53ffdcb270872f813b34c and lots of bug fixes were done 
after that.

      This fixes (at least) the detection of the floppy controller on Debian 
4.0r9/SPARC,
      and SS-5's OBP initialization routine still works.

      Signed-off-by: Hervé Poussineau <hpoussin@xxxxxxxxxxx>
      Tested-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Message-id: 1426351846-6497-1-git-send-email-hpoussin@xxxxxxxxxxx
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>

  commit 52b7aba62f02cf90f57ee7e02f67d2d8445e7e40
  Merge: a9392bc 5655f93
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 18:58:15 2015 +0100

      Merge remote-tracking branch 
'remotes/awilliam/tags/vfio-update-20150428.0' into staging

      VFIO updates
       - Correction to BAR overflow
       - Fix error sign
       - Reset workaround for AMD Bonaire & Hawaii GPUs

      # gpg: Signature made Tue Apr 28 18:26:43 2015 BST using RSA key ID 
3BB08B22
      # gpg: Good signature from "Alex Williamson <alex.williamson@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex@xxxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alwillia@xxxxxxxxxx>"
      # gpg:                 aka "Alex Williamson <alex.l.williamson@xxxxxxxxx>"

      * remotes/awilliam/tags/vfio-update-20150428.0:
        vfio-pci: Reset workaround for AMD Bonaire and Hawaii GPUs
        vfio-pci: Fix error path sign
        vfio-pci: Further fix BAR size overflow

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 5655f931abcfa5f100d12d021eaed606c2d4ef52
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Tue Apr 28 11:14:02 2015 -0600

      vfio-pci: Reset workaround for AMD Bonaire and Hawaii GPUs

      Somehow these GPUs manage not to respond to a PCI bus reset, removing
      our primary mechanism for resetting graphics cards.  The result is
      that these devices typically work well for a single VM boot.  If the
      VM is rebooted or restarted, the guest driver is not able to init the
      card from the dirty state, resulting in a blue screen for Windows
      guests.

      The workaround is to use a device specific reset.  This is not 100%
      reliable though since it depends on the incoming state of the device,
      but it substantially improves the usability of these devices in a VM.

      Credit to Alex Deucher <alexander.deucher@xxxxxxx> for his guidance.

      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit c6d231e2fd3773ef9a566ca24962f2314cb78f73
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Tue Apr 28 11:14:02 2015 -0600

      vfio-pci: Fix error path sign

      This is an impossible error path due to the fact that we're reading a
      kernel provided, rather than user provided link, which will certainly
      always fit in PATH_MAX.  Currently it returns a fixed 26 char path
      plus %d group number, which typically maxes out at double digits.
      However, the caller of the initfn certainly expects a less-than zero
      return value on error, not just a non-zero value.  Therefore we
      should correct the sign here.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit 07ceaf98800519ef9c5dc893af00f1fe1f9144e4
  Author: Alex Williamson <alex.williamson@xxxxxxxxxx>
  Date:   Tue Apr 28 11:14:02 2015 -0600

      vfio-pci: Further fix BAR size overflow

      In an analysis by Laszlo, the resulting type of our calculation for
      the end of the MSI-X table, and thus the start of memory after the
      table, is uint32_t.  We're therefore not correctly preventing the
      corner case overflow that we intended to fix here where a BAR >=4G
      could place the MSI-X table to end exactly at the 4G boundary.  The
      MSI-X table offset is defined by the hardware spec to 32bits, so we
      simply use a cast rather than changing data structure types.  This
      scenario is purely theoretically, typically the MSI-X table is located
      at the front of the BAR.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Alex Williamson <alex.williamson@xxxxxxxxxx>

  commit a9392bc93c8615ad1983047e9f91ee3fa8aae75f
  Merge: 84cbd63 61007b3
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 16:55:03 2015 +0100

      Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into 
staging

      Block patches

      # gpg: Signature made Tue Apr 28 15:35:05 2015 BST using RSA key ID 
C88F2FD6
      # gpg: Good signature from "Kevin Wolf <kwolf@xxxxxxxxxx>"

      * remotes/kevin/tags/for-upstream: (76 commits)
        block: move I/O request processing to block/io.c
        block: extract bdrv_setup_io_funcs()
        block: add bdrv_set_dirty()/bdrv_reset_dirty() to block_int.h
        block: replace bdrv_states iteration with bdrv_next()
        vmdk: Widen before shifting 32 bit header field
        block/dmg: make it modular
        block/mirror: Always call block_job_sleep_ns()
        iotests: add incremental backup granularity tests
        iotests: add incremental backup failure recovery test
        iotests: add simple incremental backup case
        iotests: add QMP event waiting queue
        iotests: add invalid input incremental backup tests
        hbitmap: truncate tests
        block: Resize bitmaps on bdrv_truncate
        block: Ensure consistent bitmap function prototypes
        block: add BdrvDirtyBitmap documentation
        qmp: Add dirty bitmap status field in query-block
        qmp: add block-dirty-bitmap-clear
        qmp: Add support of "dirty-bitmap" sync mode for drive-backup
        block: Add bitmap successors
        ...

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit da2f84d1270d203027d82f778d5bcc1f7a49bab0
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue Apr 28 19:51:13 2015 +0800

      virtio-scsi: Move DEFINE_VIRTIO_SCSI_FEATURES to virtio-scsi

      So far virtio-scsi-device can't expose host features to guest while
      using virtio-mmio because it doesn't set DEFINE_VIRTIO_SCSI_FEATURES on
      backend or transport.

      The host features belong to the backends while virtio-scsi-pci,
      virtio-scsi-s390 and virtio-scsi-ccw set the DEFINE_VIRTIO_SCSI_FEATURES
      on transports. But they already have the ability to forward property
      accesses to the backend child. So if we move the host features to
      backends, it doesn't break the backwards compatibility for them and
      make host features work while using virtio-mmio.

      Move DEFINE_VIRTIO_SCSI_FEATURES to the backend virtio-scsi. The
      transports just sync the host features from backends.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit da3e8a23492dbc13c4b70d90b6ae42970624e63a
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Tue Apr 28 19:51:12 2015 +0800

      virtio-net: Move DEFINE_VIRTIO_NET_FEATURES to virtio-net

      So far virtio-net-device can't expose host features to guest while
      using virtio-mmio because it doesn't set DEFINE_VIRTIO_NET_FEATURES on
      backend or transport. So the performance is low.

      The host features belong to the backend while virtio-net-pci,
      virtio-net-s390 and virtio-net-ccw set the DEFINE_VIRTIO_NET_FEATURES
      on transports. But they already have the ability to forward property
      accesses to the backend child. So if we move the host features to
      backends, it doesn't break the backwards compatibility for them and
      make host features work while using virtio-mmio.

      Here we move DEFINE_VIRTIO_NET_FEATURES to the backend virtio-net. The
      transports just sync the host features from backend. Meanwhile move
      virtio_net_set_config_size to virtio-net to make sure the config size
      is correct and don't expose it.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 51f7cb974ba1af9f68302f2bae4bf0161fb0ab03
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Tue Apr 28 12:50:07 2015 +0200

      pci: Merge pci_nic_init() into pci_nic_init_nofail()

      The error reporting in pci_nic_init() is quite erratic: Some errors
      are printed directly with error_report(), and some are passed back
      to the caller pci_nic_init_nofail() via an Error pointer.
      Since pci_nic_init() is only used by pci_nic_init_nofail(), the
      functions can be simply merged to clean up this inconsistency.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Markus Armbruster <armbru@xxxxxxxxxx>

  commit 61007b316cd71ee7333ff7a0a749a8949527575f
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Apr 28 14:27:52 2015 +0100

      block: move I/O request processing to block/io.c

      The block.c file has grown to over 6000 lines.  It is time to split this
      file so there are fewer conflicts and the code is easier to maintain.

      Extract I/O request processing code:
       * Read
       * Write
       * Zero writes and making the image empty
       * Flush
       * Discard
       * ioctl
       * Tracked requests and queuing
       * Throttling and copy-on-read
       * Block status and allocated functions
       * Refreshing block limits
       * Reading/writing vmstate
       * qemu_blockalign() and friends

      The patch simply moves code from block.c into block/io.c.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0eb7217e49b84553bb30f97bc34380633fd846fe
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Apr 28 14:27:51 2015 +0100

      block: extract bdrv_setup_io_funcs()

      Move the code to install coroutine and aio emulation function pointers
      in a BlockDriver to its own function.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e0c47b6cb1de430fbc6f828f7acffa851c580840
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Apr 28 14:27:50 2015 +0100

      block: add bdrv_set_dirty()/bdrv_reset_dirty() to block_int.h

      The dirty bitmap functions are called from the block I/O processing
      code.  Make them visible to block_int.h users so they can be used
      outside block.c.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4f5472cb2d3d37ec3282cc3829612f9d696c2df7
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Tue Apr 28 14:27:49 2015 +0100

      block: replace bdrv_states iteration with bdrv_next()

      The bdrv_states list is a static variable in block.c.

      bdrv_drain_all() and bdrv_flush_all() use this variable to iterate over
      all drives.

      The next patch will move bdrv_drain_all() and bdrv_flush_all() out of
      block.c so it's necessary to switch to the public bdrv_next() interface.

      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7237aecd7e8fcc3ccf7fded77b6c127b4df5d3ac
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Apr 27 22:23:01 2015 +0800

      vmdk: Widen before shifting 32 bit header field

      Coverity spotted this.

      The field is 32 bits, but if it's possible to overflow in 32 bit
      left shift.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5505e8b76f86f925c35ecc2b2d311886bb36534c
  Author: Michael Tokarev <mjt@xxxxxxxxxx>
  Date:   Mon Apr 27 14:51:56 2015 +0300

      block/dmg: make it modular

      dmg can optionally utilize libbz2, make it modular

      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 001c95b740b2ed3d8b486952f68b5f06e609f1f2
  Author: Max Reitz <mreitz@xxxxxxxxxx>
  Date:   Mon Apr 27 13:07:31 2015 +0200

      block/mirror: Always call block_job_sleep_ns()

      The mirror block job is trying to take a clever shortcut if delay_ns is
      0 and skips block_job_sleep_ns() in that case. But that function must be
      called in every block job iteration, because otherwise it is for example
      impossible to pause the job.

      Signed-off-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 59fc5d844fe192494308d0f07507b712ec395129
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:09 2015 -0400

      iotests: add incremental backup granularity tests

      Test what happens if you fiddle with the granularity.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-22-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 24618f5381da650bd50c78feea07b35cf82e7d6c
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:08 2015 -0400

      iotests: add incremental backup failure recovery test

      Test the failure case for incremental backups.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-21-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a3d715958c4456afea402e891288864fe4e51547
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:07 2015 -0400

      iotests: add simple incremental backup case

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-20-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7898f74e78a5900fc079868e255b65d807fa8a8f
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:06 2015 -0400

      iotests: add QMP event waiting queue

      A filter is added to allow callers to request very specific
      events to be pulled from the event queue, while leaving undesired
      events still in the stream.

      This allows us to poll for completion data for multiple asynchronous
      events in any arbitrary order.

      A new timeout context is added to the qmp pull_event method's
      wait parameter to allow tests to fail if they do not complete
      within some expected period of time.

      Also fixed is a bug in qmp.pull_event where we try to retrieve an event
      from an empty list if we attempt to retrieve an event with wait=False
      but no events have occurred.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-19-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9f7264f57c8307bca32e78427348b8b323d5db21
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:05 2015 -0400

      iotests: add invalid input incremental backup tests

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-18-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a94e87c08cfff73ac4b179adc3d0d9c3b8d2ddef
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:04 2015 -0400

      hbitmap: truncate tests

      The general approach is to set bits close to the boundaries of
      where we are truncating and ensure that everything appears to
      have gone OK.

      We test growing and shrinking by different amounts:
      - Less than the granularity
      - Less than the granularity, but across a boundary
      - Less than sizeof(unsigned long)
      - Less than sizeof(unsigned long), but across a ulong boundary
      - More than sizeof(unsigned long)

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-17-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ce1ffea8cdcea41533bde87759b8390f0e3a9ad3
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:03 2015 -0400

      block: Resize bitmaps on bdrv_truncate

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-16-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 20dca81075e712ebcbc151eed9b1a02d4e5d08f5
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:02 2015 -0400

      block: Ensure consistent bitmap function prototypes

      We often don't need the BlockDriverState for functions
      that operate on bitmaps. Remove it.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-15-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit aa0c7ca506bb3f661be673b3d5c1320f37e52fdb
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:01 2015 -0400

      block: add BdrvDirtyBitmap documentation

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-14-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a113534ffb8f2580d323e6397e6908d5f4bfa0b7
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:50:00 2015 -0400

      qmp: Add dirty bitmap status field in query-block

      Add the "frozen" status booleans, to inform clients
      when a bitmap is occupied doing a task.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-13-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e74e6b78e6fe0c9ee426d1278fff45f5fa0af766
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:59 2015 -0400

      qmp: add block-dirty-bitmap-clear

      Add bdrv_clear_dirty_bitmap and a matching QMP command,
      qmp_block_dirty_bitmap_clear that enables a user to reset
      the bitmap attached to a drive.

      This allows us to reset a bitmap in the event of a full
      drive backup.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-12-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d58d84539784d27c826924a79d9436178b07ff69
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:58 2015 -0400

      qmp: Add support of "dirty-bitmap" sync mode for drive-backup

      For "dirty-bitmap" sync mode, the block job will iterate through the
      given dirty bitmap to decide if a sector needs backup (backup all the
      dirty clusters and skip clean ones), just as allocation conditions of
      "top" sync mode.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-11-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9bd2b08f27b9c27bb40d73b6466321b8c635086e
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:57 2015 -0400

      block: Add bitmap successors

      A bitmap successor is an anonymous BdrvDirtyBitmap that is intended to
      be created just prior to a sensitive operation (e.g. Incremental Backup)
      that can either succeed or fail, but during the course of which we still
      want a bitmap tracking writes.

      On creating a successor, we "freeze" the parent bitmap which prevents
      its deletion, enabling, anonymization, or creating a bitmap with the
      same name.

      On success, the parent bitmap can "abdicate" responsibility to the
      successor, which will inherit its name. The successor will have been
      tracking writes during the course of the backup operation. The parent
      will be safely deleted.

      On failure, we can "reclaim" the successor from the parent, unifying
      them such that the resulting bitmap describes all writes occurring since
      the last successful backup, for instance. Reclamation will thaw the
      parent, but not explicitly re-enable it.

      BdrvDirtyBitmap operations that target a single bitmap are protected
      by assertions that the bitmap is not frozen and/or disabled.

      BdrvDirtyBitmap operations that target a group of bitmaps, such as
      bdrv_{set,reset}_dirty will ignore frozen/disabled drives with a
      conditional instead.

      Internal functions that enable/disable dirty bitmaps have assertions
      added to them to prevent modifying frozen bitmaps.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-10-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit b8e6fb752e43b45b428487c244cab35f0ab94b10
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:56 2015 -0400

      block: Add bitmap disabled status

      Add a status indicating the enabled/disabled state of the bitmap.
      A bitmap is by default enabled, but you can lock the bitmap into
      a read-only state by setting disabled = true.

      A previous version of this patch added a QMP interface for changing
      the state of the bitmap, but it has since been removed for now until
      a use case emerges where this state must be revealed to the user.

      The disabled state WILL be used internally for bitmap migration and
      bitmap persistence.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-9-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit be58721dbf882fa8830f3669f499b0a5b501e90f
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:55 2015 -0400

      hbitmap: add hbitmap_merge

      We add a bitmap merge operation to assist in error cases
      where we wish to combine two bitmaps together.

      This is algorithmically O(bits) provided HBITMAP_LEVELS remains
      constant. For a full bitmap on a 64bit machine:
      sum(bits/64^k, k, 0, HBITMAP_LEVELS) ~= 1.01587 * bits

      We may be able to improve running speed for particularly sparse
      bitmaps by using iterators, but the running time for dense maps
      will be worse.

      We present the simpler solution first, and we can refine it later
      if needed.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-8-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8515efbef1759b9143f06e9722c8f4e145032181
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:54 2015 -0400

      hbitmap: cache array lengths

      As a convenience: between incremental backups, bitmap migrations
      and bitmap persistence we seem to need to recalculate these a lot.

      Because the lengths are a little bit-twiddly, let's just solidly
      cache them and be done with it.

      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-7-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 592fdd02ae987a439a2ba25a2a973673f1484805
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:53 2015 -0400

      block: Introduce bdrv_dirty_bitmap_granularity()

      This returns the granularity (in bytes) of dirty bitmap,
      which matches the QMP interface and the existing query
      interface.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-6-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 341ebc2f81b14862347e4d4c1fcb3759f815237a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:52 2015 -0400

      qmp: Add block-dirty-bitmap-add and block-dirty-bitmap-remove

      The new command pair is added to manage a user created dirty bitmap. The
      dirty bitmap's name is mandatory and must be unique for the same device,
      but different devices can have bitmaps with the same names.

      The granularity is an optional field. If it is not specified, we will
      choose a default granularity based on the cluster size if available,
      clamped to between 4K and 64K to mirror how the 'mirror' code was
      already choosing granularity. If we do not have cluster size info
      available, we choose 64K. This code has been factored out into a helper
      shared with block/mirror.

      This patch also introduces the 'block_dirty_bitmap_lookup' helper,
      which takes a device name and a dirty bitmap name and validates the
      lookup, returning NULL and setting errp if there is a problem with
      either field. This helper will be re-used in future patches in this
      series.

      The types added to block-core.json will be re-used in future patches
      in this series, see:
      'qapi: Add transaction support to block-dirty-bitmap-{add, enable, 
disable}'

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-5-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5fba6c0e50b66691568b34d5a2f4be0b39f5e20a
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:51 2015 -0400

      qmp: Ensure consistent granularity type

      We treat this field with a variety of different types everywhere
      in the code. Now it's just uint32_t.

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-4-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0db6e54a8a2c6e16780356422da671b71f862341
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:50 2015 -0400

      qapi: Add optional field "name" to block dirty bitmap

      This field will be set for user created dirty bitmap. Also pass in an
      error pointer to bdrv_create_dirty_bitmap, so when a name is already
      taken on this BDS, it can report an error message. This is not global
      check, two BDSes can have dirty bitmap with a common name.

      Implemented bdrv_find_dirty_bitmap to find a dirty bitmap by name, will
      be used later when other QMP commands want to reference dirty bitmap by
      name.

      Add bdrv_dirty_bitmap_make_anon. This unsets the name of dirty bitmap.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1429314609-29776-3-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit efcfa278dca27f1c9db8b8283eac54f5e19074e7
  Author: John Snow <jsnow@xxxxxxxxxx>
  Date:   Fri Apr 17 19:49:49 2015 -0400

      docs: incremental backup documentation

      Signed-off-by: John Snow <jsnow@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1429314609-29776-2-git-send-email-jsnow@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9eac3622a2b1159ab50b10540e822f3e58fdc383
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:33 2015 +0200

      block/iscsi: use the allocationmap also if cache.direct=on

      the allocationmap has only a hint character. The driver always
      double checks that blocks marked unallocated in the cache are
      still unallocated before taking the fast path and return zeroes.
      So using the allocationmap is migration safe and can
      also be enabled with cache.direct=on.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-10-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 03e40fef4678f9a42846c91a804b6d3c820e8b90
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:32 2015 +0200

      block/iscsi: bump year in copyright notice

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-9-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e380aff831c24b37c023010852e7ddd2ae1ec385
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:31 2015 +0200

      block/iscsi: handle SCSI_STATUS_TASK_SET_FULL

      a target may issue a SCSI_STATUS_TASK_SET_FULL status
      if there is more than one "BUSY" command queued already.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-8-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 59dd0a22ca4c3ac70c37263208b9e49cfeacf2e4
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:30 2015 +0200

      block/iscsi: increase retry count

      The idea is that a command is retried in a BUSY condition
      up a time of approx. 60 seconds before it is failed. This should
      be far higher than any command timeout in the guest.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-7-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 73b5394e2e4af3bbe01e221fa395373facc67f78
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:29 2015 +0200

      block/iscsi: optimize WRITE10/16 if cache.writeback is not set

      SCSI allowes to tell the target to not return from a write command
      if the date is not written to the disk. Use this so called FUA
      bit if it is supported to optimize WRITE commands if writeback is
      not allowed.

      In this case qemu always issues a WRITE followed by a FLUSH. This
      is 2 round trip times. If we set the FUA bit we can ignore the
      following FLUSH.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-6-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 752ce45150d3d70aabc4eb46a7a9cdfd8b4640fd
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:28 2015 +0200

      block/iscsi: store DPOFUA bit from the modesense command

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-5-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 7191f2080c70228c6483b6604cc1c18943d8d766
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:27 2015 +0200

      block/iscsi: rename iscsi_write_protected and let it return void

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-4-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0a386e48527d16e5dedbc1ff62aa0042a1cbdac5
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:26 2015 +0200

      block/iscsi: change all iscsilun properties from uint8_t to bool

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-3-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 20474e9aa040b9a255c63127f1eb873c29c54f68
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Thu Apr 16 16:08:25 2015 +0200

      block/iscsi: do not forget to logout from target

      We actually were always impolitely dropping the connection and
      not cleanly logging out.

      CC: qemu-stable@xxxxxxxxxx
      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1429193313-4263-2-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d5a8ee60a0fbc20a2c2d02f3bda1bb1bd365f1ee
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Apr 17 14:52:43 2015 +0300

      qmp: fill in the image field in BlockDeviceInfo

      The image field in BlockDeviceInfo is supposed to contain an ImageInfo
      object. However that is being filled in by bdrv_query_info(), not by
      bdrv_block_device_info(), which is where BlockDeviceInfo is actually
      created.

      Anyone calling bdrv_block_device_info() directly will get a null image
      field. As a consequence of this, the HMP command 'info block -n -v'
      crashes QEMU.

      This patch moves the code that fills in that field from
      bdrv_query_info() to bdrv_block_device_info().

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1429271563-3765-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9419874f709469de16c1bced7731bfecb07fe1cf
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 22 11:15:10 2015 +0100

      Revert "hmp: fix crash in 'info block -n -v'"

      This reverts commit 638b8366200130cc7cf7a026630bc6bfb63b0c4c.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit dc881b441d74b8fc6c9c007cd03d5d05bca388dd
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Apr 8 12:29:20 2015 +0300

      block: add 'node-name' field to BLOCK_IMAGE_CORRUPTED

      Since this event can occur in nodes that cannot have a device name
      associated, include also a field with the node name.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 
147cec5b3594f4bec0cb41c98afe5fcbfb67567c.1428485266.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 81e5f78a9f4f13548ec1edddaf780d339f18e2d2
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Apr 8 12:29:19 2015 +0300

      block: use bdrv_get_device_or_node_name() in error messages

      There are several error messages that identify a BlockDriverState by
      its device name. However those errors can be produced in nodes that
      don't have a device name associated.

      In those cases we should use bdrv_get_device_or_node_name() to fall
      back to the node name and produce a more meaningful message. The
      messages are also updated to use the more generic term 'node' instead
      of 'device'.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 
9823a1f0514fdb0692e92868661c38a9e00a12d6.1428485266.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9b2aa84f87f5b95cb0295dcae38fbfbf115df2be
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Wed Apr 8 12:29:18 2015 +0300

      block: add bdrv_get_device_or_node_name()

      This function gets the device name associated with a BlockDriverState,
      or its node name if the device name is empty.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 
4fa30aa8d61d9052ce266fd5429a59a14e941255.1428485266.git.berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ec683d604069dcdaaa516789274bc0cdc14e5247
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 15 11:43:42 2015 +0100

      block: document block-stream in qmp-commands.hx

      The 'block-stream' QMP command is documented in block-core.json but not
      qmp-commands.hx.  Add a summary of the command to qmp-commands.hx
      (similar to the documentation for 'block-commit').

      Reported-by: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>
      Message-id: 1429094622-26218-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c485cf9c9277ca9b3d5227c99a13c374e812f42b
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Wed Apr 15 10:43:44 2015 +0100

      m25p80: fix s->blk usage before assignment

      Delay the call to blk_blockalign() until s->blk has been assigned.

      This never caused a crash because blk_blockalign(NULL, size) defaults to
      4096 alignment but it's technically incorrect.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1429091024-25098-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d07063e46047242c4f010ff9ddbff5e02f15d9e7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Apr 14 17:29:47 2015 +0200

      m25p80: add missing blk_attach_dev_nofail

      Of the block devices that poked into -drive options via drive_get_next,
      m25p80 was the only one who also did not attach itself to the 
BlockBackend.

      Since sd does it, and all other devices go through a "drive" property,
      with this change all block backends attached to the guest will have a
      non-NULL result for blk_get_attached_dev().

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-id: 1429025387-11077-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 4eb867e98c1815d9d7a2a9380182005df12064a7
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Sun Apr 12 17:55:17 2015 +0200

      virtio_blk: comment fix

      update virtio blk header from latest linux, include comment fixups.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Message-id: 1428854036-12806-1-git-send-email-mst@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 0b5a24454fc551f0294fe93821e8c643214a55f5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Sat Mar 28 07:37:18 2015 +0100

      block: avoid unnecessary bottom halves

      bdrv_aio_* APIs can use coroutines to achieve asynchronicity.  However,
      the coroutine may terminate without having yielded back to the caller
      (for example because of something that invokes a nested event loop,
      or because the coroutine is doing nothing at all).  In this case,
      the bdrv_aio_* API must delay the completion to the next iteration
      of the main loop, because bdrv_aio_* will never invoke the callback
      before returning.

      This can be done with a bottom half, and indeed bdrv_aio_* is always
      using one for simplicity.  It is possible to gain some performance
      (~3%) by avoiding this in the common case.  A new field in the
      BlockAIOCBCoroutine struct is set to true until the first time the
      corotine has yielded to its creator, and completion goes through a
      new function bdrv_co_complete.  If the flag is false, bdrv_co_complete
      invokes the callback immediately.  If it is true, the caller will
      notice that the coroutine has completed and schedule the bottom
      half itself.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427524638-28157-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit a7282330c01364ef00260749bc6a37c7f16ec047
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 3 22:05:21 2015 +0800

      blockjob: Update function name in comments

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1428069921-2957-5-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e62303a437af72141c8d04c36799521a56d6f4f6
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 3 22:05:20 2015 +0800

      qemu-iotests: Test that "stop" doesn't drain block jobs

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1428069921-2957-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 69da3b0b47c8f6016e9109fcfa608e9e7e99bc05
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 3 22:05:19 2015 +0800

      block: Pause block jobs in bdrv_drain_all

      This is necessary to suppress more IO requests from being generated from
      block job coroutines.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1428069921-2957-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 751ebd76e654bd1e65da08ecf694325282b4cfcc
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Fri Apr 3 22:05:18 2015 +0800

      blockjob: Allow nested pause

      This patch changes block_job_pause to increase the pause counter and
      block_job_resume to decrease it.

      The counter will allow calling block_job_pause/block_job_resume
      unconditionally on a job when we need to suspend the IO temporarily.

      From now on, each block_job_resume must be paired with a block_job_pause
      to keep the counter balanced.

      The user pause from QMP or HMP will only trigger block_job_pause once
      until it's resumed, this is achieved by adding a user_paused flag in
      BlockJob.

      One occurrence of block_job_resume in mirror_complete is replaced with
      block_job_enter which does what is necessary.

      In block_job_cancel, the cancel flag is good enough to instruct
      coroutines to quit loop, so use block_job_enter to replace the unpaired
      block_job_resume.

      Upon block job IO error, user is notified about the entering to the
      pause state, so this pause belongs to user pause, set the flag
      accordingly and expect a matching QMP resume.

      [Extended doc comments as suggested by Paolo Bonzini
      <pbonzini@xxxxxxxxxx>.
      --Stefan]

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1428069921-2957-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 199667a8c843d268f0fe80f09041b8c7193f1ba5
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Apr 1 09:45:40 2015 +0800

      MAINTAINERS: Add Fam Zheng as Null block driver maintainer

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427852740-24315-4-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1c2b49a17282f3abd9ccf71b65d0be62d3b3192e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Apr 1 09:45:39 2015 +0800

      block/null: Support reopen

      Reopen is used in block-commit. With this always-succeed operation, it
      is now possible to test committing to a null drive, by specifying
      "null-aio://" or "null-co://" as the backing image when creating the
      qcow2 image.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427852740-24315-3-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e5e51dd3af6a0872dedce290ee41437b5aeed109
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Apr 1 09:45:38 2015 +0800

      block/null: Latency simulation by adding new option "latency-ns"

      Aio context switch should just work because the requests will be
      drained, so the scheduled timer(s) on the old context will be freed.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427852740-24315-2-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 9eddd6a4b3b187ba50038800b6e4aeda4973b365
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Mar 26 22:42:34 2015 +0000

      scripts: add 'qemu coroutine' command to qemu-gdb.py

      The 'qemu coroutine <coroutine-address>' GDB command prints the
      backtrace for a CoroutineUContext.  This is useful for peeking inside
      yielded coroutines that are waiting for file descriptor events, timers,
      etc.

      For example:

        $ gdb tests/test-coroutine
        (gdb) b test_yield
        (gdb) r
        (gdb) b qemu_coroutine_enter
        (gdb) c
        (gdb) c
        Continuing.

        Breakpoint 2, qemu_coroutine_enter (co=0x555555c66520, opaque=0x0) at 
qemu-coroutine.c:103
        103     {
        (gdb) source scripts/qemu-gdb.py
        (gdb) qemu coroutine 0x555555c66520
        #0  0x000055555557a740 in qemu_coroutine_switch (from_=<optimized out>, 
to_=0x7ffff7f90a70, action=COROUTINE_YIELD) at coroutine-ucontext.c:177
        #1  0x0000555555566af9 in yield_5_times (opaque=0x7fffffffdbb7) at 
tests/test-coroutine.c:107
        #2  0x000055555557a7aa in coroutine_trampoline (i0=<optimized out>, 
i1=<optimized out>) at coroutine-ucontext.c:80
        #3  0x00007ffff08de000 in __start_context () at /lib64/libc.so.6

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427409754-8556-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 1faa5bb73247339bf3d797433a9ade990ef0fb32
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Apr 2 17:39:22 2015 +0100

      thread-pool: clean up thread_pool_completion_bh()

      This patch simplifies thread_pool_completion_bh().

      The function first checks elem->state:

        if (elem->state != THREAD_DONE) {
            continue;
        }

      It then goes on to check elem->state == THREAD_DONE although we already
      know this must be the case.

      The QLIST_REMOVE() is duplicated down both branches of an if-else
      statement so that can be lifted out as well.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1427992762-10126-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit d1a126c53ddc563b7b731cee013e0362f7a5f22f
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 14 16:36:16 2015 +0200

      vhdx: Fix zero-fill iov length

      Fix the length of the zero-fill for the back, which was accidentally
      using the same value as for the front. This is caught by qemu-iotests
      033.

      For consistency, change the code for the front as well to use the length
      stored in the iov (it is the same value, copied four lines above).

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Acked-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit 8eedfbd4a50299f03b3630659c34ad1b01f69370
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 14 16:32:45 2015 +0200

      blkdebug: Add bdrv_truncate()

      This is, amongst others, required for qemu-iotests 033 to run as
      intended on VHDX, which uses explicit bdrv_truncate() calls to bs->file
      when allocating new blocks.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Jeff Cody <jcody@xxxxxxxxxx>

  commit e4f587492331df0ac50bad6131ea273d527af796
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Mar 19 13:33:33 2015 +0100

      qemu-iotests: Some qemu-img convert tests

      This adds a regression test for some problems that the qemu-img convert
      rewrite just fixed.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 690c7301600162421b928c7f26fd488fd8fa464e
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Mar 19 13:33:32 2015 +0100

      qemu-img convert: Rewrite copying logic

      The implementation of qemu-img convert is (a) messy, (b) buggy, and
      (c) less efficient than possible. The changes required to beat some
      sense into it are massive enough that incremental changes would only
      make my and the reviewers' life harder. So throw it away and reimplement
      it from scratch.

      Let me give some examples what I mean by messy, buggy and inefficient:

      (a) The copying logic of qemu-img convert has two separate branches for
          compressed and normal target images, which roughly do the same -
          except for a little code that handles actual differences between
          compressed and uncompressed images, and much more code that
          implements just a different set of optimisations and bugs. This is
          unnecessary code duplication, and makes the code for compressed
          output (unsurprisingly) suffer from bitrot.

          The code for uncompressed ouput is run twice to count the the total
          length for the progress bar. In the first run it just takes a
          shortcut and runs only half the loop, and when it's done, it toggles
          a boolean, jumps out of the loop with a backwards goto and starts
          over. Works, but pretty is something different.

      (b) Converting while keeping a backing file (-B option) is broken in
          several ways. This includes not writing to the image file if the
          input has zero clusters or data filled with zeros (ignoring that the
          backing file will be visible instead).

          It also doesn't correctly limit every iteration of the copy loop to
          sectors of the same status so that too many sectors may be copied to
          in the target image. For -B this gives an unexpected result, for
          other images it just does more work than necessary.

          Conversion with a compressed target completely ignores any target
          backing file.

      (c) qemu-img convert skips reading and writing an area if it knows from
          metadata that copying isn't needed (except for the bug mentioned
          above that ignores a status change in some cases). It does, however,
          read from the source even if it knows that it will read zeros, and
          then search for non-zero bytes in the read buffer, if it's possible
          that a write might be needed.

      This reimplementation of the copying core reorganises the code to remove
      the duplication and have a much more obvious code flow, by essentially
      splitting the copy iteration loop into three parts:

      1. Find the number of contiguous sectors of the same status at the
         current offset (This can also be called in a separate loop before the
         copying loop in order to determine the total sectors for the progress
         bar.)

      2. Read sectors. If the status implies that there is no data there to
         read (zero or unallocated cluster), don't do anything.

      3. Write sectors depending on the status. If it's data, write it. If
         we want the backing file to be visible (with -B), don't write it. If
         it's zeroed, skip it if you can, otherwise use bdrv_write_zeroes() to
         optimise the write at least where possible.

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit 0df89e8e6f62aea32a7302e73a86b7bfe5821018
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Thu Mar 19 13:33:31 2015 +0100

      block-backend: Expose bdrv_write_zeroes()

      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Max Reitz <mreitz@xxxxxxxxxx>

  commit a0710f7995f914e3044e5899bd8ff6c43c62f916
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Feb 20 17:26:52 2015 +0100

      iothread: release iothread around aio_poll

      This is the first step towards having fine-grained critical sections in
      dataplane threads, which resolves lock ordering problems between
      address_space_* functions (which need the BQL when doing MMIO, even
      after we complete RCU-based dispatch) and the AioContext.

      Because AioContext does not use contention callbacks anymore, the
      unit test has to be changed.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1424449612-18215-4-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 49110174f8835ec3d5ca7fc076ee1f51c18564fe
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Feb 20 17:26:51 2015 +0100

      AioContext: acquire/release AioContext during aio_poll

      This is the first step in pushing down acquire/release, and will let
      rfifolock drop the contention callback feature.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1424449612-18215-3-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit e98ab097092e54999f046e9efa1ca1dd52f0c9e5
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Fri Feb 20 17:26:50 2015 +0100

      aio-posix: move pollfds to thread-local storage

      By using thread-local storage, aio_poll can stop using global data during
      g_poll_ns.  This will make it possible to drop callbacks from rfifolock.

      [Moved npfd = 0 assignment to end of walking_handlers region as
      suggested by Paolo.  This resolves the assert(npfd == 0) assertion
      failure in pollfds_cleanup().
      --Stefan]

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1424449612-18215-2-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit de50a20a4cc368d241d67c600f8c0f667186a8b5
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Wed Mar 25 15:27:26 2015 +0800

      block: Switch to host monotonic clock for IO throttling

      Currently, throttle timers won't make any progress when VCPU is not
      running, which would stall the request queue in utils, qtest, vm
      suspending, and live migration, without special handling.

      Block jobs are confusingly inconsistent between with and without
      throttling: if user sets a bps limit, stops the vm, then start a block
      job, the block job will not make any progress; in contrary, if user
      unsets the bps limit, or if it's not set, the block job will run
      normally.

      After this patch, with the host clock, even if the VCPUs are stopped,
      the throttle queues will be processed.

      This patch also enables potential to add throttle to bdrv_drain_all.
      Currently all requests are drained immediately. In other words whenever
      it is called, IO throttling goes ineffective (examples: system reset,
      migration and many block job operations.). This is a loophole that guest
      could exploit. If we use the host clock, we can later just trust the
      nested poll. This could be done on top.

      Note that for qemu-iotests case 093, which uses qtest, we still keep vm
      clock so the script can control the clock stepping in order to be
      deterministic.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-id: 1427268446-6426-1-git-send-email-famz@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 8b6ee9aeb3f0508ed2a41381cde13bdb8707b7be
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:31 2015 +0000

      checkpatch: complain about ffs(3) calls

      The ffs(3) family of functions is not portable.  MinGW doesn't always
      provide the function.

      Use ctz32() or ctz64() instead.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-10-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit f450a85899585776ccd0913d2361dd8f82666e44
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:30 2015 +0000

      os-win32: drop ffs(3) prototype

      The lack of ffs(3) in the MinGW headers is a hint that we shouldn't rely
      on it.  MinGW 4.9.2 does not make it available for linking when QEMU's
      ./configure --enable-debug is used (release builds are fine though).

      Now that all QEMU code has been switched to ctz32() there is no need for
      ffs(3).

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-9-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 41074f3d3ff0e9a3c6f638627c12ebbf6d757cea
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:29 2015 +0000

      omap_intc: convert ffs(3) to ctz32() in omap_inth_sir_update()

      Rewrite the loop using level &= level - 1 to clear the least significant
      bit after each iteration.  This simplifies the loop and makes it easy to
      replace ffs(3) with ctz32().

      Cc: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-8-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit c9d933185181cb1cf81bc4c9e5c3a10a5934b017
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:28 2015 +0000

      sd: convert sd_normal_command() ffs(3) call to ctz32()

      ffs() cannot be replaced with ctz32() when the argument might be zero,
      because ffs(0) returns 0 while ctz32(0) returns 32.

      The ffs(3) call in sd_normal_command() is a special case though.  It can
      be converted to ctz32() + 1 because the argument is never zero:

        if (!(req.arg >> 8) || (req.arg >> (ctz32(req.arg & ~0xff) + 1))) {
            ~~~~~~~~~~~~~~~
                  ^--------------- req.arg cannot be zero

      Cc: Markus Armbruster <armbru@xxxxxxxxxx>
      Cc: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-7-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit bd2a88840e2496e29442f333c8fdd6491e831a35
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:27 2015 +0000

      Convert ffs() != 0 callers to ctz32()

      There are a number of ffs(3) callers that do roughly:

        bit = ffs(val);
        if (bit) {
            do_something(bit - 1);
        }

      This pattern can be converted to ctz32() like this:

        zeroes = ctz32(val);
        if (zeroes != 32) {
            do_something(zeroes);
        }

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-6-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 786a4ea82ec9c87e3a895cf41081029b285a5fe5
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:26 2015 +0000

      Convert (ffs(val) - 1) to ctz32(val)

      This commit was generated mechanically by coccinelle from the following
      semantic patch:

      @@
      expression val;
      @@
      - (ffs(val) - 1)
      + ctz32(val)

      The call sites have been audited to ensure the ffs(0) - 1 == -1 case
      never occurs (due to input validation, asserts, etc).  Therefore we
      don't need to worry about the fact that ctz32(0) == 32.

      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-5-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 5863d374a32c98a7adb4c5e49d62de3cdc16d2ea
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:25 2015 +0000

      uninorth: convert ffs(3) to ctz32()

      It is not clear from the code how a 0 parameter should be handled by the
      hardware.  Keep the same behavior as ffs(0) - 1 == -1.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-4-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ad5f5fdca83cccd1a4c269b1fd8ba2fce8d1ba26
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:24 2015 +0000

      hw/arm/nseries: convert ffs(3) to ctz32()

      It is not clear from the code how a 0 parameter should be handled by the
      hardware.  Keep the same behavior as ffs(0) - 1 == -1.

      Cc: Andrzej Zaborowski <balrog@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-3-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 588ef9d411339012fc3c94bfad8911e9d0a517a2
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Mon Mar 23 15:29:23 2015 +0000

      bt-sdp: fix broken uuids power-of-2 calculation

      The binary search in sdp_uuid_match() only works when the number of
      elements to search is a power of two.

        lo = record->uuid;
        hi = record->uuids;
        while (hi >>= 1)
            if (lo[hi] <= val)
                lo += hi;

        return *lo == val;

      I noticed that the record->uuids calculation in
      sdp_service_record_build() was suspect:

        record->uuids = 1 << ffs(record->uuids - 1);

      Unlike most ffs(val) - 1 users, the expression is ffs(val - 1)!

      Actually ffs() is the wrong function to use for power-of-2.  Use
      pow2ceil() to achieve the correct effect.  Now the record->uuid[] array
      is sized correctly and the binary search in sdp_uuid_match() should
      work.

      I'm not sure how to run/test this code.

      Cc: Andrzej Zaborowski <balrog@xxxxxxxxx>
      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Message-id: 1427124571-28598-2-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit ecdda9e03d73d2cc1c82c00cccc02f087741b6a5
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Mon Mar 16 18:22:05 2015 +0200

      MAINTAINERS: Add myself as the maintainer of the Quorum driver

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1426522925-14444-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 407bc15033b2a8faeb7ca42aab63b7bcede76e10
  Author: Yi Wang <up2wing@xxxxxxxxx>
  Date:   Thu Mar 12 22:54:42 2015 +0800

      savevm: create snapshot failed when id_str already exists

      The command "virsh create" will fail in such condition: vm has two
      disks: vda and vdb. vda has snapshot s1 with id "1", vdb doesn't have
      s1 but has snapshot s2 with id "1".  When we want to run command "virsh
      create s1", del_existing_snapshots() only deletes s1 in vda, and
      bdrv_snapshot_create() tries to create vdb's snapshot s1 with id "1",
      but id "1" alreay exists in vdb with name "s2"!

      The simplest way is call find_new_snapshot_id() unconditionally.

      Signed-off-by: Yi Wang <up2wing@xxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>

  commit 84cbd63f87c1d246f51ec8eee5367a5588f367fd
  Merge: 54965ee 726a8ff
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 12:22:20 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/x86-pull-request' 
into staging

      X86 queue, 2015-04-27 (v2)

      # gpg: Signature made Mon Apr 27 19:42:39 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/x86-pull-request:
        target-i386: Remove AMD feature flag aliases from CPU model table
        target-i386: X86CPU::xlevel2 QOM property
        target-i386: Make "level" and "xlevel" properties static
        qemu-config: Accept empty option values
        MAINTAINERS: Change status of X86 to Maintained
        MAINTAINERS: Add myself to X86

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 54965ee61dbc114e98777f456b7cd6a778fbb412
  Merge: da378d0 2f54eb9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 11:33:47 2015 +0100

      Merge remote-tracking branch 'remotes/ehabkost/tags/numa-pull-request' 
into staging

      NUMA queue, 2015-04-27

      # gpg: Signature made Mon Apr 27 19:02:19 2015 BST using RSA key ID 
984DC5A6
      # gpg: Good signature from "Eduardo Habkost <ehabkost@xxxxxxxxxx>"
      # gpg: WARNING: This key is not certified with sufficiently trusted 
signatures!
      # gpg:          It is not certain that the signature belongs to the owner.
      # Primary key fingerprint: 5A32 2FD5 ABC4 D3DB ACCF  D1AA 2807 936F 984D 
C5A6

      * remotes/ehabkost/tags/numa-pull-request:
        MAINTAINERS: Add myself as NUMA code maintainer

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit da378d014d27fe3a243bd8e7e060e9eb8c1a272b
  Merge: 3d27b09 4eb2764
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 28 10:31:03 2015 +0100

      Merge remote-tracking branch 
'remotes/pmaydell/tags/pull-target-arm-20150427' into staging

      target-arm queue:
       * memory system updates to support transaction attributes
       * set user-mode and secure attributes for accesses made by ARM CPUs
       * rename c1_coproc to cpacr_el1
       * adjust id_aa64pfr0 when has_el3 CPU property disabled
       * allow ARMv8 SCR.SMD updates

      # gpg: Signature made Mon Apr 27 16:14:30 2015 BST using RSA key ID 
14360CDE
      # gpg: Good signature from "Peter Maydell <peter.maydell@xxxxxxxxxx>"

      * remotes/pmaydell/tags/pull-target-arm-20150427:
        Allow ARMv8 SCR.SMD updates
        target-arm: Adjust id_aa64pfr0 when has_el3 CPU property disabled
        target-arm: rename c1_coproc to cpacr_el1
        target-arm: Check watchpoints against CPU security state
        target-arm: Use attribute info to handle user-only watchpoints
        target-arm: Add user-mode transaction attribute
        target-arm: Use correct memory attributes for page table walks
        target-arm: Honour NS bits in page tables
        Switch non-CPU callers from ld/st*_phys to address_space_ld/st*
        exec.c: Capture the memory attributes for a watchpoint hit
        exec.c: Add new address_space_ld*/st* functions
        exec.c: Make address_space_rw take transaction attributes
        exec.c: Convert subpage memory ops to _with_attrs
        Add MemTxAttrs to the IOTLB
        Make CPU iotlb a structure rather than a plain hwaddr
        memory: Replace io_mem_read/write with memory_region_dispatch_read/write
        memory: Define API for MemoryRegionOps to take attrs and return status

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7824df3889499acc7466317175a3fb24a0824002
  Author: Gal Hammer <ghammer@xxxxxxxxxx>
  Date:   Tue Apr 21 11:26:12 2015 +0300

      acpi: add a missing backslash to the \_SB scope.

      A predefined scope in the ACPI specs is precede with a backslash.

      Signed-off-by: Gal Hammer <ghammer@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>

  commit bc09e06113e79e5d70cf2b37015a26f2102cc03e
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:22 2015 +0800

      qmp-event: add event notification for memory hot unplug error

      When memory hot unplug fails, this patch adds support to send
      QMP event to notify mgmt about this failure.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit c06b2ffb02bfcc642c67300d2c4dffd5aa54932b
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:21 2015 +0800

      acpi: add hardware implementation for memory hot unplug

      - implements QEMU hardware part of memory hot unplug protocol
        described at "docs/spec/acpi_mem_hotplug.txt"
      - handles memory remove notification event
      - handles device eject notification

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 660e8ec70065c8b1fd68b2cb137de16d831959f4
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:20 2015 +0800

      acpi: fix "Memory device control fields" register

      0 bit in Memory device control fields must be cleared before writing to
      register. But now this field isn't cleared when other fields are written.

      To solve this bug, This patch fixes UpdateRule to WriteAsZeros in "Memory
      device control fields" register.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit af5098973136029211848b4999ad5d38bc90180f
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:19 2015 +0800

      acpi: extend aml_field() to support UpdateRule

      The flags field is declared with default update rule 'Preserve',
      this patch extends aml_field() to support UpdateRule so that we
      can specify different values per field.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit f7d3e29db5a5900a1f0ed10f8313f7c3f28e5b59
  Author: Tang Chen <tangchen@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:18 2015 +0800

      acpi, mem-hotplug: add unplug cb for memory device

      This patch adds unplug cb for memory device. It resets memory status
      "is_enabled" in acpi_memory_unplug_cb(), removes the corresponding
      memory region, unregisters vmstate, and unparents the object.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Tang Chen <tangchen@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 64fec58e8ab62490edd2638e4214d8c9f84518c9
  Author: Tang Chen <tangchen@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:17 2015 +0800

      acpi, mem-hotplug: add unplug request cb for memory device

      This patch adds unplug request cb for memory device, and adds the
      is_removing boolean field to MemStatus. This field is used to indicate
      whether the memory device in slot has been requested to be ejected.
      This field is set to true in acpi_memory_unplug_request_cb().

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Tang Chen <tangchen@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4aae99b63333e71b2097b106bb15a6fde7f9b55b
  Author: Tang Chen <tangchen@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:16 2015 +0800

      acpi, mem-hotplug: add acpi_memory_slot_status() to get MemStatus

      Add a new API named acpi_memory_slot_status() to obtain a single memory
      slot status. Doing this is because this procedure will be used by other
      functions in the next coming patches.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Tang Chen <tangchen@xxxxxxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 4fccb4834d0455519ff6d7a81551a8dfd360fefa
  Author: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
  Date:   Mon Apr 27 16:47:15 2015 +0800

      docs: update documentation for memory hot unplug

      Add specification about how to use memory hot unplug, and add
      a flow diagram to explain memory hot unplug process.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Zhu Guihua <zhugh.fnst@xxxxxxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 850d00700ba787988b6c5404e8c1a3add7141db1
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Mon Apr 27 21:01:20 2015 +0200

      virtio: coding style tweak

      no space needed after *.

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit a0ccd2123ee2f83a1f081e4c39013c3316f9ec7a
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:49 2015 +0800

      pci: remove hard-coded bar size in msix_init_exclusive_bar()

      This patch lets msix_init_exclusive_bar() can calculate the bar and
      pba size based on the number of MSI-X vectors other than using a
      hard-coded limit 4096. This is needed to allow device to have more
      than 128 MSI_X vectors. To keep migration compatibility, keep using
      4096 as bar size and 2048 for pba offset.

      Notes: We don't care about the case that using vectors > 128 for
      legacy machine type. Since we limit the queue max to 64, so vectors >=
      65 is meaningless.

      Virtio device will be the first user for this.

      Cc: Keith Busch <keith.busch@xxxxxxxxx>
      Cc: Kevin Wolf <kwolf@xxxxxxxxxx>
      Cc: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 851c2a75a6e80c8aa5e713864d98cfb512e7229b
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:47 2015 +0800

      virtio-pci: speedup MSI-X masking and unmasking

      This patch tries to speed up the MSI-X masking and unmasking through
      the mapping between vector and queues. With this patch it will there's
      no need to go through all possible virtqueues, which may help to
      reduce the time spent when doing MSI-X masking/unmasking a single
      vector when more than hundreds or even thousands of virtqueues were
      supported.

      Tested with 80 queue pairs virito-net-pci by changing the smp affinity
      in the background and doing netperf in the same time:

      Before the patch:
      5711.70 Gbits/sec
      After the patch:
      6830.98 Gbits/sec

      About 19.6% improvements in throughput.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit e0d686bf4b9d018ba5449f057b486bb5e1fa1a0d
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:46 2015 +0800

      virtio: introduce vector to virtqueues mapping

      Currently we will try to traverse all virtqueues to find a subset that
      using a specific vector. This is sub optimal when we will support
      hundreds or even thousands of virtqueues. So this patch introduces a
      method which could be used by transport to get all virtqueues that
      using a same vector. This is done through QLISTs and the number of
      QLISTs was queried through a transport specific method. When guest
      setting vectors, the virtqueue will be linked and helpers for traverse
      the list was also introduced.

      The first user will be virtio pci which will use this to speed up
      MSI-X masking and unmasking handling.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 955cc8c9541779e09895a9c5ccbf8ace15d884f5
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:40 2015 +0800

      virtio-ccw: using VIRTIO_NO_VECTOR instead of 0 for invalid virtqueue

      It's a bad idea to need to use vector 0 for invalid virtqueue. So this 
patch
      changes to using VIRTIO_NO_VECTOR instead.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      CC: Christian Borntraeger <borntraeger@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Alexander Graf <agraf@xxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Acked-by: Cornelia Huck <cornelia.huck@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit bcfa4d60144fb879f0ffef0a6d174faa37b2df82
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:39 2015 +0800

      monitor: check return value of qemu_find_net_clients_except()

      qemu_find_net_clients_except() may return a value which is greater
      than the size of array we provided. So we should check this value
      before using it, otherwise this may cause unexpected memory access.

      This patch fixes the net related command completion when we have a
      virtio-net nic with more than 255 queues.

      Cc: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit eaed483c1b3db1ac312116fca5d20c45b4b418b2
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:38 2015 +0800

      monitor: replace the magic number 255 with MAX_QUEUE_NUM

      This patch replace the magic number 255, and increase it to
      MAX_QUEUE_NUM which is maximum number of queues supported by a nic.

      Cc: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit d25228e7befac33b665cd9250292de47ae6b78b5
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:37 2015 +0800

      ppc: spapr: add 2.4 machine type

      The following patches will limit the following things to legacy
      machine type:

      - maximum number of virtqueues for virtio-pci were limited to 64

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: qemu-ppc@xxxxxxxxxx

      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

      Reviewed-by: Alexander Graf <agraf@xxxxxxx>

  commit 3d27b09cf6f62ec61c1330d0a811811a91e7514d
  Merge: 3f9d69b 700cd85
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 27 20:00:57 2015 +0100

      Merge remote-tracking branch 'remotes/spice/tags/pull-spice-20150427-1' 
into staging

      spice: misc fixes.

      # gpg: Signature made Mon Apr 27 12:03:16 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/spice/tags/pull-spice-20150427-1:
        spice: learn to hide cursor
        spice: set pointer position on hotspot
        spice: fix mouse cursor position
        spice: fix simple display on bigendian hosts
        monitor: Make client_migrate_info synchronous

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b0e966d0209fa5c93d510d1756a87dd4229b1f8a
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:36 2015 +0800

      spapr: add machine type specific instance init function

      This patches adds machine type specific instance initialization
      functions. Those functions will be used by following patches to compat
      class properties for legacy machine types.

      Cc: Alexander Graf <agraf@xxxxxxx>
      Cc: qemu-ppc@xxxxxxxxxx
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 5cb50e0acc7ba6063b87664404103cce217c0493
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:35 2015 +0800

      pc: add 2.4 machine types

      The following patches will limit the following things to legacy
      machine type:

      - maximum number of virtqueues for virtio-pci were limited to 64
      - auto msix bar size for virtio-net-pci were disabled by default

      Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 27a46dcf5038e20451101ed2d5414aebf3846e27
  Author: Jason Wang <jasowang@xxxxxxxxxx>
  Date:   Thu Apr 23 14:21:34 2015 +0800

      virtio-net: fix the upper bound when trying to delete queues

      Virtqueue were indexed from zero, so don't delete virtqueue whose
      index is n->max_queues * 2 + 1.

      Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Cc: qemu-stable <qemu-stable@xxxxxxxxxx>
      Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 294ce717e0f212ed0763307f3eab72b4a1bdf4d0
  Author: Luke Gorrie <luke@xxxxxxxx>
  Date:   Sun Apr 26 15:00:49 2015 +0200

      vhost-user: Send VHOST_RESET_OWNER on vhost stop

      Ensure that the vhost-user slave knows when the vrings are valid and
      when they are invalid, for example during a guest reboot.

      The vhost-user protocol says this of VHOST_RESET_OWNER:

            Issued when a new connection is about to be closed. The Master
            will no longer own this connection (and will usually close it).

      Send this message to tell the vhost-user slave that the vhost session
      has ended and that session state (e.g. vrings) is no longer valid.

      Signed-off-by: Luke Gorrie <luke@xxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 658c27181bf3b08a9cf2fab00ecce7f76065f6af
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri Apr 3 18:03:34 2015 +0800

      hw/i386/acpi-build: move generic acpi building helpers into dedictated 
file

      Move generic acpi building helpers into dedictated file and this
      can be shared with other machines.

      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 395e5fb4421a03c9d3a002bbb55d56b74024a568
  Author: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
  Date:   Fri Apr 3 18:03:33 2015 +0800

      hw/i386: Move ACPI header definitions in an arch-independent location

      The ACPI related header file acpi-defs.h, includes definitions that
      apply on other architectures as well. Move it in `include/hw/acpi/`
      to sanely include it from other architectures.

      Signed-off-by: Alvise Rigo <a.rigo@xxxxxxxxxxxxxxxxxxxxxx>
      Signed-off-by: Shannon Zhao <zhaoshenglong@xxxxxxxxxx>
      Signed-off-by: Shannon Zhao <shannon.zhao@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 853cff8e2815c99429d53baa71110416c1de2798
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Wed Apr 15 10:55:46 2015 +0200

      acpi-build: close } in comment

      missing } confuses editors

      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

  commit 726a8ff68677d8d5fba17eb0ffb85076bfb598dc
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Fri Apr 10 14:45:00 2015 -0300

      target-i386: Remove AMD feature flag aliases from CPU model table

      When CPU vendor is AMD, the AMD feature alias bits on
      CPUID[0x80000001].EDX are already automatically copied from CPUID[1].EDX
      on x86_cpu_realizefn(). When CPU vendor is Intel, those bits are
      reserved and should be zero. On either case, those bits shouldn't be set
      in the CPU model table.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 01431f3ce0f31e123172cc99c12c98c0ddbe9917
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Apr 2 17:22:27 2015 -0300

      target-i386: X86CPU::xlevel2 QOM property

      We already have "level" and "xlevel", only "xlevel2" is missing.

      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit b9472b76d273c7796d877c49af50969c0a879c50
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Thu Apr 2 17:21:53 2015 -0300

      target-i386: Make "level" and "xlevel" properties static

      Static properties require only 1 line of code, much simpler than the
      existing code that requires writing new getters/setters.

      As a nice side-effect, this fixes an existing bug where the setters were
      incorrectly allowing the properties to be changed after the CPU was
      already realized.

      Reviewed-by: Igor Mammedov <imammedo@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit d9f7e29ee5a6915caa049ba64c0a9f28766351d2
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Apr 8 14:57:31 2015 -0300

      qemu-config: Accept empty option values

      Currently it is impossible to set an option in a config file to an empty
      string, because the parser matches only lines containing non-empty
      strings between double-quotes.

      As sscanf() "[" conversion specifier only matches non-empty strings, add
      a special case for empty strings.

      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit b203a4ba93fc25bf1eb49039a8ec4b260b446211
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Apr 8 08:36:24 2015 -0300

      MAINTAINERS: Change status of X86 to Maintained

      "Odd Fixes" doesn't reflect the current status of target-i386. We have
      people looking after it, now.

      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit e1a0433956bbe68b56853e6ae633a5004b1f6351
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Apr 8 08:34:56 2015 -0300

      MAINTAINERS: Add myself to X86

      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 3f9d69ba12da6f2874631f6e426a7ef148ba4c82
  Merge: 0d81cdd 1a01716
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 27 19:06:08 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-gtk-20150427-1' 
into staging

      gtk: support text consoles without vte, bugfixes.

      # gpg: Signature made Mon Apr 27 14:34:15 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-gtk-20150427-1:
        gtk: Avoid accel key leakage into guest on console switch
        gtk: Fix VTE focus grabbing
        console/gtk: add qemu_console_get_label
        gtk: bind to text terminal consoles too
        gtk: handle switch_surface(NULL) properly

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2f54eb98c3255154dc6bdbb8b38982af9b3f3a8f
  Author: Eduardo Habkost <ehabkost@xxxxxxxxxx>
  Date:   Wed Apr 8 08:34:33 2015 -0300

      MAINTAINERS: Add myself as NUMA code maintainer

      The "srat" and "numa" keywords will help get_maintainer.pl catch
      NUMA-related code in other files too.

      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Eduardo Habkost <ehabkost@xxxxxxxxxx>

  commit 0d81cdddaa40a1988b24657aeac19959cfad0fde
  Merge: e1a5476 2d5a834
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 27 17:28:41 2015 +0100

      Merge remote-tracking branch 'remotes/qmp-unstable/tags/for-upstream' 
into staging

      Four little fixes

      # gpg: Signature made Fri Apr 24 19:56:51 2015 BST using RSA key ID 
E24ED5A7
      # gpg: Good signature from "Luiz Capitulino <lcapitulino@xxxxxxxxx>"

      * remotes/qmp-unstable/tags/for-upstream:
        qmp: Give saner messages related to qmp_capabilities misuse
        qmp-commands: fix incorrect uses of ":O" specifier
        qapi: Drop dead genlist parameter
        balloon: improve error msg when adding second device

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 23820dbfc79d1c9dce090b4c555994f2bb6a69b3
  Author: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
  Date:   Mon Mar 16 22:35:54 2015 -0700

      exec: Respect as_translate_internal length clamp

      address_space_translate_internal will clamp the *plen length argument
      based on the size of the memory region being queried. The iommu walker
      logic in addresss_space_translate was ignoring this by discarding the
      post fn call value of *plen. Fix by just always using *plen as the
      length argument throughout the fn, removing the len local variable.

      This fixes a bootloader bug when a single elf section spans multiple
      QEMU memory regions.

      Signed-off-by: Peter Crosthwaite <peter.crosthwaite@xxxxxxxxxx>
      Message-Id: 
<1426570554-15940-1-git-send-email-peter.crosthwaite@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 4080a13c11398d684668d286da27b6f8ee668e44
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 12:35:00 2015 +0200

      ioport: reserve the whole range of an I/O port in the AddressSpace

      When an I/O port is more than 1 byte long, ioport.c is currently
      creating "short" regions, for example 0x1ce-0x1ce for the 16-bit
      Bochs index port.  When I/O ports are memory mapped, and thus
      accessed via a subpage_ops memory region, subpage_accepts gets
      confused because it finds a hole at 0x1cf and rejects the access.

      In order to fix this, modify registration of the region to cover
      the whole size of the I/O port.  Attempts to access an invalid
      port will be blocked by find_portio returning NULL.

      This only affects the VBE DISPI regions.  For all other cases,
      the MemoryRegionPortio entries for 2- or 4-byte accesses overlap
      an entry for 1-byte accesses, thus the size of the memory region
      is not affected.

      Reported-by: Zoltan Balaton <balaton@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 147ed379838176d4780688157891c06f49403b19
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 12:49:40 2015 +0200

      ioport: loosen assertions on emulation of 16-bit ports

      Right now, ioport.c assumes that the entire range specified with
      MemoryRegionPortio includes a region with size == 1.  This however
      is not true for the VBE DISPI ports, which are 16-bit only.  The
      next patch will make these regions' length equal to two, which can
      cause the assertions to trigger.  Replace them with simple conditionals.

      Also, ioport.c will emulate a 16-bit ioport with two distinct reads
      or writes, even if one of the two accesses is out of the bounds given
      by the MemoryRegionPortio array.  Do not do this anymore, instead
      discard writes to the incorrect register and read it as all-ones.
      This ensures that the mrp->read and mrp->write callbacks get an
      in-range ioport number.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 30476b2282c69c9ec1e44e33a4c0b5d5f4bc884e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 12:50:36 2015 +0200

      ioport: remove wrong comment

      ioport.c has not been using an alias since commit b40acf9 (ioport:
      Switch dispatching to memory core layer, 2013-06-24).  Remove the
      obsolete comment.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e477317cce98c399a2299d025bcb6bf0fd69df49
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 13:19:16 2015 +0200

      ide: there is only one data port

      IDE PIO data must be written, for example, at 0x1f0.  You cannot
      do word or dword writes to 0x1f1..0x1f3 to access the data register.
      Adjust the ide_portio_list accordingly.

      Cc: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 54da54e543eea8e689a625fcb3dada1b296f5d3d
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 13:12:32 2015 +0200

      gus: clean up MemoryRegionPortio

      Remove 16-bit reads/writes, since ioport.c is able to synthesize them.
      Remove the two MIDI registers (0x300 and 0x301) from gus_portio_list1,
      and add the second MIDI register (0x301) to gus_portio_list2.

      Tested with Second Reality.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 3337d0b2794131425d0b5cb525e67c5989f4a9dd
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 30 12:34:17 2015 +0200

      sb16: remove useless mixer_write_indexw

      ioport.c is already able to split a 16-bit access into two 8-bit
      accesses to consecutive ports.  Tested with Epic Pinball.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 0e1cd6576c55269b6e5251dc739a7fc819f9b4a6
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Thu Apr 2 16:09:30 2015 +0100

      sun4m: fix slavio sysctrl and led register sizes

      These were being incorrectly declared as MISC_SIZE (1 byte) rather than
      4 bytes and 2 bytes respectively. As a result accesses clamped to the
      real register size would unexpectedly fail.

      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: 
<1427987370-15897-1-git-send-email-mark.cave-ayland@xxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 339240b5cd42bd13d4f6629f2aedf8b4b07459fb
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:24:16 2015 +0100

      acpi-build: remove dependency from ram_addr.h

      ram_addr_t is an internal interface, everyone should go through
      MemoryRegion.  Clean it up by making rom_add_blob return a
      MemoryRegion* and using the new qemu_ram_resize infrastructure.

      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 37d7c08413cd4307f53c83d43b1b06cf2701d7a7
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Mon Mar 23 10:21:46 2015 +0100

      memory: add memory_region_ram_resize

      This is a simple MemoryRegion wrapper for qemu_ram_resize.

      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e95205e1f9cd2c4262b7a7b1c992a94512c86d0e
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:37 2015 +0800

      dma-helpers: Fix race condition of continue_after_map_failure and 
dma_aio_cancel

      If DMA's owning thread cancels the IO while the bounce buffer's owning 
thread
      is notifying the "cpu client list", a use-after-free happens:

           continue_after_map_failure               dma_aio_cancel
           ------------------------------------------------------------------
           aio_bh_new
                                                    qemu_bh_delete
           qemu_bh_schedule (use after free)

      Also, the old code doesn't run the bh in the right AioContext.

      Fix both problems by passing a QEMUBH to cpu_register_map_client.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-Id: <1426496617-10702-6-git-send-email-famz@xxxxxxxxxx>
      [Remove unnecessary forward declaration. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 33b6c2edf6214f02b9beaea61b169506c01f90aa
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:36 2015 +0800

      exec: Notify cpu_register_map_client caller if the bounce buffer is 
available

      The caller's workflow is like

          if (!address_space_map()) {
              ...
              cpu_register_map_client();
          }

      If bounce buffer became available after address_space_map() but before
      cpu_register_map_client(), the caller could miss it and has to wait for 
the
      next bounce buffer notify, which may never happen in the worse case.

      Just notify the list in cpu_register_map_client().

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1426496617-10702-5-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 38e047b50d2bfd1df99fbbca884c9f1db0785ff4
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:35 2015 +0800

      exec: Protect map_client_list with mutex

      So that accesses from multiple threads are safe.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1426496617-10702-4-git-send-email-famz@xxxxxxxxxx>
      [Remove #if from cpu_exec_init_all. - Paolo]
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 02f4035c47b4d34cdc61780292ee288f400b9c49
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:34 2015 +0800

      linux-user, bsd-user: Remove two calls to cpu_exec_init_all

      The function is a nop for user mode, so just remove them.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1426496617-10702-3-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit c2cba0ffe495b60c4cc58080281e99c7a6580d4b
  Author: Fam Zheng <famz@xxxxxxxxxx>
  Date:   Mon Mar 16 17:03:33 2015 +0800

      exec: Atomic access to bounce buffer

      There could be a race condition when two processes call
      address_space_map concurrently and both want to use the bounce buffer.

      Add an in_use flag in BounceBuffer to sync it.

      Signed-off-by: Fam Zheng <famz@xxxxxxxxxx>
      Message-Id: <1426496617-10702-2-git-send-email-famz@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit e3a0abfda71db1fa83be894dcff7c4871b36cc8d
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Thu Apr 9 16:07:33 2015 -0400

      translate-all: use glib for all page descriptor allocations

      Since commit

        b7b5233a "bsd-user/mmap.c: Don't try to override g_malloc/g_free"

      the exception we make here for usermode has been unnecessary.
      Get rid of it.

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Message-Id: <1428610053-26148-1-git-send-email-cota@xxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>

  commit 700cd855def54c2a9f2b6a016dcebf75fe19c238
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Mar 24 17:50:13 2015 +0100

      spice: learn to hide cursor

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit dc8dceee64f45820c20f3ffa3c3fecd7b6539990
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Mar 24 17:50:12 2015 +0100

      spice: set pointer position on hotspot

      The Spice protocol uses cursor position on hotspot: the client is
      applying hotspot offset when drawing the cursor.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit d0df04a1569c75f6442123fdda0b2e9aadc3fcc7
  Author: Marc-André Lureau <marcandre.lureau@xxxxxxxxx>
  Date:   Tue Mar 24 17:50:11 2015 +0100

      spice: fix mouse cursor position

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit c1d37cd353be3ea4c5773fc227ba8459c1f20470
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Apr 14 08:56:21 2015 +0200

      spice: fix simple display on bigendian hosts

      Denis Kirjanov is busy getting spice run on ppc64 and trapped into this
      one.  Spice wire format is little endian, so we have to explicitly say
      we want little endian when letting pixman convert the data for us.

      Reported-by: Denis Kirjanov <kirjanov@xxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 3b5704b2f80189b2f9fdddf1690998e566eeacab
  Author: Markus Armbruster <armbru@xxxxxxxxxx>
  Date:   Thu Mar 5 09:30:16 2015 +0100

      monitor: Make client_migrate_info synchronous

      Live migration with spice works like this today:

        (1) client_migrate_info monitor cmd
        (2) spice server notifies client, client connects to target host.
        (3) qemu waits until spice client connect is finished.
        (4) send over vmstate (i.e. main part of live migration).
        (5) spice handover to target host.

      (3) is implemented by making client_migrate_info a async monitor
      command.  This is the only async monitor command we have.

      The original reason to implement this dance was that qemu did not accept
      new tcp connections while the incoming migration was running, so (2) and
      (4) could not be done in parallel.  That issue was fixed long ago though.
      Qemu version 1.3.0 (released Dec 2012) and newer happily accept tcp
      connects while the incoming migration runs.

      Time to drop step (3).  This patch does exactly that, by making the
      monitor command synchronous and removing the code needed to handle the
      async monitor command in ui/spice-core.c

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 1a01716a307387e5cf1336f61a96f772dddadc90
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sun Apr 26 21:04:21 2015 +0200

      gtk: Avoid accel key leakage into guest on console switch

      GTK2 sends the accel key to the guest when switching to the graphic
      console via that shortcut. Resolve this by ignoring any keys until the
      next key-release event. However, do not ignore keys when switching via
      the menu or when on GTK3.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 9d677e1c2fa479336fb7a2b90aea78c10d037e98
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Sun Apr 26 21:04:20 2015 +0200

      gtk: Fix VTE focus grabbing

      At least on GTK2, the VTE terminal has to be specified as target of
      gtk_widget_grab_focus. Otherwise, switching from one VTE terminal to
      another causes the focus to get lost.

      CC: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>

      [ kraxel: fixed build with CONFIG_VTE=n ]

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit 4eb276408363aef5435a72a8e818f24220b5edd0
  Author: Greg Bellows <greg.bellows@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:26 2015 +0100

      Allow ARMv8 SCR.SMD updates

      Updated scr_write to always allow updates to the SCR.SMD bit on ARMv8
      regardless of whether virtualization (EL2) is enabled or not.

      Signed-off-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Message-id: 1429888797-4378-1-git-send-email-greg.bellows@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 3d5c84ff21a8a7a3bfb3a75154be8905e62f51db
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Sun Apr 26 16:49:26 2015 +0100

      target-arm: Adjust id_aa64pfr0 when has_el3 CPU property disabled

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      Message-id: 1429669112-29835-1-git-send-email-serge.fdrv@xxxxxxxxx
      Reviewed-by: Greg Bellows <greg.bellows@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 7ebd5f2e03a00889619bb97e83062d27066d4a26
  Author: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: rename c1_coproc to cpacr_el1

      Rename the field holding CPACR_EL1 system register state in AArch64
      naming style.

      Signed-off-by: Sergey Fedorov <serge.fdrv@xxxxxxxxx>
      [PMM: also fixed a couple of missed occurrences in cpu.c]
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ef7bab8d73580b48bda83b8d16b5eea8a3ac43fe
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Check watchpoints against CPU security state

      Fix a TODO in bp_wp_matches() now that we have a function for
      testing whether the CPU is currently in Secure mode or not.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 9e1fc5bdfdf94564abf7621c0ef644599196360f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Use attribute info to handle user-only watchpoints

      Now that we have memory access attribute information in the watchpoint
      checking code, we can correctly implement handling of watchpoints
      which should match only on userspace accesses, where LDRT/STRT/LDT/STT
      from EL1 are treated as userspace accesses.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 0995bf8cd91b81ec9c1078e37b808794080dc5c0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Add user-mode transaction attribute

      Add a transaction attribute indicating that a memory access is being
      done from user-mode (unprivileged). This corresponds to an equivalent
      signal in ARM AMBA buses.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit ebca90e4c3aaaae5ed1ee7c569dea00d5d6ed476
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Use correct memory attributes for page table walks

      Factor out the page table walk memory accesses into their own function,
      so that we can specify the correct S/NS memory attributes for them.
      This will also provide a place to use the correct endianness and
      handle the need for a stage-2 translation when virtualization is
      supported.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 8bf5b6a9c1911d2c8473385fc0cebfaaeef42dbc
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:25 2015 +0100

      target-arm: Honour NS bits in page tables

      Honour the NS bit in ARM page tables:
       * when adding entries to the TLB, include the Secure/NonSecure
         transaction attribute
       * set the NS bit in the PAR when doing ATS operations

      Note that we don't yet correctly use the NSTable bit to
      cause the page table walk itself to use the right attributes.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 42874d3a8c6267ff7789a0396843c884b1d0933a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      Switch non-CPU callers from ld/st*_phys to address_space_ld/st*

      Switch all the uses of ld/st*_phys to address_space_ld/st*,
      except for those cases where the address space is the CPU's
      (ie cs->as). This was done with the following script which
      generates a Coccinelle patch.

      A few over-80-columns lines in the result were rewrapped by
      hand where Coccinelle failed to do the wrapping automatically,
      as well as one location where it didn't put a line-continuation
      '\' when wrapping lines on a change made to a match inside
      a macro definition.

      ===begin===
      #!/bin/sh -e
      # Usage:
      # ./ldst-phys.spatch.sh > ldst-phys.spatch
      # spatch -sp_file ldst-phys.spatch -dir . | sed -e '/^+/s/\t/        /g' 
> out.patch
      # patch -p1 < out.patch

      for FN in ub uw_le uw_be l_le l_be q_le q_be uw l q; do
      cat <<EOF
      @ cpu_matches_ld_${FN} @
      expression E1,E2;
      identifier as;
      @@

      ld${FN}_phys(E1->as,E2)

      @ other_matches_ld_${FN} depends on !cpu_matches_ld_${FN} @
      expression E1,E2;
      @@

      -ld${FN}_phys(E1,E2)
      +address_space_ld${FN}(E1,E2, MEMTXATTRS_UNSPECIFIED, NULL)

      EOF

      done

      for FN in b w_le w_be l_le l_be q_le q_be w l q; do
      cat <<EOF
      @ cpu_matches_st_${FN} @
      expression E1,E2,E3;
      identifier as;
      @@

      st${FN}_phys(E1->as,E2,E3)

      @ other_matches_st_${FN} depends on !cpu_matches_st_${FN} @
      expression E1,E2,E3;
      @@

      -st${FN}_phys(E1,E2,E3)
      +address_space_st${FN}(E1,E2,E3, MEMTXATTRS_UNSPECIFIED, NULL)

      EOF

      done
      ===endit===

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 66b9b43c42049bcae37668e890fedde9a72c8167
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      exec.c: Capture the memory attributes for a watchpoint hit

      Capture the memory attributes for the transaction which triggered
      a watchpoint; this allows CPU specific code to implement features
      like ARM's "user-mode only WPs also hit for LDRT/STRT accesses
      made from privileged code". This change also correctly passes
      through the memory attributes to the underlying device when
      a watchpoint access doesn't hit.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 500131154d677930fce35ec3a6f0b5a26bcd2973
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      exec.c: Add new address_space_ld*/st* functions

      Add new address_space_ld*/st* functions which allow transaction
      attributes and error reporting for basic load and stores. These
      are named to be in line with the address_space_read/write/rw
      buffer operations.

      The existing ld/st*_phys functions are now wrappers around
      the new functions.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 5c9eb0286c819c1836220a32f2e1a7b5004ac79a
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      exec.c: Make address_space_rw take transaction attributes

      Make address_space_rw take transaction attributes, rather
      than always using the 'unspecified' attributes.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit f25a49e0057bbfcc2b1111f60785d919b6ddaeea
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      exec.c: Convert subpage memory ops to _with_attrs

      Convert the subpage memory ops to _with_attrs; this will allow
      us to pass the attributes through to the underlying access
      functions. (Nothing uses the attributes yet.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit fadc1cbe85c6b032d5842ec0d19d209f50fcb375
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:24 2015 +0100

      Add MemTxAttrs to the IOTLB

      Add a MemTxAttrs field to the IOTLB, and allow target-specific
      code to set it via a new tlb_set_page_with_attrs() function;
      pass the attributes through to the device when making IO accesses.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit e469b22ffda40188954fafaf6e3308f58d50f8f8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:23 2015 +0100

      Make CPU iotlb a structure rather than a plain hwaddr

      Make the CPU iotlb a structure rather than a plain hwaddr;
      this will allow us to add transaction attributes to it.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit 3b6434953934e6d4a776ed426d8c6d6badee176f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:23 2015 +0100

      memory: Replace io_mem_read/write with memory_region_dispatch_read/write

      Rather than retaining io_mem_read/write as simple wrappers around
      the memory_region_dispatch_read/write functions, make the latter
      public and change all the callers to use them, since we need to
      touch all the callsites anyway to add MemTxAttrs and MemTxResult
      support. Delete io_mem_read and io_mem_write entirely.

      (All the callers currently pass MEMTXATTRS_UNSPECIFIED
      and convert the return value back to bool or ignore it.)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit cc05c43ad942165ecc6ffd39e41991bee43af044
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sun Apr 26 16:49:23 2015 +0100

      memory: Define API for MemoryRegionOps to take attrs and return status

      Define an API so that devices can register MemoryRegionOps whose read
      and write callback functions are passed an arbitrary pointer to some
      transaction attributes and can return a success-or-failure status code.
      This will allow us to model devices which:
       * behave differently for ARM Secure/NonSecure memory accesses
       * behave differently for privileged/unprivileged accesses
       * may return a transaction failure (causing a guest exception)
         for erroneous accesses

      This patch defines the new API and plumbs the attributes parameter through
      to the memory.c public level functions io_mem_read() and io_mem_write(),
      where it is currently dummied out.

      The success/failure response indication is also propagated out to
      io_mem_read() and io_mem_write(), which retain the old-style
      boolean true-for-error return.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Acked-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alex Bennée <alex.bennee@xxxxxxxxxx>

  commit e1a5476354d396773e4c555f126d752d4ae58fa9
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Sat Apr 25 22:05:07 2015 +0100

      Open 2.4 development tree

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2d5a8346a484250934526a15b3a522bdba7e6772
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Wed Apr 15 09:19:23 2015 -0600

      qmp: Give saner messages related to qmp_capabilities misuse

      Pretending that QMP doesn't understand a command merely because
      we are not in the right mode doesn't help first-time users figure
      out what to do to correct things.  Although the documentation for
      QMP calls out capabilities negotiation, we should also make it
      clear in our error messages what we were expecting.  With this
      patch, I now get the following transcript:

      $ ./x86_64-softmmu/qemu-system-x86_64 -qmp stdio -nodefaults
      {"QMP": {"version": {"qemu": {"micro": 93, "minor": 2, "major": 2}, 
"package": ""}, "capabilities": []}}
      {"execute":"huh"}
      {"error": {"class": "CommandNotFound", "desc": "The command huh has not 
been found"}}
      {"execute":"quit"}
      {"error": {"class": "CommandNotFound", "desc": "Expecting capabilities 
negotiation with 'qmp_capabilities' before command 'quit'"}}
      {"execute":"qmp_capabilities"}
      {"return": {}}
      {"execute":"qmp_capabilities"}
      {"error": {"class": "CommandNotFound", "desc": "Capabilities negotiation 
is already complete, command 'qmp_capabilities' ignored"}}
      {"execute":"quit"}
      {"return": {}}
      {"timestamp": {"seconds": 1429110729, "microseconds": 181935}, "event": 
"SHUTDOWN"}

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Tested-By: Kashyap Chamarthy <kchamart@xxxxxxxxxx>
      Reviewed-by: Paulo Vital <paulo.vital@xxxxxxxxxxxxxxxx>
      Reviewed-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 43d0a2c1af5bc77ed067636db956209779351dfe
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Wed Apr 15 13:30:04 2015 +0200

      qmp-commands: fix incorrect uses of ":O" specifier

      As far as the QMP parser is concerned, neither the 'O' nor the 'q' format 
specifiers
      put any constraint on the command.  However, there are two differences:

      1) from a documentation point of view 'O' says that this command takes
      a dictionary.  The dictionary will be converted to QemuOpts in the
      handler to match the corresponding HMP command.

      2) 'O' sets QMP_ACCEPT_UNKNOWNS, resulting in the command accepting 
invalid
      extra arguments.  For example the following is accepted:

         { "execute": "send-key",
              "arguments": { "keys": [ { "type": "qcode", "data": "ctrl" },
                                       { "type": "qcode", "data": "alt" },
                                       { "type": "qcode", "data": "delete" } ], 
"foo": "bar" } }

      Neither send-key nor migrate-set-capabilities take a QemuOpts-like
      dictionary; they take an array of dictionaries.  And neither command
      really wants to have extra unknown arguments.  Thus, the right
      specifier to use in this case is 'q'; with this patch the above
      command fails with

         {"error": {"class": "GenericError", "desc": "Invalid parameter 'foo'"}}

      as intended.

      Reported-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Alberto Garcia <berto@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 6540e9f35bfeea2baf4509745516172070dca412
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Fri Apr 10 15:07:59 2015 -0600

      qapi: Drop dead genlist parameter

      Defaulting a parameter to True, then having all callers omit or
      pass an explicit True for that parameter, is pointless. Looks
      like it has been dead since introduction in commit 06d64c6, more
      than 4 years ago.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>

  commit 46abb8124006887d071921c5e657eeec3c50a9e2
  Author: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
  Date:   Tue Mar 31 13:00:26 2015 -0400

      balloon: improve error msg when adding second device

      A VM supports only one balloon device, but due to several changes
      in infrastructure the error message got messed up when trying
      to add a second device. Fix it.

      Before this fix

      Command-line:

      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Another balloon device 
already registered
      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Adding balloon handler 
failed
      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Device 
'virtio-balloon-pci' could not be initialized

      HMP:

      Another balloon device already registered
      Adding balloon handler failed
      Device 'virtio-balloon-pci' could not be initialized

      QMP:

      { "execute": "device_add", "arguments": { "driver": "virtio-balloon-pci", 
"id": "balloon0" } }
      {
        "error": {
                "class": "GenericError",
                "desc": "Adding balloon handler failed"
        }
      }

      After this fix

      Command-line:

      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Only one balloon device 
is supported
      qemu-qmp: -device virtio-balloon-pci,id=balloon0: Device 
'virtio-balloon-pci' could not be initialized

      HMP:

      (qemu) device_add virtio-balloon-pci,id=balloon0
      Only one balloon device is supported
      Device 'virtio-balloon-pci' could not be initialized
      (qemu)

      QMP:

      { "execute": "device_add",
                "arguments": { "driver": "virtio-balloon-pci", "id": "balloon0" 
} }
      {
          "error": {
              "class": "GenericError",
              "desc": "Only one balloon device is supported"
          }
      }

      Signed-off-by: Luiz Capitulino <lcapitulino@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>

  commit e5b3a24181ea0cebf1c5b20f44d016311b7048f0
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Apr 24 15:05:06 2015 +0100

      Update version for v2.3.0 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 779ce88fbd3f977112bc77ccb028b0ace762105e
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Tue Feb 17 10:41:08 2015 +0100

      console/gtk: add qemu_console_get_label

      Add a new function to get a nice label for a given QemuConsole.
      Drop the labeling code in gtk.c and use the new function instead.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f8c223f69ac58488ea830597281b7ddd33037c4c
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Thu May 22 11:08:54 2014 +0200

      gtk: bind to text terminal consoles too

      This way gtk has text terminal consoles even when building without vte.
      Most notably you'll get a monitor tab on windows now.

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f98f43eab0fcc536c5f95df3a94943d5dff5ccdc
  Author: Gerd Hoffmann <kraxel@xxxxxxxxxx>
  Date:   Fri Feb 27 14:36:09 2015 +0100

      gtk: handle switch_surface(NULL) properly

      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit f2a581010cb8e3a2564a45a2863a33a732cc2fc7
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 20 17:13:16 2015 +0100

      Update version for v2.3.0-rc4 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit e05ca8200216149008fa1b1d1d847bf16691f6b4
  Author: Michael S. Tsirkin <mst@xxxxxxxxxx>
  Date:   Fri Apr 17 17:13:24 2015 +0200

      vhost: fix log base address

      VHOST_SET_LOG_BASE got an incorrect address, causing
      migration errors and potentially even memory corruption.

      Reported-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Amos Kong <akong@xxxxxxxxxx>
      Message-id: 1429283565-32265-1-git-send-email-mst@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 638b8366200130cc7cf7a026630bc6bfb63b0c4c
  Author: Alberto Garcia <berto@xxxxxxxxxx>
  Date:   Fri Apr 17 15:44:48 2015 +0300

      hmp: fix crash in 'info block -n -v'

      The image field in BlockDeviceInfo should never be null, however
      bdrv_block_device_info() is not filling it in.

      This makes the 'info block -n -v' command crash QEMU.

      The proper solution is probably to move the relevant code from
      bdrv_query_info() to bdrv_block_device_info(), but since we're too
      close to the release for that this simpler workaround solves the
      crash.

      Signed-off-by: Alberto Garcia <berto@xxxxxxxxxx>
      Message-id: 1429274688-8115-1-git-send-email-berto@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 87a8adc0876c11a434d3ecdfb10cd797259ddaaa
  Merge: b6df74c 0ca4f94
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Apr 17 12:54:46 2015 +0100

      Merge remote-tracking branch 'remotes/lalrae/tags/mips-20150417-2' into 
staging

      MIPS patches 2015-04-17

      Changes:
      * fix broken fulong2e

      # gpg: Signature made Fri Apr 17 12:14:37 2015 BST using RSA key ID 
0B29DA6B
      # gpg: Can't check signature: public key not found

      * remotes/lalrae/tags/mips-20150417-2:
        mips: fix broken fulong2e machine

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b6df74c46528646f3163890cf16b74af551c3494
  Merge: 993ebe4 6cec43e
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Apr 17 12:37:38 2015 +0100

      Merge remote-tracking branch 'remotes/kraxel/tags/pull-fwcfg-20150414-1' 
into staging

      fw_cfg: add documentation file (docs/specs/fw_cfg.txt)

      # gpg: Signature made Tue Apr 14 12:22:20 2015 BST using RSA key ID 
D3E87138
      # gpg: Good signature from "Gerd Hoffmann (work) <kraxel@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann <gerd@xxxxxxxxxx>"
      # gpg:                 aka "Gerd Hoffmann (private) <kraxel@xxxxxxxxx>"

      * remotes/kraxel/tags/pull-fwcfg-20150414-1:
        fw_cfg: add documentation file (docs/specs/fw_cfg.txt)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 0ca4f94195cce77b624edc6d9abcf14a3bf01f06
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Apr 16 21:11:23 2015 +0100

      mips: fix broken fulong2e machine

      After commit 5312bd8 the bonito_readl() and bonito_writel() have been
      accessing incorrect addresses. Consequently QEMU is crashing when trying
      to boot Linux kernel on fulong2e machine.

      Cc: qemu-stable@xxxxxxxxxx
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Leon Alrae <leon.alrae@xxxxxxxxxx>

  commit 993ebe4a0be9aa4e4821818a81fab00b1ab1a79a
  Author: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
  Date:   Fri Apr 17 08:16:49 2015 +0100

      target-ppc: don't invalidate msr MSR_HVB bit in cpu_post_load

      The invalidation code introduced in commit 2360b works by inverting most 
bits
      of env->msr to ensure that hreg_store_msr() will forcibly update the CPU 
env
      state to reflect the new msr value post-migration. Unfortunately
      hreg_store_msr() is called with alter_hv set to 0 which preserves the 
MSR_HVB
      state from the CPU env which is now the opposite value to what it should 
be.

      Ensure that we don't invalidate the msr MSR_HVB bit during cpu_post_load 
so
      that the correct value is restored. This fixes suspend/resume for PPC64.

      Reported-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
      Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@xxxxxxxxxxxx>
      Reviewed-by: Alexander Graf <agraf@xxxxxxx>
      Message-id: 
1429255009-12751-1-git-send-email-mark.cave-ayland@xxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6cec43e178cde38a3eac43a2cd741ce741b10f36
  Author: Gabriel L. Somlo <somlo@xxxxxxx>
  Date:   Thu Apr 9 10:40:01 2015 -0400

      fw_cfg: add documentation file (docs/specs/fw_cfg.txt)

      This document covers the guest-side hardware interface, as
      well as the host-side programming API of QEMU's firmware
      configuration (fw_cfg) device.

      Signed-off-by: Jordan Justen <jordan.l.justen@xxxxxxxxx>
      Signed-off-by: Gabriel Somlo <somlo@xxxxxxx>
      Reviewed-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Signed-off-by: Gerd Hoffmann <kraxel@xxxxxxxxxx>

  commit b8df9208f357d2b36e1b19634aea973618dc7ba8
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Mon Apr 13 17:35:44 2015 +0100

      Update version for v2.3.0-rc3 release

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit ae6e8ef11e6cb43ec83a5846e8f3b266834cf280
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Fri Apr 10 13:58:01 2015 +0100

      Revert seccomp tests that allow it to be used on non-x86 architectures

      Unfortunately it turns out that libseccomp 2.2 still does not work
      correctly on non-x86 architectures; return to the previous configure
      setup of insisting on libseccomp 2.1 or better and i386/x86_64 and
      disabling seccomp support in all other situations.

      This reverts the two commits:
       * "seccomp: libseccomp version varying according to arch"
         (commit 896848f0d3e2393905845ef2b244bb2601f9df0c)
       * "seccomp: update libseccomp version and remove arch restriction"
         (commit 8e27fc200457e3f2473d0069263774d4ba17bd85)

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Message-id: 1428670681-23032-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 4d0ecde44ae6dab3aa9d10c23e61d9d43789731a
  Author: Thomas Huth <thuth@xxxxxxxxxx>
  Date:   Thu Apr 9 15:32:45 2015 +0200

      pci: Fix crash with illegal "-net nic, model=xxx" option

      Current QEMU crashes when specifying an illegal model with the
      "-net nic,model=xxx" option, e.g.:

       $ qemu-system-x86_64 -net nic,model=n/a
       qemu-system-x86_64: Unsupported NIC model: n/a

       Program received signal SIGSEGV, Segmentation fault.

      The gdb backtrace looks like this:

      0x0000555555965fe0 in error_get_pretty (err=0x0) at util/error.c:152
      152           return err->msg;
      (gdb) bt
       0  0x0000555555965fe0 in error_get_pretty (err=0x0) at util/error.c:152
       1  0x0000555555965ffd in error_report_err (err=0x0) at util/error.c:157
       2  0x0000555555809c90 in pci_nic_init_nofail (nd=0x555555e49860 
<nd_table>, rootbus=0x5555564409b0,
          default_model=0x55555598c37b "e1000", default_devaddr=0x0) at 
hw/pci/pci.c:1663
       3  0x0000555555691e42 in pc_nic_init (isa_bus=0x555556f71900, 
pci_bus=0x5555564409b0)
          at hw/i386/pc.c:1506
       4  0x000055555569396b in pc_init1 (machine=0x5555562abbf0, 
pci_enabled=1, kvmclock_enabled=1)
          at hw/i386/pc_piix.c:248
       5  0x0000555555693d27 in pc_init_pci (machine=0x5555562abbf0) at 
hw/i386/pc_piix.c:310
       6  0x000055555572ddf5 in main (argc=3, argv=0x7fffffffe018, 
envp=0x7fffffffe038) at vl.c:4226

      The problem is that pci_nic_init_nofail() does not check whether the err
      parameter from pci_nic_init has been set up and thus passes a NULL pointer
      to error_report_err(). Fix it by correctly checking the err parameter.

      Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx>
      Reviewed-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
      Reviewed-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 342b0711cd62ddc08d334d879eac57b68f925fd5
  Author: Andreas Färber <afaerber@xxxxxxx>
  Date:   Fri Apr 10 16:37:56 2015 +0200

      stm32f205: Fix SoC type name

      The type name for the SoC device, unlike those of its sub-devices,
      did not follow the QOM naming conventions. While the usage is internal
      only, this is exposed through QMP and HMP, so fix it before release.

      Cc: Alistair Francis <alistair.francis@xxxxxxxxxx>
      Signed-off-by: Andreas Färber <afaerber@xxxxxxx>
      Reviewed-by: Alistair Francis <alistair@xxxxxxxxxxxxx>
      Message-id: 1428676676-23056-1-git-send-email-afaerber@xxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit c0c8584142a13e728178e51f2477c23a84ce74b4
  Author: Dirk Müller <dirk@xxxxxxxx>
  Date:   Sat Apr 4 14:15:10 2015 +0200

      cris: memory: Replace memory_region_init_ram with 
memory_region_allocate_system_memory

      Commit 0b183fc871:"memory: move mem_path handling to
      memory_region_allocate_system_memory" split memory_region_init_ram and
      memory_region_init_ram_from_file. Also it moved mem-path handling a step
      up from memory_region_init_ram to memory_region_allocate_system_memory.

      Therefore for any board that uses memory_region_init_ram directly,
      -mem-path is not supported.

      Fix this by replacing memory_region_init_ram with
      memory_region_allocate_system_memory.

      Tested-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>
      Cc: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxx>
      Signed-off-by: Dirk Mueller <dmueller@xxxxxxxx>
      Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xxxxxxxxxx>

  commit 58c24a4775ef7ccf16cfcd695753dfdf149fe29d
  Author: Dirk Müller <dirk@xxxxxxxx>
  Date:   Sat Apr 4 14:14:14 2015 +0200

      alpha: memory: Replace memory_region_init_ram with 
memory_region_allocate_system_memory

      Commit 0b183fc871:"memory: move mem_path handling to
      memory_region_allocate_system_memory" split memory_region_init_ram and
      memory_region_init_ram_from_file. Also it moved mem-path handling a step
      up from memory_region_init_ram to memory_region_allocate_system_memory.

      Therefore for any board that uses memory_region_init_ram directly,
      -mem-path is not supported.

      Fix this by replacing memory_region_init_ram with
      memory_region_allocate_system_memory.

      Cc: Richard Henderson <rth@xxxxxxxxxxx>
      Signed-off-by: Dirk Mueller <dmueller@xxxxxxxx>
      Acked-by: Richard Henderson <rth@xxxxxxxxxxx>
      Message-id: 
CAL5wTH64_ykF17cw2T1Axq8P3vCWm=6WbUJ3qJrLF-u+-MmzUw@xxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit b7ccb83f44eca09e48c61866a090425c762598f0
  Author: Dirk Müller <dirk@xxxxxxxx>
  Date:   Sat Apr 4 14:16:18 2015 +0200

      lm32: memory: Replace memory_region_init_ram with 
memory_region_allocate_system_memory

      Commit 0b183fc871:"memory: move mem_path handling to
      memory_region_allocate_system_memory" split memory_region_init_ram and
      memory_region_init_ram_from_file. Also it moved mem-path handling a step
      up from memory_region_init_ram to memory_region_allocate_system_memory.

      Therefore for any board that uses memory_region_init_ram directly,
      -mem-path is not supported.

      Fix this by replacing memory_region_init_ram with
      memory_region_allocate_system_memory.

      Cc: Michael Walle <michael@xxxxxxxx>
      Signed-off-by: Dirk Mueller <dmueller@xxxxxxxx>
      Acked-by: Michael Walle <michael@xxxxxxxx>
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 81b23ef82cd1be29ca3d69ab7e98b5b5e55926ce
  Author: Jan Beulich <jbeulich@xxxxxxxx>
  Date:   Tue Mar 31 15:18:03 2015 +0100

      xen: limit guest control of PCI command register

      Otherwise the guest can abuse that control to cause e.g. PCIe
      Unsupported Request responses (by disabling memory and/or I/O decoding
      and subsequently causing [CPU side] accesses to the respective address
      ranges), which (depending on system configuration) may be fatal to the
      host.

      This is CVE-2015-2756 / XSA-126.

      Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
      Reviewed-by: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
      Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
      Message-id: alpine.DEB.2.02.1503311510300.7690@xxxxxxxxxxxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 6a460ed18a3fda0eb2d9c96b8b01817b4dcbded4
  Author: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
  Date:   Thu Apr 9 14:52:18 2015 +0100

      configure: disable Archipelago by default and warn about libxseg GPLv3 
license

      libxseg has changed license to GPLv3.  QEMU includes GPL "v2 only" code
      which is not compatible with GPLv3.  This means the resulting binaries
      may not be redistributable!

      Disable Archipelago (libxseg) by default to prevent accidental license
      violations.  Also warn if linking against libxseg is enabled to remind
      the user.

      Note that this commit does not constitute any advice about software
      licensing.  If you have doubts you should consult a lawyer.

      Cc: Chrysostomos Nanakos <cnanakos@xxxxxxxx>
      Suggested-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reported-by: Andreas Färber <afaerber@xxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Reviewed-by: Andreas Färber <afaerber@xxxxxxx>
      Message-id: 1428587538-8765-1-git-send-email-stefanha@xxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit a6f2cb037a82fb8679e70e175cfbc879dd829e06
  Merge: cf811ff 05b685f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Thu Apr 9 12:05:00 2015 +0100

      Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' 
into staging

      # gpg: Signature made Thu Apr  9 10:55:11 2015 BST using RSA key ID 
81AB73C8
      # gpg: Good signature from "Stefan Hajnoczi <stefanha@xxxxxxxxxx>"
      # gpg:                 aka "Stefan Hajnoczi <stefanha@xxxxxxxxx>"

      * remotes/stefanha/tags/block-pull-request:
        block/iscsi: handle zero events from iscsi_which_events
        aio: strengthen memory barriers for bottom half scheduling
        virtio-blk: correctly dirty guest memory
        qcow2: Fix header update with overridden backing file

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit cf811fff2ae20008f00455d0ab2212a4dea0b56f
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Wed Apr 8 20:57:09 2015 +0100

      tcg/tcg-op.c: Fix ld/st of 64 bit values on 32-bit bigendian hosts

      Commit 951c6300f7 out-of-lined the 32-bit-host versions of
      tcg_gen_{ld,st}_i64, but in the process it inadvertently changed
      an #ifdef HOST_WORDS_BIGENDIAN to #ifdef TCG_TARGET_WORDS_BIGENDIAN.
      Since the latter doesn't get defined anywhere this meant we always
      took the "LE host" codepath, and stored the two halves of the value
      in the wrong order on BE hosts. This typically breaks any 64-bit
      guest on a 32-bit BE host completely, and will have possibly more
      subtle effects even for 32-bit guests.

      Switch the ifdef back to HOST_WORDS_BIGENDIAN.

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>
      Reviewed-by: Richard Henderson <rth@xxxxxxxxxxx>
      Tested-by: Andreas Färber <afaerber@xxxxxxx>
      Message-id: 1428523029-13620-1-git-send-email-peter.maydell@xxxxxxxxxx

  commit 05b685fbabb7fdcab72cb42b27db916fd74b2265
  Author: Peter Lieven <pl@xxxxxxx>
  Date:   Tue Apr 7 22:08:15 2015 +0200

      block/iscsi: handle zero events from iscsi_which_events

      newer libiscsi versions may return zero events from iscsi_which_events.

      In this case iscsi_service will return immediately without any progress.
      To avoid busy waiting for iscsi_which_events to change we deregister all
      read and write handlers in this case and schedule a timer to periodically
      check iscsi_which_events for changed events.

      Next libiscsi version will introduce async reconnects and zero events
      are returned while libiscsi is waiting for a reconnect retry.

      Signed-off-by: Peter Lieven <pl@xxxxxxx>
      Message-id: 1428437295-29577-1-git-send-email-pl@xxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e8d3b1a25f284cdf9705b7cf0412281cc9ee3a36
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Tue Apr 7 17:16:19 2015 +0200

      aio: strengthen memory barriers for bottom half scheduling

      There are two problems with memory barriers in async.c.  The fix is
      to use atomic_xchg in order to achieve sequential consistency between
      the scheduling of a bottom half and the corresponding execution.

      First, if bh->scheduled is already 1 in qemu_bh_schedule, QEMU does
      not execute a memory barrier to order any writes needed by the callback
      before the read of bh->scheduled.  If the other side sees req->state as
      THREAD_ACTIVE, the callback is not invoked and you get deadlock.

      Second, the memory barrier in aio_bh_poll is too weak.  Without this
      patch, it is possible that bh->scheduled = 0 is not "published" until
      after the callback has returned.  Another thread wants to schedule the
      bottom half, but it sees bh->scheduled = 1 and does nothing.  This causes
      a lost wakeup.  The memory barrier should have been changed to smp_mb()
      in commit 924fe12 (aio: fix qemu_bh_schedule() bh->ctx race condition,
      2014-06-03) together with qemu_bh_schedule()'s.  Guess who reviewed
      that patch?

      Both of these involve a store and a load, so they are reproducible on
      x86_64 as well.  It is however much easier on aarch64, where the
      libguestfs test suite triggers the bug fairly easily.  Even there the
      failure can go away or appear depending on compiler optimization level,
      tracing options, or even kernel debugging options.

      Paul Leveille however reported how to trigger the problem within 15
      minutes on x86_64 as well.  His (untested) recipe, reproduced here
      for reference, is the following:

         1) Qcow2 (or 3) is critical â?? raw files alone seem to avoid the 
problem.

         2) Use â??cache=directsyncâ?? rather than the default of
         â??cache=noneâ?? to make it happen easier.

         3) Use a server with a write-back RAID controller to allow for rapid
         IO rates.

         4) Run a random-access load that (mostly) writes chunks to various
         files on the virtual block device.

            a. I use â??diskload.exe c:25â??, a Microsoft HCT load
               generator, on Windows VMs.

            b. Iometer can probably be configured to generate a similar load.

         5) Run multiple VMs in parallel, against the same storage device,
         to shake the failure out sooner.

         6) IvyBridge and Haswell processors for certain; not sure about others.

      A similar patch survived over 12 hours of testing, where an unpatched
      QEMU would fail within 15 minutes.

      This bug is, most likely, also the cause of failures in the libguestfs
      testsuite on AArch64.

      Thanks to Laszlo Ersek for initially reporting this bug, to Stefan
      Hajnoczi for suggesting closer examination of qemu_bh_schedule, and to
      Paul for providing test input and a prototype patch.

      Reported-by: Laszlo Ersek <lersek@xxxxxxxxxx>
      Reported-by: Paul Leveille <Paul.Leveille@xxxxxxxxxxx>
      Reported-by: John Snow <jsnow@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Message-id: 1428419779-26062-1-git-send-email-pbonzini@xxxxxxxxxx
      Suggested-by: Paul Leveille <Paul.Leveille@xxxxxxxxxxx>
      Suggested-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit c8623c0215e18eb4a8ec73eba014d97e51ed707e
  Author: Dirk Müller <dirk@xxxxxxxx>
  Date:   Sat Apr 4 14:24:38 2015 +0200

      arm: memory: Replace memory_region_init_ram with 
memory_region_allocate_system_memory

      Commit 0b183fc871:"memory: move mem_path handling to
      memory_region_allocate_system_memory" split memory_region_init_ram and
      memory_region_init_ram_from_file. Also it moved mem-path handling a step
      up from memory_region_init_ram to memory_region_allocate_system_memory.

      Therefore for any board that uses memory_region_init_ram directly,
      -mem-path is not supported.

      Fix this by replacing memory_region_init_ram with
      memory_region_allocate_system_memory.

      Signed-off-by: Dirk Mueller <dmueller@xxxxxxxx>
      Message-id: 
CAL5wTH4UHYKpJF=dLJfFzxpufjY189chnCow47-ySuLf8GLbug@xxxxxxxxxxxxxx
      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 2a6cdd6d35158bc7a6aacd92b5b0302f28ec480e
  Author: Paolo Bonzini <pbonzini@xxxxxxxxxx>
  Date:   Thu Apr 2 19:50:44 2015 +0200

      virtio-blk: correctly dirty guest memory

      After qemu_iovec_destroy, the QEMUIOVector's size is zeroed and
      the zero size ultimately is used to compute virtqueue_push's len
      argument.  Therefore, reads from virtio-blk devices did not
      migrate their results correctly.  (Writes were okay).

      Save the size in virtio_blk_handle_request, and use it when the request
      is completed.

      Based on a patch by Wen Congyang.

      Signed-off-by: Wen Congyang <wency@xxxxxxxxxxxxxx>
      Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Reviewed-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>
      Tested-by: Li Zhijian <lizhijian@xxxxxxxxxxxxxx>
      Message-id: 1427997044-392-1-git-send-email-pbonzini@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit e4603fe139e2161464d7e75faa3a650e31f057fc
  Author: Kevin Wolf <kwolf@xxxxxxxxxx>
  Date:   Tue Apr 7 15:03:16 2015 +0200

      qcow2: Fix header update with overridden backing file

      In recent qemu versions, it is possible to override the backing file
      name and format that is stored in the image file with values given at
      runtime. In such cases, the temporary override could end up in the
      image header if the qcow2 header was updated, while obviously correct
      behaviour would be to leave the on-disk backing file path/format
      unchanged.

      Fix this and add a test case for it.

      Reported-by: Michael Tokarev <mjt@xxxxxxxxxx>
      Signed-off-by: Kevin Wolf <kwolf@xxxxxxxxxx>
      Reviewed-by: Eric Blake <eblake@xxxxxxxxxx>
      Message-id: 1428411796-2852-1-git-send-email-kwolf@xxxxxxxxxx
      Signed-off-by: Stefan Hajnoczi <stefanha@xxxxxxxxxx>

  commit 5a24f20a7208a58fb80d78ca0521bba6f4d7b145
  Merge: f2155a0 9be6e69
  Author: Peter Maydell <peter.maydell@xxxxxxxxxx>
  Date:   Tue Apr 7 14:33:46 2015 +0100

      Merge remote-tracking branch 
'remotes/mjt/tags/pull-trivial-patches-2015-04-04' into staging

      trivial patches for 2015-04-04

      # gpg: Signature made Sat Apr  4 08:07:49 2015 BST using RSA key ID 
A4C3D7DB
      # gpg: Good signature from "Michael Tokarev <mjt@xxxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxx>"
      # gpg:                 aka "Michael Tokarev <mjt@xxxxxxxxxx>"

      * remotes/mjt/tags/pull-trivial-patches-2015-04-04:
        vhost: fix typo in vq_index description
        gitignore: Ignore more .pod files.
        target-tricore: Fix check which was always false
        target-i386: remove superfluous TARGET_HAS_SMC macro
        pcspk: Fix I/O port name

      Signed-off-by: Peter Maydell <peter.maydell@xxxxxxxxxx>

  commit 9be6e69f12bc65e9c43ee5b8eb026412f11b8b71
  Author: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
  Date:   Thu Mar 26 12:10:29 2015 +0100

      vhost: fix typo in vq_index description

      Signed-off-by: Greg Kurz <gkurz@xxxxxxxxxxxxxxxxxx>
      Acked-by: Jason Wang <jasowang@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 085feb61dbc6130bfd2e6c3f59d03220ff9e1bb3
  Author: Eric Blake <eblake@xxxxxxxxxx>
  Date:   Fri Mar 20 10:30:44 2015 -0600

      gitignore: Ignore more .pod files.

      kvm_stat.{1,pod} started showing up as untracked files in my
      directory, and I nearly accidentally merged them into a commit
      with my usual habit of 'git add .'.  Rather than spelling out
      each such file, just ignore the entire pattern.

      Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
      Reviewed-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 7b4b0b5795e934a9b7efb916af86715b68555be9
  Author: Stefan Weil <sw@xxxxxxxxxxx>
  Date:   Sat Mar 21 14:44:58 2015 +0100

      target-tricore: Fix check which was always false

      With a mask value of 0x00400000, the result will never be 1.
      This fixes a Coverity warning.

      Signed-off-by: Stefan Weil <sw@xxxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit 9c04146ad4696b20c440bfbb4a6ab27ea254e7ca
  Author: Emilio G. Cota <cota@xxxxxxxxx>
  Date:   Sat Mar 21 13:29:09 2015 -0400

      target-i386: remove superfluous TARGET_HAS_SMC macro

      Signed-off-by: Emilio G. Cota <cota@xxxxxxxxx>
      Reviewed-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

  commit ecf2e5a46d7559f258a2c914131ba25d3c5326bf
  Author: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
  Date:   Thu Mar 19 13:08:40 2015 +0100

      pcspk: Fix I/O port name

      Probably a copy&paste bug. Fixing it helps identifying the device model
      behind port 0x61.

      Signed-off-by: Jan Kiszka <jan.kiszka@xxxxxxxxxxx>
      Reviewed-by: Gonglei <arei.gonglei@xxxxxxxxxx>
      Signed-off-by: Michael Tokarev <mjt@xxxxxxxxxx>

Revision graph left in 
/home/logs/results/bisect/qemu-mainline/test-amd64-i386-xl-qemuu-debianhvm-amd64.debian-hvm-install.{dot,ps,png,html,svg}.
----------------------------------------
65229: tolerable ALL FAIL

flight 65229 qemu-mainline real-bisect [real]
http://logs.test-lab.xenproject.org/osstest/logs/65229/

Failures :-/ but no regressions.

Tests which did not succeed,
including tests which could not be run:
 test-amd64-i386-xl-qemuu-debianhvm-amd64 9 debian-hvm-install fail baseline 
untested


jobs:
 test-amd64-i386-xl-qemuu-debianhvm-amd64                     fail


------------------------------------------------------------
sg-report-flight on osstest.test-lab.xenproject.org
logs: /home/logs/logs
images: /home/logs/images

Logs, config files, etc. are available at
    http://logs.test-lab.xenproject.org/osstest/logs

Explanation of these reports, and of osstest in general, is at
    http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README.email;hb=master
    http://xenbits.xen.org/gitweb/?p=osstest.git;a=blob;f=README;hb=master

Test harness code can be found at
    http://xenbits.xen.org/gitweb?p=osstest.git;a=summary


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.